sharing internet/vpn with murus, can't access google.com over https

Murus
kainotes
Posts: 5
Joined: Tue Jan 02, 2018 6:32 pm


Post by kainotes » Wed Feb 28, 2018 9:56 pm

I am sharing my internet connection / IKEv2 VPN connection over pf via Murus static NAT. My network architecture is as follows:

internet modem ->
wired router (serving 192.168.1.1/24) ->
Mac mini (192.168.1.2) -> (en4: 192.168.2.1) ->
airport extreme (192.168.2.2) (DHCP, no NAT, serving 192.168.2.0/24)

I am sharing my internet / vpn connection via `en4` to `192.168.2.0/24`. Sharing internet works. Sharing the VPN works. I am doing DNS resolution on the router and not forwarding DNS requests through pf.


However, certain sites (namely https://google.com) will not load. Other https sites will. `ping google.com` works fine on client and server. It resolves to different IP addresses on each, although both connections are behind the same VPN and use the same DNS servers.

`curl google.com` of course yields a `301`. `curl https://google.com` works fine on the server, but `curl -v https://google.com` on the client yields the following if you wait long enough:

stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

The browser just times out. Both are running `LibreSSL 2.2.7`.

Wireshark output for the client and its preferred Google IP is pretty colorful, although unintelligible:


Strangely enough, the Safari browser seems to be using the server's Google IP and doesn't show up in this filter (this is from a `curl` request).

I have had this working in the past, and am trying again with a different router and one less layer of NAT. I can't say it's always been snarl-free, but I was definitely able to browse sites like google.com with the shared VPN connection.

It should be noted that turning off the VPN causes the shared internet connection to work just fine.

What next steps do I need to take to figure out why some `https` connections don't work, and to get this network fully functional?

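One thing worth checking, as an added example that is not from the post or from Murus itself: the symptoms described above (ping works, most sites work, but TLS handshakes to a few hosts stall until `SSL_ERROR_SYSCALL`, and everything works once the VPN is off) are the classic signature of an MTU/MSS problem on a tunnel, where the large server-side handshake packets are dropped instead of being fragmented. The ruleset below is a hand-written pf.conf fragment, not the one Murus generates; it assumes `en4` from the post as the LAN side, `ipsec0` as the IKEv2 tunnel interface (an assumption; confirm with `ifconfig` while the VPN is up), and an MSS of 1360, which should be tuned to the tunnel's measured MTU.

```pf
# Interfaces and networks from the post (ipsec0 is an assumed tunnel name).
lan_if  = "en4"
vpn_if  = "ipsec0"
lan_net = "192.168.2.0/24"

# Normalisation: reassemble fragments and clamp the TCP MSS so that
# server-side TLS records fit inside the tunnel MTU without relying
# on path MTU discovery, which ICMP filtering on the path often breaks.
# 1360 assumes roughly 40 bytes of ESP/UDP overhead on a 1400-byte tunnel;
# adjust to the largest size that passes a don't-fragment ping test.
scrub in  on $lan_if all fragment reassemble max-mss 1360
scrub out on $vpn_if all fragment reassemble max-mss 1360

# Static NAT for the shared segment, leaving through the tunnel.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Allow the shared segment in on the LAN side and out through the tunnel.
pass in  on $lan_if from $lan_net to any
pass out on $vpn_if from $lan_net to any keep state
```

To measure the usable MTU first, run from a client `ping -D -s 1372 google.com` (macOS `ping -D` sets the don't-fragment bit) and lower the size until replies arrive; the MSS to clamp is that payload size plus 28, minus 40.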