Solved Can't access forums.freebsd.org over VPN

MasterOne

Active Member

Reaction score: 36
Messages: 230

I am using Surfshark as my VPN provider and strangely I cannot access the FreeBSD Forums when the VPN is active:
  • Error message in (ungoogled-)Chromium: ERR_TUNNEL_CONNECTION_FAILED
  • Error message in Firefox: PR_END_OF_FILE_ERROR
  • Error message in Bromite (Android): ERR_CONNECTION_CLOSED
Everything else is working, as well as the freebsd.org main site.

Any idea what could be the reason for this?
 

rigoletto@

Daemon
Developer

Reaction score: 1,313
Messages: 2,334

I suppose this is a Surfshark issue, I just accessed these forums behind ProtonVPN.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

Well, that's odd, I've just signed up at Surfshark and the problem with accessing the forum is the only problem so far. I'll send them a support request then.
 

fuxjezz

New Member


Messages: 7

Strange, I'm experiencing a similar issue.

If I use GoldenFrog VPN, this site works. If I use NordVPN however, this site does not work:

curl -vvvv https://forums.freebsd.org
* Trying 204.109.59.195...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443

Although "everything else" seems to work correctly with this NordVPN connection, I have not used them for long enough to say so with confidence, nor have I done extensive debugging yet.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

Indeed the same error here:

Code:
$ curl -vvvv https://forums.freebsd.org
*   Trying 204.109.59.195:443...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to forums.freebsd.org:443

Even more strange, this only happens when trying to access the forums while connected to a certain Surfshark VPN node (the one in my country), but not when going through another of their nodes (tested successfully with their USA/NY node).

I have sent a support request to Surfshark by email and I also consulted their online chat, during which the guy on the other end tested it with his Android mobile phone and could not replicate the issue.

I have tested it here with my laptop (currently running Arch Linux using the Gnome Network Manager and Surfshark's OpenVPN config file) and my Android mobile phone (with the Surfshark app) and the problem is 100% reproducible on both devices.

So what's the guess now? A problem with the VPN node or with the website?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

Can you PM me the IP address you have from the VPN node? There's a possibility the IP has been blocked due to earlier abuse. Not related to you specifically but the address may have been a source of abuse in the past.

Also see if you can connect to the 'plain' HTTP site, it could be specific to SSL.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

> Can you PM me the IP address you have from the VPN node? There's a possibility the IP has been blocked due to earlier abuse. Not related to you specifically but the address may have been a source of abuse in the past.
>
> Also see if you can connect to the 'plain' HTTP site, it could be specific to SSL.

Code:
$ curl -vvvv http://forums.freebsd.org
*   Trying 204.109.59.195:80...
* TCP_NODELAY set
* Connected to forums.freebsd.org (204.109.59.195) port 80 (#0)
> GET / HTTP/1.1
> Host: forums.freebsd.org
> User-Agent: curl/7.67.0
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host forums.freebsd.org left intact
curl: (52) Empty reply from server

I'll send you the IP details by PM.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

If HTTP works but HTTPS does not it will be unlikely the IP address is blocked. When we ban IPs everything would be blocked. But from your output it's clear that plain HTTP works.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

> If HTTP works but HTTPS does not it will be unlikely the IP address is blocked. When we ban IPs everything would be blocked. But from your output it's clear that plain HTTP works.

I'm sorry, I overlooked that for the plain HTTP test the VPN was switched off. I just tried again and can confirm that it does not work with plain HTTP either (I have corrected the output in my previous posting).

So this must indeed be a blockage at the web server then?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

> So this must indeed be a blockage at the web server then?

It's certainly a possibility, I need to check it so we can rule it out as a possible cause.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

Very well, hopefully this issue can be resolved, because right now I always have to disable the VPN for checking the forum.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

There seem to be two /24 ranges involved and they both appear on a blacklist. I don't know why they're on that list though, I don't maintain it. But that's definitely the reason why it's not working for you.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

> There seem to be two /24 ranges involved and they both appear on a blacklist. I don't know why they're on that list though, I don't maintain it. But that's definitely the reason why it's not working for you.

Whatever the reason, it wasn't me (on one hand I've been using Surfshark VPN for less than a week now, on the other hand I'm not doing anything here that could result in a blockage).

Can you request the removal of that blockage? Whatever happened in the past, there should be no reason for blocking VPN nodes now.

As fuxjezz mentioned, his test with NordVPN showed the same problem, so there may be more in need of cleaning up at the used web server.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

Like I said, I don't maintain that list and there may be a very good reason why those addresses are on there. You may not have any nefarious intent but you don't know all the other users (or abusers) of that VPN service.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

Can you provide the details of which blacklist that is? I can then try to contact the maintainer or at least give those details to Surfshark.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

It's not a "public" service, it's on one of our own maintained lists.
 

MasterOne

Active Member

Reaction score: 36
Messages: 230

Very well, 1st time I can access the forums with active VPN writing this message now. :)

I just checked again, already delisted at all.s5h.net but not on dnsbl.spfbl.net (but it's not flagged there for certain abuse, but because the rDNS entries are missing for the used IP range).

As always, one learns something new all the time, I didn't think of possible problems with blacklisted VPN IP addresses.
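
The kind of DNSBL lookup mentioned in the post above, as an added example that is not part of the original thread: it builds the RFC 5782 query name for an address and checks it against the two zones named in the post. The sample resolver, the `dnsbl.example` and `other.example` zones and the 192.0.2.10 address are constructed so the block runs offline.

```python
import ipaddress
import socket

# DNSBL zones named in the thread; any other zone is queried the same way.
ZONES = ("all.s5h.net", "dnsbl.spfbl.net")

def dnsbl_name(ip, zone):
    """Query name per RFC 5782: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def check(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Map each zone to its 127.x.y.z return code, None (not listed) or an error tag."""
    result = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror as exc:
            # A temporary resolver failure is not proof of "not listed".
            result[zone] = "lookup-failed" if exc.errno == socket.EAI_AGAIN else None
            continue
        # Listings answer inside 127.0.0.0/8; anything else points at a
        # resolver that rewrites NXDOMAIN, so do not count it as a listing.
        result[zone] = answer if answer.startswith("127.") else "unexpected:" + answer
    return result

# Constructed sample data (not real listings): 192.0.2.10 is a documentation
# address and dnsbl.example / other.example are hypothetical zones.
SAMPLE = {"10.2.0.192.dnsbl.example": "127.0.0.2"}

def sample_resolver(name):
    """Offline stand-in for DNS: answers from SAMPLE, otherwise NXDOMAIN."""
    if name in SAMPLE:
        return SAMPLE[name]
    raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")

if __name__ == "__main__":
    print(check("192.0.2.10", ("dnsbl.example", "other.example"), sample_resolver))
    # For a live check, pass the VPN exit address and use the default zones.
```

What a given 127.x.y.z return code means is defined by each list's operator, so look it up in that list's documentation. A privately maintained list like the one the forum uses cannot be queried this way.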
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 14,017
Messages: 40,751

> Very well, 1st time I can access the forums with active VPN writing this message now.

Yes, the ranges have been removed from the blacklist. But as rigoletto@ already noted, it's quite possible they may be added again in the future due to other users abusing that VPN service. There are a lot of legitimate reasons to use a VPN service but unfortunately those same reasons also make them very attractive for spammers and other abusers.
 

fuxjezz

New Member


Messages: 7

Just to follow up: the IPv4 address assigned to me by my VPN provider seems to have been in one of the blocks that were removed from "the list". I don't have issues accessing this site through the specific tunnel anymore.
 