Tunnel but no "internet" access through VPN

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
MisterSurface
OpenVPN User
Posts: 34
Joined: Wed May 10, 2017 10:08 pm

Tunnel but no "internet" access through VPN

Post by MisterSurface » Fri May 19, 2017 8:12 pm

Hello,

I have been working through as many combinations as I can think of and Googling different approaches to a problem in a new setup from an Azure virtual machine (NAT'd) to my home VPN server behind a firewall (NAT'd). I am able to observe only SOME NTP traffic going through the tunnel; all other testing does not get through because it appears to be going to the wrong destination (not sure; see the tun0 traffic for the client). The tunnel is established and I don't see any errors in the logs. Here is the information. I have tried tcp, tcp4, udp, udp4, txqueuelength and mssfix modifications and many combinations of route pushing and setting on the client, routing table on the server, etc. I am at a loss; I have literally been working on this setup for 3 weeks. I started with other problems that I resolved with help.

Now I think it might be just a setting on the client or an issue with my routing table.

****************** Server Information ******************

uname -a

Linux hostname 3.16.0-4-amd4 #1SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:e0:81:74:16:91  
          inet addr:172.16.234.2  Bcast:172.16.234.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1261497 (1.2 MiB)  TX bytes:430493 (420.4 KiB)

eth1      Link encap:Ethernet  HWaddr 00:e0:81:74:16:90  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.235.1  P-t-P:172.16.235.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.234.1    0.0.0.0         UG        0 0          0 eth0
10.0.34.0       172.16.235.2    255.255.255.0   UG        0 0          0 tun0
172.16.234.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.16.235.0    172.16.235.2    255.255.255.0   UG        0 0          0 tun0
172.16.235.2    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.16.235.0/24      anywhere            
ccd file contents in ccd directory for test host

iroute 10.0.34.0 255.255.255.0
tun0 capture on the server (just one exchange of many)

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       172.16.235.6          91.189.89.198         NTP      76     NTP Version 4, client

Frame 1: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Raw packet data
Internet Protocol Version 4, Src: 172.16.235.6, Dst: 91.189.89.198
User Datagram Protocol, Src Port: 39212, Dst Port: 123
Network Time Protocol (NTP Version 4, client)

No.     Time           Source                Destination           Protocol Length Info
      2 0.112700       91.189.89.198         172.16.235.6          NTP      76     NTP Version 4, server

Frame 2: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Raw packet data
Internet Protocol Version 4, Src: 91.189.89.198, Dst: 172.16.235.6
User Datagram Protocol, Src Port: 123, Dst Port: 39212
Network Time Protocol (NTP Version 4, server)
Server OpenVPN config
Server
port 11111
proto udp4
dev tun
ca ca.crt
cert cert.crt
key key.key
dh dh4096.pem
server 172.16.235.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.0.34.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
tls-auth tls-auth.key 0
tls-version-min 1.2
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log /etc/openvpn/openvpn.log
verb 6
****************** Client Information ******************

uname -a

Linux hostname 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ifconfig -a

eth0   Link encap:Ethernet  HWaddr 00:0d:3a:90:a0:67  
          inet addr:10.0.34.154  Bcast:10.0.34.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:446323 errors:0 dropped:0 overruns:0 frame:0
          TX packets:611068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:191577457 (191.5 MB)  TX bytes:124674907 (124.6 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)

tun0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.235.6  P-t-P:172.16.235.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:174 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:456 (456.0 B)  TX bytes:456 (456.0 B)
netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.235.5    128.0.0.0       UG        0 0          0 tun0
0.0.0.0         10.0.34.1       0.0.0.0         UG        0 0          0 eth0
10.0.34.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
1.1.1.1     10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       172.16.235.5    128.0.0.0       UG        0 0          0 tun0
168.63.129.16   10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
169.254.169.254 10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
172.16.235.1    172.16.235.5    255.255.255.255 UGH       0 0          0 tun0
172.16.235.5    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
tun0 capture from the client; other testing (DNS, wget, or anything else) shows a destination that is not the VPN box

No.     Time           Source                Destination           Protocol Length Info
      9 40.006453      172.16.235.6          91.189.89.198         NTP      76     NTP Version 4, client

Frame 9: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Raw packet data
Internet Protocol Version 4, Src: 172.16.235.6, Dst: 91.189.89.198
User Datagram Protocol, Src Port: 43545, Dst Port: 123
Network Time Protocol (NTP Version 4, client)

No.     Time           Source                Destination           Protocol Length Info
     10 44.375630      172.16.235.6          172.16.235.1          NTP      76     NTP Version 4, client

Frame 10: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Raw packet data
Internet Protocol Version 4, Src: 172.16.235.6, Dst: 172.16.235.1
User Datagram Protocol, Src Port: 42194, Dst Port: 123
Network Time Protocol (NTP Version 4, client)
Client OpenVPN Config
Client
client
dev tun
proto udp4
remote 1.1.1.1 11111
redirect-gateway def1
dhcp-option DNS 208.67.222.222
resolv-retry infinite
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert cert.crt
key key.key
remote-cert-tls server
tls-auth /etc/openvpn/tls-auth.key 1
tls-version-min 1.2
verb 6
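
The client routing table in the post above, as an added example that is not part of the original thread: a small Python script (written here, not from the poster or from OpenVPN) that parses the posted `netstat -nr` output and performs the kernel's longest-prefix lookup, so that for any destination you can see whether the kernel sends it over tun0 or eth0. The only input is the table as posted; the destinations looked up are addresses that appear in the thread. One thing it makes visible: with `redirect-gateway def1` the two /1 routes send everything over tun0 except the host routes that stay on eth0, so a packet captured on tun0 is expected to carry the real destination (91.189.89.198, 208.67.222.222) as its IP destination, not the VPN server; the VPN server's address (1.1.1.1 in the post) only appears on eth0, in the outer encapsulating packet.

```python
"""Longest-prefix-match walk over the posted client routing table.

Added example: re-implements the kernel's route selection (the most
specific matching prefix wins) for the `netstat -nr` output in the thread.
"""
import ipaddress

# Client routing table exactly as posted in the thread (constructed input).
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.235.5    128.0.0.0       UG        0 0          0 tun0
0.0.0.0         10.0.34.1       0.0.0.0         UG        0 0          0 eth0
10.0.34.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
1.1.1.1         10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       172.16.235.5    128.0.0.0       UG        0 0          0 tun0
168.63.129.16   10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
169.254.169.254 10.0.34.1       255.255.255.255 UGH       0 0          0 eth0
172.16.235.1    172.16.235.5    255.255.255.255 UGH       0 0          0 tun0
172.16.235.5    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
"""


def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples from netstat -nr output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner line and the column header; data rows have 8 fields.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        # ipaddress accepts dotted-quad netmasks; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins.

    Returns (iface, gateway, network) for the chosen route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1], str(best[0])


def has_def1_split(routes):
    """True when both /1 routes that redirect-gateway def1 installs point at tun0."""
    halves = {str(net): iface for net, _, iface in routes if net.prefixlen == 1}
    return halves.get("0.0.0.0/1") == halves.get("128.0.0.0/1") == "tun0"


if __name__ == "__main__":
    table = parse_routes(NETSTAT_NR)
    print("def1 split routes present:", has_def1_split(table))
    for dst in ("91.189.89.198", "208.67.222.222", "1.1.1.1",
                "168.63.129.16", "172.16.235.1", "10.0.34.154"):
        iface, gw, net = lookup(table, dst)
        print(f"{dst:16} -> {iface} via {gw} (matched {net})")
```

Running it against the posted table shows the two public destinations from the capture (the NTP server and the pushed DNS server) resolving to tun0, while the VPN endpoint, the Azure platform addresses (168.63.129.16, 169.254.169.254) and the local 10.0.34.0/24 network stay on eth0. That is exactly the split `redirect-gateway def1` is meant to produce; the same script can be pointed at any other client's `netstat -nr` output to check that nothing unexpected is still escaping the tunnel.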

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Tunnel but no "internet" access through VPN

Post by TinCanTech » Sat May 20, 2017 3:31 pm

MisterSurface wrote: ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:e0:81:74:16:91  
          inet addr:172.16.234.2  Bcast:172.16.234.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:e0:81:74:16:90  
          BROADCAST MULTICAST  MTU:1500  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.16.235.1  P-t-P:172.16.235.2  Mask:255.255.255.255
Do yourself a favour .. change your VPN subnet to 10.8.0.0/24 ..

As per the damn HOWTO that so many people have successfully used in the past.

MisterSurface
OpenVPN User
Posts: 34
Joined: Wed May 10, 2017 10:08 pm

Re: Tunnel but no "internet" access through VPN

Post by MisterSurface » Mon May 22, 2017 2:28 pm

TinCanTech wrote: Do yourself a favour .. change your VPN subnet to 10.8.0.0/24 ..

As per the damn HOWTO that so many people have successfully used in the past.
How is this a solution? I bet you can't find one thing wrong with my configuration...

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Tunnel but no "internet" access through VPN

Post by TinCanTech » Mon May 22, 2017 3:04 pm

MisterSurface wrote:
TinCanTech wrote: Do yourself a favour .. change your VPN subnet to 10.8.0.0/24 ..

As per the damn HOWTO that so many people have successfully used in the past.
How is this a solution?
Because debugging 172.16.234.x vs 172.16.235.x is an exercise in futility ..
MisterSurface wrote:I bet you can't find one thing wrong with my configuration...
s/cant/wont ...

MisterSurface
OpenVPN User
Posts: 34
Joined: Wed May 10, 2017 10:08 pm

Re: Tunnel but no "internet" access through VPN

Post by MisterSurface » Mon May 22, 2017 3:56 pm

Well, I got it to work, thanks for nothing. It appears there may be a bug in the code: backgrounding the process with CTRL-Z screws with it somehow. Running it in daemon mode fixes the problem. How does debugging a different subnet become a problem? You can't differentiate between numbers?
