Forwarding problem

N3mesis98
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 22, 2014 6:17 pm

Forwarding problem

Post by N3mesis98 » Sat Nov 22, 2014 6:42 pm

Hello,

I'm currently trying to set up an OpenVPN server by following the HOWTO tutorial.
For the moment, I'm able to connect to the OpenVPN server from the client.

But I've still not succeeded in forwarding the client's traffic through the VPN.

Here is my server.conf file:

    #server
    proto tcp
    dev tun
    port 443

    #keys
    ca ca.crt
    cert ovh-vpn.crt
    key ovh-vpn.key
    dh dh1024.pem
    tls-auth ta.key 0

    #network
    server 10.9.8.0 255.255.255.0
    push "redirect-gateway def1"
    ;push "dhcp-option DNS 208.67.222.222"
    ;push "dhcp-option DNS 208.67.220.220"
    keepalive 10 60

    #security
    comp-lzo
    persist-key
    persist-tun
    chroot /etc/openvpn/jail

    #log
    status openvpn-status.log
    ;log-append  openvpn.log
    verb 3
    mute 20

And my client.conf:

    #client
    client
    dev tun
    proto tcp
    remote server_ip
    resolv-retry infinite
    nobind

    #proxy
    http-proxy-retry
    http-proxy proxy port

    #keys
    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1

    #security
    comp-lzo
    persist-key
    persist-tun
    ns-cert-type server

    #output
    verb 3
    mute 20

Here is the command I've executed on the server trying to forward the traffic:

    iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o venet0:0 -j MASQUERADE

And the resulting iptable:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.9.8.2        *               255.255.255.255 UH    0      0        0 tun0
    178.32.35.0     *               255.255.255.0   U     0      0        0 venet0
    10.9.8.0        10.9.8.2        255.255.255.0   UG    0      0        0 tun0
    default         *               0.0.0.0         U     0      0        0 venet0

Same thing for the client:

    route del default
    route add default gw 10.9.8.5

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.9.8.5        0.0.0.0         UG    0      0        0 tun0
    10.9.8.1        10.9.8.5        255.255.255.255 UGH   20     0        0 tun0
    10.9.8.5        *               255.255.255.255 UH    0      0        0 tun0
    128.0.0.0       10.9.8.5        128.0.0.0       UG    20     0        0 tun0

Does someone understand where my error is in trying to forward this traffic?

PS:
By the way, does someone know a command to check that I'm able to connect to the internet through the VPN?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Forwarding problem

Post by maikcat » Mon Nov 24, 2014 6:46 am

Is your server a VZ container?

Michael.

N3mesis98
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 22, 2014 6:17 pm

Re: Forwarding problem

Post by N3mesis98 » Mon Nov 24, 2014 8:08 am

I don't really understand what you mean by "VZ server", but it's a private VPS (Virtual Private Server) server hosted by OVH.

In fact, after some tests, I think it's not even a problem of forwarding, I'm just unable to reach the internet from the client computer.
When I do a

    ping -I enp3s0 google.com

with OpenVPN disabled, I can reach the internet.

But, as soon as I launch the VPN, I'm unable to get a return for both of these commands:

    ping -I enp3s0 google.com

    ping -I tun0 google.com

I guess this means that my terminal traffic that should go through the enp3s0 interface is forwarded to tun0...

But my graphical applications seem not to be forwarded through the VPN because I still have access to the internet using Firefox even with the VPN up.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Forwarding problem

Post by maikcat » Mon Nov 24, 2014 8:45 am

> I don't really understand what you mean by "VZ server", but it's a private VPS (Virtual Private Server) server hosted by OVH.

Please ask them if your VPS is a VZ container or a KVM/VMware/Hyper-V based one.

The reason that I insist on that is because in the case of a VZ container the NAT MUST be set up DIFFERENTLY! ;)

Michael.

N3mesis98
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 22, 2014 6:17 pm

Re: Forwarding problem

Post by N3mesis98 » Mon Nov 24, 2014 11:45 am

Here it is: https://www.ovh.com/fr/vps/vps-classic.xml

Virtualization: 64 Bits OpenVZ

So in this case, which command should I use to set up the NAT?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Forwarding problem

Post by maikcat » Mon Nov 24, 2014 11:47 am

OK then,

    iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o venet0 -j SNAT --to-source 1.2.3.4   # 1.2.3.4 is the OpenVZ real IP

Michael.
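
The rule from the reply above, generalized as an added example that is not part of the original thread: iptables matches on the device name, so the `venet0:0` alias from the first attempt is reduced to `venet0`, and a venet device gets SNAT to an explicit address instead of MASQUERADE. The helper names, the sample `ip` output and the address 203.0.113.10 are constructed for illustration.

```sh
# Added example, not from the thread. All sample data is constructed.

# iptables matches real device names, so drop an alias suffix such as ":0".
base_iface() {
    printf '%s\n' "${1%%:*}"
}

# Read `ip -4 -o addr show dev <iface>` output on stdin and print the first
# IPv4 address that is not in 127.0.0.0/8.
public_ip() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "inet") {
                split($(i + 1), a, "/")
                if (a[1] !~ /^127\./) { print a[1]; exit }
            }
    }'
}

# Print the POSTROUTING rule for VPN subnet $1 leaving via interface $2.
# $3 is the address to SNAT to; it is required for venet devices.
nat_rule() {
    subnet=$1
    dev=$(base_iface "$2")
    src=${3:-}
    case "$dev" in
        venet*)
            if [ -z "$src" ]; then
                echo "venet device: pass the container's real IP" >&2
                return 1
            fi
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
                "$subnet" "$dev" "$src" ;;
        *)
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
                "$subnet" "$dev" ;;
    esac
}

# Constructed sample of `ip -4 -o addr show dev venet0` inside a container
# (203.0.113.10 is a documentation address standing in for the real IP).
SAMPLE_ADDRS='2: venet0    inet 127.0.0.2/32 scope host venet0
2: venet0    inet 203.0.113.10/32 brd 203.0.113.10 scope global venet0:0'

demo() {
    nat_rule 10.9.8.0/24 venet0:0 "$(printf '%s\n' "$SAMPLE_ADDRS" | public_ip)"
}
demo
```

The functions only print the rule; review the printed line before running it as root on the server.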

N3mesis98
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 22, 2014 6:17 pm

Re: Forwarding problem

Post by N3mesis98 » Mon Nov 24, 2014 12:07 pm

Thank you very much, I can now reach the internet through the VPN!

I just have a last question, do you know a way to check if my graphical applications (mainly Firefox) are using the VPN?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Forwarding problem

Post by maikcat » Mon Nov 24, 2014 12:18 pm

Simple, open www.whatismyip.com and see which IP it returns ;)

Michael.

N3mesis98
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 22, 2014 6:17 pm

Re: Forwarding problem

Post by N3mesis98 » Mon Nov 24, 2014 6:08 pm

That's working, thank you for your help!

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Forwarding problem

Post by maikcat » Tue Nov 25, 2014 6:28 am

Nice to know :)

Closing topic,

Regards,
Michael.
