I have a VPN setup that normally works perfectly well. However, when I connect to my VPN server through some wifis, Firefox and Chrome seem to have problems and can no longer open websites. So far I have seen this misbehaviour only on wifis with 10.x.y.z internal IPs, but that may be a coincidence. Anything on the command line (curl, wget and friends) has no trouble connecting through the VPN, and the same goes for, e.g., Thunderbird. However, Chrome and Firefox cannot open any website.
Both browsers seem to wait forever for some response, without giving any quick error message. Also, right after connecting to the VPN, opening 1-2 websites may work a few times before the connection freezes. Any idea what is wrong here?
    # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.10.10.5      0.0.0.0         UG        0 0          0 tun0
    0.0.0.0         10.20.113.1     0.0.0.0         UG        0 0          0 wlan0
    10.10.10.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    10.10.10.5      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    10.10.10.6      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    10.20.113.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    _vpnhost_       10.20.113.1     255.255.255.255 UGH       0 0          0 wlan0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
There are no firewall settings forbidding traffic:
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
And it even looks like firefox actually manages to connect (heise.de):
    # lsof -i -a -p 27648
    COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    firefox 27648 michael   61u  IPv4 878646      0t0  TCP 10.10.10.6:53372->ec2-54-186-218-125.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
    firefox 27648 michael   65u  IPv4 878643      0t0  TCP 10.10.10.6:47076->ec2-54-191-113-255.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
    firefox 27648 michael   66u  IPv4 878689      0t0  TCP 10.10.10.6:41718->www.heise.de:http (ESTABLISHED)
    firefox 27648 michael   68u  IPv4 878669      0t0  TCP 10.10.10.6:52994->server-54-230-79-235.cdg50.r.cloudfront.net:https (ESTABLISHED)
This is the log of the initialization sequence:
    Mar 26 09:35:51 nyx nm-openvpn[19187]: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jul 8 2015
    Mar 26 09:35:51 nyx nm-openvpn[19187]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
    Mar 26 09:35:51 nyx nm-openvpn[19187]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 26 09:35:51 nyx nm-openvpn[19187]: Control Channel Authentication: using '.../ta.key' as a OpenVPN static key file
    Mar 26 09:35:51 nyx nm-openvpn[19187]: UDPv4 link local: [undef]
    Mar 26 09:35:51 nyx nm-openvpn[19187]: UDPv4 link remote: [AF_INET]_vpnhost_:1194
    Mar 26 09:35:53 nyx nm-openvpn[19187]: [tritone] Peer Connection Initiated with [AF_INET]144.76.64.108:1194
    Mar 26 09:35:55 nyx nm-openvpn[19187]: TUN/TAP device tun0 opened
    Mar 26 09:35:55 nyx nm-openvpn[19187]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --tun -- tun0 1500 1602 10.10.10.6 10.10.10.5 init
    Mar 26 09:35:55 nyx NetworkManager[25408]: (tun0): new Tun device (carrier: OFF, driver: 'tun', ifindex: 12)
    Mar 26 09:35:55 nyx NetworkManager[25408]: VPN connection 'Novocalculus' (IP Config Get) reply received.
    Mar 26 09:35:55 nyx NetworkManager[25408]: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
    Mar 26 09:35:55 nyx NetworkManager[25408]: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
    Mar 26 09:35:55 nyx NetworkManager[25408]: VPN connection 'Novocalculus' (IP4 Config Get) reply received.
    Mar 26 09:35:55 nyx NetworkManager[25408]: VPN Gateway: 144.76.64.108
    Mar 26 09:35:55 nyx NetworkManager[25408]: Tunnel Device: tun0
    Mar 26 09:35:55 nyx NetworkManager[25408]: IPv4 configuration:
    Mar 26 09:35:55 nyx NetworkManager[25408]: Internal Gateway: 10.10.10.5
    Mar 26 09:35:55 nyx NetworkManager[25408]: Internal Address: 10.10.10.6
    Mar 26 09:35:55 nyx NetworkManager[25408]: Internal Prefix: 32
    Mar 26 09:35:55 nyx NetworkManager[25408]: Internal Point-to-Point Address: 10.10.10.5
    Mar 26 09:35:55 nyx NetworkManager[25408]: Maximum Segment Size (MSS): 0
    Mar 26 09:35:55 nyx NetworkManager[25408]: Forbid Default Route: no
    Mar 26 09:35:55 nyx nm-openvpn[19187]: Initialization Sequence Completed
    Mar 26 09:35:55 nyx NetworkManager[25408]: Internal DNS: 10.10.10.1
    Mar 26 09:35:55 nyx NetworkManager[25408]: DNS Domain: '(none)'
    Mar 26 09:35:55 nyx NetworkManager[25408]: No IPv6 configuration
    Mar 26 09:35:55 nyx NetworkManager[25408]: VPN plugin state changed: started (4)
    Mar 26 09:35:55 nyx NetworkManager[25408]: VPN connection 'Novocalculus' (IP Config Get) complete.
