#StackBounty: #networking #macos #vpn #dns #ssl sharing internet/vpn with ipfw, can't access google.com over https

Bounty: 50

I am sharing my internet connection / IKEv2 VPN connection over pf via Murus static NAT. My network architecture is as follows:

internet modem -> 
wired router (serving 192.168.1.1/24) -> 
Mac mini (192.168.1.2) -> ((en4) 192.168.2.1  ) ->
airport extreme (192.168.2.2) (DHCP, no NAT, serving 192.168.2.0/24)

I am sharing my internet / vpn connection via en4 to 192.168.2.0/24. Sharing internet works. Sharing the VPN works. I am doing DNS resolution on the router and not forwarding DNS requests through pf.

static nat via murus

However, certain sites (namely https://google.com) will not load. Other https sites will. ping google.com works fine on client and server. It resolves to different ip addresses on each, although both connections are behind the same VPN and use the same DNS servers.

curl google.com of course yields a 301. curl https://google.com works fine on the server, but curl -v https://google.com on the client yields the following if you wait long enough:

 stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

The browser just times out. Both are running LibreSSL 2.2.7.

Wireshark output for the client and its preferred Google IP is pretty colorful, although unintelligible:

enter image description here

Strangely enough, the Safari browser seems to be using the server’s Google IP and doesn’t show up in this filter (this is from a curl request.)

I have had this working in the past, and am trying again with a different router and one less layer of NAT. I can’t say it’s always been snarl-free, but I was definitely able to browse sites like google.com with the shared VPN connection.

It should be noted that turning off the VPN causes the shared internet connection to work just fine.

What next steps do I need to take to figure out why some https connections don’t work, and to get this network fully functional?


Get this bounty!!!

Leave a Reply