How do the big players like StrongVPN setup a PPTP VPN that works across ALL sites?

So I have a real network mystery that has haunted me for the past few years. Hopefully there’s a network guru here on Reddit who can tell me how the big boyz do this. I’m the sole IT system/network admin for a small company with offices in the US and China. I have set up several PPTP VPN servers to give Chinese users access to the US internet and also our local intranet.

I have gone from RHEL 2.0 → Ubuntu Server 10.4 → to finally an Amazon EC2 Ubuntu 12.4, and yet they all suffer from the same flaw. Many sites like Lifehacker and Gizmodo will not load when connected to my VPN. However, when I tried StrongVPN’s service, I was able to browse these troublesome sites.

How can I debug this issue? Anyone can set up their own PPTP server on EC2 to test this issue in about 5 minutes by following the instructions at:
http://www.yanxinxue.com/blog/?p=10359

BTW, this is not an MTU issue as far as I can tell. The MTU issue can be resolved either by editing the /etc/ppp/ip-up file and adding the following line:
/sbin/ifconfig $1 mtu 1400
Or by editing /etc/rc.local and adding:
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/24 -j TCPMSS --set-mss 1356

I have tried all the suggestions that I can find on the web. I have also enabled verbose logging and looked for issues in the PPTP log files all to no avail. But there must be a solution. What do the big VPN service providers do?

Also, paying for one of these big VPN providers is not ideal, since I want to give users a split tunnel to both our Intranet and the free US Internet at the same time.

The solution for this is the same as just about every networking problem: Capture traffic on both the client and server and analyze to see where packets are getting dropped.

Some sites block access to Amazon’s EC2 address range, as they are prone to abuse.

http://blog.medusis.com/dont-tell-stackoverflow-im-a-hacker-they-thin

Gizmodo may do the same.

So the problem is when satellite sites VPN to your head office they can’t entirely connect to websites but when they connect to strongVPN it is okay? If that’s the case, change the split tunnel to full tunnel and see if you notice a difference.

Do you have a Websense server at the head end, or are you null-routing any subnets on the internet? Big sites use CDNs to cache traffic, and I have seen CSS files get dropped due to accidental blackholing of CDN subnets.

So the problem is indeed the lower MTU size.

Some firewall admins block specific ICMP packets with this information.

Result: No Loading.

Have you tried setting your eth0 to a lower MTU?

Networking is not my specialty, but I could try to set up a network trace. Once I had a successful server trace and a failed PPTP client trace, I’m not sure how I would use that data to configure PPP or iptables.

Thanks for the response. Tested directly on the EC2-based server with links and I could browse the troublesome sites like io9 and Lifehacker no problem. So the EC2 address range is not the issue here.

Currently, the EC2 server is just for testing. The production PPTP server is at our colo. And both servers have this issue.

Correct. My current test server (EC2) is a full tunnel PPTP and the production server can be set up for both full and split tunnel. In all 3 cases, the troublesome websites fail to load. When I connect over StrongVPN’s PPTP server, I can browse these sites.

As I mentioned in my post, I have tried two MTU fixes. With the /etc/ppp/ip-up file, I have tried as low as 1000. I can verify the fix by doing an ifconfig on the server. It will look like this:

ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.0.1 P-t-P:192.168.0.235 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1000

The iptables hack does not change the reported MTU size, but both allow certain sites like Digg to load when they didn’t load before.

Some firewall admins block specific ICMP packets with this information.

I’m having this problem in my environment. The firenazis allow ICMP Echo but block everything else. If I can’t get Destination Unreachables back to my devices, Path MTU Discovery fails, and the net effect is silently dropped packets at the destination.

Of course, I’ve been waiting a week for a response on exactly what their policy is regarding ICMP. I’m guessing that’s because they know as soon as they provide it, I’m going to challenge it and they don’t want to deal with the hassle.
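The mechanism described in this reply, and the two MTU fixes from the original post, are easier to reason about with a model in front of you. The following is an added example, not code from the thread: a toy simulation of Path MTU Discovery across a PPTP tunnel, showing the black hole that appears when the ICMP "fragmentation needed" (type 3, code 4) messages never reach the sending host, why a small page can still load while a large CSS file does not, and why the `TCPMSS --set-mss 1356` rule from the original post sidesteps the problem entirely. Hop names, the 1400-byte tunnel MTU, the 1460-byte web-server MSS and the transfer sizes are assumptions chosen to match the numbers in the thread.

```python
# Added example, not code from the thread: a toy model of Path MTU Discovery
# (PMTUD) across a PPTP tunnel. It shows the black hole that appears when the
# ICMP "fragmentation needed" (type 3, code 4) messages are filtered, and why
# the iptables TCPMSS clamp from the original post avoids it. Hop names, MTUs
# and byte counts are assumptions chosen to match the thread's numbers.
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20


@dataclass(frozen=True)
class Hop:
    name: str
    mtu: int
    # Does an ICMP "need to frag" generated at this hop get back to the sender?
    returns_frag_needed: bool = True


def largest_payload(mtu):
    """TCP payload that fits in one unfragmented packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def clamp_syn_mss(advertised_mss, clamp):
    """Model of `iptables ... -j TCPMSS --set-mss N`: the MSS option in the
    client's SYN is lowered, so the remote server never builds bigger segments."""
    return min(advertised_mss, clamp)


def transfer(path, peer_mss, total_bytes, max_retries=3):
    """Send total_bytes with DF set, one full-MSS segment at a time, through the
    hops in `path`. Returns what the sending TCP stack would observe."""
    mss = peer_mss
    sent = icmp_seen = blackholed = retries = 0
    while sent < total_bytes and mss > 0:
        payload = min(mss, total_bytes - sent)
        packet_size = payload + IPV4_HEADER + TCP_HEADER
        bottleneck = next((hop for hop in path if packet_size > hop.mtu), None)
        if bottleneck is None:
            sent += payload          # fits everywhere: delivered
            retries = 0
            continue
        if bottleneck.returns_frag_needed:
            icmp_seen += 1           # classic PMTUD: shrink the segment and resend
            mss = largest_payload(bottleneck.mtu)
            continue
        blackholed += 1              # silently dropped; the sender only sees a timeout
        retries += 1
        if retries > max_retries:
            break
    return {
        "complete": sent == total_bytes,
        "delivered": sent,
        "final_mss": mss,
        "icmp_frag_needed": icmp_seen,
        "blackholed": blackholed,
    }


# Constructed topology: a 1500-byte internet path, then the PPTP tunnel, whose
# GRE + PPP overhead leaves an assumed 1400-byte MTU on ppp0.
INTERNET = Hop("internet", mtu=1500)
TUNNEL = Hop("ppp0", mtu=1400)
TUNNEL_ICMP_FILTERED = Hop("ppp0 behind a firewall dropping ICMP type 3", mtu=1400,
                           returns_frag_needed=False)
WEB_SERVER_MSS = 1460    # what a web server on a 1500-byte MTU link uses by default


def scenario_pmtud_works():
    return transfer([INTERNET, TUNNEL], WEB_SERVER_MSS, total_bytes=60_000)


def scenario_black_hole():
    return transfer([INTERNET, TUNNEL_ICMP_FILTERED], WEB_SERVER_MSS, total_bytes=60_000)


def scenario_small_page_loads():
    # A short reply fits under the tunnel MTU without PMTUD, so some sites "work".
    return transfer([INTERNET, TUNNEL_ICMP_FILTERED], WEB_SERVER_MSS, total_bytes=900)


def scenario_mss_clamp():
    # The thread's rule (--set-mss 1356) applied to the client's SYN.
    clamped = clamp_syn_mss(WEB_SERVER_MSS, 1356)
    return transfer([INTERNET, TUNNEL_ICMP_FILTERED], clamped, total_bytes=60_000)


if __name__ == "__main__":
    for scenario in (scenario_pmtud_works, scenario_black_hole,
                     scenario_small_page_loads, scenario_mss_clamp):
        print(f"{scenario.__name__:28s} {scenario()}")
```

The black-hole run delivers nothing and the sender only sees retransmission timeouts, which is exactly the "page hangs forever" symptom; the clamped run completes with no ICMP involved at all, which is why MSS clamping is the robust fix when you do not control the filtering between your tunnel and the remote site.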

  1. Absolutely, I’ve tried it myself many times. I have been dealing with this issue on and off since 2008. I have a VPN connection configured on my laptop and desktop.

  2. The troublesome sites like io9 don’t work in the US or China. I know PPTP is broken, and plan to switch to OpenVPN. From what I’ve read, it also suffers from the same issue.

This guy had the exact same issue as me with OpenVPN. He never got it working:

http://www.lowendtalk.com/discussion/2625

One step at a time… perform the captures, then compare the two and see where things are going wrong. At that point you’ll know exactly where the problem is and you can come up with a solution.

It’s hard to come up with a solution without first knowing where the problem is. You can guess, but it’s much easier to just take a detailed look.

In that case your next move as someone else suggested is going to be a packet capture.

You need to do this at all points along the route - client tunnel adaptor, server tunnel adaptor, and server egress.

If you have any sort of ICMP filtering on the server/client you should disable it before you run the capture.
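Once captures exist at those three points, the comparison the reply asks for is mechanical. The following is an added example, not code from the thread: it parses tcpdump-style one-line TCP and ICMP output from each capture point, indexes data segments by sender and sequence number (so NAT rewriting the destination on the PPTP server does not break the match), and reports between which two points segments vanish and how large the smallest dropped segment was. The capture lines are constructed (RFC 5737 addresses, the 192.168.0.235 client address from the ifconfig output above); the only assumption is the tcpdump line format shown in the comments.

```python
# Added example, not from the thread: compare tcpdump-style captures taken at the
# three points the reply names (server egress eth0, server tunnel ppp0, client
# tunnel adapter) and report where segments disappear. Capture lines below are
# constructed; only tcpdump's one-line TCP/ICMP output format is assumed.
import re

# e.g. "IP 203.0.113.10.80 > 198.51.100.5.50231: Flags [.], seq 201:1661, ack 1, win 65535, length 1460"
TCP_SEGMENT = re.compile(
    r"IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[[^\]]*\], seq (?P<seq>\d+):\d+.*length (?P<length>\d+)"
)
# e.g. "IP 198.51.100.5 > 203.0.113.10: ICMP 192.168.0.235 unreachable - need to frag (mtu 1400), length 36"
FRAG_NEEDED = re.compile(r"ICMP \S+ unreachable - need to frag \(mtu (?P<mtu>\d+)\)")


def parse_capture(text):
    """Index data-carrying TCP segments by (src, sport, seq). The key leaves out
    the destination on purpose: NAT on the PPTP server rewrites it between eth0
    and ppp0, while the sender's address and sequence numbers survive."""
    segments, frag_needed = {}, []
    for line in text.strip().splitlines():
        m = TCP_SEGMENT.search(line)
        if m:
            segments[(m["src"], int(m["sport"]), int(m["seq"]))] = int(m["length"])
            continue
        m = FRAG_NEEDED.search(line)
        if m:
            frag_needed.append(int(m["mtu"]))
    return {"segments": segments, "frag_needed_mtus": frag_needed}


def compare_points(captures):
    """captures: list of (point_name, text) in the order packets traverse them."""
    parsed = [(name, parse_capture(text)) for name, text in captures]
    report = {"per_point": {}, "losses": []}
    for name, cap in parsed:
        report["per_point"][name] = {
            "segments": len(cap["segments"]),
            "largest_payload": max(cap["segments"].values(), default=0),
            "frag_needed_seen": len(cap["frag_needed_mtus"]),
        }
    # Segments present at an upstream point but absent downstream were dropped between them.
    for (up_name, up), (down_name, down) in zip(parsed, parsed[1:]):
        missing = {k: v for k, v in up["segments"].items() if k not in down["segments"]}
        if missing:
            report["losses"].append({
                "between": (up_name, down_name),
                "count": len(missing),
                "smallest_dropped": min(missing.values()),
                "largest_passed": max(down["segments"].values(), default=0),
            })
    return report


def diagnose(report):
    if not report["losses"]:
        return "no segment loss between capture points"
    loss = report["losses"][0]
    up, down = loss["between"]
    return (f"first loss between {up} and {down}: {loss['count']} segment(s) of "
            f">= {loss['smallest_dropped']} bytes dropped, largest that passed "
            f"{loss['largest_passed']} bytes")


# Constructed sample: web server 203.0.113.10 replies to the VPN client, which the
# PPTP server (198.51.100.5) NATs to 192.168.0.235 on ppp0. The two 1460-byte
# segments never make it into the tunnel; the server emits "need to frag" for them.
ETH0 = """\
12:00:01.000100 IP 203.0.113.10.80 > 198.51.100.5.50231: Flags [P.], seq 1:201, ack 1, win 65535, length 200
12:00:01.000200 IP 203.0.113.10.80 > 198.51.100.5.50231: Flags [.], seq 201:1661, ack 1, win 65535, length 1460
12:00:01.000300 IP 203.0.113.10.80 > 198.51.100.5.50231: Flags [.], seq 1661:3121, ack 1, win 65535, length 1460
12:00:01.000400 IP 198.51.100.5 > 203.0.113.10: ICMP 192.168.0.235 unreachable - need to frag (mtu 1400), length 36
12:00:01.000500 IP 203.0.113.10.80 > 198.51.100.5.50231: Flags [P.], seq 3121:3421, ack 1, win 65535, length 300
"""
PPP0 = """\
12:00:01.000150 IP 203.0.113.10.80 > 192.168.0.235.50231: Flags [P.], seq 1:201, ack 1, win 65535, length 200
12:00:01.000550 IP 203.0.113.10.80 > 192.168.0.235.50231: Flags [P.], seq 3121:3421, ack 1, win 65535, length 300
"""
CLIENT = PPP0   # in this constructed case the client adapter sees exactly what left ppp0


def run_example():
    return compare_points([("server egress eth0", ETH0),
                           ("server tunnel ppp0", PPP0),
                           ("client tunnel adapter", CLIENT)])


if __name__ == "__main__":
    result = run_example()
    for point, stats in result["per_point"].items():
        print(f"{point:24s} {stats}")
    print(diagnose(result))
```

Reading the report: the loss sits between eth0 and ppp0, the largest segment that made it through carries 300 bytes and the smallest dropped carries 1460, which brackets the effective tunnel MTU; the `frag_needed_seen` count on eth0 tells you the PPTP server did send the ICMP message, so if the remote site keeps sending full-size segments anyway, the message is being filtered somewhere upstream and only MSS clamping on your own box will help.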

Are all ports allowed over the VPN? What kind of VPN device are you using at the headend?

As mentioned, did you try setting the eth0 MTU to a lower size and clearing the specific entries in /etc/ppp/ip-up and iptables?

My test PPTP server has all ports open. My production server is firewalled behind a Cisco PIX.