Unable to connect to websites when connected to VPN #584
Comments
Did you check the troubleshooting guide? |
I did. I tried troubleshooting by adjusting the MTU, but I still can't seem to reach sites. Pings go through just fine when connected to my Algo instance, but trying to reach sites via the browser or even via curl and wget fails.
The wget was killed after waiting about 2 minutes. |
I'm experiencing exactly the same symptoms on my Arch Linux laptop, and I also tried adjusting the MTU, which didn't help. The log messages are exactly the same as those posted by @donniebishop except for the IP addresses and username. Like @donniebishop, the issue does not occur on my Android phone.
OS / environment / software versions: same as @donniebishop
On the client machine (my Arch Linux laptop), I'm using strongswan 5.5.3 (built using the AUR package with NetworkManager support enabled with the |
I have this problem on my new Arch laptop too, but it works fine on my old one. |
@blueonyx Do you know what's different on your old Arch laptop? (Maybe an older version of strongswan or a different configuration?) |
I found it's the kernel version! If I downgrade my new box from linux 4.11.{3,5}-1 to linux 4.10.13-1 it works as expected! Although the output of all these commands is the same no matter the kernel version:
|
This does, in fact, appear to be a kernel issue with Linux 4.11:
Edit: By the way, thanks for isolating the issue to the kernel version, @blueonyx! I was messing around with the strongswan version with no success. |
Nice find @blueonyx! I downgraded to 4.10.10 from 4.11.6 and the VPN is working once more, smooth as silk. Great find, and will certainly be keeping an eye out for updates to the 4.11 strongswan bug - thanks to @jturner314 for finding those links as well 👍 |
Is it possible to have info about which kernel versions have this problem be put somewhere in the docs? |
I had a different issue but with very similar symptoms, so I'm commenting here in case it helps (issue was fixed by networking change, see below).
My IPSec connection was from macOS 10.11 to Ubuntu 18.04 (kernel 4.15) server, created in AWS by the
I found that connecting via one broadband provider worked perfectly. Ping and website access worked for a range of sites. The other broadband provider (fixed wireless) was fine for pings, and connection stayed up, but only a few websites worked (https://google.com, https://bing.com/), with various http and https sites never finishing load (usually not loading the main page).
I tried restarting the VPN server, reducing MTU to 1300 (ping test was fine), disabling IPv6 (in fact all traffic was IPv4 anyway, this was just to check), etc. I read the Troubleshooting guide but only the MTU action applied.
This provider just did a firmware upgrade for a router (2 hops away from Mac, and not involved in IPSec at all), which completely fixed this. So if you get this type of issue, I recommend:
Perhaps this could be added to the Troubleshooting doc along with "check you don't have kernel 4.11"? Algo is now working well - thanks for all the effort that has gone into this! |
Is there a work-around for this for an 18.04 Ubuntu client aside from downgrading the kernel? I can't seem to use VPN on Ubuntu but everywhere else it works fine. |
Same issue here. |
May be an MTU issue as stated above. |
Yeah, I tried setting the MTU but it didn't work. Off topic: If I use |
OS / Environment
Ubuntu / DigitalOcean
Ansible version
2.2.0.0
Version of components from requirements.txt
msrestazure: 0.4.8
setuptools: 36.0.1
dopy 0.3.5
boto 2.47.0
boto3 1.4.4
azure 2.0.0rc5
msrest 0.4.1
apache-libcloud 2.0.0
six 1.10.0
pyopenssl 17.0.0
jinja2 2.8
Summary of the problem
After connecting to the VPN via strongswan (ipsec up algo), the connection is successfully established, but I am unable to connect to websites and browse. Pings and mtrs to many sites are successful, both against IPs and domain names (google.com, placekitten.com, and github.com are sites I have been testing). However, browsing via HTTP/HTTPS and connecting to IRC servers fails.
This is only solved by disconnecting from the VPN (ipsec down algo). When disconnecting, I do get an ominous message about an iptables rule:
I did a full iptables flush of all chains, but this did not alleviate the issues I saw.
Steps to reproduce the behavior
Connect to Algo DigitalOcean instance via strongswan (ipsec algo up). Problem is only solved by disconnecting. Only affects my Arch Linux laptop. Issue does not occur on my Android phone when connecting to the VPN.
The way of deployment (cloud or local)
Cloud
Expected behavior
Expect to be able to browse and connect to internet sites/irc servers
Actual behavior
I am unable to connect to web and irc servers until I disconnect from my Algo instance
Full log