OpenVPN client connects to VPN server, but no internet connection
Solved
I just had to replace `dev tun` by `dev tap`.
Mercury
Updated on September 18, 2022
Mercury over 1 year
I followed this guide to set up an OpenVPN server:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
OpenVPN server is a VPS on Ubuntu-18.04-x86_64
Client is Raspberry Pi 3 B+ on Raspbian Stretch Lite
Problem: client successfully connects to server (`Initialization Sequence Completed`) but there is no internet connection.
Pinging www.google.com works.
Asking for public IP works: it outputs the server's IP.
But downloading something (e.g. using wget or apt install) doesn't work.
Edit: I tried to connect to the same server with another client (Windows 10), I get the same problem, the internet connection doesn't work. I guess the issue comes from the server (VPS) not from the client side.
server.conf
```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
```
client.ovpn
```
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
<ca>
-snip-
</ca>
<cert>
-snip-
</cert>
<key>
-snip-
</key>
<tls-auth>
-snip-
</tls-auth>
```
/etc/sysctl.conf (server)
net.ipv4.ip_forward=1
/etc/ufw/before.rules (server)
I added these lines:
```
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
```
ufw status (server)
```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
22/tcp (v6)                LIMIT IN    Anywhere (v6)
1194/udp (v6)              ALLOW IN    Anywhere (v6)
```
OpenVPN Client output during connection
```
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
VERIFY OK: depth=1, CN=Easy-RSA CA
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=server
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1624
OPTIONS IMPORT: data channel crypto options modified
Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
/sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
GID set to nogroup
UID set to nobody
Initialization Sequence Completed
```
OpenVPN Client output when I disconnect
```
event_wait : Interrupted system call (code=4)
/sbin/ip route del 10.8.0.1/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del XXX.XXX.XXX.XXX/32
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 0.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
/sbin/ip route del 128.0.0.0/1
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
/etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
Cannot write to /run/resolvconf/lock
WARNING: Failed running command (--up/--down): external program exited with error status: 1
Exiting due to fatal error
```
/etc/resolv.conf (client)
```
# Generated by resolvconf
domain home
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.168.1.1
```
Client routing table
VPN off
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
```
VPN on
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
```
mtr google.com (client)
```
    Host                          Loss%   Snt   Last    Avg   Best   Wrst  StDev
 1. 10.8.0.1                       1.6%    62   55.3  541.2   53.9  2056.  669.3
 2.                                0.0%    62   55.2  561.6   54.0  2277.  685.9
 3. 10.95.48.15                    0.0%    62   56.3  563.4   53.9  2228.  691.4
 4. 10.95.48.10                    0.0%    62   57.5  577.0   55.6  2236.  688.9
 5. be100-1258.gsw-1-a9.fr.eu      0.0%    62   65.4  567.7   63.2  2172.  671.9
 6. ???
 7. 108.170.244.193                0.0%    62   64.8  563.5   63.4  2163.  672.7
 8. 216.239.59.209                 0.0%    59   65.6  530.8   63.0  2162.  650.7
 9. par21s11-in-f4.1e100.net       0.0%    59   64.4  522.3   63.5  2093.  647.6
```
- tink over 5 years: I'm slightly confused; if you can `ping www.google.com`, what makes you say that you have no internet connection? Does traffic of the ping traverse the server, what does an `mtr www.google.com` tell you?
- Mercury over 5 years: Added `mtr google.com`. The ping goes through the server. There is some packet loss it seems. No internet connection means when I try to download a package with apt install for instance, nothing happens. Same with git clone. On Windows 10, when I use a web browser, no website opens.
- robertspierre over 3 years: Can you explain why you had to do that, and what this achieves?
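
An added example (not part of the original post or of the guide it follows): it replays the client's "VPN on" routing table with longest-prefix matching to show which destinations `redirect-gateway def1` sends through tun0 and which still leave via eth0. The address 203.0.113.10 stands in for the redacted server IP, and the function names are this example's own.

```python
import ipaddress

# Constructed from the "VPN on" routing table in the question (columns trimmed).
# 203.0.113.10 is a documentation address standing in for the redacted server IP.
SERVER_IP = "203.0.113.10"
VPN_ON_TABLE = f"""
0.0.0.0      10.8.0.5     128.0.0.0        tun0
0.0.0.0      192.168.1.1  0.0.0.0          eth0
10.8.0.1     10.8.0.5     255.255.255.255  tun0
10.8.0.5     0.0.0.0      255.255.255.255  tun0
{SERVER_IP}  192.168.1.1  255.255.255.255  eth0
128.0.0.0    10.8.0.5     128.0.0.0        tun0
192.168.1.0  0.0.0.0      255.255.255.0    eth0
"""

def parse_routes(text):
    """Rows of 'dest gateway genmask iface' -> list of (network, iface)."""
    rows = (line.split() for line in text.strip().splitlines())
    return [(ipaddress.ip_network(f"{d}/{m}"), iface) for d, _gw, m, iface in rows]

def egress(routes, destination):
    """Longest-prefix match: the interface the kernel picks for a destination."""
    matches = [r for r in routes if ipaddress.ip_address(destination) in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def uncovered(network, routes):
    """Parts of `network` that no more specific route in the table claims."""
    space = [network]
    for other, _iface in routes:
        if other.prefixlen <= network.prefixlen:
            continue
        remaining = []
        for net in space:
            if other.subnet_of(net):
                remaining.extend(net.address_exclude(other))
            elif not net.subnet_of(other):
                remaining.append(net)
        space = remaining
    return space

def bypasses(routes, tunnel_iface="tun0"):
    """Networks whose traffic still leaves outside the tunnel."""
    return [net for net, iface in routes
            if iface != tunnel_iface and uncovered(net, routes)]

ROUTES = parse_routes(VPN_ON_TABLE)
if __name__ == "__main__":
    for dest in ("8.8.8.8", "216.239.59.209", SERVER_IP, "192.168.1.1"):
        print(dest, "->", egress(ROUTES, dest))
    print("outside the tunnel:", [str(n) for n in bypasses(ROUTES)])
```

The original default route via eth0 is still in the table but is fully shadowed by the two /1 routes, so only the server's /32 and the LAN /24 bypass the tunnel. That LAN route includes 192.168.1.1, the third nameserver in the client's `/etc/resolv.conf`, so queries sent to it do not enter the tunnel.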