On 11/25/2018 10:32 AM, 'Christophe Pfeifer' via qubes-users wrote:
Hi,
I followed the tutorial "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts" [1], then I subscribed to NordVPN and configured OpenVPN over UDP (since my ISP blocks OpenVPN over TCP).
---------------
My final architecture is the following:
AppVM ----> VPN (ProxyVM) ----> Firewall VM ----> Network VM
---------------
Firewall VM rules: Deny all but:
Address | Service | Protocol
--------+---------+---------
*       | OpenVPN | UDP
*       | OpenVPN | TCP
*       | HTTPS   | TCP
---------------
Problem: this is working for almost all websites I use, except some, like Protonmail, Facebook, etc. These latter sites either show some content first just after logging in, or logging in is impossible, and then they load endlessly.
It seems like a "Keep-alive connection issue".
---------------
Investigation:
1) I allowed full access on the firewall for 5 minutes
2) I launched Wireshark on the VPN VM
3) I tried to log in to Protonmail
Results: (excerpt)
- 10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
- 192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable (Fragmentation needed)
- 185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938 [ACK] Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
- 10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443 [ACK] Seq=1868 Ack=69096 Win=3261 Len=1325
[...]
- 10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK] Seq=977 Ack=1262 Win=32640 Len=0
---------------
Do you know any solution to prevent this from happening? Maybe a configuration trick of OpenVPN or of the VPN VM?

Did you download the openvpn config from NordVPN or write it yourself? It's preferable to download it. I see that NordVPN's config includes 'ping' and 'ping-restart' which is similar to using the 'keepalive' option.

The issue with only certain sites not working could indicate that a third-party service like a CDN has blocked the IP addresses that your VPN provider is using. I've also seen some services block VPN IPs on certain servers but not others. I see this occasionally when connecting through Private Internet Access. The solution rests with the VPN operators to block abusive network patterns and switch to IPs that haven't been blacklisted... it's basically a VPN reputation thing.

BTW, you might find Qubes-vpn-support project better to use overall for VPNs. You can control it as a system service and it uses connection parameters that keep openvpn operating more smoothly (although for this particular problem I don't think it would have an effect)...

https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
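As an added example (not from either poster), a small Python triage script that sorts Wireshark summary lines in the form quoted in the question into the symptom categories the excerpt shows (ICMP fragmentation-needed, TCP retransmissions, duplicate ACKs, keep-alives) and counts them per remote peer, so the destination that is actually suffering stands out before deciding whether it is a VPN-IP reputation problem or something on the path. The line layout, the SYMPTOMS table and the sample lines are assumptions modelled on the excerpt above.

```python
import re
from collections import Counter

# Constructed sample in the "src -> dst proto length info" form quoted above.
SAMPLE_LINES = """\
10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable (Fragmentation needed)
185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938 [ACK] Seq=69096 Ack=1868 Win=66 Len=0
10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443 [ACK] Seq=1868 Ack=69096 Win=3261 Len=1325
10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443 [ACK] Seq=977 Ack=1262 Win=32640 Len=0
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+) (\d+) (.*)$")
# Substrings Wireshark puts in the Info column, mapped to a symptom label (assumed set).
SYMPTOMS = {
    "Fragmentation needed": "icmp_frag_needed",
    "[TCP Retransmission]": "tcp_retransmission",
    "[TCP Dup ACK": "tcp_dup_ack",
    "[TCP Keep-Alive]": "tcp_keepalive",
}

def parse_line(line):
    """Return (src, dst, proto, length, info), or None if the line does not match."""
    m = LINE_RE.match(line.strip().lstrip("- "))
    if not m:
        return None
    src, dst, proto, length, info = m.groups()
    return src, dst, proto, int(length), info

def classify(info):
    """Map the Info column to a symptom label, or None for ordinary traffic."""
    for needle, label in SYMPTOMS.items():
        if needle in info:
            return label
    return None

def triage(text):
    """Count symptoms per (label, remote peer) so the affected destination stands out."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, _, info = parsed
        label = classify(info)
        if label is None:
            continue
        # ICMP errors: keep the sender (the hop that dropped it); TCP: keep the non-local (non-10.x) end.
        peer = src if proto == "ICMP" or not src.startswith("10.") else dst
        counts[(label, peer)] += 1
    return counts
```

Run `triage(SAMPLE_LINES)` on the constructed lines and every TCP symptom lands on one peer while the fragmentation error is attributed to the hop that reported it, which is the split you want before blaming the VPN exit IP.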
