Openvpn - no access to certain site when connected, but works as expected on windows

I have an .ovpn file generated by the company that provides my VPN. If I open this file with openvpn client on windows I am able to connect successfully, whatismyip reports my new public ip address and location and I am able to access the sites I require the vpn for.

However, if I import the same file into KDE Connection manager, as well as if I run openvpn --config myfile.ovpn from my terminal, it seems to connect successfully; I see my public IP address and location change, but I’m unable to connect to the website.

I’m not too confident with networking / VPNs etc. outside of following guides to configure the stuff I need, so would someone be able to assist me in debugging this issue? Here’s the (sanitised) output from when I run openvpn via the terminal:

sudo openvpn --config vpn.ovpn
2022-04-25 08:58:05 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-04-25 08:58:05 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-04-25 08:58:05 OpenVPN 2.5.6 [git:makepkg/e8df2e64d6f817e6+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
2022-04-25 08:58:05 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-04-25 08:58:05 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2022-04-25 08:58:05 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-25 08:58:05 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-25 08:58:05 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2022-04-25 08:58:05 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-04-25 08:58:05 UDP link local: (not bound)
2022-04-25 08:58:05 UDP link remote: [AF_INET]xxx.xxxx.xxxx.xxxx:1194
2022-04-25 08:58:05 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=92c6a6e5 95cd6675
2022-04-25 08:58:05 VERIFY OK: depth=1, C=AE, ST=NA, L=redacted, O=Hostingor Limited, OU=redacted.io, CN=Hostingor Limited CA, name=redacted-vpn, emailAddress=support@redacted.io
2022-04-25 08:58:05 VERIFY OK: nsCertType=SERVER
2022-04-25 08:58:05 VERIFY OK: depth=0, C=AE, ST=NA, L=redacted, O=Hostingor Limited, OU=redacted.io, CN=server, name=redacted-vpn, emailAddress=support@redacted.io
2022-04-25 08:58:05 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-04-25 08:58:05 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2022-04-25 08:58:06 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2022-04-25 08:58:06 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 10.255.254.1,route 10.255.254.1,topology net30,ping 10,ping-restart 120,ifconfig 10.255.254.230 10.255.254.229,peer-id 2,cipher AES-256-GCM'
2022-04-25 08:58:06 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-25 08:58:06 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-25 08:58:06 OPTIONS IMPORT: route options modified
2022-04-25 08:58:06 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-04-25 08:58:06 OPTIONS IMPORT: peer-id set
2022-04-25 08:58:06 OPTIONS IMPORT: adjusting link_mtu to 1625
2022-04-25 08:58:06 OPTIONS IMPORT: data channel crypto options modified
2022-04-25 08:58:06 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-04-25 08:58:06 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-25 08:58:06 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-25 08:58:06 net_route_v4_best_gw query: dst 0.0.0.0
2022-04-25 08:58:06 net_route_v4_best_gw result: via 192.168.0.1 dev wlp6s0
2022-04-25 08:58:06 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp6s0 HWADDR=d8:f8:83:88:22:9b
2022-04-25 08:58:06 TUN/TAP device tun0 opened
2022-04-25 08:58:06 net_iface_mtu_set: mtu 1500 for tun0
2022-04-25 08:58:06 net_iface_up: set tun0 up
2022-04-25 08:58:06 net_addr_ptp_v4_add: 10.255.254.230 peer 10.255.254.229 dev tun0
2022-04-25 08:58:06 net_route_v4_add: xxx.xxx.xxx.xxx/32 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-04-25 08:58:06 net_route_v4_del: 0.0.0.0/0 via 192.168.0.1 dev [NULL] table 0 metric -1
2022-04-25 08:58:06 net_route_v4_add: 0.0.0.0/0 via 10.255.254.229 dev [NULL] table 0 metric -1
2022-04-25 08:58:06 net_route_v4_add: 10.255.254.1/32 via 10.255.254.229 dev [NULL] table 0 metric -1
2022-04-25 08:58:06 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-04-25 08:58:06 Initialization Sequence Completed

If there are any other logs / information I can provide please let me know

Thanks in advance

Can you try via terminal:
openvpn --verb 4 --mss-fix 1400 --config myfile.ovpn

Hi, thanks for the reply

I ran: sudo openvpn --verb 4 --mssfix 1400 --config myfile.ovpn
(note mssfix not mss-fix, I assume this was a typo? :slight_smile: )
(also note, I require sudo as it fails with a permission error)

Which yields the same results; public IP changed but can’t access the site I require

Which website do you require? What is the difference between this site with your public IP site? How do you check for your public IP?

This is usually a DNS or IPv6 problem.

Yes, that was a typo :wink:

Is that a public site or a site on the server network?
Looking at the server’s push reply, you only have access to the server machine and public sites.
That same machine also provides DNS.

Can you ping quad9.com?
Can you ping 9.9.9.9?

Also note that your client side is using a very common subnet, 192.168.0.x.
This can lead to routing conflicts.
Please read here:
AvoidRoutingConflicts

So it might be a DNS problem. Keep in mind that your DNS is not changed, you still use your default DNS of your local network or your self configured DNS. If you use just the openvpn binary on the command line, you need to do it yourself or script it. If you use NM to connect to your VPN it will do it for you.

It’s a public site, yes, so that’s expected.

ping quad9.com ← no response
ping 9.9.9.9 ← ok response

I also can’t ping quad9.com when NOT on the vpn

I’ll look at my local IP range later; I’m working at the moment and don’t really have time to make those kinds of changes on my network

Thanks

Yes, I’m using the openvpn binary straight from the command line, but I’ve also attempted to import the file into KDE connection manager; both give the same symptoms.

Can you point me in the right direction for changing my DNS? I’ve tried to find a clear/flush DNS command but I don’t think my system is caching DNS?

The first thing to do is to find out if you use systemd-resolved or not. Simply check if the service is running or not.

Depending on the result, you need to do different things.
Without resolved you can directly edit /etc/resolv.conf and change to an appropriate DNS server. If you disconnect you need to change it back.

Openvpn comes with a script:
/etc/openvpn/update-resolv-conf

Adding:

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

to the *.ovpn file probably does the trick.

Add or modify:
redirect-gateway
to
redirect-gateway def1
in the *.ovpn file.
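For readers on a distribution that does not ship update-resolv-conf, the following is an added example (not from this thread, and not the Debian script) of what such an up/down hook does. It reads the DNS server the server pushed (the "dhcp-option DNS 10.255.254.1" in the PUSH_REPLY above), which OpenVPN hands to up/down scripts as environment variables foreign_option_1, foreign_option_2, ... together with script_type ("up" or "down") and dev (the tun interface). It branches on whether systemd-resolved is active, as the post above recommends checking first: with resolved it uses resolvectl; without it, it writes /etc/resolv.conf and restores the original on "down". The RESOLV_CONF, BACKUP and DNS_BACKEND variables are this example's own knobs (assumed, so the functions can be exercised on a temporary file without root); everything else is standard OpenVPN/resolvectl behaviour. Install it with script-security 2, up/down pointing at the script, and down-pre, exactly as in the snippet above.

```shell
#!/bin/sh
# Added example: apply server-pushed DNS on "up", undo it on "down".
# OpenVPN exports pushed options as foreign_option_N, e.g.
#   foreign_option_1="dhcp-option DNS 10.255.254.1"
# and sets script_type=up|down and dev=tun0 before running this hook.
# Overridable knobs (assumed for this example, not OpenVPN settings):
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-$RESOLV_CONF.openvpn-backup}"
# DNS_BACKEND=file|resolved; empty means auto-detect.

# Turn foreign_option_* into resolv.conf lines on stdout.
render_resolv_conf() {
    i=1
    while eval "[ -n \"\${foreign_option_$i:-}\" ]"; do
        eval "opt=\$foreign_option_$i"
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# "resolved" if systemd-resolved is running and resolvectl exists, else "file".
detect_backend() {
    if command -v resolvectl >/dev/null 2>&1 \
       && systemctl is-active --quiet systemd-resolved 2>/dev/null; then
        echo resolved
    else
        echo file
    fi
}

vpn_up() {
    content="$(render_resolv_conf)"
    if [ -z "$content" ]; then
        echo "server pushed no DNS options; leaving resolver untouched" >&2
        return 0
    fi
    backend="${DNS_BACKEND:-$(detect_backend)}"
    case "$backend" in
        resolved)
            servers="$(printf '%s\n' "$content" | awk '/^nameserver/ {print $2}')"
            # Per-link DNS for the tunnel; "~." routes every lookup over it so
            # queries do not leak to the LAN resolver (192.168.0.1 here).
            # shellcheck disable=SC2086
            resolvectl dns "$dev" $servers
            resolvectl domain "$dev" '~.'
            ;;
        file)
            # Keep the original so "down" can restore it. Do not overwrite an
            # existing backup: after an unclean disconnect it is still the real one.
            [ -e "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP"
            printf '# generated by openvpn up hook for %s\n%s\n' \
                "${dev:-tun}" "$content" > "$RESOLV_CONF"
            ;;
        *)
            echo "unknown DNS_BACKEND '$backend'" >&2
            return 1
            ;;
    esac
}

vpn_down() {
    backend="${DNS_BACKEND:-$(detect_backend)}"
    case "$backend" in
        # down-pre runs this before tun0 is closed, so the link still exists.
        resolved) resolvectl revert "$dev" ;;
        file)     [ -e "$BACKUP" ] && mv "$BACKUP" "$RESOLV_CONF" ;;
    esac
    return 0
}

# Dispatch on what OpenVPN tells us; does nothing when sourced for testing.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

If /etc/resolv.conf on your machine is a symlink owned by systemd-resolved or NetworkManager, the "file" branch would be fighting that manager, which is why the backend check comes first; after connecting, `resolvectl status` (resolved) or `cat /etc/resolv.conf` (file) should show 10.255.254.1 as the only nameserver.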

/etc/openvpn/update-resolv-conf doesn’t exist, therefore:

Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)

should I create the file? if so what should its contents be?

This is something from the Debian world.

Check out the Arch wiki, to see how something like this can work on Manjaro.

https://wiki.archlinux.org/title/OpenVPN#DNS