Can't forward internet traffic via OpenVPN server

HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Can't forward internet traffic via OpenVPN server

Postby HaroldW » Mon Apr 17, 2017 7:32 am

I have a problem forwarding internet traffic on my OpenVPN server.
I can access my private network and LAN.
When I want to tunnel the internet via the OpenVPN server, I can't get any response from any website.
So, how can I resolve this problem?

1.
SERVER CONFIG:
local a.b.c.d

port 1194
proto udp
dev tun

;dev-node MyTap

ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 10.8.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;client-config-dir ccd
;route 10.0.0.49 255.255.255.0

;learn-address ./script

push "redirect-gateway local def1"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DOMAIN xxx.xxx.xxx"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 10.0.0.1"

;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0

;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

comp-lzo

;max-clients 100

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

;log openvpn.log
;log-append openvpn.log

verb 3

;mute 20


2.
CLIENT CONFIG:
client
dev tun
;dev-node MyTap
proto udp
remote xxx.xxx.xxx 1194
remote 10.11.12.13 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings

#ca ca.crt
#cert client.crt
#key client.key


remote-cert-tls server

;tls-auth ta.key 1

cipher AES-128-CBC
auth SHA256

key-direction 1

comp-lzo

verb 3

;mute 20
<ca>

</ca>
<cert>

</cert>
<key>

</key>
<tls-auth>

</tls-auth>


3.
iptables rules:

*filter

-A INPUT -i enp0s25 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

# Reject traffic to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT

# Allow ping and ICMP error returns.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow SSH.
-A INPUT -i enp0s25 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT

# Allow UDP traffic on port 1194.
-A INPUT -i enp0s25 -p udp -m state --state NEW,ESTABLISHED --dport 1194 -j ACCEPT
-A OUTPUT -o enp0s25 -p udp -m state --state ESTABLISHED --sport 1194 -j ACCEPT

# Allow DNS resolution and limited HTTP/S on enp0s25.
# Necessary for updating the server and keeping time.
-A INPUT -i enp0s25 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o enp0s25 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT

-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED --sport 80 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED --sport 443 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# Allow traffic on the TUN interface.
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

# Allow forwarding traffic only from the VPN.
-A FORWARD -i tun0 -o enp0s25 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject anything not matched by the rules above.
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j REJECT
COMMIT

TinCanTech
OpenVPN Protagonist
Posts: 2420
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't forward internet traffic via OpenVPN server

Postby TinCanTech » Mon Apr 17, 2017 11:27 am


HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Re: Can't forward internet traffic via OpenVPN server

Postby HaroldW » Wed Apr 19, 2017 6:03 am



Hi TinCanTech,

I tried to follow the comment, but my VPN client still can't visit any website.
This is my client connection log; could you help check this problem?
(screenshot of the client connection log)

TiTex
OpenVPN Expert
Posts: 206
Joined: Tue Apr 12, 2011 6:22 am

Re: Can't forward internet traffic via OpenVPN server

Postby TiTex » Wed Apr 19, 2017 6:55 am

Seems like you are missing a NAT rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE

Also enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
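TiTex's two prerequisites (a MASQUERADE rule for the VPN subnet leaving the WAN interface, and ip_forward) together with the FORWARD rules from the first post can be checked against an iptables-save dump instead of by eye. The shell script below is an added example, not something posted in the thread; it assumes the thread's interface name enp0s25 and subnet 10.8.0.0/24, and its two sample dumps are constructed from the rules posted here.

```shell
# Added example (not from the thread): audit an iptables-save dump for what TiTex's
# reply requires before VPN clients can reach the internet through the server:
#   1. net.ipv4.ip_forward = 1
#   2. nat/POSTROUTING MASQUERADE (or SNAT) for the VPN subnet leaving the WAN interface
#   3. filter/FORWARD accepting tun0 -> WAN and the RELATED,ESTABLISHED return path
# Interface and subnet names are the thread's own (enp0s25, 10.8.0.0/24).
VPN_NET="10.8.0.0/24"
WAN_IF="enp0s25"

# Constructed sample: the relevant lines of the rules.v4 posted later in the thread.
SAMPLE_RULES='*nat
-A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o enp0s25 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample matching the first post: forwarding allowed, but no nat table at all.
SAMPLE_NO_NAT='*filter
-A FORWARD -i tun0 -o enp0s25 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT
COMMIT'

# $1: iptables-save text. Returns 0 if a POSTROUTING MASQUERADE/SNAT covers VPN_NET on WAN_IF.
has_nat_rule() {
    printf '%s\n' "$1" | awk -v net="$VPN_NET" -v ifc="$WAN_IF" '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ && index($0, "-s " net) && index($0, "-o " ifc) && /-j (MASQUERADE|SNAT)/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# $1: iptables-save text. Returns 0 if FORWARD accepts tun0 -> WAN_IF and the stateful
# return path, with both rules placed before any catch-all "-A FORWARD -j REJECT|DROP".
has_forward_rules() {
    printf '%s\n' "$1" | awk -v ifc="$WAN_IF" '
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table != "filter" || !/^-A FORWARD/ { next }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { blocked = 1 }
        !blocked && index($0, "-i tun0") && index($0, "-o " ifc) && /-j ACCEPT/ { out = 1 }
        !blocked && /ESTABLISHED/ && /-j ACCEPT/ { back = 1 }
        END { exit(out && back ? 0 : 1) }'
}

# $1: value of /proc/sys/net/ipv4/ip_forward (or of "sysctl -n net.ipv4.ip_forward").
ip_forward_enabled() { [ "$1" = "1" ]; }
```

On the server itself, pass "$(iptables-save)" to the two rule checks and "$(cat /proc/sys/net/ipv4/ip_forward)" to ip_forward_enabled; the first post's rule set fails has_nat_rule, which is exactly the gap TiTex points out.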

HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Re: Can't forward internet traffic via OpenVPN server

Postby HaroldW » Wed Apr 19, 2017 7:18 am

TiTex wrote: Seems like you are missing a NAT rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE

Also enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward


Hi TiTex,
These configs are set in my iptables rules and ip_forward.
This is my iptables rules.v4 config.
Could you please help check which setting is failing?

# Generated by iptables-save v1.6.0 on Tue Apr 18 10:39:11 2017
*mangle
:PREROUTING ACCEPT [285:91862]
:INPUT ACCEPT [214:26375]
:FORWARD ACCEPT [71:65487]
:OUTPUT ACCEPT [217:129786]
:POSTROUTING ACCEPT [266:193295]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Apr 18 10:39:11 2017
# Generated by iptables-save v1.6.0 on Tue Apr 18 10:39:11 2017
*nat
:PREROUTING ACCEPT [22:8058]
:INPUT ACCEPT [1:44]
:OUTPUT ACCEPT [6:1548]
:POSTROUTING ACCEPT [2:744]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE
COMMIT
# Completed on Tue Apr 18 10:39:11 2017
# Generated by iptables-save v1.6.0 on Tue Apr 18 10:39:11 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp0s25 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i enp0s25 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i enp0s25 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 445 -j ACCEPT
-A INPUT -i enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 32400 -j ACCEPT
#-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o enp0s25 -j ACCEPT
-A FORWARD -i enp0s25 -o tun0 -j ACCEPT
#-A FORWARD -s 10.8.0.0/24 -i tun0 -o enp0s25 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o enp0s25 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o enp0s25 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
-A OUTPUT -o enp0s25 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 32400 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Apr 18 10:39:11 2017

TiTex
OpenVPN Expert
Posts: 206
Joined: Tue Apr 12, 2011 6:22 am

Re: Can't forward internet traffic via OpenVPN server

Postby TiTex » Wed Apr 19, 2017 7:28 am

Looks ok to me, can you do a traceroute from the client while connected to the VPN?
Also ping 8.8.8.8.

HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Re: Can't forward internet traffic via OpenVPN server

Postby HaroldW » Wed Apr 19, 2017 7:47 am

TiTex wrote: Looks ok to me, can you do a traceroute from the client while connected to the VPN?
Also ping 8.8.8.8.


Sure, I can ping 8.8.8.8 with no packet loss.
But if I ping http://www.google.com I don't receive any packets.
I use cellular data with an iPhone.

TiTex
OpenVPN Expert
Posts: 206
Joined: Tue Apr 12, 2011 6:22 am

Re: Can't forward internet traffic via OpenVPN server

Postby TiTex » Wed Apr 19, 2017 8:26 am

Looks like DNS settings are not pushed to the client; I have no idea why ... I rarely use iOS devices.
In your server config you have:
push "route 10.8.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DOMAIN xxx.xxx.xxx"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 10.0.0.1"

You do not need to push the VPN subnet because it's added anyway, so you can remove

push "route 10.8.0.0 255.255.255.0"

Next, do you actually use this subnet and have a DNS server at 10.0.0.1?
If not, remove those lines:

push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"

Do you have a DNS server at 10.8.0.1 that accepts queries from VPN clients? If not, remove the line

push "dhcp-option DNS 10.8.0.1"

Are your client and server directly connected through a WiFi network or similar? If not, replace this line

push "redirect-gateway local def1"

with

push "redirect-gateway def1"

or just remove that line and add the setting in your client config:

redirect-gateway def1

Read the manual for how to use redirect-gateway: https://community.openvpn.net/openvpn/w ... n24ManPage

Try using Google's public DNS servers instead of OpenDNS:

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

replace with

push "dhcp-option DNS 8.8.8.8"

And if you copied all those lines from some website, in the future stop doing that and read the actual documentation :)
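The checks TiTex walks through above (a redundant route for the VPN subnet, redirect-gateway with the local flag, DNS servers pushed from private address space) can be run as a lint over the server config. This shell script is an added example, not part of the thread; the sample config is constructed from the push lines quoted above, and the function names are the example's own.

```shell
# Added example (not from the thread): lint the push lines of an OpenVPN server config
# for the points TiTex raises: a pushed route for the VPN subnet itself is redundant,
# "redirect-gateway local" only suits clients on the server's own LAN, and a DNS server
# pushed from private address space only works if a resolver really listens there.

# Constructed sample: the "server" line and push lines quoted from the thread.
SAMPLE_CONF='server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 10.0.0.1"'

# $1: config text, $2: directive (route, redirect-gateway, dhcp-option, ...).
# Prints the arguments of every matching push line, one per line.
pushed() {
    printf '%s\n' "$1" | sed -n "s/^push \"$2 \(.*\)\"\$/\1/p"
}

# Returns 0 if a route for the subnet of the config's own "server" line is pushed
# (OpenVPN installs that route on the client anyway).
pushes_own_subnet() {
    net=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ -n "$net" ] && pushed "$1" route | grep -qxF "$net"
}

# Returns 0 if redirect-gateway is pushed with the "local" flag.
redirects_as_local() {
    pushed "$1" redirect-gateway | grep -qw local
}

# Prints pushed DNS servers in RFC 1918 space (10/8, 172.16/12, 192.168/16); each must
# be a resolver reachable through the tunnel, or clients lose name resolution.
private_dns_servers() {
    pushed "$1" dhcp-option | awk '$1 == "DNS" && ($2 ~ /^10\./ || $2 ~ /^192\.168\./ || $2 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) { print $2 }'
}

# $1: config text. Prints one finding per line; no output means nothing to flag.
lint_pushes() {
    pushes_own_subnet "$1" && echo "redundant: route for the VPN subnet is installed implicitly"
    redirects_as_local "$1" && echo "check: redirect-gateway local assumes client and server share a LAN"
    for dns in $(private_dns_servers "$1"); do
        echo "check: DNS $dns is private; a resolver must answer there over the tunnel"
    done
}
```

Run lint_pushes "$(cat /etc/openvpn/server.conf)" on the server; the sample above yields four findings, and after dropping the 10.8.0.0 route and the local flag only the two private DNS entries remain to verify.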

HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Re: Can't forward internet traffic via OpenVPN server

Postby HaroldW » Wed Apr 19, 2017 8:50 am


Hi TiTex,
Thanks for your great comments, but when I follow these settings I still can't visit any website.
But pinging google.com does get reply packets from the server.
The browser reports "The request timed out" when visiting a website.
Is this a firewall problem? Or another NAT problem?
Or would changing the protocol from UDP to TCP resolve this problem?

TiTex
OpenVPN Expert
Posts: 206
Joined: Tue Apr 12, 2011 6:22 am

Re: Can't forward internet traffic via OpenVPN server

Postby TiTex » Wed Apr 19, 2017 9:38 am

I don't know, maybe it's an iOS issue.
The firewall looks ok to me, but you could test from a Windows client for example and see if it's working on that.

TinCanTech
OpenVPN Protagonist
Posts: 2420
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't forward internet traffic via OpenVPN server

Postby TinCanTech » Wed Apr 19, 2017 9:49 am

What does your server config look like now?

HaroldW
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 17, 2017 6:01 am

Re: Can't forward internet traffic via OpenVPN server

Postby HaroldW » Wed Apr 19, 2017 10:48 am

Hi TiTex & TinCanTech,
I tried changing the protocol from UDP to TCP and that resolved my problem.
I also followed TiTex's comments to set the server config and corrected the route rule, and my VPN is working now.
Websites need a TCP handshake to communicate, but UDP didn't.
So, changing the protocol resolved this problem.
Thanks for TiTex's support and TinCanTech's comments.

Thanks very much.

