Connected by can't ping vpn or any external ip
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Connected by can't ping vpn or any external ip
I've been going crazy trying to fix this and hoping someone can help.
I'm able to connect to the VPN from another network fine and when connected can ping all the devices on my LAN. However I can't ping the VPN IP nor any external IPs and so no web browser will resolve any addresses. Using DD-WRT and TCP 443. Here is my Server, Client and Firewall config:
Server
push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
keepalive 10 120
management 127.0.0.1 5002
client-to-client
Firewall
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport=443 -j ACCEPT
iptables -I OUTPUT -p tcp --sport=443 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT -p tcp -i br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Client
client
dev tun0
proto tcp
remote xxxxxxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server
comp-lzo
float
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Re: Connected by can't ping vpn or any external ip
Sorry I missed something here. I also have this line in my server config:
push "redirect-gateway"
This line seems to be causing the problem because if I remove it I can ping external IPs and use the browser fine. However doing this does not change my external IP to the external IP of my home network which is what I want to use VPN for. Hope that makes sense
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Re: Connected by can't ping vpn or any external ip
Thanks. I've checked and double checked and still can't find the problem. I have also tried a restore of factory defaults on DD-WRT and reconfigured using UDP 1194 defaults but still have the same problem. I have posted my routing tables below if it helps? (This is from an external network connection and connected by OVN)
10.8.0.0 is my Open VPN network server
192.168.1.1 is my router
xx.xx.xxx.xxx is the external WAN of my home network.
Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.8.0.1 UGSc 1 0 utun0
default 10.21.163.145 UGSc 7 0 en0
10.8/24 10.8.0.2 UGSc 5 0 utun0
10.8.0.2 10.8.0.2 UH 1 0 utun0
10.21.163.144/28 link#4 UCS 1 0 en0
10.21.163.145/32 link#4 UCS 1 0 en0
10.21.163.145 88:a6:c6:17:91:8a UHLWIir 4 18 en0 1182
10.21.163.147/32 link#4 UCS 1 0 en0
10.21.163.159 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
xx.xx.xxx.xxx/32 10.21.163.145 UGSc 1 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 2243 lo0
128.0/1 10.8.0.1 UGSc 2 0 utun0
169.254 link#4 UCS 0 0 en0
224.0.0 link#4 UmCS 1 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
255.255.255.255/32 link#4 UCS 0 0 en0
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Re: Connected by can't ping vpn or any external ip
Oh btw I can ping my OpenVPN server now when connected (10.8.0.0). Just can't get any external ping to work, it just times out
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Connected by can't ping vpn or any external ip
AdamC wrote: Firewall
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Set the output interface correctly.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Re: Connected by can't ping vpn or any external ip
Still no joy I'm afraid
P.S. xx.xx.xx.xxx is my home external IP
Routing Table
Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.8.0.1 UGSc 0 0 utun0
default 192.168.1.1 UGSc 4 0 en0
10.8/24 10.8.0.2 UGSc 5 0 utun0
10.8.0.2 10.8.0.2 UH 1 0 utun0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 6556 lo0
128.0/1 10.8.0.1 UGSc 3 0 utun0
169.254 link#4 UCS 0 0 en0
192.168.1 link#4 UCS 4 0 en0
192.168.1.1/32 link#4 UCS 2 0 en0
192.168.1.1 2c:30:33:d4:a4:dc UHLWIi 3 107 en0 1173
192.168.1.117 5c:aa:fd:47:29:c0 UHLWI 0 0 en0 1085
192.168.1.141 5c:aa:fd:47:29:a UHLWI 0 0 en0 1091
192.168.1.146/32 link#4 UCS 0 0 en0
192.168.1.147 94:9f:3e:a:14:50 UHLWI 0 0 en0 1110
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 6 en0
224.0.0 link#4 UmCS 1 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
255.255.255.255/32 link#4 UCS 0 0 en0
TunnelBlick Log
*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.0 (build 4790)
2017-03-04 16:35:15 *Tunnelblick: Attempting connection with Client Config; Set nameserver = 769; monitoring connection
2017-03-04 16:35:15 *Tunnelblick: openvpnstart start Client\ Config.tblk 1337 769 0 3 0 1065776 -ptADGNWradsgnw 2.3.14-openssl-1.0.2k
2017-03-04 16:35:15 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 28 2017
2017-03-04 16:35:15 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
2017-03-04 16:35:15 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-03-04 16:35:15 Need hold release from management interface, waiting...
2017-03-04 16:35:15 *Tunnelblick: openvpnstart starting OpenVPN
2017-03-04 16:35:16 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.14-openssl-1.0.2k/openvpn
--daemon
--log
/Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SClient Config.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065776.1337.openvpn.log
--cd
/Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources
--verb
3
--config
/Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources/config.ovpn
--verb
3
--cd
/Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources
--management
127.0.0.1
1337
--management-query-passwords
--management-hold
--redirect-gateway
def1
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2017-03-04 16:35:16 *Tunnelblick: Established communication with OpenVPN
2017-03-04 16:35:16 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-03-04 16:35:16 MANAGEMENT: CMD 'pid'
2017-03-04 16:35:16 MANAGEMENT: CMD 'state on'
2017-03-04 16:35:16 MANAGEMENT: CMD 'state'
2017-03-04 16:35:16 MANAGEMENT: CMD 'bytecount 1'
2017-03-04 16:35:16 MANAGEMENT: CMD 'hold release'
2017-03-04 16:35:16 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-03-04 16:35:16 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,RESOLVE,,,
2017-03-04 16:35:16 UDPv4 link local: [undef]
2017-03-04 16:35:16 UDPv4 link remote: [AF_INET]xx.xx.xx.xxx:1194
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,WAIT,,,
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,AUTH,,,
2017-03-04 16:35:16 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=1ba39c43 580850ca
2017-03-04 16:35:17 VERIFY OK: depth=1, CN=server
2017-03-04 16:35:17 Validating certificate key usage
2017-03-04 16:35:17 ++ Certificate has key usage 00a0, expects 00a0
2017-03-04 16:35:17 VERIFY KU OK
2017-03-04 16:35:17 Validating certificate extended key usage
2017-03-04 16:35:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-03-04 16:35:17 VERIFY EKU OK
2017-03-04 16:35:17 VERIFY OK: depth=0, CN=server
2017-03-04 16:35:18 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1442'
2017-03-04 16:35:18 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
2017-03-04 16:35:18 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-03-04 16:35:18 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-03-04 16:35:18 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-03-04 16:35:18 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-03-04 16:35:18 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-03-04 16:35:18 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-03-04 16:35:18 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2017-03-04 16:35:18 [server] Peer Connection Initiated with [AF_INET]192.168.1.1:1194
2017-03-04 16:35:19 MANAGEMENT: >STATE:1488645319,GET_CONFIG,,,
2017-03-04 16:35:20 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-03-04 16:35:20 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
2017-03-04 16:35:20 OPTIONS IMPORT: timers and/or timeouts modified
2017-03-04 16:35:20 OPTIONS IMPORT: --ifconfig/up options modified
2017-03-04 16:35:20 OPTIONS IMPORT: route options modified
2017-03-04 16:35:20 OPTIONS IMPORT: route-related options modified
2017-03-04 16:35:20 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-03-04 16:35:20 Opened utun device utun0
2017-03-04 16:35:20 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-03-04 16:35:20 MANAGEMENT: >STATE:1488645320,ASSIGN_IP,,10.8.0.2,
2017-03-04 16:35:20 /sbin/ifconfig utun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-03-04 16:35:20 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-03-04 16:35:20 /sbin/ifconfig utun0 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
2017-03-04 16:35:20 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
2017-03-04 16:35:20 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun0 1500 1542 10.8.0.2 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'AX88x72A'
Retrieved from OpenVPN: name server(s) [ 8.8.8.8 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
WARNING: Ignoring ServerAddresses '8.8.8.8' because ServerAddresses was set manually
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Did not change DNS ServerAddresses setting of '208.67.220.220 208.67.222.222' (but re-set it)
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from 'cable.virginmedia.net' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '208.67.220.220 208.67.222.222' were set manually
DNS servers '208.67.220.220 208.67.222.222' will be used for DNS queries when the VPN is active
The DNS servers include only free public DNS servers known to Tunnelblick.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-03-04 16:35:24 *Tunnelblick: No 'connected.sh' script to execute
2017-03-04 16:35:24 /sbin/route add -cloning -net 192.168.1.1 -netmask 255.255.255.255 -interface en0
route: writing to routing socket: File exists
add net 192.168.1.1: gateway en0: File exists
2017-03-04 16:35:24 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.1
2017-03-04 16:35:24 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.1
2017-03-04 16:35:24 MANAGEMENT: >STATE:1488645324,ADD_ROUTES,,,
2017-03-04 16:35:24 /sbin/route add -net 192.168.1.0 10.8.0.1 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.1.0: gateway 10.8.0.1: File exists
2017-03-04 16:35:24 Initialization Sequence Completed
2017-03-04 16:35:24 MANAGEMENT: >STATE:1488645324,CONNECTED,SUCCESS,10.8.0.2,192.168.1.1
2017-03-04 16:35:29 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-03-04 16:36:05 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
This is my bridging table in dd-wrt
br0 no vlan1 eth1 eth2
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Connected by can't ping vpn or any external ip
TinCanTech wrote:
AdamC wrote: Firewall
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Set the output interface correctly.
AdamC wrote: Still no joy I'm afraid
Routing Table
Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.8.0.1 UGSc 0 0 utun0
default 192.168.1.1 UGSc 4 0 en0
-
- OpenVpn Newbie
- Posts: 6
- Joined: Tue Feb 28, 2017 9:53 pm
Re: Connected by can't ping vpn or any external ip
Setting it as this you mean?
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o en0 -j MASQUERADE
Just tried it but it didn't work (tried utun0 as well)
en0 is the interface being used by my macbook.
Thanks for helping btw, it's really doing my head in!
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Connected by can't ping vpn or any external ip
AdamC wrote: Just tried it but it didn't work (tried utun0 as well)
Randomly applying things to other things will get you nowhere.
Start here:
HOWTO: For OpenVPN Community Edition
Also,
- NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
- You are advised to change your server LAN to a more unique RFC 1918-compliant subnet, e.g. 192.168.143.0/24
You may also need to try DD-WRT Support.
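The second routing table in this thread shows the symptom the NOTE above describes: the client's own LAN is 192.168.1.0/24 (default via 192.168.1.1 on en0) while the server pushes route 192.168.1.0/24, and the Tunnelblick log answers "add net 192.168.1.0: gateway 10.8.0.1: File exists". The script below is an added example, not code from the thread or from OpenVPN/Tunnelblick: it parses a macOS `netstat -rn` table (a constructed sample modelled on the one posted), confirms that both halves of the `redirect-gateway def1` split default route point at the tunnel, and flags any pushed route that collides with a network the client already reaches directly. The list of pushed routes is assumed to be supplied by hand from the PUSH_REPLY line.

```python
"""Check an OpenVPN client's macOS routing table for def1 and LAN clashes."""
import ipaddress

# Constructed sample, modelled on the `netstat -rn` output in the thread
# (utun0 is the OpenVPN tunnel, en0 the Mac's LAN interface).
SAMPLE_NETSTAT_RN = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.1           UGSc            0        0   utun0
default            192.168.1.1        UGSc            4        0     en0
10.8/24            10.8.0.2           UGSc            5        0   utun0
10.8.0.2           10.8.0.2           UH              1        0   utun0
128.0/1            10.8.0.1           UGSc            3        0   utun0
192.168.1          link#4             UCS             4        0     en0
192.168.1.1/32     link#4             UCS             2        0     en0
"""

def parse_dest(dest):
    """Expand BSD route shorthand ('10.8/24', '192.168.1', 'default') to a network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    host, _, prefix = dest.partition("/")
    octets = host.split(".")
    bits = int(prefix) if prefix else 8 * len(octets)  # no mask: width of octets given
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + f"/{bits}", strict=False)

def parse_routes(text):
    """Yield (network, gateway, netif) for every data row of `netstat -rn`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] in ("Internet:", "Destination"):
            continue
        yield parse_dest(fields[0]), fields[1], fields[5]

def diagnose(text, pushed_routes, tun_prefix="utun"):
    """Return the def1 gateway (None if the split default is incomplete) and the
    pushed routes that clash with a directly connected (link#) non-tunnel network."""
    routes = list(parse_routes(text))
    halves = {str(net): gw for net, gw, ifc in routes
              if ifc.startswith(tun_prefix) and net.prefixlen == 1}
    vpn_gw = halves.get("0.0.0.0/1")
    if vpn_gw != halves.get("128.0.0.0/1"):
        vpn_gw = None  # def1 needs both 0/1 and 128/1 via the same tunnel gateway
    conflicts = []
    for pushed in pushed_routes:
        wanted = ipaddress.IPv4Network(pushed)
        for net, gw, ifc in routes:
            if (gw.startswith("link#") and not ifc.startswith(tun_prefix)
                    and net.overlaps(wanted) and net.prefixlen <= wanted.prefixlen):
                conflicts.append((str(net), ifc))  # local LAN shadows the pushed route
    return {"vpn_gateway": vpn_gw, "conflicts": conflicts}

if __name__ == "__main__":
    print(diagnose(SAMPLE_NETSTAT_RN, ["192.168.1.0/24"]))
```

A non-empty `conflicts` list means the pushed LAN route is shadowed by the client's own subnet, which is what the "File exists" line in the log and the advice to renumber the server LAN are about.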