Unable to access port 80 on any host through openVPN

I have OpenVPN configured on a laptop and on an android phone. On both devices, when I connect through OpenVPN to IPFire, I seem to be unable to access any host on port 80. Other ports (at least the ones I tried) seem to work correctly.

When I say any host, I really mean any host, not only hosts on my network but also hosts on the internet (when all traffic is directed through the VPN).

I have no idea what may cause this, as port 80 is not blocked on the firewall as far as I know. And on the internal networks (green, blue or orange) any host, internal or external, is accessible on port 80 without problem.

When I check traffic with tcpdump on IPFire and on an internal host serving an HTTP service I try accessing from OpenVPN, I see the request coming in on IPFire tun0 immediately replied to with a connection refused. On the destination host, I don’t see the incoming request, so it seems IPFire definitely blocks the request.
SSH (22), HTTPS (443), and some other ports on hosts actually serving HTTP content but on alternate ports, are all accessible without problem.

Anyone else experiencing this problem, or anyone who knows what may cause this?
I don’t find any related firewall logging.

I just tried it out on my vm system. I set the server parameter to force all traffic via the OpenVPN tunnel. I don’t have any http hosts myself but I tried to access httpforever.com which is an http only site and I was able to access it without any problem.

So as long as what I did above is what you tried then I have not been able to replicate your block of port 80.

Not sure if this the same settings I use? I have not set any server parameter for this, but only in the openVPN client where I can choose whether all traffic should go through the tunnel or only traffic directed to ip ranges in the remote network.
When I choose to let all traffic go through the tunnel, I can’t access any host on the internet or vpn network on port 80.
When I choose to only direct traffic to the remote network through the tunnel, of course internet hosts work on port 80 as it won’t go through the tunnel, but hosts on the vpn network are still inaccessible on port 80.

I did notice a few core updates ago that it suddenly did work, until the next core update. (I think 182 if I recall correctly, but it could also be 181 or 183 :-))

Ah, the client I was trying it with (Network Manager with the OpenVPN plugin) does not have any parameter to force using the openvpn tunnel.

Sorry.

EDIT:
I might be able to do that with my OpenVPN for Android app. I seem to remember that I can tell it to force everything via the tunnel.
I will try and test that later today or tomorrow.

I’m using the OpenVPN for Android app from F-Droid store and in the Routing tab I have “Use default route (pass all traffic over VPN)” disabled.
When I enable that option, I can reach httpforever.com. If I disable it, I can’t. (seems the option does the reverse of what I expected :-))

On my laptop I use the default Gnome VPN settings (on opensuse leap 15.5) to configure OpenVPN (I assume this is also Network Manager) where I have an option in the IPv4 tab under the heading “Routes”: “Only use this connection for sources on the remote network” (loosely translated from dutch) which is unchecked, so that all traffic effectively goes through the tunnel. And here, when checked I effectively can access internet hosts on port 80, while unchecked, I can’t.

I tried grepping for “80” and “http” on the output of iptables -L of IPFire, but I only find a rule allowing incoming on red port 80 to be NATed to a server in Orange. And nothing more.

EDIT: I previously stated the OpenVPN for Android option didn’t have an effect, but it actually does work, only in reverse to what I expected from it, causing confusion :-)

I had missed that button “Routes”

I checked on my laptop Network Manager connection that I had used and the checkbox was at its default unchecked mode. Not surprising as I didn’t know the option was there.

I am pretty sure that when I tested out the connection with the server without the Redirect-Gateway def1 option that I was also able to access httpforever.com

I will test again to confirm the above result with my laptop and also with my mobile.

Do you have any firewall rules manually defined in firewall.local?

I could kick myself on the head… This is what I found in firewall.local:

# Force OpenVPN Client HTTP traffic through proxy server
iptables -t nat -A CUSTOMPREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:801

Even with a nice comment stating my problem :-) This is probably some leftover from years ago where I tried forcing all http traffic through the proxy… Completely forgot about it…
After removing that rule, it just works…
Many thanks for the pointer!
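The rule above lived in the nat table, which is why grepping `iptables -L` (filter table only) never showed it. The following is an added example, not from this thread or from IPFire, that scans an `iptables-save -t nat` dump for rules that match on the VPN interface and jump to DNAT or REDIRECT; the dump embedded here is constructed and mirrors the rule found in firewall.local. With `--live` (an option introduced only for this example) it reads the real nat table instead, which needs root on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: find nat-table rules that silently
# re-route traffic arriving on the OpenVPN interface (tun0 by default).
# SAMPLE_NAT_DUMP is a constructed iptables-save fragment for offline use.

SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:CUSTOMPREROUTING - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A CUSTOMPREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:801
-A CUSTOMPREROUTING -i red0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.10:80
-A POSTROUTING -o red0 -j MASQUERADE
COMMIT'

# Print every rule from stdin that matches the given ingress interface and
# jumps to DNAT or REDIRECT, the two targets that rewrite the destination
# before the filter table ever sees the packet.
find_vpn_nat_rules() {
    iface="$1"
    awk -v iface="$iface" '
        /^-A / && ($0 ~ ("-i " iface "( |$)")) && /-j (DNAT|REDIRECT)/ { print }
    '
}

# Succeed only when the constructed dump has no such rule for the interface.
vpn_nat_is_clean() {
    [ -z "$(printf '%s\n' "$SAMPLE_NAT_DUMP" | find_vpn_nat_rules "$1")" ]
}

if [ "${1:-}" = "--live" ]; then
    # Real check on the firewall: iptables-save -t nat exists on IPFire,
    # but the --live flag is this example's own convention.
    iptables-save -t nat | find_vpn_nat_rules "${2:-tun0}"
else
    printf '%s\n' "$SAMPLE_NAT_DUMP" | find_vpn_nat_rules tun0
fi
```

Run without arguments it prints the one tun0 DNAT rule from the constructed dump and ignores the red0 port-forward, which is a legitimate inbound NAT rather than a rewrite of VPN-client traffic.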


These things happen.

Glad you got it sorted.
