Cant connect to an certain site, looked at all the logs, no idea why

meruem

I'm on a windows box. Running OpenVPN. I connect to my home pfsense box.

I'm at work and VPN'ing into home.

When I connect to the VPN, I can no longer access our website which is in a DMZ. If I ping it, it's the public IP address..

I dont see any logs anywhere indicating the problem. Basically all the browsers try and load the page but just spin then time out

Any ideas what could be going on?

marvosa

What you've provided is extremely vague.  We can't even begin to help you troubleshoot this without more specifics about your network and what you're trying to connect to.

meruem

I know because I can't post IP Addresses .. was hoping someone had similar experience

johnpoz

What problem exactly do you think your having?  If you vpn into your home from work, and you setup home as default for all traffic to go through vpn.. Why would you think you would still be able to get to your work stuff?

If you want to vpn to get to your home network then just setup to get to your home network and not send all traffic to vpn.. Is this unchecked on your vpn setup?

meruem

@johnpoz:

What problem exactly do you think your having?  If you vpn into your home from work, and you setup home as default for all traffic to go through vpn.. Why would you think you would still be able to get to your work stuff?

If you want to vpn to get to your home network then just setup to get to your home network and not send all traffic to vpn.. Is this unchecked on your vpn setup?

Ya I have that check box unchecked. I dont push any routes. My home network is on the 192.168.1.0/24 and I can access anything on my home network no problem. My work network is on 10.0.0.0 network and I can also access anything on that network. But I cant access our website in the dmz. It resolves to the public ip address both inside work network, or outside work network, with or without vpn.

just tried ip address in browser instead of host header, ie says cannot access page. if i disconnect from vpn, IE connects to homepage no problem

any debug steps you can think of?

johnpoz

Do a traceroute when your on your vpn connected and without vpn connected… Do you go out your vpn or not when trying to go to that address?

When it works, and your not on your vpn - you sure its resolving to the same public IP?

meruem

i tried push "route webserver_ip net_gateway" and it still dont work

then tried push "route webserver_ip vpn_gateway" and it also didnt work

meruem

@johnpoz:

Do a traceroute when your on your vpn connected and without vpn connected… Do you go out your vpn or not when trying to go to that address?

When it works, and your not on your vpn - you sure its resolving to the same public IP?

oh good catch. I thought it resolved the same if i was connected or not, but i was wrong.

Connected to VPN

tracert website_dns
Tracing route to [websiteDNS] [public ip that routes to web server]
over a maximum of 30 hops:

1    1 ms    <1 ms    <1 ms  [net_gateway 10.x.x.x network]
  2    *        *        *    Request timed out.
  3    *        *        *    Request timed out.
  4    *        *        *    Request timed out.
  5    *    ^C

Not connected to VPN

Tracing route to [websiteDNS] [172.x.x.x]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  [net_gateway 10.x.x.x network]
  2    <1 ms    <1 ms    <1 ms  [webserver internal dns name] [172.x.x.x]

so it's like… when im connected to vpn im trying to access site via public IP instead of internal IP but always through the net_gateway. Theres probably no routes or whatever in our switch/firewall at work that allows that. I do push DNS with openvpn... is windows preferring my 192.168.1.1 DNS server or something?

johnpoz

Yeah most likely when your on your vpn your using your vpn for dns..  Which kind of want if you want to resolve your home stuff..  So just create an over ride in your home dns to resolve where that webserver name is to its 172 address and you should be fine.

or just create a host entry on your work machine to resolve what you want to the 172 address.

meruem

@johnpoz:

Yeah most likely when your on your vpn your using your vpn for dns..  Which kind of want if you want to resolve your home stuff..  So just create an over ride in your home dns to resolve where that webserver name is to its 172 address and you should be fine.

or just create a host entry on your work machine to resolve what you want to the 172 address.

aww yiss, hosts file entry worked perfect, Thank you!