
Apologies in advance as this is an "abstract" question without a definite black/white answer and I know those don't bode well on this site. Hear me out though as I'll try to add as much details and specifics as possible.

I have an OpenVPN Connect server that works perfectly fine for all remote employees. However it does not work for users in our physical office.

Users can nslookup, ssh, and ping to target systems over the VPN successfully but they cannot browse HTTP/HTTPS through a browser (just says Not Responding). Yes! ssh works over the vpn!!

I have checked network settings like DNS, proxies, etc. and everything looks fine. Furthermore, we can literally take a workstation, disconnect it from the LAN, connect it to a mobile hotspot and it'll work. This tells me that it's not a config on the local workstation.

The office LAN is behind a SonicWall NSA 2400 firewall. The office LAN has very simple subnet setup and the subnets DO NOT conflict with the VPN subnets.

Everything in OpenVPN logs looks normal and they have been compared with the connections of remote employees and the connections look the same.

The route tables on the connected machines look good, default route and the tun interface (vpn interface) routes all show normal.

The craziest part is how I can do nslookup, ssh, and ping but not browse HTTP/S.

Here is the openvpn server config:

port 43699
proto udp
dev tun
key-direction 0
cipher AES-256-CBC
auth SHA256
tls-auth server.tlsauth
ca ca.crt
cert cert.crt
key cert.key
dh dh2048.pem
topology subnet
server 10.79.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DOMAIN-SEARCH example.com"
push "dhcp-option DNS 10.10.0.2"
keepalive 10 120
tmp-dir "/etc/openvpn/tmp"
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so auth-ldap.conf
username-as-common-name
duplicate-cn
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
user nobody
group nobody
management localhost 7707 

Here is the client config:

client
proto udp
remote vpn.example.com 43699
dev tun
resolv-retry infinite
auth-user-pass
persist-key
persist-tun
mute-replay-warnings
compress lzo
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
....REMOVED...
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
....REMOVED...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
....REMOVED...
-----END CERTIFICATE-----
</cert>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....REMOVED...
-----END OpenVPN Static key V1-----
</tls-auth>

My questions for Stack Exchange:

  • My gut is telling me it's something in the SonicWall. Can you think of any firewall setting that could cause this behavior? I did poke around in the SonicWall config and there are a ton of options, but no blacklists seem to be applied, and the fact that I can connect and ping/etc. is making it seem that the layer 4 connection itself is ok.

  • Does any setting look wrong with my ovpn configs? They work perfectly fine for all users except those within the office.

emmdee

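The question asserts that the office subnets do not conflict with the VPN subnets and that the pushed DNS server is reachable. The following added example (not part of the question or of OpenVPN) turns those two claims into a repeatable check: it parses the routing-related directives from the posted server config (the `server` line and every `push "route ..."` / `push "dhcp-option DNS ..."`), then tests them against a list of office LAN subnets. The `OFFICE_LAN` values are constructed placeholders, since the question does not give the real office subnets; substitute the ones from the SonicWall's interface configuration.

```python
import ipaddress
import shlex

# Constructed excerpt: only the routing-related directives from the server
# config posted in the question. The certificate/auth lines are irrelevant here.
SERVER_CONF = """
topology subnet
server 10.79.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DOMAIN-SEARCH example.com"
push "dhcp-option DNS 10.10.0.2"
"""

# Constructed office LAN subnets (hypothetical; the question does not state them).
OFFICE_LAN = ["192.168.1.0/24", "192.168.2.0/24"]


def _directives(conf_text):
    """Yield each non-comment line as shell-style tokens, so that
    push "route a b" becomes ['push', 'route a b']."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield shlex.split(line)


def vpn_networks(conf_text):
    """Networks a client reaches through the tunnel: the address pool from
    'server' plus every pushed 'route'."""
    nets = []
    for parts in _directives(conf_text):
        if parts[0] == "server" and len(parts) >= 3:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "push" and len(parts) >= 2:
            inner = parts[1].split()
            if len(inner) >= 3 and inner[0] == "route":
                nets.append(ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False))
    return nets


def pushed_dns_servers(conf_text):
    """IP addresses handed to clients via push "dhcp-option DNS ..."."""
    servers = []
    for parts in _directives(conf_text):
        if parts[0] == "push" and len(parts) >= 2:
            inner = parts[1].split()
            if len(inner) == 3 and inner[0] == "dhcp-option" and inner[1].upper() == "DNS":
                servers.append(ipaddress.ip_address(inner[2]))
    return servers


def overlaps(vpn_nets, lan_cidrs):
    """(vpn, lan) pairs that overlap. Any such pair means a client on that LAN
    has two candidate routes for the same addresses, and traffic may leave
    via the LAN instead of the tunnel."""
    lan_nets = [ipaddress.ip_network(c, strict=False) for c in lan_cidrs]
    return [(v, l) for v in vpn_nets for l in lan_nets if v.overlaps(l)]


def dns_reachable_via_tunnel(conf_text):
    """True only if every pushed DNS server lies inside a network that is
    itself routed through the tunnel; otherwise DNS queries exit via the LAN."""
    nets = vpn_networks(conf_text)
    return all(any(dns in n for n in nets) for dns in pushed_dns_servers(conf_text))


def check(conf_text, lan_cidrs):
    """Summarise the checks as a dict that a script can print or assert on."""
    nets = vpn_networks(conf_text)
    return {
        "vpn_networks": [str(n) for n in nets],
        "overlaps": [(str(v), str(l)) for v, l in overlaps(nets, lan_cidrs)],
        "dns_via_tunnel": dns_reachable_via_tunnel(conf_text),
    }


if __name__ == "__main__":
    for key, value in check(SERVER_CONF, OFFICE_LAN).items():
        print(f"{key}: {value}")
```

Run it once with the real office subnets in `OFFICE_LAN`; an empty `overlaps` list and `dns_via_tunnel: True` confirm the two claims in the question, while a non-empty list pinpoints exactly which pushed route collides with which local subnet.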