    Mar 26 09:35:55 nyx NetworkManager[25408]: (tun0): link connected
    Mar 26 09:35:55 nyx NetworkManager[25408]: NetworkManager state is now CONNECTED_LOCAL
    Mar 26 09:35:55 nyx NetworkManager[25408]: NetworkManager state is now CONNECTED_GLOBAL
    Mar 26 09:35:55 nyx NetworkManager[25408]: Writing DNS information to /sbin/resolvconf
    Mar 26 09:35:55 nyx dnsmasq[1184]: vorgelagerte Server von DBus gesetzt
    Mar 26 09:35:55 nyx dnsmasq[1184]: Benutze Namensserver 10.10.10.1#53
Another observation: If I use HMA instead of my own VPN, it works without problems. HMA seems to be configured differently. It includes IPv6 and does not use point-to-point only? For reference, here is the login sequence for HMA:
    Mar 26 09:24:35 nyx nm-openvpn[17575]: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jul 8 2015
    Mar 26 09:24:35 nyx nm-openvpn[17575]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
    Mar 26 09:24:35 nyx nm-openvpn[17575]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 26 09:24:35 nyx nm-openvpn[17575]: Attempting to establish TCP connection with [AF_INET]_hmahost_:443 [nonblock]
    Mar 26 09:24:36 nyx nm-openvpn[17575]: TCP connection established with [AF_INET]_hmahost_:443
    Mar 26 09:24:36 nyx nm-openvpn[17575]: TCPv4_CLIENT link local: [undef]
    Mar 26 09:24:36 nyx nm-openvpn[17575]: TCPv4_CLIENT link remote: [AF_INET]_hmahost_:443
    Mar 26 09:24:40 nyx nm-openvpn[17575]: [server] Peer Connection Initiated with [AF_INET]_hmahost_:443
    Mar 26 09:24:43 nyx nm-openvpn[17575]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:7 is ignored by previous blocks
    Mar 26 09:24:43 nyx nm-openvpn[17575]: TUN/TAP device tun0 opened
    Mar 26 09:24:43 nyx nm-openvpn[17575]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --tun -- tun0 1500 1543 10.200.2.126 255.255.252.0 init
    Mar 26 09:24:43 nyx NetworkManager[25408]: (tun0): new Tun device (carrier: OFF, driver: 'tun', ifindex: 11)
    Mar 26 09:24:43 nyx NetworkManager[25408]: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
    Mar 26 09:24:43 nyx NetworkManager[25408]: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN connection 'HMA UK' (IP Config Get) reply received.
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN connection 'HMA UK' (IP4 Config Get) reply received.
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN connection 'HMA UK' (IP6 Config Get) reply received.
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN Gateway: 109.169.94.53
    Mar 26 09:24:43 nyx NetworkManager[25408]: Tunnel Device: tun0
    Mar 26 09:24:43 nyx NetworkManager[25408]: IPv4 configuration:
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Gateway: 10.200.0.1
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Address: 10.200.2.126
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Prefix: 22
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Point-to-Point Address: 0.0.0.0
    Mar 26 09:24:43 nyx NetworkManager[25408]: Maximum Segment Size (MSS): 0
    Mar 26 09:24:43 nyx NetworkManager[25408]: Forbid Default Route: no
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal DNS: 10.200.0.1
    Mar 26 09:24:43 nyx NetworkManager[25408]: DNS Domain: '(none)'
    Mar 26 09:24:43 nyx NetworkManager[25408]: IPv6 configuration:
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Address: 2001:db8:123::2
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Prefix: 64
    Mar 26 09:24:43 nyx NetworkManager[25408]: Internal Point-to-Point Address: 2001:db8:123::1
    Mar 26 09:24:43 nyx NetworkManager[25408]: Maximum Segment Size (MSS): 0
    Mar 26 09:24:43 nyx NetworkManager[25408]: Static Route: 2000::/3 Next Hop: 2001:db8:123::1
    Mar 26 09:24:43 nyx NetworkManager[25408]: Forbid Default Route: no
    Mar 26 09:24:43 nyx NetworkManager[25408]: DNS Domain: '(none)'
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN plugin state changed: started (4)
    Mar 26 09:24:43 nyx NetworkManager[25408]: VPN connection 'HMA UK' (IP Config Get) complete.
    Mar 26 09:24:43 nyx NetworkManager[25408]: (tun0): link connected
    Mar 26 09:24:43 nyx nm-openvpn[17575]: Initialization Sequence Completed
    Mar 26 09:24:43 nyx NetworkManager[25408]: NetworkManager state is now CONNECTED_LOCAL
    Mar 26 09:24:43 nyx NetworkManager[25408]: NetworkManager state is now CONNECTED_GLOBAL
    Mar 26 09:24:43 nyx NetworkManager[25408]: Policy set 'HMA UK' (tun0) as default for IPv6 routing and DNS.
    Mar 26 09:24:43 nyx NetworkManager[25408]: Writing DNS information to /sbin/resolvconf
    Mar 26 09:24:43 nyx dnsmasq[1184]: vorgelagerte Server von DBus gesetzt
    Mar 26 09:24:43 nyx dnsmasq[1184]: Benutze Namensserver 10.200.0.1#53 für Domain 10.in-addr.arpa