
#1 2021-08-15 08:15:50

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

[SOLVED] Can not access many sites when using VPN

When not using a VPN, I seem to be able to access all websites available in the country where I currently reside. However, as soon as I connect to my vpn (using Strongswan, the only method available for Linux users in my case), most websites cannot be accessed at all, including many which can be accessed without a VPN. In other words, I can access more sites without vpn than with vpn, which does not make sense. My vpn provider spent weeks trying to solve my problem and gave up without a solution.

I tried everything I could find, like trying various DNS servers, installing / removing everything relating to DNS / resolving.

The only thing that looked close was the TCP window scaling problem. However, I tried both solutions provided (the bad and the good) without any change.

Strangely, if I use Firefox (which I normally don't), I have the option to use DNS over HTTPS in the settings. But it still does not solve the problem. It makes no difference whatsoever. Even using private / incognito mode in any browser does not improve the situation.

The websites I can not access when using the vpn: duolingo.com, gmx.com, gmail.com, linkedin.com, scmp.com (probably many others as well). Luckily, most of them (except gmail and scmp, which are not crucial to me) work fine when I am not connected to the vpn, but it's annoying to have to switch the vpn on and off all the time depending on what I need to do.

Strangely, I can access any website without any problem from my Android phone, when connected by wifi to the same router (to which my Archlinux desktop is connected by wire) and to the same vpn (also using Strongswan, although the android version). So it seems that it has to do with my Arch linux configuration. It has been 2 months already. Before that everything was working fine, and I did not make any change to my configuration except the routine updates.

I would appreciate any help.

Last edited by damienmarsic (2021-08-19 06:49:57)


#2 2021-08-15 13:26:47

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

Compare

dig gmail.com

w/ and w/o VPN and then tracepath the IP, eg.

tracepath 172.217.16.133

The last IP should be somewhere at Google, what you can check eg.

whois 74.125.32.52

What could be an issue is a DNS cache like systemd-resolved in which case either
a) just don't use this nonsense
b)

sudo pkill -SIGUSR2 systemd-resolved # drop caches


#3 2021-08-16 00:38:02

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

When using the vpn, tracepath shows no reply from the beginning, while without vpn, it shows many lines before reaching no reply (gmail is not available in China where I am currently).

With VPN on:

[daming@archlinux ~]$ dig gmail.com

; <<>> DiG 9.16.19 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gmail.com.			IN	A

;; ANSWER SECTION:
gmail.com.		234	IN	A	172.217.24.5

;; Query time: 3 msec
;; SERVER: 192.168.3.1#53(192.168.3.1)
;; WHEN: Mon Aug 16 08:24:51 CST 2021
;; MSG SIZE  rcvd: 54

[daming@archlinux ~]$ tracepath 172.217.24.5
 1?: [LOCALHOST]                      pmtu 1422
 1:  no reply
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply

Without VPN:

[daming@archlinux ~]$ dig gmail.com

; <<>> DiG 9.16.19 <<>> gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46720
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gmail.com.			IN	A

;; ANSWER SECTION:
gmail.com.		238	IN	A	172.217.27.133

;; Query time: 13 msec
;; SERVER: 192.168.3.1#53(192.168.3.1)
;; WHEN: Mon Aug 16 08:29:08 CST 2021
;; MSG SIZE  rcvd: 54

[daming@archlinux ~]$ tracepath 172.217.27.133
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.554ms 
 1:  _gateway                                              0.477ms 
 2:  192.168.1.1                                           1.396ms 
 3:  192.168.1.1                                           1.307ms pmtu 1484
 3:  221.178.235.217                                       2.550ms 
 4:  183.213.14.65                                         4.198ms 
 5:  183.213.49.230                                        7.476ms 
 6:  183.213.49.229                                        4.767ms asymm  4 
 7:  109.25.207.183.static.js.chinamobile.com             12.262ms asymm  5 
 8:  from-NJ-JNZSL-3.js.chinamobile.com                   13.828ms asymm  6 
 9:  no reply

Systemd-resolved is not installed. Networkmanager is.


#4 2021-08-16 06:13:26

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

Systemd-resolved is not installed. Networkmanager is.

pacman -Qo /usr/lib/systemd/systemd-resolved

NM might be using it, https://wiki.archlinux.org/title/Networ … d-resolved but dig receives a reply from your gateway (router)
It's a google server in both cases so it's not a DNS issue.

The local tracepath issue smells firewall related, https://wiki.archlinux.org/title/Iptabl … rent_rules
If you're using ufw, that's gonna be a mess of an output, so also look at "ufw status" - https://wiki.archlinux.org/title/Uncomp … figuration

But also be sure to check "ip r" to see whether your VPN configures a different default gateway


#5 2021-08-16 07:54:20

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] Can not access many sites when using VPN

It might also be useful to see how the kernel interprets the routes and what it wants to do to connect, e.g.

ip route get 172.217.24.5

Strongswan might use multiple routing tables, so "ip r" alone would not be enough, it might take a combination of "ip rule" and "ip route show table..." to list all routes. (Maybe even firewall rules and fwmark...)

Last edited by progandy (2021-08-16 08:02:18)



#6 2021-08-16 12:08:34

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

[daming@archlinux ~]$ pacman -Qo /usr/lib/systemd/systemd-resolved
/usr/lib/systemd/systemd-resolved is owned by systemd 249.3-1

How do I remove systemd-resolved? I don't find any package by that name.

ufw is not installed.

With VPN on:

[daming@archlinux ~]$ ip r
default via 192.168.3.1 dev enp37s0 proto dhcp metric 100 
192.168.3.0/24 dev enp37s0 proto kernel scope link src 192.168.3.4 metric 100 

[daming@archlinux ~]$ ip route get 172.217.24.5
172.217.24.5 via 192.168.3.1 dev enp37s0 table 220 src 10.6.3.75 uid 1001 
    cache 
[daming@archlinux ~]$ 

With VPN off:

[daming@archlinux ~]$ ip r
default via 192.168.3.1 dev enp37s0 proto dhcp metric 100 
192.168.3.0/24 dev enp37s0 proto kernel scope link src 192.168.3.4 metric 100 

[daming@archlinux ~]$ ip route get 172.217.24.5
172.217.24.5 via 192.168.3.1 dev enp37s0 src 192.168.3.4 uid 1001 
    cache 
[daming@archlinux ~]$ 


#7 2021-08-16 14:16:40

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

How do I remove systemd-resolved

You don't - it's part of systemd.
You can make sure the service is disabled and/or disable it

systemctl status systemd-resolved

You're coming out of a different subnet w/ VPN on, but that's expectable - what about the iptables?


#8 2021-08-17 12:41:54

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

With VPN:

[daming@archlinux ~]$ ip rule
0:	from all lookup local
220:	from all lookup 220
32766:	from all lookup main
32767:	from all lookup default

[daming@archlinux ~]$ ip route show table all
default via 192.168.3.1 dev enp37s0 table 220 proto static src 10.6.0.163 
throw 192.168.3.0/24 table 220 proto static 
default via 192.168.3.1 dev enp37s0 proto dhcp metric 100 
192.168.3.0/24 dev enp37s0 proto kernel scope link src 192.168.3.4 metric 100 
local 10.6.0.163 dev enp37s0 table local proto kernel scope host src 10.6.0.163 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.3.0 dev enp37s0 table local proto kernel scope link src 192.168.3.4 
local 192.168.3.4 dev enp37s0 table local proto kernel scope host src 192.168.3.4 
broadcast 192.168.3.255 dev enp37s0 table local proto kernel scope link src 192.168.3.4 
throw ::1 dev lo table 220 proto static metric 1024 pref medium
throw fe80::/64 dev lo table 220 proto static metric 1024 pref medium
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev enp37s0 proto kernel metric 100 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::90e1:33ef:a69f:6ff4 dev enp37s0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev enp37s0 table local proto kernel metric 256 pref medium

Without VPN:

[daming@archlinux ~]$ ip rule
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

[daming@archlinux ~]$ ip route show table all
default via 192.168.3.1 dev enp37s0 proto dhcp metric 100 
192.168.3.0/24 dev enp37s0 proto kernel scope link src 192.168.3.4 metric 100 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.3.0 dev enp37s0 table local proto kernel scope link src 192.168.3.4 
local 192.168.3.4 dev enp37s0 table local proto kernel scope host src 192.168.3.4 
broadcast 192.168.3.255 dev enp37s0 table local proto kernel scope link src 192.168.3.4 
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev enp37s0 proto kernel metric 100 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::90e1:33ef:a69f:6ff4 dev enp37s0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev enp37s0 table local proto kernel metric 256 pref medium
[daming@archlinux ~]$ systemctl status systemd-resolved
○ systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients

Last edited by damienmarsic (2021-08-17 12:43:38)


#9 2021-08-17 13:19:18

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

* https://wiki.archlinux.org/title/Iptabl … rent_rules
* systemd-resolved is obviously not running
* if the 220 table interferes, I don't see how.

most websites cannot be accessed at all

"Most" are not "all" - is there a pattern in the IPs that actually work?


#10 2021-08-17 14:11:03

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

[daming@archlinux ~]$ sudo iptables -nvL
[sudo] password for daming: 
Chain INPUT (policy ACCEPT 1037K packets, 1307M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 308K packets, 71M bytes)
 pkts bytes target     prot opt in     out     source               destination         

I did flush and reset iptables to default, but it makes no difference.

I just tried to access about 20 random websites which I never use, and I could access all of them without problem (with VPN on). It looks like the only websites I can not access are those that I had been using regularly for years (and only some of them). I can still access Facebook, Youtube and Twitter for example.

Websites I can not access (when VPN is on):
gmail.com
translate.google.com
duolingo.com
cerego.com
ancestry.com
familysearch.org
cit.com
chase.com
fidelity.com
linkedin.com
scmp.com
gmx.com
yandex.com
bb.archlinux.org (I actually have to exit the VPN in order to reply)

Last edited by damienmarsic (2021-08-17 14:11:42)


#11 2021-08-17 15:13:36

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

https://serverfault.com/questions/92205 … e-services suggests an MTU issue - you're on 1422, but the serverfault entry suggests

serverfault wrote:

After adjusting the MSS down to 1350 bytes the setup works as expected.

https://wiki.archlinux.org/title/Networ … eue_length


#12 2021-08-19 05:00:14

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

I tried reducing MTU to 1350 and to 1300 but it made no difference. However, I am not sure I did it correctly, as every time I ran "sudo udevadm control --reload-rules && udevadm trigger" after creating or modifying a rules file in /etc/udev/rules.d/ I would get thousands of lines all ending with "Permission denied".

Can you give me an example of a rules file that should do what I am trying to do ?


#13 2021-08-19 05:48:35

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

ip a # check the present mtu for any NIC
sudo ip link set enp37s0 mtu 1350 # transiently set the mtu, make sure the NIC name "enp37s0" still fits

We'll deal w/ the udev situation if and when the mtu is actually the problem here.


#14 2021-08-19 06:00:04

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

In the meantime I restarted the computer and now I can suddenly access all websites when the VPN is on !

I guess I managed to create a working udev rules file.

I really appreciate your help, the problem is finally solved after 2 months !

If you don't mind, please show me what the content of the rules file should be, I might have written too many things into it.


#15 2021-08-19 06:15:10

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

Check whether the mtu applied ("ip a") and post the udev rules you wrote for review (it's much simpler to fix/filter them)

You should also consider informing strongswan - the arch wiki actually has this already:
https://wiki.archlinux.org/title/Strong … e_Timeouts

Also please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.


#16 2021-08-19 13:02:56

damienmarsic
Member
Registered: 2021-07-02
Posts: 21

Re: [SOLVED] Can not access many sites when using VPN

I tried many different values to see what the limit is. It turns out that it works fine up to 1490. At 1495 I can no longer access any of the websites, but at 1490 I can access all of them. This is surprising, as it looks like the value was 1422 when it was not working, but I did just try 1422 and it works fine. It's only when I go beyond 1490 that the websites are blocked.

My current rules file:    /etc/udev/rules.d/10-network.rules                                       

ACTION=="add", SUBSYSTEM=="net",  ATTR{mtu}="1490"

Last edited by damienmarsic (2021-08-19 13:28:29)


#17 2021-08-19 13:14:56

seth
Member
Registered: 2012-09-03
Posts: 49,971

Re: [SOLVED] Can not access many sites when using VPN

Check the tracepath whether it's getting smaller there.
And ask the strongswan team since they're supposed to know about that limitation - the wiki mentions a "range of success" and the actual pmtu might be smaller than the configured limit.

Another thing is that you might want to change the value w/ the (I assume something like the) strongswan script instead of using a global udev rule to not needlessly castrate the normal setup.

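The suggestion above is to watch whether the "pmtu" that tracepath reports shrinks along the VPN path. The following is an added example, not code from the thread or from any of the tools discussed: a small POSIX sh / awk helper that reduces a tracepath run to the smallest pmtu seen, the number of hops that answered, and the first hop that gave "no reply", so the VPN-on and VPN-off runs can be compared side by side. The two sample inputs are trimmed copies of the tracepath output posted earlier in the thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a tracepath run so the
# VPN-on and VPN-off paths can be compared at a glance.
#
# tracepath_summary reads tracepath output on stdin and prints one line:
#   <smallest "pmtu" value seen> <hops that answered> <first "no reply" hop, or ->
# tracepath annotates a hop with "pmtu NNNN" whenever the path MTU it has
# discovered so far changes; the smallest value is the number an interface
# MTU or an MSS clamp has to stay under.
tracepath_summary() {
    awk '
        BEGIN { minpmtu = 0; answered = 0; firstnoreply = "-" }
        {
            # scan every field for a "pmtu NNNN" pair
            for (i = 1; i <= NF; i++)
                if ($i == "pmtu" && ($(i + 1) + 0) > 0 &&
                    (minpmtu == 0 || ($(i + 1) + 0) < minpmtu))
                    minpmtu = $(i + 1) + 0
        }
        /no reply/ {
            if (firstnoreply == "-") { firstnoreply = $1; sub(/:$/, "", firstnoreply) }
            next
        }
        # an answered hop line starts with "<n>:" ("1?:" is the local-host line)
        /^ *[0-9]+:/ { answered++ }
        END { print minpmtu, answered, firstnoreply }
    '
}

# Sample input: trimmed copies of the two tracepath runs posted in this thread.
sample_vpn_on() {
    cat <<'EOF'
 1?: [LOCALHOST]                      pmtu 1422
 1:  no reply
 2:  no reply
 3:  no reply
EOF
}

sample_vpn_off() {
    cat <<'EOF'
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.554ms
 2:  192.168.1.1                                           1.396ms
 3:  192.168.1.1                                           1.307ms pmtu 1484
 3:  221.178.235.217                                       2.550ms
 4:  183.213.14.65                                         4.198ms
 5:  no reply
EOF
}

# Usage on a live system: tracepath 172.217.24.5 | tracepath_summary
sample_vpn_on  | tracepath_summary   # prints: 1422 0 1
sample_vpn_off | tracepath_summary   # prints: 1484 5 5
```

Run it once with the VPN up and once with it down; a smaller first number on the VPN run is the path's real ceiling, and "0 answered, no reply at hop 1" (as in the thread's VPN-on output) means the tunnel is swallowing the probes before any path MTU discovery can happen.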

#18 2021-09-11 10:17:41

jetten
Member
Registered: 2015-02-28
Posts: 6

Re: [SOLVED] Can not access many sites when using VPN

I encountered a similar problem while using IPsec with a VPN provider. My list of websites not working was different, though: Google and 95% of websites were working; however, for example, duckduckgo.com, crt.sh, and atlassian.net were examples of sites not working.

I also believe Path MTU discovery is working correctly on my end (tried ping with various packet sizes: ping -M do -s 1400 1.1.1.1). So most likely the problem is that the above-mentioned websites are misconfigured and don't have working PMTU.

I found a workaround by using iptables to clamp MSS. This way I don't have to change the MTU on my interface, and also iptables calculates the mss for me automatically so I don't have to guess or calculate the correct MTU to use.

iptables -t mangle -A POSTROUTING -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I found the iptables command from the following link, but had to adapt it slightly as it was assuming the vpn client was also acting as a nat router: https://github.com/QubesOS/qubes-issues/issues/5264

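The post above probes the path with `ping -M do -s <size>` and then lets iptables clamp the MSS. As an added example (not the poster's script and not part of strongSwan or iptables), the POSIX sh below turns the manual probing into a binary search over the payload size and derives the MTU and TCP MSS that the result implies. `-M do` and `-s` are the ping flags used in the post; `-c 1` and `-W 1` are iputils ping's packet count and timeout. The `PMTU_TARGET` variable, the function names and the fake probes used for the offline run are this example's own assumptions, and the header arithmetic assumes IPv4 without options (20-byte IP header, 8-byte ICMP header, 20-byte TCP header).

```shell
#!/bin/sh
# Added example, not from the thread: binary-search the largest ICMP payload
# that crosses the path with DF set, then derive the path MTU and the TCP MSS
# a clamp would have to use.
#
# pmtu_search PROBE LO HI
#   PROBE is a command that exits 0 when a packet with payload size $1 got
#   through and non-zero otherwise. LO is expected to pass and HI to fail;
#   the function prints the largest passing payload size.
pmtu_search() {
    probe=$1; lo=$2; hi=$3
    "$probe" "$lo" || { echo "pmtu_search: lower bound $lo does not pass" >&2; return 1; }
    "$probe" "$hi" && { echo "$hi"; return 0; }   # whole range passes
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Real probe: one ping with DF set, 1 s timeout, payload of $1 bytes.
# PMTU_TARGET (assumed name) defaults to the address the post probed.
ping_probe() {
    ping -M do -c 1 -W 1 -s "$1" "${PMTU_TARGET:-1.1.1.1}" >/dev/null 2>&1
}

# IPv4 without options: on-the-wire size = payload + 8 (ICMP) + 20 (IP),
# and the TCP MSS that fits an MTU is MTU - 20 (IP) - 20 (TCP).
mtu_from_payload() { echo $(($1 + 28)); }
mss_from_mtu()     { echo $(($1 - 40)); }

# pmtu_report PROBE LO HI: run the search and print the derived numbers.
pmtu_report() {
    payload=$(pmtu_search "$1" "$2" "$3") || return 1
    mtu=$(mtu_from_payload "$payload")
    echo "largest DF payload $payload -> path MTU $mtu, IPv4 TCP MSS to clamp to: $(mss_from_mtu "$mtu")"
}

# Offline demonstration with a constructed probe that models a path whose
# MTU is 1422 (the value tracepath reported in this thread with the VPN up):
# a 1394-byte ICMP payload is the largest that fits.
fake_probe_1422() { [ "$1" -le 1394 ]; }
pmtu_report fake_probe_1422 1200 1500
# prints: largest DF payload 1394 -> path MTU 1422, IPv4 TCP MSS to clamp to: 1382

# Live run (needs a reachable target): PMTU_TARGET=1.1.1.1 pmtu_report ping_probe 1200 1500
```

The MSS the report prints is the value a fixed clamp (`iptables ... -j TCPMSS --set-mss N`) would use; the post's `--clamp-mss-to-pmtu` form lets the kernel derive it per route instead, which is why it needs no number at all.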
