VPN connected but no internet

darklord4real
OpenVpn Newbie
Posts: 7
Joined: Sun Mar 31, 2013 6:51 pm

VPN connected but no internet

Post by darklord4real » Sun Apr 21, 2013 1:59 am

Hello,

I can successfully connect my iPhone to the OpenVPN server on a DD-WRT router but I can't get internet on it. My goal is to configure OpenVPN server on my DD-WRT router and connect my iPhone/laptop to it when not at home. Please check out this link which shows my current network.

Image deleted

I have port forwarded 1194 to 192.168.0.27 from my cisco modem/router.

Here is my server config file:

push "route 192.168.5.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
server 10.8.0.0 255.255.255.0
dev tun0
proto tcp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001

Here is the client config file:

remote wanip 1194
client
remote-cert-tls server
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float
route-delay 30
ca ca.crt
cert client.crt
key client.key

Firewall commands:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.5.0/24 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

I used this website as a guide:

http://www.dd-wrt.ca/wiki/index.php/

The problem is I can't get internet access on the phone. But I am able to access the router configs by typing in 192.168.5.1 on Safari. I can also ping the router (192.168.5.1 and 192.168.0.27) and the OpenVPN server (10.8.0.1) successfully.

If I remove push "redirect-gateway def1" from the server config, then I can access the internet, but that's no use to me because I want my web browsing to be secured, which goes through the VPN.

I have tried UDP instead of TCP with no success. Not sure what else to do.

Please help. Thanks.

shadoweyez
OpenVpn Newbie
Posts: 6
Joined: Sat Apr 06, 2013 6:45 pm

Re: VPN connected but no internet

Post by shadoweyez » Sun Apr 28, 2013 3:02 am

Try a command like this in your firewall rules:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o <external interface> -j MASQUERADE

azze
OpenVpn Newbie
Posts: 2
Joined: Sat Sep 21, 2013 9:40 am

Re: VPN connected but no internet

Post by azze » Sat Sep 21, 2013 9:46 am

I have exactly the same problem as darklord4real. I used the same guide to set up OpenVPN on my DD-WRT router as he did (see link in his post). When I found this thread I followed the recommendation to add

iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o tun0 -j MASQUERADE

to my firewall rules. But I still have no internet access. Any more ideas? Your help is really appreciated!


Thank you very much!
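
Added example, not part of any post in this thread: a shell function that reads `iptables -t nat -S POSTROUTING` output and reports whether VPN client traffic, sent through the tunnel by `redirect-gateway def1`, is masqueraded on its way out, which is the difference between the two MASQUERADE rules posted above. The function name, the verdict strings and the `vlan2` WAN interface name are assumptions for illustration, and the sample rules are constructed from the commands quoted in the thread.

```shell
#!/bin/sh
# Added example. check_vpn_nat is a hypothetical helper, not an OpenVPN or DD-WRT tool.
# Usage: check_vpn_nat "$(iptables -t nat -S POSTROUTING)" 10.8.0.0/24 tun0
# Prints one verdict: ok | wrong-interface | wrong-source | missing
check_vpn_nat() {
    printf '%s\n' "$1" | awk -v subnet="$2" -v tun="$3" '
    function note(v, r) { if (r > best) { best = r; verdict = v } }
    $1 == "-A" && $2 == "POSTROUTING" {
        src = ""; out = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-o") out = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "MASQUERADE") next
        # Source must be the VPN pool (exact string match) or unrestricted.
        if (src != "" && src != subnet) { note("wrong-source", 1); next }
        # Client traffic enters on the tun device and leaves on the WAN side,
        # so a rule limited to "-o <tun>" never matches it.
        if (out == tun) { note("wrong-interface", 2); next }
        note("ok", 3)
    }
    END { print (best ? verdict : "missing") }'
}

# Constructed samples in iptables -S format; vlan2 is an assumed WAN interface name.
RULE_WAN='-A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j MASQUERADE'
RULE_TUN='-A POSTROUTING -s 192.168.66.0/24 -o tun0 -j MASQUERADE'
RULE_ANY='-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE'
RULE_LAN='-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j MASQUERADE'

echo "bound to WAN interface: $(check_vpn_nat "$RULE_WAN" 10.8.0.0/24 tun0)"
echo "bound to tun0:          $(check_vpn_nat "$RULE_TUN" 192.168.66.0/24 tun0)"
echo "no -o restriction:      $(check_vpn_nat "$RULE_ANY" 10.8.0.0/24 tun2)"
echo "LAN source only:        $(check_vpn_nat "$RULE_LAN" 10.8.0.0/24 tun0)"
```

A verdict of `ok` only covers the NAT rule; the FORWARD chain and the pushed DNS servers discussed in the later posts are separate checks.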

cbr954rr
OpenVpn Newbie
Posts: 14
Joined: Tue Oct 01, 2013 4:58 am

Re: VPN connected but no internet

Post by cbr954rr » Thu Oct 10, 2013 5:55 pm

I had this same issue. In order for me to get it working so that my iPhone could connect to the OpenVPN server and be able to surf the internet, I had to do the following:

Add
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE   # my VPN IP addresses

to what was already in my firewall which was

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT   # my VPN IP addresses
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

and I had to add
push "route 192.168.5.0 255.255.255.0"   # LAN IP of OpenVPN router
push "dhcp-option DNS xx.xx.xx.xx"   # where x's are the DNS IPs supplied by the ISP that my
push "dhcp-option DNS xx.xx.xx.xx"   # OpenVPN router is connected to

to the Additional Config box under Services-VPN in my DD-WRT router. I used the GUI to set up the server side instead of using a script file.

Not sure if this is the correct way to do it and I am currently digging to see if there is a better way but it works for me at the moment.

- Dan

mblmblmbl
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 24, 2013 2:30 pm

Re: VPN connected but no internet

Post by mblmblmbl » Sun Nov 24, 2013 2:37 pm

The solution proposed by cbr954rr finally works also for me, thanks a lot !!!

It worked even without the
push "route 192.168.5.0 255.255.255.0"   # LAN IP of OpenVPN router

But needed the POSTROUTING line and both the
push "dhcp-option DNS xx.xx.xx.xx"   # where x's are the DNS IPs supplied by the ISP that my
push "dhcp-option DNS xx.xx.xx.xx"   # OpenVPN router is connected to

I use a WNDR3700 and an iPhone 4.

Chrisdr2001
OpenVpn Newbie
Posts: 1
Joined: Fri May 01, 2015 4:51 am

Re: VPN connected but no internet

Post by Chrisdr2001 » Fri May 01, 2015 4:53 am

cbr954rr wrote:
I had this same issue. In order for me to get it working so that my iPhone could connect to the OpenVPN server and be able to surf the internet, I had to do the following:

Add
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE   # my VPN IP addresses

to what was already in my firewall which was

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT   # my VPN IP addresses
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

and I had to add
push "route 192.168.5.0 255.255.255.0"   # LAN IP of OpenVPN router
push "dhcp-option DNS xx.xx.xx.xx"   # where x's are the DNS IPs supplied by the ISP that my
push "dhcp-option DNS xx.xx.xx.xx"   # OpenVPN router is connected to

to the Additional Config box under Services-VPN in my DD-WRT router. I used the GUI to set up the server side instead of using a script file.

Not sure if this is the correct way to do it and I am currently digging to see if there is a better way but it works for me at the moment.

- Dan

I know I may be late, but it's an issue I am having right now with my iPhone... I am a little confused where you say "push "dhcp-option DNS xx.xx.xx.xx" --OpenVPN router is connected to", please allow me to understand what you mean? Is that my 192.168.1.1 because it's connected to that... or?

notoriousdds
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 01, 2015 2:49 pm

Re: VPN connected but no internet

Post by notoriousdds » Mon Jun 01, 2015 3:32 pm

For what it's worth, I had to configure my firewall a little differently than cbr954rr's recommendation to gain access to the internet.

My router's firewall (although allowing access to my LAN), wouldn't forward packets onto the internet.

Here's what I did:

I had no problem resolving domain names, so I was able to simply leave "dhcp-option DNS" set to the IP of my OpenVPN server as was done here. (You can test if DNS is an issue simply by pinging "google.com" at the command line. Even if you get no response, you should see the IP being pinged if your domain name resolution is working.)

However, I had to replace the lines:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

with:

iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT

Now it works.

brissont
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 08, 2015 2:24 pm

Re: VPN connected but no internet

Post by brissont » Tue Sep 08, 2015 4:09 pm

Hello all - first post here so please forgive me if I unknowingly violate any forum rules.

I've been having the same issue - I can access my VPN and internal LAN without any difficulty (SSH and SFTP work), but no matter what I try I can't get Internet working while connected. NOTE: I am not using DD-WRT, but the openvpn package available through the standard Raspbian (DietPi respin) repos on a Raspberry Pi 2. I have gone through every sample configuration and tutorial I can find... Pi-specific, OpenVPN tutorials/How-To documentation, and even the DD-WRT tutorial linked earlier. I believe my config files are correct and suspect that the issue lies in my iptables configuration since everything works except Internet - can anyone spot the weak link here? I left some commented lines to indicate other options I have tried.

Config files are as follows:

SERVER:

local 192.168.1.103
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/<SERVER>.crt
key /etc/openvpn/easy-rsa/keys/<SERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.103"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
#push "remote-gateway vpn_server_ip"
client-to-client
duplicate-cn
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6

CLIENT:

client
dev tun
proto udp
remote <PUBLIC IP>
resolv-retry infinite
redirect-gateway def1
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 9
mute 20

iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  10.8.0.0/24          anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Firewall pre-up script injected into /etc/network/interfaces:

#!/bin/sh

 # Allow traffic initiated from VPN to access LAN
    #iptables -I FORWARD -i tun0 -o eth0 \
    #     -s 10.8.0.0/24  192.168.1.0/24 \
    #     -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from VPN to access "the world"
    # iptables -I FORWARD -i tun0 -o eth1 \
    #     -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from LAN to access "the world"
    # iptables -I FORWARD -i eth0 -o eth1 \
    #     -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
    #iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
    #     -j ACCEPT
    # Notice that -I is used, so when listing it (iptables -vxnL) it
    # will be reversed.  This is intentional in this demonstration.

    # Masquerade traffic from VPN to "the world" -- done in the nat table
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
	#-o eth0

    iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
    iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
    iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT

    # Masquerade traffic from LAN to "the world"
    #iptables -t nat -I POSTROUTING -o eth0 \
    #      -s 192.168.1.0/24 -j MASQUERADE

Any help/thoughts will be enormously appreciated. Let me know if I can provide anything else, and many thanks in advance to all!

amigob
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 29, 2017 6:51 pm

Re: VPN connected but no internet

Post by amigob » Thu Jun 29, 2017 6:53 pm

I had to enable allow client to client openVPN to be able to use the internet connection

johng1290
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 06, 2017 6:46 pm

Re: VPN connected but no internet

Post by johng1290 » Thu Jul 06, 2017 6:48 pm

Having a similar issue. I can get on the internet from an 'i'device but if there is any kind of streaming of video involved it times out. I can however get to a plea server on my home network without issue. Laptops and Desktops are fine. This is an Open VPN docker sitting on an Unraid server.

Thank you
