Connected by can't ping vpn or any external ip

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Connected by can't ping vpn or any external ip

Post by AdamC » Tue Feb 28, 2017 10:02 pm

Ive been going crazy trying to fix this and hoping someone can help.

I'm able to connect to the VPN from another network fine and when connected can ping all the devices on my LAN. However i can't ping the VPN IP nor any external IPs and so no web browser will resolve any addresses. Using DD-WRT and TCP 443. Here is my Server, Client and Firewall config:

Server

push "route 192.168.1.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
keepalive 10 120
management 127.0.0.1 5002
client-to-client

Firewall

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport=443 -j ACCEPT
iptables -I OUTPUT -p tcp --sport=443 -j ACCEPT

iptables -I INPUT -p tcp -i eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -I INPUT -p tcp -i br0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Client
client
dev tun0
proto tcp
remote xxxxxxx 443
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert laptop.crt
key laptop.key

ns-cert-type server
comp-lzo

float

AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Re: Connected by can't ping vpn or any external ip

Post by AdamC » Wed Mar 01, 2017 10:21 am

Sorry I missed something here. I also have this line in my server config:

push "redirect-gateway"

This line seems to be causing the problem because if I remove it I can ping external IPs and use the browser fine. However doing this does not change my external IP to the external IP of my home network which is what I want to use VPN for. Hope that makes sense


AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Re: Connected by can't ping vpn or any external ip

Post by AdamC » Fri Mar 03, 2017 12:15 am

Thanks. I've checked and double checked and still can't find the problem. I have also tried a restore of factory defaults on DD-WRT and reconfigured using UDP 1194 defaults but still have the same problem. I have posted my routing tables below if it helps? (This is from an external network connection and connected by OVN)

10.8.0.0 is my Open VPN network server
192.168.1.1 is my router
xx.xx.xxx.xxx is the external WAN of my home network.

Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.8.0.1 UGSc 1 0 utun0
default 10.21.163.145 UGSc 7 0 en0
10.8/24 10.8.0.2 UGSc 5 0 utun0
10.8.0.2 10.8.0.2 UH 1 0 utun0
10.21.163.144/28 link#4 UCS 1 0 en0
10.21.163.145/32 link#4 UCS 1 0 en0
10.21.163.145 88:a6:c6:17:91:8a UHLWIir 4 18 en0 1182
10.21.163.147/32 link#4 UCS 1 0 en0
10.21.163.159 ff:ff:ff:ff:ff:ff UHLWbI 0 3 en0
xx.xx.xxx.xxx/32 10.21.163.145 UGSc 1 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 2243 lo0
128.0/1 10.8.0.1 UGSc 2 0 utun0
169.254 link#4 UCS 0 0 en0
224.0.0 link#4 UmCS 1 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
255.255.255.255/32 link#4 UCS 0 0 en0

AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Re: Connected by can't ping vpn or any external ip

Post by AdamC » Fri Mar 03, 2017 1:26 am

Oh btw i can ping my open vpn server now when connected (10.8.0.0). Just can't get any external ping to work, it just times out

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connected by can't ping vpn or any external ip

Post by TinCanTech » Fri Mar 03, 2017 2:07 pm

AdamC wrote:Firewall
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Re: Connected by can't ping vpn or any external ip

Post by AdamC » Sat Mar 04, 2017 4:43 pm

Still no joy I'm afraid

Routing Table

Code: Select all

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.1           UGSc            0        0   utun0
default            192.168.1.1        UGSc            4        0     en0
10.8/24            10.8.0.2           UGSc            5        0   utun0
10.8.0.2           10.8.0.2           UH              1        0   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              3     6556     lo0
128.0/1            10.8.0.1           UGSc            3        0   utun0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             4        0     en0
192.168.1.1/32     link#4             UCS             2        0     en0
192.168.1.1        2c:30:33:d4:a4:dc  UHLWIi          3      107     en0   1173
192.168.1.117      5c:aa:fd:47:29:c0  UHLWI           0        0     en0   1085
192.168.1.141      5c:aa:fd:47:29:a   UHLWI           0        0     en0   1091
192.168.1.146/32   link#4             UCS             0        0     en0
192.168.1.147      94:9f:3e:a:14:50   UHLWI           0        0     en0   1110
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en0
224.0.0            link#4             UmCS            1        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
255.255.255.255/32 link#4             UCS             0        0     en0
TunnelBlick Log

