VPN up Gateway up - No Internet
-
@dilligaf You seem to be a step above me. My gateway won't even show up. I've changed every rule I can find, changed the monitor address to 1.1.1.1, no luck. I'm so fed up with this I'm about to try out an OPNsense install.
-
@sensecanuck I have a very similar setup by the sounds of it and, like you, use Cloudflare DNS. And like you, I changed everything I could think of.
All sorts of different issues: I've had it running but only at about 120mb/s (I'm expecting 400+). I thought at that point it was just hardware acceleration. Backed up that config but when I restored it no traffic.
And had the gateway up but no traffic like you. I was mucking about with it late last night and can't repeat anything.
I'm looking to overhaul my network as a suitable and more powerful NUC type box has come into my possession. There's an issue there with 2.5 I don't understand and want to use pfSense on it as everything generally just works, but don't really want to put the effort in on 2.4.5.
And like you I'm testing OPNsense. Not getting the same VPN performance though. Generally 15-20% less. Beware of the NordVPN guide - do not follow the guide for DNS prefetch support and prefetch DNS key. It doesn't work!
-
@viragomann
Here are the routes:
I did a packet capture, but how can I tell if it is being properly routed? If you want me to post or DM let me know, I can do that. It's trivial to get a new IP address generated from my ISP, so I'm not too worried about that.
-
@vmac said in VPN up Gateway up - No Internet:
I did a packet capture, but how can I tell if it is being properly routed?
Go to packet capture, select the NordVPN interface and set the protocol filter to ICMP and enter 8.8.8.8 at host and hit start. Then go to a device out of the VPN group and do a ping to 8.8.8.8. Check if the ping is working. Then stop the capture and check the result.
If the policy routing and NAT are working well you should see ICMP requests from your virtual VPN IP to 8.8.8.8 and replies coming back. You can find your virtual IP in Status > OpenVPN:
-
@viragomann I don't see the ICMP replies in my capture (only sends).
- My config hasn't been touched since upgrading to 2.5.0.
- Under Status -> Gateways my VPN shows offline even with 1.1.1.1 as the monitor
- Under Status -> OpenVPN the status shows up and I get an IP
- I have some selective DNS (I don't use the DNS resolver for my VPN interface) but I'm assuming that would be irrelevant to the ICMP test?
NAT -> Outbound - If I disable the highlighted rule I get internet (bypasses my VPN). Which I find interesting because it means my NO_WAN_EGRESS tagging doesn't work.
Rules -> LAN - I always see 0/0 B on this one.
-
@sensecanuck said in VPN up Gateway up - No Internet:
I don't see the ICMP replies in my capture (only sends).
And what is the source address? I explained above how to check. Since you don't provide the info, I can't verify.
Pinging an IP doesn't need DNS. You must see response packets. If not, either the source IP isn't correct (from outbound NAT) or something is wrong at the VPN provider.
There are other threads relating to outbound NAT on 2.5, but I did not go in.
Maybe it helps to switch the outbound NAT into another mode and back again or drop the rule and add it again.
-
Recreating the NAT rule didn't make a difference.
The pings are coming from the virtual address but I don't get returns
11:34:33.915913 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 601, length 40
I can also see a number of non-ICMP requests being sent out (again, no returns). My gateway always shows down, whether I monitor 1.1.1.1 or 8.8.8.8 (don't know if that makes a difference).
-
Update
The gateway now shows up with the default monitor port, but still no internet.
-
Solved in this thread by disabling Data Encryption Negotiation.
https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10
-
@sensecanuck said in VPN up Gateway up - No Internet:
Solved in this thread by disabling Data Encryption Negotiation.
https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10
Thank you sir. Just got back to town and this worked. For those who are having this same issue, the following two things will fix this issue:
- Uncheck "Enable Data Encryption Negotiation"
or
- Remove "tls-client" from custom option settings in OpenVPN
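
The capture check described earlier in the thread can be scripted. The following is an added example, not part of any post: it reads tcpdump text lines in the format posted above and reports whether echo requests leave from the virtual VPN IP and whether replies come back. The function name `diagnose`, the verdict labels and every capture line except the first are constructed for illustration.

```python
import re

# tcpdump text line format as posted in the thread (time, "IP src > dst: ICMP echo ...")
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def diagnose(capture_text, vpn_ip, target="8.8.8.8"):
    """Classify a capture taken on the VPN interface while pinging `target`."""
    requests, replies, wrong_src = {}, set(), set()
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # non-ICMP or unparseable line
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request" and m["dst"] == target:
            requests[key] = m["src"]
            if m["src"] != vpn_ip:
                wrong_src.add(m["src"])
        elif m["kind"] == "reply" and m["src"] == target:
            replies.add(key)
    unanswered = sorted(k for k in requests if k not in replies)
    if not requests:
        verdict = "no-requests"       # policy routing is not sending pings into the tunnel
    elif wrong_src:
        verdict = "nat-source-wrong"  # outbound NAT is not translating to the virtual IP
    elif unanswered:
        verdict = "no-replies"        # leaves correctly, nothing returns: tunnel or provider side
    else:
        verdict = "ok"
    return {"verdict": verdict, "unanswered": unanswered, "wrong_src": sorted(wrong_src)}

# First line is the one posted in the thread; all other lines are constructed samples.
THREAD_CASE = """\
11:34:33.915913 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 601, length 40
11:34:34.921077 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 28931, seq 602, length 40
"""
NAT_BROKEN = """\
11:40:01.000100 IP 192.168.1.50 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 40
"""
HEALTHY = """\
11:50:01.000100 IP 10.8.3.5 > 8.8.8.8: ICMP echo request, id 9, seq 1, length 40
11:50:01.020300 IP 8.8.8.8 > 10.8.3.5: ICMP echo reply, id 9, seq 1, length 40
"""

if __name__ == "__main__":
    for name, cap in [("thread", THREAD_CASE), ("nat", NAT_BROKEN), ("healthy", HEALTHY)]:
        print(name, diagnose(cap, vpn_ip="10.8.3.5"))
```

A `no-replies` verdict with the correct source address matches the situation in this thread, where the fix was on the OpenVPN client settings rather than in the NAT or firewall rules.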