0

I am quite an amateur in the world of VPNs. I've set up an OpenVPN server at home, and I was expecting that by connecting to that server when traveling abroad I would be "virtually" using the Internet as if I am at my home. However, this seems not to be the case, and certain websites are not accessible when abroad. For instance, Facebook is not accessible when my VPN connection is active.

Pondering why, I did a traceroute test, and I found the results surprising: traceroute facebook.com on my laptop abroad (with VPN active) will not terminate after 30 hops (which, IIUC, means a complicated route to facebook.com is being taken from my laptop). But if I ssh into the machine that hosts my VPN server and do the same, it terminates after 11 hops (which sounds natural). What is interesting is that in both cases my home router (which is connected to the Internet) appears at the top of the list.

My conclusion is somehow the traffic is not "fully" tunneled through my home VPN server.

For reference, here are some of the options I have added to my client config:

redirect-gateway def1 bypass-dhcp bypass-dns
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
mssfix 1300

UPDATE: After paying more attention, I see that facebook.com gets resolved to two different IPs from my laptop or VPN server.

From my laptop:

$ traceroute facebook.com
traceroute to facebook.com (10.10.34.35), 30 hops max, 60 byte packets
...snip...

But from the VPN server (ssh):

$ traceroute facebook.com
traceroute to facebook.com (157.240.17.35), 30 hops max, 60 byte packets
...snip...

More interestingly traceroute 157.240.17.35 from the laptop connected to the VPN server reaches the destination in 12 hops and exactly traverses the same nodes as traceroute facebook.com will traverse from the VPN server.

I therefore concluded that there should be a DNS problem, despite dhcp-option directives in the client config.

I manually specified Google DNS IPs in network manager config and the issue is resolved.

Is this normal? Why does Network Manager not take the dhcp-option directives into account?

2
  • What other device do you expect to be at the top of the list, if not your home router? (Separately from that, how do you tell it's your home router and not your nearby 'abroad' router?) Commented Dec 23, 2023 at 14:19
  • @u1686_grawity, of course it is normal to see the home router at the top of the list (I can tell that from its address that includes my home ISP address). What is why from that point on it takes only 9 hops to get to facebook.com from the server, but more than 30 hops from my machine abroad connected to the VPN.
    – MikeL
    Commented Dec 23, 2023 at 18:20
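
The symptom described in the question's update (a public name resolving to 10.10.34.35 on the laptop while the VPN server gets 157.240.17.35) can be checked for directly. The following is an added example, not part of the original post: it audits resolv.conf-style text against the resolvers named in the client config and flags answers that are not globally routable. The sample resolv.conf contents and the 192.168.1.1 resolver are constructed, and it assumes resolv.conf lists the upstream resolvers directly rather than a local stub.

```python
import ipaddress
import socket

# Resolvers the client config on this page requests via "dhcp-option DNS".
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed samples: resolver state before and after the manual fix.
SAMPLE_BEFORE = "# set by the local network (constructed)\nnameserver 192.168.1.1\n"
SAMPLE_AFTER = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def answer_is_implausible(ip):
    """A public hostname should not resolve to a private or reserved address."""
    return not ipaddress.ip_address(ip).is_global

def resolve_live(name):
    """Ask the system resolver (needs network access; not used by the audit)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def audit(resolv_conf_text, answers):
    """Return (finding, detail) tuples; an empty list means nothing suspicious."""
    findings = []
    active = parse_nameservers(resolv_conf_text)
    unexpected = [s for s in active if s not in EXPECTED_RESOLVERS]
    if unexpected:
        # The pushed/configured DNS servers were not applied to the system.
        findings.append(("resolver-not-from-vpn-config", unexpected))
    for name, ip in answers.items():
        if answer_is_implausible(ip):
            findings.append(("non-global-answer", (name, ip)))
    return findings

if __name__ == "__main__":
    # Addresses below are the two answers quoted in the question.
    print(audit(SAMPLE_BEFORE, {"facebook.com": "10.10.34.35"}))
    print(audit(SAMPLE_AFTER, {"facebook.com": "157.240.17.35"}))
```

On a live system, pass the contents of /etc/resolv.conf and the output of `resolve_live()` to `audit()` once the tunnel is up.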

1 Answer

-1

why from that point on it takes only 9 hops to get to facebook.com from the server, but more than 30 hops from my machine abroad connected to the VPN

The difference is the starting-point of the traceroute.

When connected to the VPN, traceroute starts from your computer, reaches your OpenVPN server, then goes all the way from it to the Facebook servers. So it's natural that the route will be somewhat long and complicated.

When you do SSH console on the OpenVPN server, traceroute is then launched from the server and follows the route from it to Facebook. So the route is much shorter, since the path from your computer to the VPN server is not traced by traceroute. For an SSH tunnel this would be counted as one hop to the VPN server.

5
  • I am not sure if I understand. Once I reach my home router (either through a laptop connected to the VPN or from the VPN server), should the rest of the route be the same?
    – MikeL
    Commented Dec 23, 2023 at 18:22
  • Any internet route is never guaranteed to be the same.
    – harrymc
    Commented Dec 23, 2023 at 18:26
  • I understand my answer wasn't clear enough, so I added to it. I hope it's clear now.
    – harrymc
    Commented Dec 24, 2023 at 9:47
  • Thank you for the clarification. I get your point, however, I expected (and I guess I was right) that the portion of the route from the VPN server to facebook.com should be the same irrespective of where the traceroute is launched from. I.e., from my laptop I should see something like: "Laptop -> [Intermediate Nodes] -> VPN Server -> X -> Y -> Facebook.com", and from my VPN server "VPN Server -> X -> Y -> Facebook.com". Indeed, it turned out that the issue was the incorrect DNS resolution on my laptop. After fixing, the traceroute outputs match my expectations (see my updates).
    – MikeL
    Commented Dec 24, 2023 at 15:53
  • You have changed the question, so you should really start a new post. For this post, the wrong DNS setting has probably sent your packets on a long route over the internet, which doesn't affect the validity of my answer. I'll not leave this answer here with negative votes, so it's up to you.
    – harrymc
    Commented Dec 24, 2023 at 16:38
