OpenVPN connects to internet, but internet does not work

michael_a
Posts: 28
Joined: 2016-05-03 13:59

OpenVPN connects to internet, but internet does not work

#1 Post by michael_a »

I'm trying to connect to a VPN server using OpenVPN on Debian stretch/stable. The documentation for this company's VPN says to run

Code: Select all

sudo openvpn [file name]
where the file is an authentication file for one of their servers, e.g. us1020.nordvpn.com.tcp.ovpn. However, once I do this, my internet doesn't connect. On Windows, their VPN client works, so I'm fairly confident it's not my router or their servers. After searching online for a while, I couldn't find any solution, but I'm including information that might be helpful to debug this, per other forum posts.


Routing table without the VPN:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp0s31f6
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s31f6
Routing table with the VPN:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.7.7.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp0s31f6
10.7.7.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
38.132.111.195  192.168.1.1     255.255.255.255 UGH       0 0          0 enp0s31f6
128.0.0.0       10.7.7.1        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s31f6
ifconfig on my ethernet interface, with the VPN running

Code: Select all

enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.108  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::529a:4cff:fe51:2904  prefixlen 64  scopeid 0x20<link>
        ether 50:9a:4c:51:29:04  txqueuelen 1000  (Ethernet)
        RX packets 311291  bytes 369763756 (352.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 225890  bytes 64590566 (61.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7100000-f7120000
ifconfig on the tunnel, with the VPN running

Code: Select all

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.7.7.213  netmask 255.255.255.0  destination 10.7.7.213
        inet6 fe80::6f6e:4807:2bb8:3a9d  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 24  bytes 1872 (1.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 150  bytes 33452 (32.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


I ran the following commands, shamelessly stolen from an Ubuntu forums post (that didn't solve the problem)

Code: Select all

ifconfig
route -n
cat /etc/resolv.conf
ping -c3 91.189.94.186
ping -c3 ubuntuforums.com
with the VPN running:

Code: Select all

user@workstation:~$ sudo ifconfig
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.108  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::529a:4cff:fe51:2904  prefixlen 64  scopeid 0x20<link>
        ether 50:9a:4c:51:29:04  txqueuelen 1000  (Ethernet)
        RX packets 311492  bytes 369786355 (352.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 226082  bytes 64646658 (61.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7100000-f7120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 254  bytes 12964 (12.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 254  bytes 12964 (12.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.7.7.213  netmask 255.255.255.0  destination 10.7.7.213
        inet6 fe80::6f6e:4807:2bb8:3a9d  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 48  bytes 3640 (3.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 211  bytes 43492 (42.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Code: Select all

user@workstation:~$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.7.7.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
10.7.7.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
38.132.111.195  192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s31f6
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6

Code: Select all

user@workstation:~$ cat /etc/resolv.conf
domain hsd1.il.comcast.net.
search hsd1.il.comcast.net.
nameserver 75.75.75.75
nameserver 75.75.76.76

Code: Select all

user@workstation:~$ ping -c3 91.189.94.186
PING 91.189.94.186 (91.189.94.186) 56(84) bytes of data.
From 91.189.88.5 icmp_seq=1 Destination Host Unreachable
From 91.189.88.5 icmp_seq=2 Destination Host Unreachable
From 91.189.88.5 icmp_seq=3 Destination Host Unreachable

--- 91.189.94.186 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2026ms
pipe 3

Code: Select all

user@workstation:~$ ping -c3 ubuntuforums.com
ping: ubuntuforums.com: Temporary failure in name resolution

Code: Select all

user@workstation:~$ sudo iptables-save -c
and without the VPN running:

Code: Select all

user@workstation:~$ sudo ifconfig
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.108  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::529a:4cff:fe51:2904  prefixlen 64  scopeid 0x20<link>
        ether 50:9a:4c:51:29:04  txqueuelen 1000  (Ethernet)
        RX packets 312106  bytes 369851244 (352.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 226685  bytes 64736218 (61.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7100000-f7120000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 254  bytes 12964 (12.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 254  bytes 12964 (12.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Code: Select all

user@workstation:~$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6

Code: Select all

user@workstation:~$ cat /etc/resolv.conf
domain hsd1.il.comcast.net.
search hsd1.il.comcast.net.
nameserver 75.75.75.75
nameserver 75.75.76.76

Code: Select all

user@workstation:~$ ping -c3 91.189.94.186
PING 91.189.94.186 (91.189.94.186) 56(84) bytes of data.
From 91.189.88.5 icmp_seq=1 Destination Host Unreachable
From 91.189.88.5 icmp_seq=2 Destination Host Unreachable
From 91.189.88.5 icmp_seq=3 Destination Host Unreachable

--- 91.189.94.186 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2025ms
pipe 3

Code: Select all

user@workstation:~$ ping -c3 ubuntuforums.com
PING ubuntuforums.com (91.189.94.16) 56(84) bytes of data.
64 bytes from marula.canonical.com (91.189.94.16): icmp_seq=1 ttl=47 time=107 ms
64 bytes from marula.canonical.com (91.189.94.16): icmp_seq=2 ttl=47 time=107 ms
64 bytes from marula.canonical.com (91.189.94.16): icmp_seq=3 ttl=47 time=108 ms

--- ubuntuforums.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 107.151/107.931/108.934/0.791 ms

Code: Select all

user@workstation:~$ sudo iptables-save -c
What am I doing wrong? Are there other diagnostics I should run?

gradinaruvasile
Posts: 935
Joined: 2010-01-31 22:03
Location: Cluj, Romania

Re: OpenVPN connects to internet, but internet does not work

#2 Post by gradinaruvasile »

First of all you have to test the connectivity to your default gateway:

Code: Select all

ping 10.7.7.1
Does that work?
After that ping something from the net such as Google's DNS 8.8.8.8

Then ping your DNS servers.
And run DNS queries on them to see if they work:

Code: Select all

host www.google.com
Some providers restrict DNS queries to their own networks, so if you go out via the VPN, the queries will come from whatever IP address the VPN provider NATs your outgoing packets through.

michael_a
Posts: 28
Joined: 2016-05-03 13:59

Re: OpenVPN connects to internet, but internet does not work

#3 Post by michael_a »

Pinging the default gateway does work

Code: Select all


user@workstation:~$ ping -c3 10.7.7.1
PING 10.7.7.1 (10.7.7.1) 56(84) bytes of data.
64 bytes from 10.7.7.1: icmp_seq=1 ttl=64 time=44.1 ms
64 bytes from 10.7.7.1: icmp_seq=2 ttl=64 time=44.1 ms
64 bytes from 10.7.7.1: icmp_seq=3 ttl=64 time=45.1 ms

--- 10.7.7.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 44.106/44.464/45.152/0.515 ms
as does pinging Google's DNS server

Code: Select all

user@workstation:~$ ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=44.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=114 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=46.6 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 44.324/68.342/114.095/32.366 ms
and the nameservers I have set in /etc/resolv.conf

Code: Select all

user@workstation:~$ ping -c3 75.75.75.75
PING 75.75.75.75 (75.75.75.75) 56(84) bytes of data.
64 bytes from 75.75.75.75: icmp_seq=1 ttl=55 time=82.3 ms
64 bytes from 75.75.75.75: icmp_seq=2 ttl=55 time=47.3 ms
64 bytes from 75.75.75.75: icmp_seq=3 ttl=55 time=60.9 ms

--- 75.75.75.75 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 47.345/63.579/82.394/14.426 ms
However, when I try to resolve a domain, I get an error

Code: Select all

user@workstation:~$ host www.google.com
Host www.google.com not found: 5(REFUSED)
Since it looked like the DNS servers were the problem, I contacted the VPN provider and they gave me DNS servers to use. Updating /etc/resolv.conf with those solves the problem. So, thank you!

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: OpenVPN connects to internet, but internet does not work

#4 Post by reinob »

michael_a wrote: Since it looked like the DNS servers were the problem, I contacted the VPN provider and they gave me DNS servers to use. Updating /etc/resolv.conf with those solves the problem. So, thank you!
Most ISPs refuse to resolve DNS for random strangers (in your case, from your VPN provider).
As you found out, either your VPN provider lets you use their DNS (which makes sense if you want to avoid leaking DNS...), or you use a public DNS (such as 8.8.8.8), which informs Google of all your (look-up) activities.

You may or may not trust Google more or less than your VPN provider. That's up to you, of course.
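
Added example, not part of any post in this thread: a longest-prefix-match lookup over the routing tables and /etc/resolv.conf quoted in post #1, showing which interface each configured nameserver is reached through. The function names are made up for this illustration; the data is copied from the thread.

```shell
#!/bin/sh
# Inputs copied from post #1 (route -n with and without the VPN, resolv.conf).
ROUTES_VPN='0.0.0.0         10.7.7.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
10.7.7.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
38.132.111.195  192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s31f6
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6'
ROUTES_PLAIN='0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6'
RESOLV_CONF='domain hsd1.il.comcast.net.
search hsd1.il.comcast.net.
nameserver 75.75.75.75
nameserver 75.75.76.76'

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# egress_iface IP ROUTES: pick the matching route with the longest netmask,
# which is how the kernel chooses between the /1 VPN routes and the default.
egress_iface() {
    ip=$(ip2int "$1"); best=-1; best_if=none
    while read -r dest gw mask flags metric ref use iface; do
        d=$(ip2int "$dest"); m=$(ip2int "$mask")
        if [ $(( $ip & $m )) -eq "$d" ] && [ "$m" -gt "$best" ]; then
            best=$m; best_if=$iface
        fi
    done <<EOF
$2
EOF
    echo "$best_if"
}

# resolver_paths RESOLV ROUTES: one "nameserver interface" line per resolver.
resolver_paths() {
    printf '%s\n' "$1" | while read -r key value rest; do
        if [ "$key" = nameserver ]; then
            echo "$value $(egress_iface "$value" "$2")"
        fi
    done
}

echo "with VPN:";    resolver_paths "$RESOLV_CONF" "$ROUTES_VPN"
echo "without VPN:"; resolver_paths "$RESOLV_CONF" "$ROUTES_PLAIN"
```

With the VPN up, both ISP resolvers are reached through tun0, so the ISP sees the queries arriving from the VPN provider's address, which matches the REFUSED answer in post #3. The same lookup shows that a resolver on the local subnet, such as 192.168.1.1, would still leave via enp0s31f6 because the /24 route is more specific than the VPN's /1 routes, so lookups sent to it stay outside the tunnel.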
