Connecting to VPN prevents access to normal web sites

I have Ubuntu 10.04 installed with OpenVPN, and when I connect to a VPN, HTTP access to non-VPN sites stops working until I close the VPN connection. To be more specific, both Chrome and Firefox stop being able to load sites like google.com. Sites on my company's intranet are accessible, as well as pages from localhost.

I have asked the Ubuntu gurus at my company, and they can't fix the problem. I have no proxies set up, and the VPN connection uses Automatic VPN with no routes.


Solution 1:

I recently had this same problem.

First question is: Can you ping the sites? Second question: If you can, what packet size can you ping up to? (e.g. "ping -s 1300 www.google.com")

For me it was to do with the MTU and the fact that the VPN was not correctly detecting the MTU size and at the same time not allowing fragmentation.

Network Manager in 10.04 has these values hard-coded.

I found a bug about it; it has a patch, but I don't think it's going to be in 10.04:

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/112248

I manually compiled Network Manager, set the VPN MTU to 1300 and the MSS bit on, and the whole thing worked again.
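The two probes this answer suggests (can you ping, and up to what packet size) can be turned into a small script. The following is an added example, not code from the answer above: it binary-searches the largest ICMP payload that reaches a host with the Don't Fragment bit set, converts it to a path MTU, and prints OpenVPN client directives derived from it. It assumes Linux iputils ping (where -M do sets DF and -s sets the payload size), IPv4 (28 bytes of IP+ICMP header), and a conservative 100-byte allowance for OpenVPN's own encapsulation overhead; the host name is a placeholder.

```shell
# Added example (not from the original answer).
# Assumes Linux iputils ping: -M do sets the DF bit, -s sets the ICMP payload size.

IP_ICMP_OVERHEAD=28      # 20-byte IPv4 header + 8-byte ICMP header
OPENVPN_ALLOWANCE=100    # assumed headroom for OpenVPN's encrypt/HMAC/UDP framing

# ping_probe HOST PAYLOAD_BYTES
# Returns 0 when one DF-marked ping of PAYLOAD_BYTES reaches HOST unfragmented.
ping_probe() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [PROBE]
# PROBE is a function name taking (host, payload_bytes); defaults to ping_probe.
# Prints the path MTU in bytes (largest passing payload + 28).
# Returns 1 and prints nothing if even a zero-byte payload fails (host unreachable).
find_path_mtu() {
    host=$1
    probe=${2:-ping_probe}
    lo=0
    hi=1473            # 1501 - 28: one byte above a standard Ethernet MTU
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    [ "$best" -ge 0 ] || return 1
    echo $(( best + IP_ICMP_OVERHEAD ))
}

# openvpn_mtu_lines PATH_MTU
# Prints client-config directives sized so that encapsulated packets fit the
# path: tun-mtu is the tunnel interface MTU, mssfix clamps TCP MSS inside the
# tunnel so segments do not need fragmentation after encapsulation.
openvpn_mtu_lines() {
    inner=$(( $1 - OPENVPN_ALLOWANCE ))
    echo "tun-mtu $inner"
    echo "mssfix $inner"
}

# Usage: run against the VPN server's public address before connecting.
#   mtu=$(find_path_mtu vpn.example.com) && openvpn_mtu_lines "$mtu"
```

Probe the VPN server's public address from the physical interface, not a site through the tunnel, so the result describes the path the encapsulated UDP packets actually take. A path MTU of 1400 yields tun-mtu 1300 and mssfix 1300, the values the answer arrived at by hand.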

Solution 2:

As mentioned before, this seems to be a routing issue. I know that some other VPN clients/servers impose a blocking mode, so that everything actually goes through the VPN. What you want is known as "Split Mode", where part of the routing goes through the virtual adapter, forwarded as encrypted, and the rest goes as usual. Since there seems to be more flexibility under Linux, you should be able (as root) to view your actual routes and change those, or change them in the configuration.

Note that some servers may be able to FORCE a routing to the server, blocking any other route. This may be based on the policy and configuration of the VPN server. I use OpenVPN to access a restricted network in Ottawa for ethical hacking, and the addressing uses non-routable addresses, so the routing is for a specific netmask only. Once I am connected, I can still connect to gmail.com to retrieve my email, while having access to the protected network.

One of the reasons to do this on a VPN is that some organizations do not want to have split connections, to avoid information leaks that could happen should you have a trojan that could spy on you.
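This answer says to look at the routes as root and change them, or change the configuration. As an added example (not code from the answer, and not the questioner's actual routing table), the script below classifies an `ip route show` listing as full-tunnel or split-tunnel, prints the commands that would undo a pushed default route, and shows the OpenVPN client directives that make the split persistent. The sample routing table is constructed; the interface name tun0, the gateway 10.8.0.5 and the corporate range 10.8.0.0/24 are assumptions. The 0.0.0.0/1 plus 128.0.0.0/1 pair is how OpenVPN's "redirect-gateway def1" overrides the default route without deleting it.

```shell
# Added example (not from the original answer). tun0, 10.8.0.5 and
# 10.8.0.0/24 are assumed values; the routing table below is constructed.

# Constructed sample of `ip route show` on a client whose server pushed
# redirect-gateway def1: two /1 routes via tun0 shadow the real default route.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto static
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# vpn_mode ROUTES TUNDEV
# Prints "full-tunnel" when the default route, or the 0.0.0.0/1 + 128.0.0.0/1
# pair OpenVPN uses, points at TUNDEV; otherwise "split-tunnel".
vpn_mode() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) hit = 1
        }
        END { print (hit ? "full-tunnel" : "split-tunnel") }'
}

# undo_redirect_cmds ROUTES TUNDEV
# Prints one `ip route del` per catch-all route that points at TUNDEV.
# Run as root to restore the physical default gateway for the current session;
# specific networks on the tunnel (10.8.0.0/24 here) are left alone.
undo_redirect_cmds() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i+1) == dev)
                    print "ip route del " $1 " via " $3 " dev " dev
        }'
}

# split_tunnel_config
# Persistent version for the OpenVPN client config: ignore every route the
# server pushes, then add back only the network you want through the tunnel.
split_tunnel_config() {
    cat <<'EOF'
route-nopull
route 10.8.0.0 255.255.255.0
EOF
}

# Usage on a live system (as root):
#   routes=$(ip route show); vpn_mode "$routes" tun0
#   undo_redirect_cmds "$routes" tun0 | sh
```

Deleting the pushed routes only lasts until the next reconnect; the `route-nopull` plus explicit `route` lines in the client config survive reconnects. Remember that if the server operator enforces full tunnelling as policy, as the answer notes some organizations do, overriding it on the client is a policy violation rather than a fix.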