jkavx


OpenVpn limits Internet access


I'm logging into an OpenVpn network successfully and I'm able to access the company's web mail site and Svn repository. But when I'm logged into OpenVpn, I'm unable to access any regular Internet sites outside of the company network. The browser just hangs. I'm using IE7 and a Windows XP SP3 operating system. I am able to send and receive messages in my Outlook.

Other colleagues do not have this problem.  We all use the same .opvn configuration file:

client
dev          tap
proto        udp
remote       abc.xxx.com 11952
ca           ca.crt
cert         local.crt
key          local.key
tls-auth     tls.key
resolv-retry infinite
nobind
auth-user-pass
persist-tun
persist-key
verb         5
comp-lzo     yes
tls-remote   "abc.xxx.com"

Does anyone know what might be wrong here?
giltjr

This could be by design. Normally when you connect to a VPN server your default route is set to point to the VPN server. This way all traffic goes through the VPN tunnel.

Then your company may set up internal network security to prevent Internet access if you are coming from the VPN server. This prevents traffic flowing over your company's Internet connection twice.

The reason this is done is that when you connect to the VPN server, if you could still access the Internet via your normal connection, your PC can now act like a router between your company's secure network and the Internet, thus making your company's secure network unsecured.

You need to see if your company allows what is called split tunneling when connected to the VPN.

If they do, they will guide you on how to set it up. If they do not, then you are stuck because if you try to do it on your own you will be violating company policy and most likely could be terminated.
jkavx

ASKER

Thx. That makes sense, but my colleagues don't have this problem. So it's something unique to my setup. I'm in New York City and connect to the Internet via Road Runner, so that may be a factor. I have McAfee anti-virus.

I can live with this, I just don't understand what's different about my setup.  I was hoping there'd be a simple change to the .opvn file that would allow me to get to the Internet with my normal connection.
I would double check with your networking group to see if you are supposed to be able to do this.

If you are, they should be able to tell you exactly what to do.  If you are supposed to be able to do this and they can't help you, let me know and I will help you figure it out.
jkavx

ASKER


I spoke with the networking guy who hadn't encountered this before and had no answer for it.  So if you can help me, I'd appreciate it.
Issue the command:

     netstat -rn


before and after you connect to the VPN and post the output here. I'm doing a little reading and from what I have found so far this is actually controlled by the VPN server. Do your co-workers connect to the same exact VPN server?
jkavx

ASKER

There's a setup package for OpenVpn that installs the .opvn configuration file that I put in the initial post.  So I assume we all connect to the same VPN server.  Here are the details from netstat -rn

BEFORE:

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 ba d9 6c ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
0x3 ...00 ff 2c 1f ad 04 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       66.65.92.1     66.65.92.23       20
       66.65.92.0    255.255.252.0      66.65.92.23     66.65.92.23       20
      66.65.92.23  255.255.255.255        127.0.0.1       127.0.0.1       20
   66.255.255.255  255.255.255.255      66.65.92.23     66.65.92.23       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      66.65.92.23     66.65.92.23       20
        224.0.0.0        240.0.0.0      66.65.92.23     66.65.92.23       20
  255.255.255.255  255.255.255.255      66.65.92.23     66.65.92.23       1
  255.255.255.255  255.255.255.255      66.65.92.23               3       1
Default Gateway:        66.65.92.1
===========================================================================
Persistent Routes:
  None


AFTER:
Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 ba d9 6c ...... Broadcom 440x 10/100 Integrated Controller - Pac
ket Scheduler Miniport
0x3 ...00 ff 2c 1f ad 04 ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       66.65.92.1     66.65.92.23       20
          1.0.0.0        255.0.0.0         1.16.1.1        1.16.1.4       1
         1.16.1.0    255.255.255.0         1.16.1.4        1.16.1.4       30
         1.16.1.4  255.255.255.255        127.0.0.1       127.0.0.1       30
    1.255.255.255  255.255.255.255         1.16.1.4        1.16.1.4       30
       66.65.92.0    255.255.252.0      66.65.92.23     66.65.92.23       20
      66.65.92.23  255.255.255.255        127.0.0.1       127.0.0.1       20
   66.255.255.255  255.255.255.255      66.65.92.23     66.65.92.23       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      66.65.92.23     66.65.92.23       20
        224.0.0.0        240.0.0.0         1.16.1.4        1.16.1.4       30
        224.0.0.0        240.0.0.0      66.65.92.23     66.65.92.23       20
  255.255.255.255  255.255.255.255         1.16.1.4        1.16.1.4       1
  255.255.255.255  255.255.255.255      66.65.92.23     66.65.92.23       1
Default Gateway:        66.65.92.1
===========================================================================
Persistent Routes:
  None

Well, whatever is blocking your access to the Internet is not a routing table update. Your default route/gateway is still 66.65.92.1.

So that means some other issue is blocking this.

A couple of things to try.

From a command prompt issue the command:

     nslookup www.ibm.com

then after you connect to the VPN issue the command:

    nslookup www.apple.com

You should get back valid Internet IP addresses for them.  Assuming you get back a valid IP address for www.apple.com then issue the command:

     tracert -d www.apple.com
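
The route-table comparison made in this answer, as an added example that is not part of the original thread: a Python script that parses Windows netstat -rn output taken before and after connecting and reports whether the VPN took over the default route (full tunnel) or only added specific networks (split tunnel). The sample rows are abridged from the tables posted above; the function names, and the extra check for the pair of /1 routes that OpenVPN's redirect-gateway def1 installs, are additions that go beyond the case in the thread.

```python
import ipaddress
import re

# Rows abridged from the BEFORE/AFTER "netstat -rn" tables posted in this thread.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       66.65.92.1     66.65.92.23       20
       66.65.92.0    255.255.252.0      66.65.92.23     66.65.92.23       20
        224.0.0.0        240.0.0.0      66.65.92.23     66.65.92.23       20
  255.255.255.255  255.255.255.255      66.65.92.23               3       1
Default Gateway:        66.65.92.1
"""
AFTER = BEFORE + """\
          1.0.0.0        255.0.0.0         1.16.1.1        1.16.1.4       1
         1.16.1.0    255.255.255.0         1.16.1.4        1.16.1.4       30
         1.16.1.4  255.255.255.255        127.0.0.1       127.0.0.1       30
        224.0.0.0        240.0.0.0         1.16.1.4        1.16.1.4       30
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# "redirect-gateway def1" overrides the default with two /1 routes instead of replacing it.
DEF1 = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def parse_routes(text):
    """Return a set of (network, gateway, interface, metric) from route-table text."""
    routes = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers, separators and "Default Gateway:" lines do not match
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.add((net, gw, iface, int(metric)))
    return routes

def default_gateway(routes):
    """Gateway of the lowest-metric 0.0.0.0/0 route, or None if there is none."""
    cands = [r for r in routes if r[0] == DEFAULT]
    return min(cands, key=lambda r: r[3])[1] if cands else None

def vpn_route_effect(before_text, after_text):
    """Classify what connecting the VPN did to the routing table."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    added = {r[0] for r in after - before}
    full = default_gateway(after) != default_gateway(before) or DEF1 <= added
    # Host, broadcast and multicast entries are bookkeeping, not tunnelled networks.
    tunnelled = sorted(n for n in added if n.prefixlen < 32 and not n.is_multicast)
    return {"mode": "full-tunnel" if full else "split-tunnel",
            "default_gateway": default_gateway(after),
            "added": [str(n) for n in tunnelled]}

if __name__ == "__main__":
    print(vpn_route_effect(BEFORE, AFTER))
```
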





jkavx

ASKER

BEFORE VPN:

C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
Server:  dns-cac-vip1.rdc-nyc.rr.com
Address:  24.29.103.15

Non-authoritative answer:
Name:    www.ibm.com.nyc.rr.com
Address:  24.28.193.9


C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
Server:  waxpool.id-edd.com
Address:  1.19.51.0

Non-authoritative answer:
Name:    www.ibm.com.cs186.net
Address:  129.42.56.216
Aliases:  www.ibm.com


AFTER VPN:

C:\Documents and Settings\John Kavanaugh.JKLT>tracert -d www.ibm.com

Tracing route to www.ibm.com.cs186.net [129.42.60.216]
over a maximum of 30 hops:

  1     8 ms    12 ms     7 ms  10.35.160.1
  2     8 ms     7 ms    11 ms  24.29.139.210
  3     8 ms     7 ms     6 ms  24.29.157.197
  4     9 ms     7 ms     8 ms  24.29.119.94
  5    10 ms     7 ms     8 ms  4.79.188.33
  6    21 ms    18 ms    18 ms  4.68.99.62
  7    13 ms    12 ms    13 ms  4.69.132.101
  8    30 ms    40 ms    31 ms  4.69.132.69
  9    36 ms    31 ms    31 ms  4.69.132.113
 10    60 ms    71 ms    72 ms  4.69.132.61
 11    54 ms    53 ms    56 ms  4.68.107.163
 12    57 ms    55 ms    56 ms  209.245.20.10
 13    57 ms    57 ms    58 ms  10.15.255.26
 14    64 ms    60 ms    59 ms  10.15.255.50
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
jkavx

ASKER

Sorry, it might have been obvious, but I put the AFTER VPN:  comment in the wrong place.  It should have been before this line:

AFTER VPN:  
C:\Documents and Settings\John Kavanaugh.JKLT>nslookup www.ibm.com
ASKER CERTIFIED SOLUTION
giltjr
This solution is only available to members.
jkavx

ASKER

I don't know FireFox, so I'll have to try and see what IE might be doing.  I do notice that when I'm connected to the VPN, every website that I try to connect to shows in the lower left of the browser as "connecting to 1.19.6.254".  But the browser just hangs.
It looks like somehow your IE may be set up to use a proxy server and when you are not connected to the VPN it can't get to the proxy server so it just goes directly to the web site. When you are connected to the VPN it is attempting to get to the proxy server and something is broken.

Next step is to see if you are supposed to be using a proxy at all. Ask your networking group and you may want to ask what 1.19.6.254 is. You could look at your IE settings, I doubt if you have a proxy server hard coded or you would have problems all of the time. My guess is that IE may be set up with an autoproxy config.
jkavx

ASKER

I don't see any autoproxy configuration.  Let me check with the networking group about 1.19.6.254.

Thx for your help.