OpenVPN client connects to VPN server, but no internet connection

7,662

Solved: I just had to replace dev tun with dev tap.


Author: Mercury

Updated on September 18, 2022

Comments

  • Mercury
    Mercury over 1 year

    I followed this guide to set up an OpenVPN server:

    https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

    OpenVPN server is a VPS on Ubuntu-18.04-x86_64

    Client is Raspberry Pi 3 B+ on Raspbian Stretch Lite


    Problem: client successfully connects to server (Initialization Sequence Completed) but there is no internet connection.

    Pinging www.google.com works.

    Asking for public IP works: it outputs the server's IP.

    But downloading something (e.g. using wget or apt install) doesn't work.

    Edit: I tried to connect to the same server with another client (Windows 10) and I get the same problem: the internet connection doesn't work. I guess the issue comes from the server (VPS), not from the client side.


    server.conf

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    keepalive 10 120
    tls-auth ta.key 0 # This file is secret
    key-direction 0
    cipher AES-256-CBC
    auth SHA256
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    verb 3
    explicit-exit-notify 1
    

    client.ovpn

    client
    dev tun
    proto udp
    remote XXX.XXX.XXX.XXX 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    remote-cert-tls server
    key-direction 1
    cipher AES-256-CBC
    auth SHA256
    verb 3
    
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    
    <ca>
    -snip-
    </ca>
    <cert>
    -snip-
    </cert>
    <key>
    -snip-
    </key>
    <tls-auth>
    -snip-
    </tls-auth>
    

    /etc/sysctl.conf (server)

    net.ipv4.ip_forward=1
    

    /etc/ufw/before.rules (server)

    I added these lines:

    # START OPENVPN RULES
    # NAT table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    # Allow traffic from OpenVPN client to eth0
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # END OPENVPN RULES
    

    ufw status (server)

    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), allow (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     LIMIT IN    Anywhere
    1194/udp                   ALLOW IN    Anywhere
    22/tcp (v6)                LIMIT IN    Anywhere (v6)
    1194/udp (v6)              ALLOW IN    Anywhere (v6)
    

    OpenVPN Client output during connection

    OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
    Socket Buffers: R=[163840->163840] S=[163840->163840]
    UDP link local: (not bound)
    UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
    NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=3eb50ad7 3b03202e
    VERIFY OK: depth=1, CN=Easy-RSA CA
    Validating certificate key usage
    ++ Certificate has key usage  00a0, expects 00a0
    VERIFY KU OK
    Validating certificate extended key usage
    ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    VERIFY EKU OK
    VERIFY OK: depth=0, CN=server
    Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    [server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    OPTIONS IMPORT: peer-id set
    OPTIONS IMPORT: adjusting link_mtu to 1624
    OPTIONS IMPORT: data channel crypto options modified
    Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
    Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
    ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=
    TUN/TAP device tun0 opened
    TUN/TAP TX queue length set to 100
    do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    /sbin/ip link set dev tun0 up mtu 1500
    /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
    dhcp-option DNS 208.67.222.222
    dhcp-option DNS 208.67.220.220
    /sbin/ip route add XXX.XXX.XXX.XXX/32 via 192.168.1.1
    RTNETLINK answers: File exists
    ERROR: Linux route add command failed: external program exited with error status: 2
    /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
    /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
    /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
    GID set to nogroup
    UID set to nobody
    Initialization Sequence Completed
    

    OpenVPN Client output when I disconnect

    event_wait : Interrupted system call (code=4)
    /sbin/ip route del 10.8.0.1/32
    RTNETLINK answers: Operation not permitted
    ERROR: Linux route delete command failed: external program exited with error status: 2
    /sbin/ip route del XXX.XXX.XXX.XXX/32
    RTNETLINK answers: Operation not permitted
    ERROR: Linux route delete command failed: external program exited with error status: 2
    /sbin/ip route del 0.0.0.0/1
    RTNETLINK answers: Operation not permitted
    ERROR: Linux route delete command failed: external program exited with error status: 2
    /sbin/ip route del 128.0.0.0/1
    RTNETLINK answers: Operation not permitted
    ERROR: Linux route delete command failed: external program exited with error status: 2
    Closing TUN/TAP interface
    /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
    RTNETLINK answers: Operation not permitted
    Linux ip addr del failed: external program exited with error status: 2
    /etc/openvpn/update-resolv-conf tun0 1500 1552 10.8.0.6 10.8.0.5 init
    Cannot write to /run/resolvconf/lock
    WARNING: Failed running command (--up/--down): external program exited with error status: 1
    Exiting due to fatal error
    

    /etc/resolv.conf (client)

    # Generated by resolvconf
    domain home
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    nameserver 192.168.1.1
    

    Client routing table

    VPN off

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
    XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    

    VPN on

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
    10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
    10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
    XXX.XXX.XX.XX   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
    128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    

    mtr google.com (client)

     Host                               Loss%   Snt   Last   Avg  Best  Wrst StDev
     1. 10.8.0.1                         1.6%    62   55.3 541.2  53.9 2056. 669.3
     2.                                  0.0%    62   55.2 561.6  54.0 2277. 685.9
     3. 10.95.48.15                      0.0%    62   56.3 563.4  53.9 2228. 691.4
     4. 10.95.48.10                      0.0%    62   57.5 577.0  55.6 2236. 688.9
     5. be100-1258.gsw-1-a9.fr.eu        0.0%    62   65.4 567.7  63.2 2172. 671.9
     6. ???
     7. 108.170.244.193                  0.0%    62   64.8 563.5  63.4 2163. 672.7
     8. 216.239.59.209                   0.0%    59   65.6 530.8  63.0 2162. 650.7
     9. par21s11-in-f4.1e100.net         0.0%    59   64.4 522.3  63.5 2093. 647.6
    
    • tink
      tink over 5 years
      I'm slightly confused; if you can ping www.google.com, what makes you say that you have no internet connection? Does the ping traffic traverse the server, and what does an mtr www.google.com tell you?
    • Mercury
      Mercury over 5 years
      Added mtr google.com. The ping goes through the server. There is some packet loss, it seems. No internet connection means that when I try to download a package with apt install, for instance, nothing happens. Same with git clone. On Windows 10, when I use a web browser, no website opens.
  • robertspierre
    robertspierre over 3 years
    Can you explain why you had to do that, and what this achieves?
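Three server-side settings listed in the question have to agree before clients behind the VPS get internet: net.ipv4.ip_forward, ufw's routed policy, and the MASQUERADE rule in /etc/ufw/before.rules, whose -o eth0 only does anything if eth0 really is the interface the VPS's default route leaves through (the DigitalOcean guide the question follows tells you to substitute your own interface name there). The check below is an added example, not code from the question or from any answer; it parses captured outputs of sysctl, ip -4 route show default and ufw status verbose plus the before.rules block, and reports any mismatch. The samples are constructed, with the interface name deliberately different from the rule, and 203.0.113.1 is a placeholder gateway.

```python
"""Consistency check for the server-side forwarding/NAT settings an OpenVPN
gateway needs (added example, not from the question or any answer).
Inputs are captured command outputs; the samples here are constructed."""
import re

# Constructed sample of `sysctl net.ipv4.ip_forward`
SYSCTL_OUT = "net.ipv4.ip_forward = 1\n"

# Constructed sample of `ip -4 route show default` on a VPS whose public
# interface is called ens3 rather than eth0 (203.0.113.1 is a placeholder)
IP_ROUTE_DEFAULT = "default via 203.0.113.1 dev ens3 proto static\n"

# Constructed sample of the OpenVPN block in /etc/ufw/before.rules, in the
# shape of the one in the question (it names eth0)
BEFORE_RULES = """\
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
"""

# Constructed sample of the policy line printed by `ufw status verbose`
UFW_STATUS = "Default: deny (incoming), allow (outgoing), allow (routed)\n"


def ip_forward_enabled(sysctl_out):
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    return m is not None and m.group(1) == "1"


def default_interface(ip_route_out):
    """Interface named by the first `default ... dev X` route, or None."""
    m = re.search(r"^default\s.*?\bdev\s+(\S+)", ip_route_out, re.M)
    return m.group(1) if m else None


def masquerade_rules(before_rules):
    """(source_cidr, out_iface) for every MASQUERADE rule inside the *nat table."""
    rules = []
    in_nat = False
    for line in before_rules.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"          # only the nat table is relevant
        elif line == "COMMIT":
            in_nat = False
        elif in_nat and "-j MASQUERADE" in line:
            src = re.search(r"-s\s+(\S+)", line)
            out = re.search(r"-o\s+(\S+)", line)
            rules.append((src.group(1) if src else None,
                          out.group(1) if out else None))
    return rules


def routed_policy_allows(ufw_status):
    m = re.search(r"(\w+)\s+\(routed\)", ufw_status)
    return m is not None and m.group(1) == "allow"


def check_server(sysctl_out, ip_route_out, before_rules, ufw_status,
                 vpn_subnet="10.8.0.0/24"):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    if not ip_forward_enabled(sysctl_out):
        findings.append("net.ipv4.ip_forward is not 1 (sysctl -p after editing /etc/sysctl.conf)")
    if not routed_policy_allows(ufw_status):
        findings.append("ufw routed policy is not allow; forwarded VPN traffic is dropped")
    iface = default_interface(ip_route_out)
    matching = [r for r in masquerade_rules(before_rules) if r[0] == vpn_subnet]
    if not matching:
        findings.append(f"no MASQUERADE rule for {vpn_subnet} in the *nat table")
    for src, out in matching:
        if out != iface:
            findings.append(f"MASQUERADE rule for {src} uses -o {out} "
                            f"but the default route leaves via {iface}")
    return findings


if __name__ == "__main__":
    for finding in check_server(SYSCTL_OUT, IP_ROUTE_DEFAULT, BEFORE_RULES, UFW_STATUS):
        print("FINDING:", finding)
```

On a live host you would feed it the real outputs (sysctl net.ipv4.ip_forward, ip -4 route show default, ufw status verbose, and the contents of /etc/ufw/before.rules); the interface-name comparison is the one that the question's own listing cannot confirm, because the ufw output shown does not name the egress interface.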
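On the client side, the "VPN on" routing table in the question is what redirect-gateway def1 is supposed to produce: two /1 routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel peer, which beat the original /0 default by longest-prefix match without deleting it, plus a /32 host route to the VPN server via the original gateway so the encrypted packets themselves stay off the tunnel. The "VPN off" table already contains that host route from an earlier run, which is why the client log reports "RTNETLINK answers: File exists" when adding it again. The check below is an added example, not code from the question or any answer; it parses route -n output, does the same longest-prefix lookup the kernel does, and verifies all three pieces are present. The sample table is constructed to match the question's, with 203.0.113.10 as a placeholder for the masked server address.

```python
"""Verify that `redirect-gateway def1` produced a sane client routing table
(added example, not from the question or any answer).  Input is `route -n`
output; the sample is constructed from the "VPN on" table in the question."""
import ipaddress

VPN_SERVER = "203.0.113.10"   # placeholder for the masked XXX.XXX.XX.XX

# Constructed `route -n` output in the shape of the question's "VPN on" table
ROUTE_N_VPN_ON = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""


def parse_route_n(text):
    """Return (network, gateway, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue                       # banner and header lines
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it; (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def check_def1(text, vpn_server, tun_peer="10.8.0.5", tun_iface="tun0"):
    """Findings about the def1 layout; an empty list means it looks right."""
    routes = parse_route_n(text)
    findings = []
    halves = {str(n) for n, gw, ifc in routes
              if n.prefixlen == 1 and gw == tun_peer and ifc == tun_iface}
    for want in ("0.0.0.0/1", "128.0.0.0/1"):
        if want not in halves:
            findings.append(f"missing def1 half-route {want} via {tun_peer} on {tun_iface}")
    if not any(n.prefixlen == 0 for n, _, _ in routes):
        findings.append("original default route is gone; the tunnel has no underlying path")
    srv = lookup(routes, vpn_server)
    if srv is None or srv[1] == tun_iface:
        findings.append(f"packets to the VPN server {vpn_server} would enter the tunnel (loop)")
    # Any ordinary internet address must now resolve to the tunnel peer
    if lookup(routes, "8.8.8.8") != (tun_peer, tun_iface):
        findings.append("internet traffic is not routed through the tunnel")
    return findings


if __name__ == "__main__":
    result = check_def1(ROUTE_N_VPN_ON, VPN_SERVER)
    print("OK: def1 routing in place" if not result else "\n".join(result))
```

The lookup function is also handy on its own: lookup(parse_route_n(text), "some.address") tells you which gateway and interface a given destination would take, which is the question tink's comment is really asking (whether ping traffic traverses the server).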