Openvpn connects and responds to ping but no internet access

networking vpn iptables openvpn
5,023

Solution 1

OK, I solved the problem. There was a problem in the rules in iptables. I removed the first rule in the FORWARD chain and then I could ping external IP:s. I also changed the DNS server in server.conf to an external DNS-server and after that everything was working fine.

Solution 2

  • Check routing on client, especially default route.
  • if routing is correct, check (with tcpdump, wireshark or some other packet capture program) where packets are actually sent (check on both interfaces).
  • if packets are sent/received correctly - check if DNS is working (what DNS server client is trying to use and does DNS query/responese packets pass).
Share:
5,023

Related videos on Youtube

joakimb
Author by

joakimb

Updated on September 18, 2022

Comments

  • joakimb
    joakimb over 1 year

    I have an openvpn server running on raspian and a tunnelblick client on osx. I can connect to the VPN just fine but I have no intenet access. The server responds to ping just fine and the port is open in the router. Does anyone know what might be wrong?

    here is the client log: http://pastebin.com/zvBXPv4D

    here is the server log: http://pastebin.com/bBsaRK6c

    client config:

    client
dev tun
proto udp
remote <server external ip> 1194 #change this
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

ca /Users/user1/vpn/ca.crt #change this
cert /Users/user1/vpn/client1.crt #change this
key /Users/user1/vpn/client1.key #change this


<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#removed for pastebin
-----END OpenVPN Static key V1-----

</tls-auth>

    server config:

    dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you kept 1024, change it to dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.2 255.255.255.0" # Enter PI LAN PI
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 10.8.0.1" 
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 5

    sysctl net.ipv4.ip_forward gives:

    net.ipv4.ip_forward = 1

    ip route show gives:

    default via 10.0.1.1 dev eth0 
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.2 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1

    iptables -L -v gives:

    Chain INPUT (policy ACCEPT 15492 packets, 1793K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   88  5861 ACCEPT     all  --  tun+   any     anywhere             anywhere            
    1    70 ACCEPT     udp  --  eth0   any     anywhere             anywhere             state NEW udp dpt:openvpn

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun0   eth0    10.8.0.0/24          10.0.1.0/24          ctstate NEW
   13   948 ACCEPT     all  --  tun+   any     anywhere             anywhere            
    0     0 ACCEPT     all  --  tun+   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    4   776 ACCEPT     all  --  eth0   tun+    anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 18526 packets, 3880K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   27  2584 ACCEPT     all  --  any    tun+    anywhere             anywhere

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to configure an OpenVPN Client Router
UFW or IPTables on Ubuntu for OpenVPN?
iptables - how to keep source IP after forwarding?
OpenVPN without NAT
Route internet traffic from openvpn tun0 to eth0
OpenVPN won't connect from remote location
Load balancing with multiple gateways
Connect two networks with OpenVPN
OpenVPN connection through SSH tunnel
Send all OpenVPN traffic through proxy or TOR proxy?