[SOLVED] Why my home VPN does not work at work?

[Zucca]

So I setup my home OpenVPN with pfSense, DNS is done at my Pfsense box at home and everything works as it should.

The only problem I got is when I connect using the VPN wifi at work, it connects and everything looks ok but:



Now I did some test and:

Code: [Select]

C:\Users\Zuk>nslookup google.com
Server:  pfSense.localdomain
Address:  172.27.36.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4016:800::200e
          172.217.22.206


C:\Users\Zuk>tracert google.com

Tracing route to google.com [172.217.22.206]
over a maximum of 30 hops:

  1    35 ms    15 ms    10 ms  10.180.0.1
  2    13 ms    29 ms    23 ms  1XX.XX.38.2
  3    31 ms    26 ms     7 ms  host-62-245-191-116.customer.m-online.net [62.245.191.116]
  4    15 ms    35 ms    10 ms  ae1.rt-inxs-1.m-online.net [212.18.7.63]
  5    25 ms    24 ms    16 ms  host-93-104-240-55.customer.m-online.net [93.104.240.55]
  6     8 ms     4 ms     4 ms  108.170.247.97
  7     9 ms     8 ms     5 ms  108.170.234.217
  8    21 ms    15 ms    32 ms  muc11s01-in-f14.1e100.net [172.217.22.206]

Trace complete.
So DNS is resolving at home as it should and I reach 172.217.22.206 no problem.

Can somebody explain me what is going on?

Thanks!

[greenpossum]

Are you normally allowed to reach google.com from your work browser? If not, maybe it's set up to use the work proxy which blacklists it.

[Zucca]

I should add that for the test I used my private laptop which was tested ok with an hot spot mobile.
I can google.com no problem from my Laptop, thanks greenpossum.
My OpenVPN works, only at work I have this problem.

I forgot to tell that also other www does not work not just google.

What it could be?

[Jeroen3]

What does your routing table look like?
Are you intending to create a site-to-site or will you be tunneling all traffic trough it?

Code: [Select]

route print -4Does the pfsense allow 0.0.0.0/0 traffic to go out? Does it know where to go (and back, with nat)?

[Zucca]

Just traffic tunneling not site to site.

I will run route print -4 and report back.

If it works with my hot spot I assume my pfSense is configured correctly.

[Zucca]

BTW why the route print -4 is useful? I already tracert the google.com and everything is correctly forwarded.

[Jeroen3]

Your trace doesn't look like it's going trough the vpn, there is only 1 private hop. Hence the request for the routing table, to look if your vpn profile added the route 0.0.0.0 to 10.180.0.1.

There are two NAT translations required, one for the VPN and one for your ipv4 public, both are a node on your trace iirc.

[Zucca]

Thanks Jero, it makes sense. The circle is getting smaller. I will do more test and report.

[Ranayna]

As a member of a company IT department i can give only one piece of input:

This is likely working as intended. Or rather not working as intended :p
 
You should talk to your IT department. Be careful of what you are doing while connected to a company network.

[johnkenyon]

Can you tell us about your problem, rather than describing how your solution doesn't work?

If your problem is "I want to access stuff at home" then you need to consider routing traffic destined for your home server down the VPN.

If your problem is "I want to surf the internet/bypass my employer's filters" then (IMHO) you are using the wrong solution.

At a previous employer, I addressed both issues by simply connecting to my home network using SSH which connected me to a "gateway server"
The "I want to access stuff at home" itch was scratched by forwarding ports over SSH so I could then connect using SFTP or SSH to the target machines.
The "I want to surf the internet without being tracked/with a UK rather than a <insert employers home country> IP address" itch was scratched by forwarding a local port to the proxy server on my own network. This was then enhanced by using Firefox+foxy proxy to selectively direct web traffic via my employer's proxy configuration, or my proxy server depending on the address. IE was then relegated to "Corporate tools only" use.

At no point did I consider using a VPN solution - simply too much complication, and if caught, the amount of effort expended would have made it look like I was trying to bypass security to let other people from the outside in, rather than the reality of someone (i.e. just me) "inside" the network trying to access stuff outside.

If you are trying to do something more nefarious, then asking questions on a publicly searchable forum isn't a good idea...

[Zucca]

Solved,

The problem was in the pfSense config here.
If you specifiy a Local Network the client will receive the route ONLY for those networks, NOT for the Internet.

There is an option which set the entire client traffic to be routed to the VPN, with this option on the client receive the route to redirect everything (internet included) through the OpenVPN.

Thanks everybody, expecially Jeroen3 for pointing me in the right direction.