Internet connection does not work with Azure P2S VPN on Linux

MrFlinstone 481

Azure VPN setup and fully working, configuration allows for Azure AD authentication and using certificates for Linux users. Linux users are complaining of being unable to browse the internet when the VPN is switched on.

Appears to be some sort of configuration issue from the client side, users who use Azure AD do not report such issues. Is there a configuration setting that must be in place to allow for internet traffic to work alongside VPN traffic. VPN has a DNS forwarder in place, no issues with other users only Linux users.

KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-01-16T07:32:44.1166667+00:00
@MrFlinstone

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are facing internet issues with Linux P2S Clients using certificate authentication.

It is important to check if the DNS is failing or internet is failing once you connect to the P2S VPN Client.

After connecting to VPN, can you please do a nslookup www.google.com

And check what is the response and what is the DNS server used here?

Try doing a TCP ping to 8.8.8.8 on Port 443 and see if that works.

Was this working previously or is it a new set up?

Cheers,

Kapil
KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee

2023-01-17T04:02:47.0433333+00:00

@MrFlinstone

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil

2 answers

msrini-MSFT 9,256 Reputation points Microsoft Employee

2023-01-16T07:22:44.4833333+00:00

Hi, This happens when you route all traffic via VPN from the client. Can you do a route print and check the routing table of the client when connected to vpn gateway? If you see default route via the vpn interface, you will need to add a static route to get your internet connection on you client.
Please sign in to rate this answer.
MrFlinstone 481 Reputation points

2023-01-17T13:10:29.8133333+00:00

Please see the details below. Is there a way to stop all the traffic from being routed via the VPN, only route traffic related to specific azure resources onto the VPN. Will this be within the VPN configuration XML file ?

Please what are the options, to edit the XML file or a local configuration change from the VM ?

ip route output (without VPN)

default via 192.168.74.2 dev ens33 proto dhcp metric 100 169.254.0.0/16 dev ens33 scope link metric 1000 192.168.74.0/24 dev ens33 proto kernel scope link src 192.168.74.128 metric 100

ip route (with VPN)

default via 149.16.254.1 dev tun0 proto static metric 50 default via 192.168.74.2 dev ens33 proto dhcp metric 100 10.1.0.0/16 via 149.16.254.1 dev tun0 proto static metric 50 52.157.77.17 via 192.168.74.2 dev ens33 proto static metric 50 149.16.254.0/24 dev tun0 proto kernel scope link src 149.16.254.2 metric 50 169.254.0.0/16 dev ens33 scope link metric 1000 192.168.74.0/24 dev ens33 proto kernel scope link src 192.168.74.128 metric 100 192.168.74.2 dev ens33 proto static scope link metric 50
Sign in to comment
Bas Pruijn 946 Reputation points

2023-01-17T14:56:05.8566667+00:00

I see in your previous answers you are using the 149.16.254.0/24 network as a range for your P2S addresses. This should not be done, unless you own that range of IP addresses. You should use a subset of the RFC1918 range address ([https://netbeez.net/blog/rfc1918/).

Furthermore I see the metric of the VPN connection is lower than the metric of the internet connection. This routes all traffic via the VPN. Therefor it seems logical that no internet traffic is possible anymore.
Please sign in to rate this answer.
MrFlinstone 481 Reputation points

2023-01-17T16:30:40.9233333+00:00

How can the metric be raised to resolve the issue. Secondly, even if traffic is being routed via the VPN, there are VPN DNS forwarders configured in Azure, can these not still work or are the DNS forwarders a red herring ?
Sign in to comment