# OpenVPN and routing/iptables

## Solution 1
I see several issues with your server.conf:
- "dev tun" should be "dev tun0". If you don't specify the exact device by providing a number on the end, OpenVPN will create one dynamically.
- You have the topology setting commented out with a semicolon. It's required.
- You have the DNS setting for the clients commented out with a semicolon; anything starting with "push" is a setting for the clients.
Not an issue, but in your client.conf, "pull" is redundant when "client" is specified. The client/pull options enable the VPN server to push settings to the client. See the man page for more details.
## Solution 2

DNS should work after adding this to the client config:

```
dhcp-option DNS 10.0.1.1
```

Your server config contains a `push "dhcp-option DNS ..."` line - this should work if it is uncommented and not set to the OpenVPN server network. There is no DNS there, unless you configure a server there, which I do not recommend.

Your route add command does not make sense to me - OpenVPN sets up the necessary routing.

Your firewall setup seems to be OK. So if your phone can't ping the LAN (by the way, how do you ping? Which app?), a traceroute result would be great to investigate.
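As an added example (not code from the question or either answer), a small POSIX shell check that tests an `iptables-save` dump for the FORWARD and NAT rules that the pushed `route 10.0.1.0 255.255.255.0` and `redirect-gateway def1` need on the gateway. The sample rules are copied from the question's dump, and the interface and subnet names (tun0, br0, enp4s0f1, 10.0.2.0/24, 10.0.1.0/24) are the question's.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: check an
# iptables-save dump for the rules an OpenVPN gateway needs when it pushes
# "route <LAN>" and "redirect-gateway def1". Names follow the question:
# tun0 = VPN (10.0.2.0/24), br0 = LAN (10.0.1.0/24), enp4s0f1 = WAN.

# Constructed sample: the relevant lines copied from the question's dump.
SAMPLE_RULES='-A POSTROUTING -s 10.0.2.0/24 -o enp4s0f1 -j MASQUERADE
-A FORWARD -s 10.0.2.0/24 -i tun0 -o enp4s0f1 -j ACCEPT
-A FORWARD -m conntrack -d 10.0.2.0/24 -i enp4s0f1 -o tun0 --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -i tun0 -o br0 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -i br0 -o tun0 -j ACCEPT'

# has_rule RULES PATTERN: succeed if one line of RULES matches PATTERN (BRE)
has_rule() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# check_lan_path RULES VPN_IF VPN_NET LAN_IF LAN_NET
# 0: VPN<->LAN forwarding accepted both ways
# 1: VPN->LAN rule missing   2: LAN->VPN return rule missing
check_lan_path() {
    rules=$1 vpn_if=$2 vpn_net=$3 lan_if=$4 lan_net=$5
    has_rule "$rules" "^-A FORWARD -s $vpn_net .*-i $vpn_if -o $lan_if -j ACCEPT" || return 1
    has_rule "$rules" "^-A FORWARD -s $lan_net .*-i $lan_if -o $vpn_if -j ACCEPT" || return 2
    return 0
}

# check_wan_path RULES VPN_IF VPN_NET WAN_IF
# redirect-gateway sends all client traffic out the WAN, so it needs a forward
# rule, a return rule for established flows, and source NAT on the WAN side.
# 0: ok   1: forward rule missing   2: return rule missing   3: MASQUERADE missing
check_wan_path() {
    rules=$1 vpn_if=$2 vpn_net=$3 wan_if=$4
    has_rule "$rules" "^-A FORWARD -s $vpn_net .*-i $vpn_if -o $wan_if -j ACCEPT" || return 1
    has_rule "$rules" "^-A FORWARD .*-i $wan_if -o $vpn_if .*ESTABLISHED -j ACCEPT" || return 2
    has_rule "$rules" "^-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE" || return 3
    return 0
}

# Stand-alone run against the sample dump: one result line per check.
for c in "check_lan_path tun0 10.0.2.0/24 br0 10.0.1.0/24" \
         "check_wan_path tun0 10.0.2.0/24 enp4s0f1"; do
    set -- $c; fn=$1; shift
    "$fn" "$SAMPLE_RULES" "$@"; rc=$?
    if [ "$rc" -eq 0 ]; then echo "$fn: ok"; else echo "$fn: missing rule (code $rc)"; fi
done
```

To run it against a live gateway, replace `SAMPLE_RULES` with `$(iptables-save)`; a non-zero code names the missing direction, and a pass (as with the question's dump) means the gateway's forward path is not what drops the ping, so the investigation moves to the LAN host itself.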
## Question

Tony762 (asked almost 2 years ago; updated on September 18, 2022)
I want to set up OpenVPN with routing on my Xubuntu server (router/gateway/share/dhcp/dns/wifi/switch... all in one).

- WAN - enp4s0f1 - 77.xxx.xxx.xxx
- LAN - br0 - 10.0.1.1
- VPN - tun0 - 10.0.2.1

I have to use tun because the OpenVPN client is an iPhone. I want to redirect all traffic through the VPN and access all services on the server and hosts in the LAN.

With the current setup I can access the internet and services running on the server from the iPhone. Ping from a host on the LAN to the iPhone is working.

I can't use my DNS on the iPhone and can't access hosts on the LAN. Ping from the iPhone to a host on the LAN is not working.
### server.conf

```
local 77.xxx.xxx.xxx
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
;topology subnet
server 10.0.2.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.0.1.0 255.255.255.0"
push "redirect-gateway def1"
;push "dhcp-option DNS 10.0.2.1"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
user nobody
group nogroup
tun-mtu 1500
mssfix 1450
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
```

### client.ovpn

```
client
dev tun
proto tcp
remote 77.xxx.xxx.xxx 1194
cipher AES-256-CBC
nobind
tun-mtu 1500
mssfix 1450
ca ca.crt
dh dh2048.pem
tls-auth ta.key 1
cert client_phone.crt
key client_phone.key
ns-cert-type server
verb 3
pull
```
### iptables

```
# Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
*nat
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -o enp4s0f1 -j MASQUERADE
COMMIT
# Completed on Sat Dec 29 20:47:38 2018
# Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
*mangle
:PREROUTING ACCEPT [9:438]
:INPUT ACCEPT [3:184]
:FORWARD ACCEPT [6:254]
:OUTPUT ACCEPT [5:632]
:POSTROUTING ACCEPT [11:886]
COMMIT
# Completed on Sat Dec 29 20:47:38 2018
# Generated by iptables-save v1.6.1 on Sat Dec 29 20:47:38 2018
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp -i enp4s0f1 --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp -i enp4s0f1 --dport 41 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m state -i enp4s0f1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp ! -i enp4s0f1 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i tun0 -o enp4s0f1 -j ACCEPT
-A FORWARD -m conntrack -d 10.0.2.0/24 -i enp4s0f1 -o tun0 --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -i tun0 -o br0 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -i br0 -o tun0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state -i enp4s0f1 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp ! -i enp4s0f1 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
COMMIT
# Completed on Sat Dec 29 20:47:38 2018
```

### sysctl.conf

```
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
```
### route -n

```
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         77.xxx.xxx.xxx  0.0.0.0         UG    100    0   0   enp4s0f1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0   0   br0
10.0.2.0        10.0.2.2        255.255.255.0   UG    0      0   0   tun0
10.0.2.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun0
77.xxx.xxx.xxx  0.0.0.0         255.255.255.240 U     0      0   0   enp4s0f1
77.xxx.xxx.xxx  0.0.0.0         255.255.255.255 UH    100    0   0   enp4s0f1
```

When I try to add a route, my LAN stops responding:

```
route add -net 10.0.2.0/24 gw 10.0.1.1
```

Could somebody point me to what I am doing wrong? Thank you.
### Edit 1: Ping and traceroute

Host to iPhone:

```
ping 10.0.2.6

Pinging 10.0.2.6 with 32 bytes of data:
Reply from 10.0.2.6: bytes=32 time=110ms TTL=63

tracert 10.0.2.6

Tracing route to 10.0.2.6 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  HTPC-IMON [10.0.1.1]
  2    51 ms    48 ms    54 ms  10.0.2.6
Trace complete.
```

iPhone (iNetTools-Comsoft.com) to server:

```
PING 10.0.1.1 (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=32 time=88.080

Trace route 10.0.1.1 (10.0.1.1), 5 relative hops max, 52 byte packets
 1  10.0.1.1 (10.0.1.1)  97.182 ms  193.557 ms  201.693 ms
```

iPhone to host:

```
PING 10.0.1.10 (10.0.1.10): 56 data bytes
Request timeout for icmp_seq 0

traceroute to 10.0.1.10 (10.0.1.10), 5 relative hops max, 52 byte packets
 1  10.0.2.1 (10.0.2.1)  64.630 ms  127.072 ms  129.492 ms
 2  * * *
 3  * * *
 4  * * *
 5  *
```

Server to host:

```
ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=128 time=0.308 ms

inetutils-traceroute -I 10.0.1.10
traceroute to 10.0.1.10 (10.0.1.10), 64 hops max
  1   10.0.1.10  0,251ms  0,147ms  0,251ms
```
### Edit 2: Nslookup

Host to google.com:

```
Server:  UnKnown
Address:  10.0.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4014:801::200e
          172.217.23.206
```

iPhone to google.com (without DNS set):

```
google.com  59     IN  SOA  ns1.google.com  Email: [email protected]  Serial: 227281678  Refresh: 900  Retry: 900  Expire: 1800  Minimum TTL: 60
google.com  21599  IN  NS   ns3.google.com
```

iPhone (NSlookup) to google.com via 10.0.1.1: no result.

iPhone (NSlookup) to google.com via 10.0.2.1: no result.

### Bind9

```
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    listen-on { 127.0.0.1; 10.0.1.1; 10.0.2.1; };
};
```
## Comments

- T. Israel (over 5 years): Your description says LAN is 10.0.1.1 - your route would add a route to VPN via LAN. --> route add gw 10.0.1.1. Why are you trying to do this?
- Tony762 (over 5 years): I read many comments saying I have to set it manually.
- T. Israel (over 5 years): No - you don't.
- Tony762 (over 5 years): Ping, trace route and NSlookup added to question.
- T. Israel (over 5 years): OK - there is an issue with routing or firewall. What happens if you clear the firewall rules - for hints please look here: kerneltalks.com/virtualization/…
- Tony762 (over 5 years): Cleared all rules. Allowed all traffic. Internet working only on server. Host and iPhone no. Ping still possible only from host to iPhone.