Hi everyone,
I’m seeing a rather specific issue and would like to know if this is known or someone experienced similar.
The following setup:
Pritunl Zero handling a service running on localhost (accessed through 127.0.0.1)
→ There is a permitted network configured, the network is managed by pritunl vpn (OVPN)
Pritunl VPN is handling clients on the same Host as Pritunl zero is running. Accessing pritunl Zero is possible by calling the first IP of this network.
Clients connected to the VPN are receiving altered DNS records (split DNS) pointing to x.x.x.1 → The address of pritunl zero inside the VPN's network.
What we try to achieve: Mobile app and API access to services should be possible from clients connected to the VPN. If not inside the VPN, access through Browsers should still be possible, but protected through pritunl zero.
What we see:
9 out of 10 requests running through the whitelisted source are failing. Looking at curl with host-override, we see the TCP connection opening and the TLS handshake succeeding. Afterwards we don’t receive data 9 out of 10 times. The connection will pause and then timeout with (sorry, server is configured in german):
* Recv failure: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
* OpenSSL SSL_read: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt, errno 104
* Failed receiving HTTP2 data: 56(Failure when receiving data from the peer)
* Connection #0 to host xxxx.xxxx.de left intact
curl: (56) Recv failure: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
Before this failure, we see most Headers of the application received correctly. This includes specifics, as CSP and CORS, including service-specific data.
The GUI Logs of Pritunl-Zero do not show any issue. The only hint we see is through journalctl of pritunl-zero, where following line stands out:
http: TLS handshake error from xxx.xxx.xxx.xx:xxxxx: local error: tls: bad record MAC
where the IP is the source IP of the VPN Client. It looks like pritunl-zero has issues with the TLS MAC on those requests.
We are also seeing this issue if the service accessed through pritunl-zero is running on a different machine.
Any input on this topic is greatly appreciated!
Best!
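To put a number on the failure rate described above, here is an added probe script (not from the original post and not part of Pritunl): it repeats the curl call with a host override, as the poster did, classifies each curl exit code and reports the failure ratio. The hostname, the VPN-side address and the PROBE_* environment variable names are placeholders; run it once from a VPN client and once from outside the VPN to compare.

```shell
#!/usr/bin/env bash
# Probe a service behind Pritunl Zero through its VPN-side address and tally
# how often curl fails. Constructed for this thread; all names are placeholders.

# Map a curl exit code to a short label (codes from curl's documented list).
classify_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    28) echo "timeout" ;;
    35) echo "tls-handshake" ;;
    56) echo "recv-failure" ;;   # reset by peer / errno 104, as seen in the post
    *)  echo "other-$1" ;;
  esac
}

# Reads one label per line, prints "failures/total"; anything but "ok" counts as a failure.
summarize() {
  awk '{ total++; if ($0 != "ok") failed++ }
       END { printf "%d/%d\n", failed + 0, total + 0 }'
}

# HOST is the public service name, ADDR the Pritunl Zero address inside the VPN
# (the x.x.x.1 from the post). Emits one label per attempt.
run_probe() {
  local host="$1" addr="$2" count="${3:-10}" i rc
  for i in $(seq 1 "$count"); do
    # --resolve is the host override: keep SNI/Host for $host, connect to $addr.
    curl -sS -o /dev/null --max-time 15 \
      --resolve "${host}:443:${addr}" "https://${host}/" >/dev/null 2>&1
    rc=$?
    classify_curl_exit "$rc"
  done
}

# Only runs the network probe when the placeholders are supplied, e.g.
#   PROBE_HOST=xxxx.xxxx.de PROBE_ADDR=10.8.0.1 PROBE_COUNT=20 ./probe.sh
if [ -n "${PROBE_HOST:-}" ] && [ -n "${PROBE_ADDR:-}" ]; then
  labels=$(run_probe "$PROBE_HOST" "$PROBE_ADDR" "${PROBE_COUNT:-10}")
  printf '%s\n' "$labels" | sort | uniq -c        # breakdown per outcome
  printf 'failed: %s\n' "$(printf '%s\n' "$labels" | summarize)"
fi
```

A high share of recv-failure results lines up with the "bad record MAC" journal entries; a high share of tls-handshake results would point at the handshake itself instead.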