
I am using OpenBSD 5.7-amd64 with the latest patches applied.

I downloaded and installed OpenVPN (package version: openvpn-2.3.6.tgz) available for OpenBSD 5.7 using the following command:

```
sudo pkg_add -vi openvpn
```

I change to the directory where my .ovpn files are located:

```
cd openvpn-configs
```

I choose one ovpn file, say uk.ovpn, and type the following command:

```
sudo openvpn uk.ovpn
```

Lines flash across my terminal and finally the message:

```
Initialization Sequence Completed
```

indicates that I am connected to the UK server.

I launch Firefox and type in a URL.

Nothing appears in the browser.

I open up another terminal and type:

```
ping microsoft.com
```

No pings are recorded.

What is happening?


In response to mjturner's request for more information, below are additional details.

Please note that the basic pf firewall supplied by OpenBSD during installation of the OS is enabled by default. Moreover, during installation of the OS, when asked whether to configure/turn on IPv6, I answered "No".

Details of the log of the VPN connection:

```
Tue Jul 14 00:00:17 2015 OpenVPN 2.3.6 x86_64-unknown-openbsd5.7 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Mar  7 2015
Tue Jul 14 00:00:17 2015 library versions: LibreSSL 2.1, LZO 2.08
Tue Jul 14 00:00:17 2015 WARNING: file 'auth.txt' is group or others accessible
Tue Jul 14 00:00:17 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Jul 14 00:00:17 2015 UDPv4 link local: [undef]
Tue Jul 14 00:00:17 2015 UDPv4 link remote: [AF_INET]111.222.333.444:443
Tue Jul 14 00:00:19 2015 TLS: Initial packet from [AF_INET]111.222.333.444:443, sid=16-alphanumeric-string
Tue Jul 14 00:00:19 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 14 00:00:20 2015 VERIFY OK: depth=1, [particulars of commercial VPN service provider]
Tue Jul 14 00:00:20 2015 Validating certificate key usage
Tue Jul 14 00:00:20 2015 ++ Certificate has key usage  00a0, expects 00a0
Tue Jul 14 00:00:20 2015 VERIFY KU OK
Tue Jul 14 00:00:20 2015 Validating certificate extended key usage
Tue Jul 14 00:00:20 2015 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 14 00:00:20 2015 VERIFY EKU OK
Tue Jul 14 00:00:20 2015 VERIFY OK: depth=0, [particulars of commercial VPN service provider]
Tue Jul 14 00:00:21 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 14 00:00:21 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 14 00:00:21 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 14 00:00:21 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 14 00:00:21 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jul 14 00:00:21 2015 [VPN-UK] Peer Connection Initiated with [AF_INET]111.222.333.444:443
Tue Jul 14 00:00:23 2015 SENT CONTROL [VPN-UK]: 'PUSH_REQUEST' (status=1)
Tue Jul 14 00:00:24 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.9.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.9.0.6 10.9.0.5'
Tue Jul 14 00:00:24 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 14 00:00:24 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 14 00:00:24 2015 OPTIONS IMPORT: route options modified
Tue Jul 14 00:00:24 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 14 00:00:24 2015 ROUTE_GATEWAY 192.168.220.1
Tue Jul 14 00:00:24 2015 TUN/TAP device /dev/tun0 opened
Tue Jul 14 00:00:24 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 14 00:00:24 2015 /sbin/ifconfig tun0 10.9.0.6 10.9.0.5 mtu 1500 netmask 255.255.255.255 up -link0
Tue Jul 14 00:00:26 2015 /sbin/route add -net 111.222.333.444 192.168.220.1 -netmask 255.255.255.255
add net 111.222.333.444: gateway 192.168.220.1
Tue Jul 14 00:00:26 2015 /sbin/route add -net 0.0.0.0 10.9.0.5 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.9.0.5
Tue Jul 14 00:00:26 2015 /sbin/route add -net 128.0.0.0 10.9.0.5 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.9.0.5
Tue Jul 14 00:00:26 2015 /sbin/route add -net 10.9.0.1 10.9.0.5 -netmask 255.255.255.255
add net 10.9.0.1: gateway 10.9.0.5
Tue Jul 14 00:00:26 2015 Initialization Sequence Completed
```

Details of ifconfig -a when the VPN connection is ON:

```
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
    priority: 0
    groups: lo
    inet6 xx11::1%lo0 prefixlen 64 scopeid 0x3
    inet6 ::1 prefixlen 128
    inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr [MAC address of network card]
    priority: 0
    groups: egress
    media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
    status: active
    inet 192.168.220.176 netmask 0xffffff00 broadcast 192.168.220.255
enc0: flags=0<>
    priority: 0
    groups: enc
    status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
    priority: 0
    groups: pflog
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    priority: 0
    groups: tun
    status: active
    inet 10.9.0.6 --> 10.9.0.5 netmask 0xffffffff
```

Details of netstat -nr -f inet when the VPN connection is ON:

```
$ netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.9.0.5           UGS        0        0     -     8 tun0
default            192.168.220.1      UGS        1      137     -     8 re0
10.9.0.1/32        10.9.0.5           UGS        0        0     -     8 tun0
10.9.0.5           10.9.0.6           UH         3        0     -     4 tun0
10.9.0.6           10.9.0.6           UHl        0        0     -     1 lo0
111.222.333.444/32 192.168.220.1      UGS        0        0     -     8 re0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHl        1        4 32768     1 lo0
128/1              10.9.0.5           UGS        0        0     -     8 tun0
192.168.220/24     link#1             UC         1        0     -     4 re0
192.168.220.1      [MAC-router]       UHLc       2        0     -     4 re0
192.168.220.176    [MAC-network card] UHLl       0        0     -     1 lo0
192.168.220.255    link#1             UHLb       0        0     -     1 re0
224/4              link#1             UCS        0        0     -     8 re0
```

Details of dig when the VPN connection is ON:

```
$ dig +short microsoft.com
;; connection timed out; no servers could be reached
$
```
virvegto
  • 1
    Please provide a lot more detail. What VPN provider? Please show us (a) IP addresses of your network interfaces and (b) your routing table as a starting point (obfuscate IP addresses as necessary). Do you have a firewall in place? – mjturner Jul 13 '15 at 18:47
  • @mjturner: Answer to first question: it's a commercial VPN service provider (not home-made). What did you mean by *IP addresses of network interface*? And how do I find my routing table? As you know, OpenBSD enables pf firewall, even though it's basic, by default. With or without the pf firewall in place, I'm unable to surf the internet. – virvegto Jul 13 '15 at 19:06
  • @mjturner My problem is quite similar to the one described in the following URL: https://unix.stackexchange.com/questions/186099/dns-resolution-problem-with-openbsd In Ubuntu and Debian, I need to install a package called `resolvconf` and a file called `update-resolv-conf` in `/etc/openvpn/` The `update-resolv-conf` file can be downloaded from https://github.com/masterkorp/openvpn-update-resolv-conf – virvegto Jul 13 '15 at 19:13
  • 1
    @virvegto Please include the output of `ifconfig -a` and `netstat -nr -f inet` (with the OpenVPN connection up) in your question. You can change IP addresses to hide them, but make sure you change them so that we can still see what's going on. You don't need to worry about the `resolvconf` package on OpenBSD. – mjturner Jul 13 '15 at 19:37
  • @mjturner: I've modified my original post to include the additional details you'd requested. – virvegto Jul 14 '15 at 08:05
  • @virvegto I wonder if this is a DNS problem - I can see the routes to `0/1` and `128/1` are being set correctly though (as pushed by the VPN). When connected to the VPN, can you paste the output of a `traceroute` to `8.8.8.8` (Google's public DNS) and a `ping` of the same IP? Also, what's in your `/etc/resolv.conf` - that may need to change when connected to the VPN (try using `8.8.8.8` and `8.8.4.4` temporarily). – mjturner Jul 14 '15 at 08:35
  • @mjturner: *When connected to the VPN, can you paste the output of a traceroute to 8.8.8.8 (Google's public DNS) and a ping of the same IP?* I can tell you without hesitation that when connected to the VPN, launching a ping is impossible. *Also, what's in your /etc/resolv.conf - that may need to change when connected to the VPN* Sorry, I don't understand your question. `resolv.conf` doesn't exist in OpenBSD, only in Ubuntu and Debian. – virvegto Jul 14 '15 at 11:06
  • Please paste the `traceroute` / `ping` information I asked for. Your information above all references hostnames - I think your problem may be DNS-related. Do you not have an `/etc/resolv.conf` file? If so, please create one. OpenBSD most certainly requires a `resolv.conf` file for DNS resolution. – mjturner Jul 14 '15 at 11:30
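
Which route each address mentioned in this thread would take can be checked offline from the pasted routing table by longest-prefix match. The sketch below is an added example, not part of the original post or its comments; `parse_dest`, `load` and `lookup` are hypothetical helper names, and the matching ignores route priority and flags.

```python
import ipaddress

# Rows copied from the `netstat -nr -f inet` output in the question; the
# obfuscated VPN-server row is kept to show that it is skipped as unparsable.
ROUTES = """\
0/1                10.9.0.5           UGS        0        0     -     8 tun0
default            192.168.220.1      UGS        1      137     -     8 re0
10.9.0.1/32        10.9.0.5           UGS        0        0     -     8 tun0
10.9.0.5           10.9.0.6           UH         3        0     -     4 tun0
111.222.333.444/32 192.168.220.1      UGS        0        0     -     8 re0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
128/1              10.9.0.5           UGS        0        0     -     8 tun0
192.168.220/24     link#1             UC         1        0     -     4 re0
224/4              link#1             UCS        0        0     -     8 re0
"""

def parse_dest(dest):
    """Expand netstat's abbreviated destination ('0/1', '192.168.220/24')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # '128' -> '128.0.0.0'
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def load(table):
    """Return (network, gateway, interface) for every parsable row."""
    routes = []
    for line in table.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        try:
            routes.append((parse_dest(f[0]), f[1], f[-1]))
        except ValueError:                       # e.g. 111.222.333.444
            continue
    return routes

def lookup(routes, ip):
    """Longest-prefix match; route priority and flags are ignored here."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

if __name__ == "__main__":
    table = load(ROUTES)
    # Pushed DNS servers, the tunnel peer route, the LAN router, and 8.8.8.8.
    for ip in ("208.67.222.222", "208.67.220.220", "10.9.0.1",
               "192.168.220.1", "8.8.8.8"):
        net, gw, iface = lookup(table, ip)
        print(f"{ip:15} -> {str(net):18} via {gw:14} on {iface}")
```

With this table, both pushed DNS servers match the `128/1` route on `tun0`, and the `default` entry via `re0` is never the longest match for an Internet address.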

0 Answers