Solved Can't access forums.freebsd.org over VPN

I am using Surfshark as my VPN provider and strangely I can not access for FreeBSD Forums when the VPN is active:
  • Error message in (ungoogled-)Chromium: ERR_TUNNEL_CONNECTION_FAILED
  • Error message in Firefox: PR_END_OF_FILE_ERROR
  • Error message in Bromite (Android): ERR_CONNECTION_CLOSED
Everything else is working, as well as the freebsd.org main site.

Any idea what could be the reason for this?
 
Well, that's odd, I've just signed up at Surfshark and the problem with accessing the forum is the only problem so far. I'll send them a support request then.
 
Strange, I'm experiencing a similar issue.

If I use GoldenFrog vpn, this site works. If I use NordVPN however, this site does not work:

curl -vvvv https://forums.freebsd.org
* Trying 204.109.59.195...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443

Although "everything else" seems to work correctly with this NordVPN connection I have not used them for long enough to say so with confidence neither have I done extensive debugging yet.
 
Indeed the same error here:

Code:
$ curl -vvvv https://forums.freebsd.org
*   Trying 204.109.59.195:443...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443

Even more strange, this only happens when trying to access the forums while connected to a certain Surfshark VPN node (the one in my country), but not when going through another of their nodes (tested successfully with their USA/NY node).

I have sent a support request to Surfshark by email and I also consulted their online chat, during which the guy on the other end tested it with his Android mobile phone and could not replicate the issue.

I have tested it here with my laptop (currently running Arch Linux using the Gnome Network Manager and Surfshark's OpenVPN config file) and my Android mobile phone (with the Surfshark app) and the problem is 100% reproducible on both devices.

So what's the guess now? A problem with the VPN node or with the website?
 
Can you PM me the IP address you have from the VPN node? There's a possibility the IP has been blocked due to earlier abuse. Not related to you specifically but the address may have been a source of abuse in the past.

Also see if you can connect to the 'plain' HTTP site, it could be specific to SSL.
 
Can you PM me the IP address you have from the VPN node? There's a possibility the IP has been blocked due to earlier abuse. Not related to you specifically but the address may have been a source of abuse in the past.

Also see if you can connect to the 'plain' HTTP site, it could be specific to SSL.

Code:
$ curl -vvvv http://forums.freebsd.org
*   Trying 204.109.59.195:80...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 80 (#0)
> GET / HTTP/1.1
> Host: forums.freebsd.org
> User-Agent: curl/7.67.0
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host forums.freebsd.org left intact
curl: (52) Empty reply from server

I'll send you the IP details by PM.
 
If HTTP works but HTTPS does not it will be unlikely the IP address is blocked. When we ban IPs everything would be blocked. But from your output it's clear that plain HTTP works.
 
If HTTP works but HTTPS does not it will be unlikely the IP address is blocked. When we ban IPs everything would be blocked. But from your output it's clear that plain HTTP works.
I'm sorry, I overlooked that for the plain HTTP test the VPN was switched off. I just tried again and can confirm that it does not work with plain HTTP either (I have corrected the output in my previous posting).

So this must indeed be a blockage at the web server then?
 
Very well, hopefully this issue can be resolved, because right now I always have to disable the VPN for checking the forum.
 
There seem to be two /24 ranges involved and they both appear on a blacklist. I don't know why they're on that list though, I don't maintain it. But that's definitely the reason why it's not working for you.
 
There seem to be two /24 ranges involved and they both appear on a blacklist. I don't know why they're on that list though, I don't maintain it. But that's definitely the reason why it's not working for you.
Whatever the reason, it wasn't me (on one hand I'm using Shurfshark VPN for less than a week now, on the other hand I'm not doing anything here that could result in a blockage).

Can you request the removal of that blockage? Whatever happened in the past, there should be no reason for blocking VPN nodes now.

As fuxjezz mentioned, his test with NordVPN showed the same problem, so there may be more in need to be cleaned up at the used web server.
 
Like I said, I don't maintain that list and there may be a very good reason why those addresses are on there. You may not have any nefarious intent but you don't know all the other users (or abusers) of that VPN service.
 
Can you provide the details which blacklist that is? I can then try to contact the maintainer or at least give that details to Surfshark.
 
It's not a "public" service, it's on one of our own maintained lists.
 
Very well, 1st time I can access the forums with active VPN writing this message now. :)

I just checked again, already delisted at all.s5h.net but not on dnsbl.spfbl.net (but it's not flagged there for certain abuse, but becaues the rDNS entries are missing for the used IP range).

As always, one learns something new all the time, I didn't think of possible problems with blacklisted VPN IP addresses.
 
Very well, 1st time I can access the forums with active VPN writing this message now.
Yes, the ranges have been removed from the blacklist. But as rigoletto@ already noted, it's quite possible they may be added again in the future due to other users abusing that VPN service. There are a lot of legitimate reasons to use a VPN service but unfortunately those same reasons also make them very attractive for spammers and other abusers.
 
Just to follow up: the ipv4 address assigned to me by my VPN provider seems to have been in one of the blocks that were removed from "the list". I don't have issues accessing this site through the specific tunnel anymore.
 
Back
Top