OpenVPN : client can't access to internet

manuAW
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 14, 2016 11:40 am

OpenVPN : client can't access to internet

Post by manuAW » Mon Nov 14, 2016 12:06 pm

Hi,

I need to use a VPN to access Samba network drives. The OpenVPN server and Samba are on the same machine (Ubuntu 14.04). For my tests I use a Win10 client.
The VPN connection is OK (mode tun - proto udp - port 1194 - NAT rules on the modem and on my RV042 router): I can reach the server, ping the server and the Samba drives, but as soon as the client is connected to the VPN it loses internet access. I tried setting Google's DNS on the client's wifi connection before connecting to the VPN (I read that it could come from a routing problem), and the same thing on the DNS of the VPN virtual adapter (TAP-Windows Adapter V9).

I also entered these DNS servers in my OpenVPN configuration:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

I have added to /etc/rc.local:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

As the network configuration on the client side (my home) is similar to the server side (my company), I tried using my phone's shared connection; it's the same result (Chrome gives me ERR_CONNECTION_TIMED_OUT).

I don't know where the problem is; maybe it's a problem with the hardware (router or modem) or with the configuration?

Thanks for your replies and sorry for my bad English.

Manu.
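The server in this post pushes redirect-gateway and NATs the 10.8.0.0/24 pool, so every client packet for the internet has to be forwarded by the server, masqueraded on its egress interface, and allowed through its FORWARD chain. As an added example (not code from the post or from OpenVPN), here is a small shell audit of those three server-side pieces. The function name audit_full_tunnel, the run_live wrapper and the sample iptables-save text are assumptions made for illustration; the sample deliberately mirrors the rc.local line above (NAT rule present) while leaving forwarding off, so the output shows what a missing prerequisite looks like.

```shell
#!/bin/sh
# Added example, not from the post or from OpenVPN: audit the server-side
# prerequisites that `push "redirect-gateway def1"` relies on. Every input is
# passed in as an argument so the checks can run against captured data; the
# run_live wrapper at the bottom feeds it the real values on the server.
#
# audit_full_tunnel IP_FORWARD IPTABLES_SAVE_TEXT VPN_SUBNET EGRESS_IFACE
#   Prints one "OK"/"MISSING" line per check; exit status = number MISSING.
audit_full_tunnel() {
    ip_forward="$1"; rules="$2"; vpn_net="$3"; egress="$4"
    missing=0

    # 1. Kernel forwarding. Without it, packets arriving on tun0 for other
    #    hosts are dropped before NAT is ever consulted, so the MASQUERADE
    #    rule alone (as in the post's rc.local) does nothing.
    if [ "$ip_forward" = "1" ]; then
        echo "OK      net.ipv4.ip_forward=1"
    else
        echo "MISSING net.ipv4.ip_forward=1  (fix: sysctl -w net.ipv4.ip_forward=1)"
        missing=$((missing + 1))
    fi

    # 2. Source NAT for the VPN pool on the egress interface.
    if printf '%s\n' "$rules" | grep -Eq "^-A POSTROUTING .*-s $vpn_net .*-o $egress .*-j MASQUERADE"; then
        echo "OK      MASQUERADE $vpn_net -> $egress"
    else
        echo "MISSING iptables -t nat -A POSTROUTING -s $vpn_net -o $egress -j MASQUERADE"
        missing=$((missing + 1))
    fi

    # 3. The FORWARD chain must let tun -> egress traffic through: either the
    #    chain policy is ACCEPT or an explicit accept rule exists.
    if printf '%s\n' "$rules" | grep -Eq '^:FORWARD ACCEPT' \
       || printf '%s\n' "$rules" | grep -Eq "^-A FORWARD .*-i tun[0-9+]* .*-o $egress .*-j ACCEPT"; then
        echo "OK      FORWARD allows tun -> $egress"
    else
        echo "MISSING iptables -A FORWARD -i tun0 -o $egress -j ACCEPT (plus the ESTABLISHED,RELATED rule for replies)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Live use on the server (root required): run_live 10.8.0.0/24 eth0
run_live() {
    audit_full_tunnel "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)" "$1" "$2"
}

# Constructed sample of iptables-save output, modelled on the post: the NAT
# rule from rc.local is present, but the FORWARD policy drops and (first
# argument) forwarding is still off.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

audit_full_tunnel 0 "$SAMPLE_RULES" 10.8.0.0/24 eth0 || echo "problems found: $?"
```

On the server, `run_live 10.8.0.0/24 eth0` as root feeds the real sysctl and iptables-save output to the same function. The audit says nothing about DNS: with redirect-gateway the pushed resolver must be reachable through the tunnel, so pushing 10.8.0.1 (as the server.conf later in this thread does) only works if a resolver actually listens on the server's tun address.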

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN : client can't access to internet

Post by TinCanTech » Mon Nov 14, 2016 1:16 pm


manuAW
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 14, 2016 11:40 am

Re: OpenVPN : client can't access to internet

Post by manuAW » Mon Nov 14, 2016 2:51 pm

OK, thanks, I'll do it.

manuAW
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 14, 2016 11:40 am

Re: OpenVPN : client can't access to internet

Post by manuAW » Mon Nov 14, 2016 6:30 pm

So, I'm sending you all the information about my VPN (server and client).

My OpenVPN version is 2.3.13.

server.conf:
SERVER
server 10.8.0.0 255.255.255.0
port 1194
proto udp
dev tun
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
user nobody
group nogroup
persist-key
persist-tun
verb 4
server log:

just the lines that I think are important...

...

Mon Nov 14 16:54:16 2016 us=333722   route_script = '[UNDEF]'
Mon Nov 14 16:54:16 2016 us=333729   route_default_gateway = '[UNDEF]'
Mon Nov 14 16:54:16 2016 us=333736   route_default_metric = 0
Mon Nov 14 16:54:16 2016 us=333743   route_noexec = DISABLED
Mon Nov 14 16:54:16 2016 us=333750   route_delay = 0
Mon Nov 14 16:54:16 2016 us=333757   route_delay_window = 30
Mon Nov 14 16:54:16 2016 us=333764   route_delay_defined = DISABLED
Mon Nov 14 16:54:16 2016 us=333771   route_nopull = DISABLED
Mon Nov 14 16:54:16 2016 us=333778   route_gateway_via_dhcp = DISABLED
Mon Nov 14 16:54:16 2016 us=333785   max_routes = 100
....
Mon Nov 14 16:54:16 2016 us=334658   server_network = 10.8.0.0
Mon Nov 14 16:54:16 2016 us=334666   server_netmask = 255.255.255.0
Mon Nov 14 16:54:16 2016 us=334677   server_network_ipv6 = ::
Mon Nov 14 16:54:16 2016 us=334684   server_netbits_ipv6 = 0
Mon Nov 14 16:54:16 2016 us=334692   server_bridge_ip = 0.0.0.0
Mon Nov 14 16:54:16 2016 us=334699   server_bridge_netmask = 0.0.0.0
Mon Nov 14 16:54:16 2016 us=334707   server_bridge_pool_start = 0.0.0.0
Mon Nov 14 16:54:16 2016 us=334715   server_bridge_pool_end = 0.0.0.0
Mon Nov 14 16:54:16 2016 us=334722   push_entry = 'redirect-gateway def1'
Mon Nov 14 16:54:16 2016 us=334729   push_entry = 'dhcp-option DNS 10.8.0.1'
Mon Nov 14 16:54:16 2016 us=334736   push_entry = 'route 10.8.0.1'
Mon Nov 14 16:54:16 2016 us=334742   push_entry = 'topology net30'
Mon Nov 14 16:54:16 2016 us=334749   push_entry = 'ping 10'
Mon Nov 14 16:54:16 2016 us=334756   push_entry = 'ping-restart 120'
....

client conf:
CLIENT
client
dev tun
proto udp
remote x.x.x.x
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
route-method exe
route-delay 2
ca xx.xxx
cert xxxx.xxx
key xxxx.xxx
and the log file:

Mon Nov 14 16:56:17 2016 SIGUSR1[soft,ping-restart] received, process restarting
Mon Nov 14 16:56:17 2016 MANAGEMENT: >STATE:1479138977,RECONNECTING,ping-restart,,
Mon Nov 14 16:56:17 2016 Restart pause, 2 second(s)
Mon Nov 14 16:56:19 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Nov 14 16:56:19 2016 UDPv4 link local: [undef]
Mon Nov 14 16:56:19 2016 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Mon Nov 14 16:56:19 2016 MANAGEMENT: >STATE:1479138979,WAIT,,,
Mon Nov 14 16:56:19 2016 MANAGEMENT: >STATE:1479138979,AUTH,,,
Mon Nov 14 16:56:19 2016 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=9e9537e0 7981aaca
Mon Nov 14 16:56:21 2016 VERIFY OK: depth=1, C=XX, ST=XXX, L=Xxxxxx, O=XXXX XXX, OU=XX Xxxxx, CN=Xxxxx Xxxx XX, name=EasyRSA, emailAddress=xxxxx@xxxxx.xxx
Mon Nov 14 16:56:21 2016 VERIFY OK: nsCertType=SERVER
Mon Nov 14 16:56:21 2016 VERIFY OK: depth=0, C=XX, ST=XXX, L=Xxxxxx, O=XXXX XXX, OU=XX Xxxxx, CN=Xxxxx Xxxx XX, name=EasyRSA, emailAddress=xxxxx@xxxxx.xxx
Mon Nov 14 16:56:28 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 14 16:56:28 2016 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Nov 14 16:56:28 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 14 16:56:28 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Nov 14 16:56:28 2016 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Mon Nov 14 16:56:28 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 14 16:56:28 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Nov 14 16:56:28 2016 [AWSave] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Mon Nov 14 16:56:29 2016 MANAGEMENT: >STATE:1479138989,GET_CONFIG,,,
Mon Nov 14 16:56:30 2016 SENT CONTROL [AWSave]: 'PUSH_REQUEST' (status=1)
Mon Nov 14 16:56:30 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Nov 14 16:56:30 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 14 16:56:30 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 14 16:56:30 2016 OPTIONS IMPORT: route options modified
Mon Nov 14 16:56:30 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 14 16:56:30 2016 Preserving previous TUN/TAP instance: Ethernet 2
Mon Nov 14 16:56:30 2016 Initialization Sequence Completed
Mon Nov 14 16:56:30 2016 MANAGEMENT: >STATE:1479138990,CONNECTED,SUCCESS,10.8.0.6,x.x.x.x
I hope that it's OK.

Thanks.
Manu

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN : client can't access to internet

Post by TinCanTech » Mon Nov 14, 2016 6:49 pm

Use topology subnet in your server config.

See --topology in The Manual v23x. Read it carefully.

manuAW
OpenVpn Newbie
Posts: 4
Joined: Mon Nov 14, 2016 11:40 am

Re: OpenVPN : client can't access to internet

Post by manuAW » Tue Nov 15, 2016 8:41 am

Thanks for your help. In the end, I don't use topology subnet, but I found a solution while searching for information about topology subnet.

I added:
# My network is in 192.168.0.x
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

and removed all the push lines about redirect-gateway.

Web traffic doesn't go through my OpenVPN server's internet connection, but that's better in my case: I don't want my employees' illegal downloads to use my internet connection.

Many thanks for everything.
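The client log in Manu's third post shows the whole pushed option list on one PUSH_REPLY line, and the final post changes what that list contains (routes and public DNS instead of redirect-gateway). As an added example (not code from the thread or from OpenVPN), here is a shell function that reads such a line and reports full-tunnel vs split-tunnel, the pushed DNS servers, routes, topology and the client's ifconfig pair. The function name summarise_push_reply is a hypothetical helper; the first sample line is quoted from the client log above, the second is constructed to reflect the final server.conf and is not from a real log.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenVPN: summarise what the
# server actually pushed to a client by parsing the PUSH_REPLY line that the
# client writes to its log. This shows at a glance whether a client is
# full-tunnel (redirect-gateway present) or split-tunnel (only routes), and
# which DNS servers it was handed. Hypothetical helper.
#
# summarise_push_reply "<client log line containing PUSH_REPLY,...>"
#   Prints key=value lines: full_tunnel, dns, routes, topology, ifconfig.
summarise_push_reply() {
    line="$1"
    # Keep only the comma-separated option list after "PUSH_REPLY,".
    opts="${line#*PUSH_REPLY,}"
    opts=$(printf '%s' "$opts" | tr -d "'")

    full_tunnel=no; dns=""; routes=""; topology="net30"; ifconfig=""
    old_ifs="$IFS"; IFS=','
    for opt in $opts; do
        case "$opt" in
            "redirect-gateway"*) full_tunnel=yes ;;
            "dhcp-option DNS "*) dns="$dns${dns:+ }${opt#dhcp-option DNS }" ;;
            "route "*)           routes="$routes${routes:+;}${opt#route }" ;;
            "topology "*)        topology="${opt#topology }" ;;
            "ifconfig "*)        ifconfig="${opt#ifconfig }" ;;
        esac
    done
    IFS="$old_ifs"

    echo "full_tunnel=$full_tunnel"
    echo "dns=${dns:-none}"
    echo "routes=${routes:-none}"
    echo "topology=$topology"      # OpenVPN 2.3 defaults to net30 when nothing is pushed
    echo "ifconfig=${ifconfig:-none}"
}

# The PUSH_REPLY line quoted from the client log earlier in the thread
# (full tunnel, DNS 10.8.0.1, net30 /30 pair for the client).
FULL_LOG="Mon Nov 14 16:56:30 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"

# Constructed line reflecting the final split-tunnel server.conf in the last
# post (route to the LAN, public DNS, no redirect-gateway); not a real log.
SPLIT_LOG="Tue Nov 15 08:00:00 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'"

echo "--- full tunnel";  summarise_push_reply "$FULL_LOG"
echo "--- split tunnel"; summarise_push_reply "$SPLIT_LOG"
```

Two things the summary makes visible. The `ifconfig 10.8.0.6 10.8.0.5` pair is what `topology net30` produces: each client gets its own /30 out of the pool, whereas `topology subnet` (TinCanTech's suggestion) gives every client a single address in a flat 10.8.0.0/24 and avoids the /30 bookkeeping on Windows clients. And in the split-tunnel case, clients reaching other hosts on 192.168.0.0/24 still need a return path: either the LAN gateway routes 10.8.0.0/24 back to the OpenVPN server, or the server masquerades that traffic on its LAN interface (the MASQUERADE rule from the first post does this if eth0 is the LAN side). The same client log also carries the SWEET32 warning for BF-CBC; setting `cipher AES-256-CBC` on both server and client, as the warning itself suggests, removes it.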
