Netgate Discussion Forum

OpenVPN server: Can not connect to certain websites

13 Posts 4 Posters 1.5k Views
  • M
    Marci
    last edited by Marci Sep 18, 2021, 11:45 PM Sep 18, 2021, 11:41 PM

    Hi community

    I have set up an external OpenVPN server in pfSense 2.5.2.
    On my phone I can connect to the server and everything works smoothly.

    At home I have a PC which sits behind a pfSense 2.5.2 box. Here I have created a VPN client and directed all traffic through this client.

    Strangely, I cannot connect to a few websites (e.g. www.digitec.ch) with the PC, whereas I can open these sites with the phone.

    Key difference between the two devices is the generation of the OpenVPN client.

    On the phone I imported the .ovpn file whereas I did a manual client setup on pfSense.
    For pfSense I just used the CA, certificate and TLS keys and did not use any custom options for the client.
    So I guess that I might be missing something there...?

    I did a packet capture at the server on the site above and this is what it looked like:

    00:51:55.258287 IP my.ip.my.ip.44201 > 198.18.0.75.443: tcp 0
    00:51:55.518193 IP my.ip.my.ip.57675 > 198.18.0.75.443: tcp 0
    00:51:56.274134 IP my.ip.my.ip.44201 > 198.18.0.75.443: tcp 0
    00:51:56.528621 IP my.ip.my.ip.57675 > 198.18.0.75.443: tcp 0
    00:51:58.288136 IP my.ip.my.ip.44201 > 198.18.0.75.443: tcp 0
    00:51:58.595028 IP my.ip.my.ip.57675 > 198.18.0.75.443: tcp 0
    00:52:02.335017 IP my.ip.my.ip.44201 > 198.18.0.75.443: tcp 0
    00:52:02.576575 IP my.ip.my.ip.57675 > 198.18.0.75.443: tcp 0
    

    Here is my client configuration and here the .ovpn file which I used for the phone and for setting up the pfSense client:

    persist-tun
    persist-key
    data-ciphers AES-256-GCM:AES-256-CBC
    data-ciphers-fallback AES-256-GCM
    auth SHA256
    tls-client
    client
    remote my.ip.my.ip 1194 udp4
    lport 0
    verify-x509-name "abc" name
    auth-user-pass
    remote-cert-tls server
    explicit-exit-notify
    
    <ca>
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    
    -----END PRIVATE KEY-----
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    xxx
    -----END OpenVPN Static key V1-----
    </tls-auth>
    

    Any ideas how to move forward are much appreciated.

    Marci

    J 1 Reply Last reply Sep 23, 2021, 8:23 PM Reply Quote 0
    • M
      Marci
      last edited by Sep 20, 2021, 5:42 PM

      bump

      Any ideas to my problem would be highly welcome.

      N 1 Reply Last reply Sep 20, 2021, 7:47 PM Reply Quote 0
      • N
        noplan @Marci
        last edited by Sep 20, 2021, 7:47 PM

        @marci

        DNS?

        M 1 Reply Last reply Sep 20, 2021, 9:39 PM Reply Quote 0
        • M
          Marci @noplan
          last edited by Sep 20, 2021, 9:39 PM

          @noplan Hi noplan, thanks for your reply. Can DNS selectively not work for certain websites?
          I am using the Google DNS server, and since I can open most websites I was guessing that DNS is working?

          N 1 Reply Last reply Sep 21, 2021, 5:31 AM Reply Quote 0
          • N
            noplan @Marci
            last edited by Sep 21, 2021, 5:31 AM

            @marci
            Yeah, could do, but unlikely.

            Do you connect your phone to the same openVpn server?

            Do you use split DNS for the tunnel, or route all traffic through the tunnel?

            Screenshots of vpn config of your server would help

            Any other services like pfB running on your server?

            M 1 Reply Last reply Sep 21, 2021, 5:27 PM Reply Quote 0
            • M
              Marci @noplan
              last edited by Sep 21, 2021, 5:27 PM

              @noplan
              Yes, I am connecting to the same server and I am routing all traffic through the tunnel.
              Here is the server config.

              I am not running any other services, it is a fresh install with just the server being active.

              I am clueless... Thanks for looking into it noplan!

              1 Reply Last reply Reply Quote 0
              • M
                Marci
                last edited by Sep 23, 2021, 7:42 PM

                bump

                My last try to bump this thread 😖

                Any idea where else to look would be highly appreciated.

                1 Reply Last reply Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator @Marci
                  last edited by Sep 23, 2021, 8:23 PM

                  @marci said in OpenVPN server: Can not connect to certain websites:

                  198.18.0.75.443

                  And what IP is that supposed to be exactly? It sure isn't the IP for www.digitec.ch.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  M 1 Reply Last reply Sep 24, 2021, 10:00 AM Reply Quote 0
                  • M
                    Marci @johnpoz
                    last edited by Sep 24, 2021, 10:00 AM

                    @johnpoz
                    I thought this is the right IP:

                    ~$ ping www.digitec.ch
                    PING www.digitec.ch (198.18.0.75) 56(84) bytes of data.
                    64 bytes from 198.18.0.75 (198.18.0.75): icmp_seq=1 ttl=63 time=18.3 ms
                    

                    Isn't it?

                    N 1 Reply Last reply Sep 24, 2021, 10:01 AM Reply Quote 0
                    • N
                      NogBadTheBad @Marci
                      last edited by NogBadTheBad Sep 24, 2021, 10:07 AM Sep 24, 2021, 10:01 AM

                      @marci said in OpenVPN server: Can not connect to certain websites:

                      www.digitec.ch

                      https://www.whatsmydns.net/#A/www.digitec.ch

                      Looks to me like they're using Akamai, so the address could resolve to the closest IP.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      J 1 Reply Last reply Sep 24, 2021, 10:56 AM Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @NogBadTheBad
                        last edited by johnpoz Sep 24, 2021, 11:10 AM Sep 24, 2021, 10:56 AM

                        @nogbadthebad said in OpenVPN server: Can not connect to certain websites:

                        https://www.whatsmydns.net/#A/www.digitec.ch

                        Very true, the IP could be different depending on region. But the thing is, 198.18.0.75 is not a valid IP.

                        NetRange:       198.18.0.0 - 198.19.255.255
                        CIDR:           198.18.0.0/15
                        NetName:        SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
                        Comment:        Addresses starting with "198.18." or "198.19." are set aside for use in 
                        isolated laboratory networks used for benchmarking and performance testing.  They should never 
                        appear on the Internet and if you see Internet traffic using these addresses, they are being 
                        used without permission.
                        

                        As you see from the link @NogBadTheBad posted - That IP is not returned for that fqdn for any region.

                        And 198.18.0.0/15 is listed as bogon, updated as of
                        last updated 1632473401 (Fri Sep 24 08:50:01 2021 GMT)
                        https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt


                        M 1 Reply Last reply Sep 24, 2021, 1:14 PM Reply Quote 1
                        • M
                          Marci @johnpoz
                          last edited by Sep 24, 2021, 1:14 PM

                          @johnpoz and @NogBadTheBad
                          Thank you very much for your comments.
                          I see why 198.18.0.0/15 is not an external IP address.

                          The reason why I used this IP was because I wanted to perform a packet capture to further analyze my problem, and I thought this was the IP for the domain I was trying to access.

                          So my packet capture data above can be ignored as it doesn't make sense.

                          Still I am not able to connect to this site when I use my pfSense OpenVPN client, whereas I am able to connect to the site when I use my OpenVPN phone client (both times to the same pfSense OpenVPN server).

                          😕

                          Do you have any idea how I could dig into that?

                          J 1 Reply Last reply Sep 24, 2021, 1:40 PM Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator @Marci
                            last edited by johnpoz Sep 24, 2021, 1:51 PM Sep 24, 2021, 1:40 PM

                            @marci And what does the FQDN resolve to? From your ping, it's resolving to that:

                            ping www.digitec.ch
                            PING www.digitec.ch (198.18.0.75) 56(84) bytes of data.
                            

                            So clearly you're never going to be able to go there if it's resolving to such an IP.

                            The other question is how the F are you getting any response from that IP?

                            64 bytes from 198.18.0.75 (198.18.0.75): icmp_seq=1 ttl=63 time=18.3 ms

                            I guess it's possible your ISP has such a network internal to their network. That would be bad practice for sure, but it is possible. The bigger question is how/why you're resolving the FQDN to that IP in the first place? That site for sure is not being hosted on such an IP, even if it was recently decided to make that public space now, kind of how 1.1.1.1 was once not valid public IP space, and now is.

                            In the current state of deployment, if that was the case, it wouldn't work for pretty much anyone because it is still listed as bogon (which do not route on the public internet, or at least are not supposed to). And if that is the case, why has ARIN not updated to reflect that it is now owned by company xyz, vs still listing it as special use space?

                            If I had to take a guess as to why it works when you connect via your phone to some VPN, it's that your phone (different DNS, DoH maybe) or the VPN DNS is resolving it to the correct IP, while the way you have pfSense set up, it's not resolving correctly.

                            But no, you're not going to get there if it resolves to that 198.18 address, since it is not a valid IP, nor is it even supposed to route on the public internet.


                            1 Reply Last reply Reply Quote 0
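A small defender-side check for the situation johnpoz describes in his last two posts (a public hostname resolving into IANA special-use / benchmark space, which should never happen for a real site), run over the ping header Marci posted. This is an added example, not code from the thread or from pfSense; it uses only Python's standard library, the range table is from RFC 6890 and the whois text quoted above, and the `example.invalid` line is constructed sample input.

```python
import ipaddress
import re

# IPv4 special-use ranges that a public web site's A record should never point
# at (IANA special-purpose registry / RFC 6890). 198.18.0.0/15 is the RFC 2544
# benchmarking block that whois labels SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED.
SPECIAL_USE_V4 = [
    (ipaddress.ip_network("0.0.0.0/8"), "this-network (RFC 1122)"),
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918)"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared address space / CGNAT (RFC 6598)"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback (RFC 1122)"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local (RFC 3927)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918)"),
    (ipaddress.ip_network("192.0.0.0/24"), "IETF protocol assignments (RFC 6890)"),
    (ipaddress.ip_network("192.0.2.0/24"), "TEST-NET-1 (RFC 5737)"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918)"),
    (ipaddress.ip_network("198.18.0.0/15"), "benchmark testing (RFC 2544)"),
    (ipaddress.ip_network("198.51.100.0/24"), "TEST-NET-2 (RFC 5737)"),
    (ipaddress.ip_network("203.0.113.0/24"), "TEST-NET-3 (RFC 5737)"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast (RFC 5771)"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved (RFC 1112)"),
]

# First line of Linux `ping` output, e.g.
# "PING www.digitec.ch (198.18.0.75) 56(84) bytes of data."
PING_HEADER = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")


def special_use_reason(ip_str):
    """Return why ip_str must not be a public DNS answer, or None if it looks routable."""
    ip = ipaddress.ip_address(ip_str)
    for net, reason in SPECIAL_USE_V4:
        if ip in net:
            return reason
    return None


def audit_ping_header(line):
    """Parse a ping header line and flag the address the resolver returned.

    Returns (fqdn, ip, verdict) with verdict "ok" or "suspect: <reason>",
    or None if the line is not a ping header (reply lines are ignored)."""
    m = PING_HEADER.match(line.strip())
    if not m:
        return None
    fqdn, ip = m.group(1), m.group(2)
    reason = special_use_reason(ip)
    return (fqdn, ip, "ok" if reason is None else f"suspect: {reason}")


if __name__ == "__main__":
    # Constructed sample: the header from the thread plus a sane-looking one.
    for line in ["PING www.digitec.ch (198.18.0.75) 56(84) bytes of data.",
                 "PING example.invalid (1.1.1.1) 56(84) bytes of data."]:
        print(audit_ping_header(line))
```

A "suspect" verdict for a public hostname means the resolver the client is using (here, whatever pfSense hands the OpenVPN client) is returning an answer the real site cannot live at; comparing the same name against a second resolver, as the thread suggests, shows which side is wrong.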
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.