I am sharing my internet connection / IKEv2 VPN connection over pf via Murus static NAT. My network architecture is as follows:
internet modem ->
wired router (serving 192.168.1.1/24) ->
Mac mini (192.168.1.2) -> ((en4) 192.168.2.1) ->
airport extreme (192.168.2.2) (DHCP, no NAT, serving 192.168.2.0/24)
I am sharing my internet / vpn connection via en4 to 192.168.2.0/24. Sharing internet works. Sharing the VPN works. I am doing DNS resolution on the router and not forwarding DNS requests through pf.
However, certain sites (namely https://google.com) will not load. Other https sites will. ping google.com works fine on client and server. It resolves to different IP addresses on each, although both connections are behind the same VPN and use the same DNS servers. curl google.com of course yields a 301. curl https://google.com works fine on the server, but curl -v https://google.com on the client yields the following if you wait long enough:
stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443
The browser just times out. Both are running LibreSSL 2.2.7.
Wireshark output for the client and its preferred Google IP is pretty colorful, although unintelligible:
Strangely enough, the Safari browser seems to be using the server's Google IP and doesn't show up in this filter (this is from a curl request).
I have had this working in the past, and am trying again with a different router and one less layer of NAT. I can't say it's always been snarl-free, but I was definitely able to browse sites like google.com with the shared VPN connection.
It should be noted that turning off the VPN causes the shared internet connection to work just fine.
What next steps do I need to take to figure out why some https connections don't work, and to get this network fully functional?
Best Answer
Selecting "Clamp MSS" in the Murus Static NAT options allows access to https://google.com (and apple.stackexchange.com)! There are still issues (can't speed test at fast.com and others) but this does provide the fix.
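Why "Clamp MSS" is the fix, and what it actually does to traffic, as an added example that is not part of the question, the answer, Murus or pf: the symptom pattern (a tiny HTTP 301 arrives, the full-size TLS handshake segments from the VPN side never do, and nothing errors until a timeout) is a path-MTU black hole. The IKEv2 tunnel lowers the usable MTU, the client's SYN still advertises the LAN MSS of 1460, the far end sends 1500-byte DF-flagged segments, and they are dropped inside the tunnel without an ICMP "fragmentation needed" message getting back. pf's max-mss (what Murus exposes as "Clamp MSS") rewrites the MSS option in every forwarded SYN so the remote side never sends a segment larger than the tunnel can carry. The Python below models that rewrite on a constructed IPv4/TCP SYN, including the TCP checksum repair, and guards against malformed option lists. The 1400-byte tunnel MTU, the clamp value derived from it, and the addresses and ports are assumptions, not values from the page.

```python
import struct

# Added example, not Murus or pf code: a userspace model of what pf's
# "max-mss" option (Murus "Clamp MSS") does to a TCP SYN crossing the NAT box.
# The 1400-byte tunnel MTU and the addresses below are assumptions.
IPPROTO_TCP, TCP_SYN = 6, 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
ASSUMED_TUNNEL_MTU = 1400
MAX_MSS = ASSUMED_TUNNEL_MTU - 40        # minus 20-byte IPv4 and 20-byte TCP headers

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed input: an IPv4/TCP SYN with DF set and a single MSS option."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4  # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                      (data_offset << 12) | TCP_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # flags 0x4000 = DF, the bit that turns an oversized segment into a silent drop
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src, dst)
    return ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:] + tcp

def _tcp_bounds(packet: bytes):
    """(ip_hdr_len, src, dst, tcp_hdr_len) for a sane IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_TCP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    thl = (packet[ihl + 12] >> 4) * 4
    if thl < 20 or len(packet) < ihl + thl:
        return None
    return ihl, packet[12:16], packet[16:20], thl

def _mss_offset(packet: bytes):
    """Absolute offset of the 2-byte MSS value in the TCP options, or None."""
    b = _tcp_bounds(packet)
    if b is None:
        return None
    i, end = b[0] + 20, b[0] + b[3]
    while i < end:
        kind = packet[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or packet[i + 1] < 2 or i + packet[i + 1] > end:
            break  # truncated or malformed option list: never read past the header
        if kind == TCPOPT_MSS and packet[i + 1] == 4:
            return i + 2
        i += packet[i + 1]
    return None

def read_mss(packet: bytes):
    off = _mss_offset(packet)
    return None if off is None else struct.unpack("!H", packet[off:off + 2])[0]

def tcp_checksum_ok(packet: bytes) -> bool:
    b = _tcp_bounds(packet)
    return b is not None and tcp_checksum(b[1], b[2], packet[b[0]:]) == 0

def clamp_mss(packet: bytes, max_mss: int = MAX_MSS) -> bytes:
    """pf max-mss in miniature: lower an over-limit MSS on a SYN and repair the
    TCP checksum; non-TCP, non-SYN and already-small packets pass untouched."""
    b = _tcp_bounds(packet)
    if b is None or not packet[b[0] + 13] & TCP_SYN:
        return packet
    ihl, src, dst, _ = b
    off = _mss_offset(packet)
    if off is None or read_mss(packet) <= max_mss:
        return packet
    seg = bytearray(packet[ihl:])
    seg[off - ihl:off - ihl + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"               # zero the checksum field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return packet[:ihl] + bytes(seg)

if __name__ == "__main__":
    syn = build_syn("192.168.2.10", "203.0.113.5", 51234, 443, 1460)
    out = clamp_mss(syn)
    print("MSS %d -> %d, checksum ok: %s" % (read_mss(syn), read_mss(out), tcp_checksum_ok(out)))
```

In pf.conf terms, the same effect comes from the scrub rule's max-mss option on the shared interface (for example, scrub on en4 all max-mss 1360, using the pre-OpenBSD-4.6 scrub syntax that macOS pf still uses; check pf.conf(5) on the Mac in question before relying on the exact form). The right clamp value is the real tunnel path MTU minus 40, which you can find from the client with macOS ping's -D (set DF) and -s (payload size) flags: the largest payload that still gets replies, plus 28 bytes of IP and ICMP headers, is the path MTU. A lower MSS also explains the remaining slowness the answer mentions: every segment now carries less payload, so throughput tests will read lower than on the unshared link.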