Internet is not working when VPN is connected

User avatar
XFNeo
Posts: 90
Joined: 10 Oct 2022, 23:18
Russia

Post by XFNeo »

Hi, I have 2 problems with OpenVPN server:

1) I have enabled "Allow clients to access the local area network where the server is located" on the latest version 2.0.49 and I can't connect to any hosts in the TNAS local network, e.g. the TOS UI via local address https://192.168.1.10:5443 does not work, but it works via https://172.10.11.1:5443

2) After updating TOS to 5.1.67 and updating Docker Manager to 1.2.6, my OpenVPN does not work properly: when I connect to it, the internet is not working at all, but I can open the TOS UI using IP 172.10.11.1. I have tried on PC, mobile and laptop.

ping 8.8.8.8 -t

Exchange of packets from 8.8.8.8 to 32 bytes of data:
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=65ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
#####Connecting to VPN#####
PING: transmission failed. General failure.
PING: transmission failed. General failure.
PING: transmission failed. General failure.
#####VPN is connected#####
Timed out request.
Timed out request.
Timed out request.
Timed out request.
Timed out request.
Timed out request.
Timed out request.
Timed out request.
#####VPN is disconnected#####
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60
Reply from 8.8.8.8: number of bytes=32 time=49ms TTL=60

TNAS:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 veth35f58bf
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 vethbacadd4
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 veth802eeac
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 veth659055e
172.10.11.0     172.10.11.2     255.255.255.0   UG    0      0        0 tun0
172.10.11.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-8b137c1fd954
172.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-d295c66d1d24
172.21.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-12a9da5f24a5
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

PC with connected VPN:

#route print
IPv4 route table
===========================================================================
Active routes:
Network address Network mask Gateway address Interface Metrics
          0.0.0.0          0.0.0.0     192.168.31.1   192.168.31.122     25
          0.0.0.0        128.0.0.0      172.10.11.5      172.10.11.6    257
  119.229.119.120  255.255.255.255     192.168.31.1   192.168.31.122    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0      172.10.11.5      172.10.11.6    257
      172.10.11.0    255.255.255.0      172.10.11.5      172.10.11.6    257
      172.10.11.4  255.255.255.252         On-link       172.10.11.6    257
      172.10.11.6  255.255.255.255         On-link       172.10.11.6    257
      172.10.11.7  255.255.255.255         On-link       172.10.11.6    257
     192.168.31.0    255.255.255.0         On-link    192.168.31.122    281
   192.168.31.122  255.255.255.255         On-link    192.168.31.122    281
   192.168.31.255  255.255.255.255         On-link    192.168.31.122    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       172.10.11.6    257
        224.0.0.0        240.0.0.0         On-link    192.168.31.122    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       172.10.11.6    257
  255.255.255.255  255.255.255.255         On-link    192.168.31.122    281
===========================================================================
Regular routes:
   Absent
#tracert 8.8.8.8

Trace route to dns.google [8.8.8.8]
with a maximum number of hops of 30:

   1 45 ms 45 ms 45 ms 172.10.11.1
   2 * * * Request timeout exceeded.
   3 * * * Request timeout exceeded.
   4 * * * Request timeout exceeded.
   5 * * * Request timeout exceeded.
.....
   30 * * * Request timeout exceeded.
Tracing is complete.

I deleted VPN Server, rebooted the NAS and installed it again. It did not help.
The same issue.
But the veth* interfaces have disappeared.

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
172.10.11.0     172.10.11.2     255.255.255.0   UG    0      0        0 tun0
172.10.11.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-8b137c1fd954
172.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-d295c66d1d24
172.21.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-12a9da5f24a5
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Re: Internet is not working when VPN is connected

Post by XFNeo »

I have found the root cause of the broken VPN: it is DDoS protection. When I disabled it, the internet started working with the VPN.
But the most interesting thing is that the FORWARD chain policy changed from DROP to ACCEPT when I disabled DDoS protection.

Chain FORWARD (policy DROP)
Chain FORWARD (policy ACCEPT)

Before:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DOS_PROTECT  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
...

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOS_PROTECT (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10000/sec burst 100
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10000/sec burst 100
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN

After:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DOS_PROTECT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
...

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOS_PROTECT (1 references)
target     prot opt source               destination
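A practitioner's note with an added example (not from the thread and not TerraMaster code): iptables -L without -v hides the -i/-o interface matches, which is why the repeated "ACCEPT all anywhere anywhere" lines above cannot be read; iptables -S prints them in full. The Python below evaluates a constructed iptables -S dump modelled on the FORWARD chain in this thread and shows that a VPN client's packet falls through to the DROP policy, and that two explicit tun0/eth0 rules let the VPN traffic through while keeping the DROP policy, instead of flipping the whole chain to ACCEPT as the DDoS toggle does. Interface names, the LAN client address and the rule set are assumptions.

```python
from ipaddress import ip_address, ip_network

def parse(dump):  # `iptables -S` text -> ({chain: policy}, {chain: [rule tokens, ...]})
    policies, chains = {}, {}
    for tok in (line.split() for line in dump.splitlines()):
        if tok and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains

def matches(rule, pkt):  # options before -j: -i/-o/-p, -s/-d, conntrack state; rest skipped
    opts = rule[:rule.index("-j")]
    for opt, val in zip(opts[::2], opts[1::2]):
        if opt in ("-i", "-o", "-p") and pkt[opt] != val:
            return False
        if opt in ("-s", "-d") and ip_address(pkt[opt]) not in ip_network(val, strict=False):
            return False
        if opt == "--ctstate" and pkt["state"] not in val.split(","):
            return False
    return True

def verdict(chain, pkt, policies, chains):  # first terminating target wins, else chain policy
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule[rule.index("-j") + 1]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            break
        sub = verdict(target, pkt, policies, chains)  # jump into a user-defined chain
        if sub:
            return sub
    return policies.get(chain)  # None when a user chain falls through or RETURNs

def check(dump, pkt):
    return verdict("FORWARD", pkt, *parse(dump))

# Constructed dump modelled on the thread's "before" state: FORWARD DROP plus Docker hooks
BEFORE = """-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
"""
# Narrow fix (interface names assumed): keep DROP, allow only tun0 -> eth0 and its replies
NARROW = BEFORE + ("-A FORWARD -i tun0 -o eth0 -j ACCEPT\n"
                   "-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n")
VPN_OUT = {"-i": "tun0", "-o": "eth0", "-p": "icmp", "-s": "172.10.11.6", "-d": "8.8.8.8", "state": "NEW"}
LAN_IN = {"-i": "eth0", "-o": "tun0", "-p": "tcp", "-s": "192.168.1.50", "-d": "172.10.11.6", "state": "NEW"}
```

The same evaluator also shows that the toggle-style fix (FORWARD policy ACCEPT) would forward new connections from the LAN into the VPN subnet, which the narrow rules still drop.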

Re: Internet is not working when VPN is connected

Post by XFNeo »

Any updates?

Re: Internet is not working when VPN is connected

Post by XFNeo »

On every TNAS reboot the DROP policy returns and I need to switch DDoS protection on/off to update iptables!
from Chain FORWARD (policy DROP) to Chain FORWARD (policy ACCEPT)
TMzethar
TerraMaster Team
Posts: 1226
Joined: 27 Oct 2020, 16:43

Re: Internet is not working when VPN is connected

Post by TMzethar »

May I ask if your VPN is now able to connect normally?
Do you mean that the switch of the DDOS option may affect Firewall?
To contact our team, please send email to following addresses, remember to replace (at) with @:
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)

Re: Internet is not working when VPN is connected

Post by XFNeo »

TMzethar wrote: 17 Oct 2023, 20:12
May I ask if your VPN is now able to connect normally?
Do you mean that the switch of the DDOS option may affect Firewall?

Yes, now it works normally with the "Chain FORWARD (policy ACCEPT)" rule in iptables.
After rebooting the TNAS, in iptables I see Chain FORWARD (policy DROP).
I go to DDoS protection in the TNAS UI and turn it on; it adds its own rules and also changes "Chain FORWARD (policy DROP)" to "Chain FORWARD (policy ACCEPT)".
I have no idea who sets "Chain FORWARD (policy DROP)".