OpenVPN and routing/iptables


Solution 1

I see several issues with your server.conf:

  • "dev tun" should be "dev tun0". If you don't specify the exact device by providing a number on the end, OpenVPN will create one dynamically.
  • You have the topology setting commented out with a semicolon. It's required.
  • You have the DNS setting for the clients commented out with a semicolon; anything starting with "push" is a setting for the clients.

Not an issue, but in your client.conf, "pull" is redundant with "client" specified. The client/pull options enable the VPN server to push settings to it. See their man page for more details.
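As an added example that is not code from the question or either answer, the following Python reads the server.conf posted in the question (embedded below as a constructed copy) the way the answer above does: it separates directives commented out with ";" or "#" from active ones, expands each push directive into the option a client actually receives, and checks whether a pushed DNS address is one the server's resolver listens on, using the listen-on list from the question's Bind9 options. The function names, the result keys and the "fixed" variant (DNS push enabled and pointed at the LAN address, as Solution 2 proposes) are my own.

```python
import ipaddress
import shlex

# Constructed copy of the relevant part of the question's server.conf.
# The redacted WAN address is kept as the poster's literal placeholder.
SERVER_CONF = """\
local 77.xxx.xxx.xxx
port 1194
proto tcp
dev tun
;topology subnet
server 10.0.2.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
push "redirect-gateway def1"
;push "dhcp-option DNS 10.0.2.1"
client-to-client
keepalive 10 120
"""

# Same config with the DNS push enabled and pointed at the LAN address
# (what Solution 2 suggests). Assumed variant, not from the question.
FIXED_CONF = SERVER_CONF.replace(
    ';push "dhcp-option DNS 10.0.2.1"', 'push "dhcp-option DNS 10.0.1.1"'
)

# Addresses in the listen-on { ... } of the question's Bind9 options.
BIND_LISTEN_ON = {"127.0.0.1", "10.0.1.1", "10.0.2.1"}


def parse_openvpn(text):
    """Split a config into (active, commented) directive token lists.

    OpenVPN treats a leading '#' or ';' as a comment, so ';topology subnet'
    is still tokenised but filed under 'commented'. shlex keeps a quoted
    push payload such as "route 10.0.1.0 255.255.255.0" as one token.
    """
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line[0] in "#;"
        body = line.lstrip("#;").strip()
        try:
            tokens = shlex.split(body)
        except ValueError:  # free-text comment containing a stray quote
            tokens = body.split()
        if tokens:
            (commented if is_comment else active).append(tokens)
    return active, commented


def pushed_options(active):
    """Expand every active push "..." directive into the client-side option."""
    return [shlex.split(d[1]) for d in active if d[0] == "push" and len(d) > 1]


def lint(conf_text, resolver_listen_on):
    """Summarise what clients are pushed and flag a pushed DNS address that
    the server's own resolver does not listen on."""
    active, commented = parse_openvpn(conf_text)
    server = next((d for d in active if d[0] == "server"), None)
    vpn_net = ipaddress.ip_network(f"{server[1]}/{server[2]}") if server else None
    pushed = pushed_options(active)
    routes = [ipaddress.ip_network(f"{p[1]}/{p[2]}")
              for p in pushed if p[0] == "route" and len(p) >= 3]
    dns = [p[2] for p in pushed
           if p[0] == "dhcp-option" and len(p) >= 3 and p[1].upper() == "DNS"]
    return {
        "vpn_net": str(vpn_net) if vpn_net else None,
        "commented_out": [" ".join(d) for d in commented],
        "pushed_routes": [str(r) for r in routes],
        "redirect_gateway": any(p[0] == "redirect-gateway" for p in pushed),
        "pushed_dns": dns,
        "dns_not_listened_on": [a for a in dns if a not in resolver_listen_on],
    }


if __name__ == "__main__":
    for label, conf in (("as posted", SERVER_CONF), ("DNS push enabled", FIXED_CONF)):
        print(label, lint(conf, BIND_LISTEN_ON))
```

Run against the config as posted, the lint shows the LAN route and redirect-gateway being pushed but an empty DNS list, with both ";topology subnet" and the DNS push listed as commented out; with the push enabled for 10.0.1.1 the address is one named listens on, so nothing is flagged.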

Solution 2

DNS should work after adding this to the client config:

dhcp-option DNS 10.0.1.1

Your server config contains a push for the DHCP DNS option; this should work if it is uncommented and not set to the OpenVPN server network. There is no DNS there unless you configure a server on it, which I do not recommend.

Your route add command does not make sense to me; OpenVPN sets up the necessary routing.

Your firewall setup seems to be OK. So if your phone can't ping the LAN (by the way, how do you ping? Which app?), a traceroute result would be great for investigating.
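To check the claim that the firewall setup is OK without a live box, this added Python (not part of the answer or the question) replays the FORWARD chain from the iptables-save dump in the question, in rule order with first-match semantics, against constructed packets: the phone pinging a LAN host, the host's reply, the phone reaching the internet, and an unsolicited connection arriving from the WAN. Only the matchers that chain actually uses are implemented (-s, -d, -i, -o, -p, --ctstate/--state and "!" negation, plus --dport); the packet fields, case names and function names are my own.

```python
import ipaddress
import shlex

# Constructed copy of the *filter table from the iptables-save dump in the
# question. Only FORWARD is replayed; the INPUT lines show other chains
# being skipped by the parser.
IPTABLES_SAVE = """\
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp -i enp4s0f1 --dport 1194 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i tun0 -o enp4s0f1 -j ACCEPT
-A FORWARD -m conntrack -d 10.0.2.0/24 -i enp4s0f1 -o tun0 --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -i tun0 -o br0 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -i br0 -o tun0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state -i enp4s0f1 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp ! -i enp4s0f1 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT
"""


def parse_rule(tokens):
    """Options after '-A CHAIN' -> (option, value, negated) matches + target.
    '!' negates the option that follows; '-m' only loads a match extension."""
    matches, target, negate, i = [], None, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok == "-j":
            target = tokens[i + 1]
        elif tok != "-m":
            matches.append((tok, tokens[i + 1], negate))
        negate, i = False, i + 2
    return {"matches": matches, "target": target}


def parse_chain(dump, chain):
    """Return (policy, rules) for one chain of an iptables-save dump."""
    policy, rules = None, []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == f":{chain}":
            policy = tokens[1]
        elif tokens[:2] == ["-A", chain]:
            rules.append(parse_rule(tokens[2:]))
    return policy, rules


def _match(option, value, pkt):
    """One matcher against a packet; unknown matchers raise, never pass."""
    if option in ("-s", "-d"):
        field = "src" if option == "-s" else "dst"
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
    if option == "-i":
        return pkt["in"] == value
    if option == "-o":
        return pkt["out"] == value
    if option == "-p":
        return pkt["proto"] == value
    if option in ("--ctstate", "--state"):
        return pkt["ctstate"] in value.split(",")
    if option == "--dport":
        return str(pkt.get("dport")) == value
    raise ValueError(f"unsupported match {option}")


def evaluate(chain_spec, pkt):
    """First rule whose matchers all hold decides (a negated matcher must be
    false); with no match the chain policy applies."""
    policy, rules = chain_spec
    for idx, rule in enumerate(rules, start=1):
        if all(_match(o, v, pkt) != neg for o, v, neg in rule["matches"]):
            return rule["target"], idx
    return policy, None


def pkt(in_if, out_if, src, dst, proto="icmp", ctstate="NEW"):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst,
            "proto": proto, "ctstate": ctstate}


FORWARD = parse_chain(IPTABLES_SAVE, "FORWARD")

# Constructed packets for the paths discussed in the question.
CASES = {
    "phone -> LAN host": pkt("tun0", "br0", "10.0.2.6", "10.0.1.10"),
    "LAN host -> phone": pkt("br0", "tun0", "10.0.1.10", "10.0.2.6"),
    "phone -> internet": pkt("tun0", "enp4s0f1", "10.0.2.6", "8.8.8.8"),
    "WAN -> phone, unsolicited": pkt("enp4s0f1", "tun0", "203.0.113.5", "10.0.2.6", "tcp"),
}


def verdicts():
    """(target, 1-based rule index or None for the chain policy) per case."""
    return {name: evaluate(FORWARD, p) for name, p in CASES.items()}


if __name__ == "__main__":
    for name, (target, idx) in verdicts().items():
        print(f"{name:28} {target:6} via {'rule %d' % idx if idx else 'chain policy'}")
```

For the phone-to-LAN case the third FORWARD rule accepts, and the reply is accepted by the fourth, so the timeout in the question is not a drop by this chain; the unsolicited WAN packet falls through to the DROP policy, which is the default-deny behaviour you want to keep. The simulator only says what netfilter does with the dumped rules; whether the LAN host answers a ping from a non-local subnet is a separate question, which is why the traceroute asked for above is useful.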


Author: Tony762

Updated on September 18, 2022

Comments

  • Tony762
    Tony762 almost 2 years

    I want to set up OpenVPN with routing on my Xubuntu server (router/gateway/share/dhcp/dns/wifi/switch... all in one).

    • WAN - enp4s0f1 - 77.xxx.xxx.xxx

    • LAN - br0 - 10.0.1.1

    • VPN - tun0 - 10.0.2.1

    I have to use TUN because the OpenVPN client is an iPhone. I want to redirect all traffic through the VPN and access all services on the server and hosts in the LAN.

    With the current setup I can access the internet and services running on the server via the iPhone. Ping from a host on the LAN to the iPhone is working.

    I can't use my DNS on the iPhone and can't access hosts on the LAN. Ping from the iPhone to a host on the LAN is not working.

    ### server.conf

    local 77.xxx.xxx.xxx
    port 1194
    proto tcp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh2048.pem
    ;topology subnet
    server 10.0.2.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    push "route 10.0.1.0 255.255.255.0"
    push "redirect-gateway def1"
    ;push "dhcp-option DNS 10.0.2.1"
    client-to-client
    keepalive 10 120
    tls-auth /etc/openvpn/ta.key 0 
    cipher AES-256-CBC
    user nobody
    group nogroup
    tun-mtu 1500
    mssfix 1450
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3    
    

    ### client.ovpn

    client
    dev tun
    proto tcp
    remote 77.xxx.xxx.xxx 1194
    cipher AES-256-CBC
    nobind
    tun-mtu 1500
    mssfix 1450
    ca ca.crt
    dh dh2048.pem
    tls-auth ta.key 1
    cert client_phone.crt
    key client_phone.key
    ns-cert-type server
    verb 3
    pull
    

    ### IPtables

    # Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
    *nat
    :POSTROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.0.2.0/24 -o enp4s0f1 -j MASQUERADE
    -A POSTROUTING -o enp4s0f1 -j MASQUERADE
    COMMIT
    # Completed on Sat Dec 29 20:47:38 2018
    # Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
    *mangle
    :PREROUTING ACCEPT [9:438]
    :INPUT ACCEPT [3:184]
    :FORWARD ACCEPT [6:254]
    :OUTPUT ACCEPT [5:632]
    :POSTROUTING ACCEPT [11:886]
    COMMIT
    # Completed on Sat Dec 29 20:47:38 2018
    # Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
    *filter
    :OUTPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    -A INPUT -p tcp -m tcp -i enp4s0f1 --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m tcp -i enp4s0f1 --dport 41 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -m state -i enp4s0f1 --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp ! -i enp4s0f1 -j ACCEPT
    -A INPUT -i tun0 -j ACCEPT
    -A FORWARD -s 10.0.2.0/24 -i tun0 -o enp4s0f1 -j ACCEPT
    -A FORWARD -m conntrack -d 10.0.2.0/24 -i enp4s0f1 -o tun0 --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -i tun0 -o br0 -j ACCEPT
    -A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -i br0 -o tun0 -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -m state -i enp4s0f1 --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p icmp ! -i enp4s0f1 -j ACCEPT
    -A FORWARD -i tun0 -j ACCEPT
    COMMIT
    # Completed on Sat Dec 29 20:47:38 2018
    

    ### sysctl.conf

    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_source_route = 1
    net.ipv4.conf.all.send_redirects = 1
    net.ipv4.conf.all.accept_redirects = 1
    

    route -n

    0.0.0.0         77.xxx.xxx.xxx     0.0.0.0         UG    100    0        0 enp4s0f1
    10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br0
    10.0.2.0        10.0.2.2        255.255.255.0   UG    0      0        0 tun0
    10.0.2.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    77.xxx.xxx.xxx     0.0.0.0         255.255.255.240 U     0      0        0 enp4s0f1
    77.xxx.xxx.xxx     0.0.0.0         255.255.255.255 UH    100    0        0 enp4s0f1
    

    When I try to add a route, my LAN stops responding.

    route add -net 10.0.2.0/24 gw 10.0.1.1
    

    Could somebody point me to what I am doing wrong? Thank you.

    Edit 1: Ping and traceroute

    Host to iPhone

    ping 10.0.2.6
    Pinging 10.0.2.6 with 32 bytes of data:
    Reply from 10.0.2.6: bytes=32 time=110ms TTL=63
    
    tracert 10.0.2.6
    Tracing route to 10.0.2.6 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  HTPC-IMON [10.0.1.1]
      2    51 ms    48 ms    54 ms  10.0.2.6
    Trace complete.
    

    iPhone (iNetTools-Comsoft.com) to server:

    PING 10.0.1.1 (10.0.1.1): 56 data bytes
    64 bytes from 10.0.1.1: icmp_seq=0 ttl=32 time=88.080
    
    Trace route 10.0.1.1 (10.0.1.1), 5 relative hops max, 52 byte packets
    1 10.0.1.1 (10.0.1.1) 97.182 ms 193.557 ms 201.693 ms
    

    iPhone to host:

    PING 10.0.1.10 (10.0.1.10): 56 data bytes
    Request timeout for icmp_seq 0
    
    traceroute to 10.0.1.10 (10.0.1.10), 5 relative hops max, 52 byte packets
    1 10.0.2.1 (10.0.2.1) 64.630 ms 127.072 ms  129.492 ms
    2 ***
    3 ***
    4 ***
    5 *
    

    Server to host

    ping 10.0.1.10
    PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
    64 bytes from 10.0.1.10: icmp_seq=1 ttl=128 time=0.308 ms
    
    inetutils-traceroute -I 10.0.1.10
    traceroute to 10.0.1.10 (10.0.1.10), 64 hops max
      1   10.0.1.10  0,251ms  0,147ms  0,251ms
    

    Edit 2: Nslookup

    Host to google.com

    Server:  UnKnown
    Address:  10.0.1.1
    
    Non-authoritative answer:
    Name:    google.com
    Addresses:  2a00:1450:4014:801::200e
              172.217.23.206
    

    iPhone to google.com (without DNS set)

    google.com                            59 IN        SOA       ns1.google.com
                                             Email:              [email protected]
                                             Serial:             227281678
                                             Refresh:            900
                                             Retry:              900
                                             Expire:             1800
                                             Minimum TTL:        60
    google.com                         21599 IN        NS        ns3.google.com
    

    iPhone (nslookup) to google.com (10.0.1.1)

    No result.

    iPhone (nslookup) to google.com (10.0.2.1)

    No result.

    Bind9

    options {
        directory "/var/cache/bind";
    
         forwarders {
            8.8.8.8;
         };
    
        dnssec-validation auto;
    
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        check-names master ignore;
        check-names slave ignore;
        check-names response ignore;
    
        listen-on { 127.0.0.1; 10.0.1.1;10.0.2.1; };
    };
    
    • T. Israel
      T. Israel over 5 years
      Your description says LAN is 10.0.1.1 - your route would add a route to VPN via LAN. --> route add gw 10.0.1.1. Why are you trying to do this?
    • Tony762
      Tony762 over 5 years
      I read many comments saying I have to set it manually.
    • T. Israel
      T. Israel over 5 years
      No - you don't.
  • Tony762
    Tony762 over 5 years
    Ping, traceroute and nslookup added to the question.
  • T. Israel
    T. Israel over 5 years
    OK - there is an issue with routing or firewall. What happens if you clear the firewall rules - for hints please look here: kerneltalks.com/virtualization/…
  • Tony762
    Tony762 over 5 years
    Cleared all rules. Allowed all traffic. Internet working only on the server; host and iPhone: no. Ping still possible only from host to iPhone.