1
I've set up a Debian box as a PPTP VPN router for other computers on our network - the Debian box establishes a PPTP connection to a remote VPN service and then routes all Internet traffic via the VPN.
From the router itself I can access all websites, everything works fine.
But from other client computers on the network using the router as the default gateway, these machines can only access about 50% of websites for some reason. For example, I can access www.bbc.co.uk but not www.speedtest.net - yet both of these sites work fine when testing with a text-based browser directly on the router's command line.
From the other computers we can ping and traceroute to the non-working sites, it's just web access which won't load (the browser times out waiting for a response).
The following are the iptables rules we've used on the router to enable NAT:
iptables --table nat --append POSTROUTING -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
Also IP forwarding has been enabled with:
echo 1 > /proc/sys/net/ipv4/ip_forward
If I disconnect the VPN on the Debian box and traffic routes through the DSL connection via the Debian router, all websites load properly from client computers - so this problem only occurs when the VPN is connected (though all sites can be accessed directly from the router when connected via the VPN so this rules out a problem with the VPN as such).
Does anyone have any suggestions as to what might be causing this and what I need to do to fix this?
Chris
Posted 2013-08-05T11:31:14.433
Reputation: 202
Are there any proxy settings set in the browser? – trpt4him – 2013-08-05T13:22:17.010
No proxy settings set - it's the same if I try from any browser on any computer or mobile device. Forgot to state in the original question: if I disconnect the VPN on the Debian box and the traffic routes through the DSL connection, all websites load properly. So it only occurs when the VPN is connected (but all sites load fine when accessed directly on the router via the VPN). – Chris – 2013-08-05T15:09:21.333
And is the same DNS server being used whether traffic is flowing through the VPN or direct through ISP? Most VPNs allow a separate DNS setting. You could try a speedtest.net IP to rule that out:
216.146.46.10– trpt4him – 2013-08-05T15:26:53.670Thanks for your reply. Just tried the Speedtest IP with and without the VPN and it works both ways which is promising. The DNS is the same regardless of the VPN state - we have Dnsmasq running on the Debian box at 192.168.1.3 and this is set as the primary/secondary DNS for all local DHCP clients connecting through the router (192.168.1.3 is also the gateway address). DNS resolution via 192.168.1.3 on client computers works fine with and without the VPN connected. – Chris – 2013-08-05T21:03:10.683
I'm wondering if some sites use a different protocol or some sort of proxy which doesn't work with my current iptables firewall setup? It is strange that 50% of sites do work, and 50% don't - but with the VPN disconnected it all works fine. – Chris – 2013-08-08T12:05:36.267
Well it sounds like we've just about narrowed it down to a DNS issue. Do you have any OUTPUT iptables rules, or is everything allowed? Remember that DNS usually operates over UDP instead of TCP, though IIRC it does sometimes use TCP. – trpt4him – 2013-08-08T12:18:46.030
If I do an nslookup on one of the clients either with or without the VPN connected, the DNS lookup works fine. DNS lookups go via 192.168.1.3 regardless of VPN or not. If it was a DNS issue wouldn't you expect this to be an all-or-nothing situation rather than 50/50? I don't have any OUTPUT iptables rules set in the firewall. – Chris – 2013-08-08T16:37:17.200
So if you do an nslookup to speedtest.net either through VPN or not, it returns the IP, and if you go to speedtest.net in the browser it doesn't work, but if you go to the IP, it does? – trpt4him – 2013-08-09T12:48:34.547
That's correct - though the IP comes back blank eg http://72.21.92.82 as opposed to loading the site.
When connected to VPN and trying to access www.speedtest.net, Chrome just says "Waiting for www.speedtest.net..." in the status bar and the loading icon on the toolbar just keeps spinning.
While I can't load www.speedtest.net on the web via the VPN, I can ping it just fine.