jkavx
OpenVpn limits Internet access
I'm logging into an OpenVpn network successfully and I'm able to access the company's web mail site and Svn repository. But when I'm logged into OpenVpn, I'm unable to access any regular Internet sites outside of the company network. The browser just hangs. I'm using IE7 and a Windows XP SP3 operating system. I am able to send and receive messages in my Outlook.
Other colleagues do not have this problem. We all use the same .ovpn configuration file:
client
dev tap
proto udp
remote abc.xxx.com 11952
ca ca.crt
cert local.crt
key local.key
tls-auth tls.key
resolv-retry infinite
nobind
auth-user-pass
persist-tun
persist-key
verb 5
comp-lzo yes
tls-remote "abc.xxx.com"
Does anyone know what might be wrong here?
ASKER
Thx. That makes sense, but my colleagues don't have this problem. So it's something unique to my setup. I'm in New York City and connect to the Internet via Road Runner, so that may be a factor. I have McAfee anti-virus.
I can live with this, I just don't understand what's different about my setup. I was hoping there'd be a simple change to the .ovpn file that would allow me to get to the Internet with my normal connection.
I would double check with your networking group to see if you are supposed to be able to do this.
If you are, they should be able to tell you exactly what to do. If you are supposed to be able to do this and they can't help you, let me know and I will help you figure it out.
ASKER
I spoke with the networking guy who hadn't encountered this before and had no answer for it. So if you can help me, I'd appreciate it.
Issue the command:
netstat -rn
before and after you connect to the VPN and post the output here. I am doing a little reading and from what I have found so far this is actually controlled by the VPN server. Do your co-workers connect to the same exact VPN server?
ASKER
There's a setup package for OpenVpn that installs the .ovpn configuration file that I put in the initial post. So I assume we all connect to the same VPN server. Here are the details from netstat -rn
BEFORE:
Route Table
========================== ========== ========== ========== ========== =========
Interface List
0x1 .......................... . MS TCP Loopback interface
0x2 ...00 15 c5 ba d9 6c ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
0x3 ...00 ff 2c 1f ad 04 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 66.65.92.1 66.65.92.23 20
66.65.92.0 255.255.252.0 66.65.92.23 66.65.92.23 20
66.65.92.23 255.255.255.255 127.0.0.1 127.0.0.1 20
66.255.255.255 255.255.255.255 66.65.92.23 66.65.92.23 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 66.65.92.23 66.65.92.23 20
224.0.0.0 240.0.0.0 66.65.92.23 66.65.92.23 20
255.255.255.255 255.255.255.255 66.65.92.23 66.65.92.23 1
255.255.255.255 255.255.255.255 66.65.92.23 3 1
Default Gateway: 66.65.92.1
========================== ========== ========== ========== ========== =========
Persistent Routes:
None
AFTER:
Route Table
========================== ========== ========== ========== ========== =========
Interface List
0x1 .......................... . MS TCP Loopback interface
0x2 ...00 15 c5 ba d9 6c ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
0x3 ...00 ff 2c 1f ad 04 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
========================== ========== ========== ========== ========== =========
========================== ========== ========== ========== ========== =========
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 66.65.92.1 66.65.92.23 20
1.0.0.0 255.0.0.0 1.16.1.1 1.16.1.4 1
1.16.1.0 255.255.255.0 1.16.1.4 1.16.1.4 30
1.16.1.4 255.255.255.255 127.0.0.1 127.0.0.1 30
1.255.255.255 255.255.255.255 1.16.1.4 1.16.1.4 30
66.65.92.0 255.255.252.0 66.65.92.23 66.65.92.23 20
66.65.92.23 255.255.255.255 127.0.0.1 127.0.0.1 20
66.255.255.255 255.255.255.255 66.65.92.23 66.65.92.23 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 66.65.92.23 66.65.92.23 20
224.0.0.0 240.0.0.0 1.16.1.4 1.16.1.4 30
224.0.0.0 240.0.0.0 66.65.92.23 66.65.92.23 20
255.255.255.255 255.255.255.255 1.16.1.4 1.16.1.4 1
255.255.255.255 255.255.255.255 66.65.92.23 66.65.92.23 1
Default Gateway: 66.65.92.1
========================== ========== ========== ========== ========== =========
Persistent Routes:
None
Well, whatever is blocking your access to the Internet is not a routing table update. Your default route/gateway is still 66.65.92.1.
So that means some other issue is blocking this.
A couple of things to try.
From a command prompt issue the command:
nslookup www.ibm.com
then after you connect to the VPN issue the command:
nslookup www.apple.com
You should get back valid Internet IP addresses for them. Assuming you get back a valid IP address for www.apple.com then issue the command:
tracert -d www.apple.com
ASKER
BEFORE VPN:
C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
Server: dns-cac-vip1.rdc-nyc.rr.com
Address: 24.29.103.15
Non-authoritative answer:
Name: www.ibm.com.nyc.rr.com
Address: 24.28.193.9
C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
Server: waxpool.id-edd.com
Address: 1.19.51.0
Non-authoritative answer:
Name: www.ibm.com.cs186.net
Address: 129.42.56.216
Aliases: www.ibm.com
AFTER VPN:
C:\Documents and Settings\John Kavanaugh.JKLT>tracert -d www.ibm.com
Tracing route to www.ibm.com.cs186.net [129.42.60.216]
over a maximum of 30 hops:
1 8 ms 12 ms 7 ms 10.35.160.1
2 8 ms 7 ms 11 ms 24.29.139.210
3 8 ms 7 ms 6 ms 24.29.157.197
4 9 ms 7 ms 8 ms 24.29.119.94
5 10 ms 7 ms 8 ms 4.79.188.33
6 21 ms 18 ms 18 ms 4.68.99.62
7 13 ms 12 ms 13 ms 4.69.132.101
8 30 ms 40 ms 31 ms 4.69.132.69
9 36 ms 31 ms 31 ms 4.69.132.113
10 60 ms 71 ms 72 ms 4.69.132.61
11 54 ms 53 ms 56 ms 4.68.107.163
12 57 ms 55 ms 56 ms 209.245.20.10
13 57 ms 57 ms 58 ms 10.15.255.26
14 64 ms 60 ms 59 ms 10.15.255.50
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
ASKER
Sorry, it might have been obvious, but I put the AFTER VPN: comment in the wrong place. It should have been before this line:
AFTER VPN:
C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
ASKER CERTIFIED SOLUTION
ASKER
I don't know FireFox, so I'll have to try and see what IE might be doing. I do notice that when I'm connected to the VPN, every website that I try to connect to shows in the lower left of the browser as "connecting to 1.19.6.254". But the browser just hangs.
It looks like somehow your IE may be set up to use a proxy server and when you are not connected to the VPN it can't get to the proxy server so it just goes directly to the web site. When you are connected to the VPN it is attempting to get to the proxy server and something is broken.
Next step is to see if you are supposed to be using a proxy at all. Ask your networking group and you may want to ask what 1.19.6.254 is. You could look at your IE settings; I doubt you have a proxy server hard coded or you would have problems all of the time. My guess is that IE may be set up with an autoproxy config.
ASKER
I don't see any autoproxy configuration. Let me check with the networking group about 1.19.6.254.
Thx for your help.
Then your company may set up internal network security to prevent Internet access if you are coming from the VPN server. This prevents traffic flowing over your company's Internet connection twice.
The reason this is done is that when you connect to the VPN server, if you could still access the Internet via your normal connection, your PC can now act like a router between your company's secure network and the Internet, thus making your company's secure network unsecured.
You need to see if your company allows what is called split tunneling when connected to the VPN.
If they do, they will guide you on how to set it up. If they do not, then you are stuck because if you try to do it on your own you will be violating company policy and most likely could be terminated.
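The route-table reading used in this thread, as an added example that is not part of any post: it parses a subset of the Active Routes rows from the AFTER output above and applies longest-prefix matching to show which adapter a destination leaves through. The function names and `TAP_ADDRESS` are assumptions made for the illustration.

```python
import ipaddress

# Active Routes rows copied from the AFTER-VPN `netstat -rn` output in this thread.
AFTER_VPN = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 66.65.92.1 66.65.92.23 20
1.0.0.0 255.0.0.0 1.16.1.1 1.16.1.4 1
1.16.1.0 255.255.255.0 1.16.1.4 1.16.1.4 30
1.16.1.4 255.255.255.255 127.0.0.1 127.0.0.1 30
1.255.255.255 255.255.255.255 1.16.1.4 1.16.1.4 30
66.65.92.0 255.255.252.0 66.65.92.23 66.65.92.23 20
66.65.92.23 255.255.255.255 127.0.0.1 127.0.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
"""
TAP_ADDRESS = "1.16.1.4"  # assumption: TAP-Win32 adapter address, inferred from the table

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each well-formed row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or wrapped line
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            ipaddress.ip_address(gateway)
            ipaddress.ip_address(iface)  # rejects rows whose interface is an index
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes

def select_route(routes, target):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

def egress(routes, target):
    """Classify a destination as leaving via the VPN adapter or the local ISP link."""
    route = select_route(routes, target)
    if route is None:
        return "unroutable"
    return "vpn" if route[2] == TAP_ADDRESS else "local"

ROUTES = parse_routes(AFTER_VPN)

if __name__ == "__main__":
    for ip in ("129.42.56.216", "1.19.51.0", "1.19.6.254"):
        net, gw, iface, _ = select_route(ROUTES, ip)
        print(f"{ip:15} -> {net} via {gw} [{egress(ROUTES, ip)}]")
```

Only 1.0.0.0/8 is routed into the tunnel: the DNS server 1.19.51.0 and the address 1.19.6.254 shown by the browser both fall in that range, while public addresses such as 129.42.56.216 still match the default route through 66.65.92.1.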