
An OpenVPN connection (a Linux-like Homebrew package on macOS) to my office works flawlessly, but it blocks incoming HTTP(S) traffic from my external IP address: when I turn off OpenVPN, I can access my computer from outside; otherwise it is blocked.

How can I configure OpenVPN to allow incoming connections over ports 80 and 443, as if there were no VPN?

  • Client config:
    client
    
    dev tun
    proto udp
    remote my-server-1 1194
    
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    tls-auth ta.key 1
    cipher AES-256-CBC
    
    verb 3
    
  • Server config:
    port 1194
    proto udp
    dev tun
    
    ca ca.crt
    cert server.crt
    key server.key  
    dh dh2048.pem
    
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    
    keepalive 10 120
    
    tls-auth ta.key 0 
    cipher AES-256-CBC
    
    persist-key
    persist-tun
    
    status openvpn-status.log
    verb 3
    
    explicit-exit-notify 1
    

  • Output of netstat -rn without VPN:
    Internet:
    Destination        Gateway            Flags           Netif Expire
    default            192.168.0.254      UGScg             en0       
    127                127.0.0.1          UCS               lo0       
    127.0.0.1          127.0.0.1          UH                lo0       
    169.254            link#6             UCS               en0      !
    192.168.0          link#6             UCS               en0      !
    192.168.0.187/32   link#6             UCS               en0      !  # my macbook
    192.168.0.254/32   link#6             UCS               en0      !  # router
    192.168.0.254      0:1e:e5:6d:91:fb   UHLWIir           en0   1195
    192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
    192.168.56         link#17            UC           vboxnet0      !
    192.168.56.255     ff:ff:ff:ff:ff:ff  UHLWbI       vboxnet0      !
    224.0.0/4          link#6             UmCS              en0      !
    224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0       
    255.255.255.255/32 link#6             UCS               en0      !
    255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
    
  • Output of netstat -rn with VPN (the utun3 entries are the VPN routes):
    Internet:
    Destination        Gateway            Flags           Netif Expire
    0/1                10.8.0.5           UGScg           utun3       
    default            192.168.0.254      UGScg             en0       
    10.8/24            10.8.0.5           UGSc            utun3     
    10.8.0.1/32        10.8.0.5           UGSc            utun3       
    10.8.0.5           10.8.0.6           UHr             utun3       
    127                127.0.0.1          UCS               lo0       
    127.0.0.1          127.0.0.1          UH                lo0       
    128.0/1            10.8.0.5           UGSc            utun3       
    169.254            link#6             UCS               en0      !
    192.168.0          link#6             UCS               en0      !
    192.168.0.187/32   link#6             UCS               en0      !  # my macbook
    192.168.0.254/32   link#6             UCS               en0      !  # router
    192.168.0.254      0:1e:e5:6d:91:fb   UHLWIir           en0   1162
    192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
    192.168.56         link#17            UC           vboxnet0      !
    192.168.56.255     ff:ff:ff:ff:ff:ff  UHLWbI       vboxnet0      !
    <VPN IP>/32        192.168.0.254      UGSc              en0         # VPN server public IP
    224.0.0/4          link#6             UmCS              en0      !
    224.0.0.251        1:0:5e:0:0:fb      UHmLWI            en0       
    255.255.255.255/32 link#6             UCS               en0      !
    255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI            en0      !
    
  • Please clarify what you mean by "But it blocks incoming http(s) traffic from my external IP address. When I turn off OpenVPN I can access my computer from outside, otherwise it is blocked." Are you trying to reach a system on the same LAN you are on via your ISP's public IP? Where are these connections coming from in relation to the target computer? Most likely your traffic isn't being blocked, but either you cannot find the service you are looking for (DNS issues) or the systems do not have a network path between them because of the VPN gateway and route config. Commented Feb 5, 2022 at 8:49
  • Devices in the same LAN can reach my computer without problems. But as long as OpenVPN is enabled, my computer cannot be reached from my ISP's public IP address. But when I disable OpenVPN, it is reachable from the public IP address. So it is the VPN which is in the way.
    – php and js
    Commented Feb 5, 2022 at 17:22
  • So you have forwarded ports on your router to your PC, and systems outside your LAN (but not on the other end of the tunnel) are usually able to reach it on 80/443. Is that correct? Commented Feb 5, 2022 at 21:51
  • My guess is, those systems can contact your PC, but the routing rules are directing your responses into the tunnel rather than through your router's WAN. Can you show us your route table both with and without OpenVPN connected, and check netstat to make sure your listening ports for 80/443 exist, listen on 0.0.0.0 and are associated with your local web server process PID? Commented Feb 5, 2022 at 22:30
  • How can I show the route table? I have macOS with Homebrew apps. So how can I configure OpenVPN so that when it is on it does not block incoming connections? And it is listening on 80 and 443, as local LAN devices can reach it.
    – php and js
    Commented Feb 6, 2022 at 7:21

1 Answer

It's a routing issue; unfortunately, I fear there may not be an easy and satisfactory answer.

Normal IP routing only cares about the destination of a packet, not its source. On the open internet, asymmetric routing is common and not necessarily a problem, but it can become a big problem when NATs, firewalls, ingress filtering etc. become involved.

Without the VPN, the client sends packets to your network's NAT router, which modifies the destination address and sends them on to your computer. Your computer then generates a reply, looks up the destination address in its routing table and sends it back out via your network's NAT router, which performs the reverse translation and puts the packet back out onto the internet, where it will be delivered to the client.

When you bring up the VPN, your default route is changed to point down the VPN. This means connections you initiate to the internet go down the VPN, but it also means that replies to connection requests you receive from the internet go down the VPN.

These replies will almost certainly not be delivered to the client in a usable form. Since the return packets do not pass through the NAT that performed the forward translation, the reverse translation will not be performed correctly. The response packet may be dropped by a filter, it may be forwarded to the client with no reverse translation at all, or it may be forwarded to the client with an incorrect translation. Ultimately the client either doesn't receive the packet at all or receives it with an incorrect source address and is unable to match it up with the connection attempt; either way, the attempt to establish a connection fails.
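To make the asymmetry visible, here is an added example (not part of the original answer) that replays the kernel's longest-prefix lookup over abridged copies of the two routing tables from the question. 198.51.100.1 is a constructed stand-in for the redacted "<VPN IP>" host route, and 203.0.113.10 / 192.168.0.50 are constructed addresses for an internet client and a LAN host.

```python
import ipaddress

# Constructed, abridged copies of the two "netstat -rn" tables from the question
# (BSD format: destination, gateway, flags, interface). 198.51.100.1 stands in
# for the redacted "<VPN IP>" host route that OpenVPN adds for its own server.
ROUTES_WITHOUT_VPN = """
default            192.168.0.254      UGScg   en0
192.168.0          link#6             UCS     en0
"""
ROUTES_WITH_VPN = """
0/1                10.8.0.5           UGScg   utun3
default            192.168.0.254      UGScg   en0
10.8/24            10.8.0.5           UGSc    utun3
128.0/1            10.8.0.5           UGSc    utun3
192.168.0          link#6             UCS     en0
198.51.100.1/32    192.168.0.254      UGSc    en0
"""

def parse_destination(dest):
    """Expand netstat shorthand: 'default' -> 0.0.0.0/0, '127' -> 127.0.0.0/8,
    '10.8/24' -> 10.8.0.0/24, '0/1' -> 0.0.0.0/1, bare 4-octet host -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = str(8 * len(octets)) if len(octets) < 4 else "32"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_table(text):
    rows = (line.split() for line in text.strip().splitlines())
    return [(parse_destination(d), gw, netif) for d, gw, _flags, netif in rows]

def lookup(routes, dst_ip):
    """Longest-prefix match on the destination only, as the kernel does."""
    ip = ipaddress.ip_address(dst_ip)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)[2]

def reply_paths(client_ip):
    """Interface the reply to client_ip leaves on: (without VPN, with VPN)."""
    return (lookup(parse_table(ROUTES_WITHOUT_VPN), client_ip),
            lookup(parse_table(ROUTES_WITH_VPN), client_ip))

if __name__ == "__main__":
    for peer in ("203.0.113.10", "192.168.0.50"):  # constructed: internet client, LAN host
        before, after = reply_paths(peer)
        print(f"reply to {peer}: {before} without VPN, {after} with VPN"
              + ("  <- asymmetric" if before != after else ""))
```

The 0/1 and 128.0/1 pair is how OpenVPN's redirect-gateway overrides the default route without deleting it, which is why the internet client's reply lands on utun3 while the LAN host and the VPN server itself still go out en0.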
