OpenVPN - Connects but no internet on Linux, works perfectly on Windows
I finally got to the bottom of this one.
It turns out that as I am based in China, DNS requests to visit websites such as facebook.com and twitter.com were being filtered by "The Great Firewall". It was therefore necessary to push DNS through the OpenVPN tunnel too.
This can be done in the following manner:
Append these two lines to the client config (.ovpn) file:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Ensure these two lines are included in the server config file:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Run the client using the following command (the script security flags allow the up and down scripts to be run in order to modify /etc/resolv.conf, your system DNS settings)
sudo openvpn --script-security 2 --config client-settings.ovpn
I now have a fully working connection.
Thanks to everybody who tried to help with this!
jonolumb
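As an added check that is not part of the original answer or of OpenVPN itself, the script below verifies the two things the fix depends on: that the redirect-gateway def1 split routes land on the tun interface, and that /etc/resolv.conf lists only the DNS servers the server pushes. The routing table and config lines are taken from the question; the resolv.conf content is a constructed sample.

```python
import re

# Constructed sample inputs: the post-connect routing table from the question (route -n
# format), the relevant server config lines, and a resolv.conf as update-resolv-conf writes it.
ROUTE_TABLE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
"""
SERVER_CONF = """server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
"""
RESOLV_CONF = """# Generated by update-resolv-conf
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

def pushed_dns(server_conf):
    """DNS servers the server pushes to clients via dhcp-option DNS."""
    return re.findall(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', server_conf)

def def1_interface(route_table):
    """Interface carrying both /1 halves (0.0.0.0/1 and 128.0.0.0/1) that
    redirect-gateway def1 installs, or None if the split default is missing."""
    halves = {}
    for line in route_table.splitlines()[2:]:  # skip title and header rows
        f = line.split()
        if len(f) >= 8 and f[2] == "128.0.0.0" and f[0] in ("0.0.0.0", "128.0.0.0"):
            halves[f[0]] = f[7]
    ifaces = set(halves.values())
    return ifaces.pop() if len(halves) == 2 and len(ifaces) == 1 else None

def nameservers(resolv_conf):
    """nameserver entries from resolv.conf, in order."""
    return [l.split()[1] for l in resolv_conf.splitlines()
            if l.startswith("nameserver") and len(l.split()) > 1]

def check(route_table, server_conf, resolv_conf):
    """Default route out the tun interface, and resolver using only the pushed
    DNS servers (a LAN or ISP resolver left in place means DNS bypasses the VPN)."""
    iface = def1_interface(route_table)
    ns = nameservers(resolv_conf)
    pushed = pushed_dns(server_conf)
    return {
        "default_via_tun": iface is not None and iface.startswith("tun"),
        "dns_via_tunnel": bool(ns) and all(n in pushed for n in ns),
    }
```

On a live client, feed it the output of route -n, the server's push lines and the current /etc/resolv.conf; a False in either key explains a "connected but no internet" or a DNS-filtered symptom.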
Updated on September 18, 2022
Comments
jonolumb over 1 year
I have set up an Amazon EC2 server with OpenVPN configured. I can connect using a Windows machine and everything works as expected - internet traffic is all routed through the VPN. With the Ubuntu client, I am able to connect to the server successfully but cannot view web pages in a browser or ping external IPs (such as 8.8.8.8). Does anybody have any idea what I need to change to get this to work? Configurations are posted below:
Ubuntu Server
port 443
proto tcp
dev tun
ca ca.crt
cert singa.crt
key singa.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Ubuntu Client
client
dev tun
proto tcp
remote (delete) 443
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
(deleted)
</ca>
<cert>
(deleted)
</cert>
<key>
(deleted)
</key>
Windows Config
client
dev tun
proto tcp
remote (delete) 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
(deleted)
</ca>
<cert>
(deleted)
</cert>
<key>
(deleted)
</key>
Client routing table before connect:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
Client routing table after connect:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
** SERVERIP **  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
Jan Hudec over 10 years
On Ubuntu, which method do you use to initiate the connection? It can be done either via NetworkManager (the newer approach) or with /etc/init.d/openvpn?
Jan Hudec over 10 years
NetworkManager defaults to setting the default route to the VPN, but the init script does not. You have to do it manually in the up and down scripts.
jonolumb over 10 years
Have tried that - didn't work unfortunately.
MariusMatutiae over 10 years
@jonolumb Can you post the client's routing table?
MariusMatutiae over 10 years
@jonolumb cannot be read, like this