Code: Select all

*Tunnelblick: OS X 10.11.6; Tunnelblick 3.7.0 (build 4790)
2017-03-04 16:35:15 *Tunnelblick: Attempting connection with Client Config; Set nameserver = 769; monitoring connection
2017-03-04 16:35:15 *Tunnelblick: openvpnstart start Client\ Config.tblk 1337 769 0 3 0 1065776 -ptADGNWradsgnw 2.3.14-openssl-1.0.2k
2017-03-04 16:35:15 OpenVPN 2.3.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 28 2017
2017-03-04 16:35:15 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
2017-03-04 16:35:15 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-03-04 16:35:15 Need hold release from management interface, waiting...
2017-03-04 16:35:15 *Tunnelblick: openvpnstart starting OpenVPN
2017-03-04 16:35:16 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.14-openssl-1.0.2k/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-SClient Config.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1065776.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources
          --verb
          3
          --config
          /Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources/config.ovpn
          --verb
          3
          --cd
          /Library/Application Support/Tunnelblick/Shared/Client Config.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --redirect-gateway
          def1
          --script-security
          2
          --up
          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down
          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2017-03-04 16:35:16 *Tunnelblick: Established communication with OpenVPN
2017-03-04 16:35:16 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-03-04 16:35:16 MANAGEMENT: CMD 'pid'
2017-03-04 16:35:16 MANAGEMENT: CMD 'state on'
2017-03-04 16:35:16 MANAGEMENT: CMD 'state'
2017-03-04 16:35:16 MANAGEMENT: CMD 'bytecount 1'
2017-03-04 16:35:16 MANAGEMENT: CMD 'hold release'
2017-03-04 16:35:16 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-03-04 16:35:16 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,RESOLVE,,,
2017-03-04 16:35:16 UDPv4 link local: [undef]
2017-03-04 16:35:16 UDPv4 link remote: [AF_INET]xx.xx.xx.xxx:1194
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,WAIT,,,
2017-03-04 16:35:16 MANAGEMENT: >STATE:1488645316,AUTH,,,
2017-03-04 16:35:16 TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=1ba39c43 580850ca
2017-03-04 16:35:17 VERIFY OK: depth=1, CN=server
2017-03-04 16:35:17 Validating certificate key usage
2017-03-04 16:35:17 ++ Certificate has key usage  00a0, expects 00a0
2017-03-04 16:35:17 VERIFY KU OK
2017-03-04 16:35:17 Validating certificate extended key usage
2017-03-04 16:35:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-03-04 16:35:17 VERIFY EKU OK
2017-03-04 16:35:17 VERIFY OK: depth=0, CN=server
2017-03-04 16:35:18 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1442'
2017-03-04 16:35:18 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
2017-03-04 16:35:18 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-03-04 16:35:18 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-03-04 16:35:18 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-03-04 16:35:18 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2017-03-04 16:35:18 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
2017-03-04 16:35:18 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-03-04 16:35:18 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2017-03-04 16:35:18 [server] Peer Connection Initiated with [AF_INET]192.168.1.1:1194
2017-03-04 16:35:19 MANAGEMENT: >STATE:1488645319,GET_CONFIG,,,
2017-03-04 16:35:20 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-03-04 16:35:20 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
2017-03-04 16:35:20 OPTIONS IMPORT: timers and/or timeouts modified
2017-03-04 16:35:20 OPTIONS IMPORT: --ifconfig/up options modified
2017-03-04 16:35:20 OPTIONS IMPORT: route options modified
2017-03-04 16:35:20 OPTIONS IMPORT: route-related options modified
2017-03-04 16:35:20 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-03-04 16:35:20 Opened utun device utun0
2017-03-04 16:35:20 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2017-03-04 16:35:20 MANAGEMENT: >STATE:1488645320,ASSIGN_IP,,10.8.0.2,
2017-03-04 16:35:20 /sbin/ifconfig utun0 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-03-04 16:35:20 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-03-04 16:35:20 /sbin/ifconfig utun0 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
2017-03-04 16:35:20 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
                                        add net 10.8.0.0: gateway 10.8.0.2
2017-03-04 16:35:20 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun0 1500 1542 10.8.0.2 255.255.255.0 init
                                        **********************************************
                                        Start of output from client.up.tunnelblick.sh
                                        Disabled IPv6 for 'AX88x72A'
                                        Retrieved from OpenVPN: name server(s) [ 8.8.8.8 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                        WARNING: Ignoring ServerAddresses '8.8.8.8' because ServerAddresses was set manually
                                        Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
                                        Saved the DNS and SMB configurations so they can be restored
                                        Did not change DNS ServerAddresses setting of '208.67.220.220 208.67.222.222' (but re-set it)
                                        Changed DNS SearchDomains setting from '' to 'openvpn'
                                        Changed DNS DomainName setting from 'cable.virginmedia.net' to 'openvpn'
                                        Did not change SMB NetBIOSName setting of ''
                                        Did not change SMB Workgroup setting of ''
                                        Did not change SMB WINSAddresses setting of ''
                                        DNS servers '208.67.220.220 208.67.222.222' were set manually
                                        DNS servers '208.67.220.220 208.67.222.222' will be used for DNS queries when the VPN is active
                                        The DNS servers include only free public DNS servers known to Tunnelblick.
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        Setting up to monitor system configuration with process-network-changes
                                        End of output from client.up.tunnelblick.sh
                                        **********************************************
2017-03-04 16:35:24 *Tunnelblick: No 'connected.sh' script to execute
2017-03-04 16:35:24 /sbin/route add -cloning -net 192.168.1.1 -netmask 255.255.255.255 -interface en0
                                        route: writing to routing socket: File exists
                                        add net 192.168.1.1: gateway en0: File exists
2017-03-04 16:35:24 /sbin/route add -net 0.0.0.0 10.8.0.1 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.1
2017-03-04 16:35:24 /sbin/route add -net 128.0.0.0 10.8.0.1 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.1
2017-03-04 16:35:24 MANAGEMENT: >STATE:1488645324,ADD_ROUTES,,,
2017-03-04 16:35:24 /sbin/route add -net 192.168.1.0 10.8.0.1 255.255.255.0
                                        route: writing to routing socket: File exists
                                        add net 192.168.1.0: gateway 10.8.0.1: File exists
2017-03-04 16:35:24 Initialization Sequence Completed
2017-03-04 16:35:24 MANAGEMENT: >STATE:1488645324,CONNECTED,SUCCESS,10.8.0.2,192.168.1.1
2017-03-04 16:35:29 *Tunnelblick process-network-changes: A system configuration change was ignored
2017-03-04 16:36:05 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
P.S I xx.xx.xx.xxx my home external IP

This is my bridging table in dd-wrt
br0 no vlan1 eth1 eth2

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connected by can't ping vpn or any external ip

Post by TinCanTech » Sat Mar 04, 2017 4:55 pm

TinCanTech wrote:
AdamC wrote:Firewall
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
AdamC wrote:Still no joy I'm afraid

Routing Table

Code: Select all

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.1           UGSc            0        0   utun0
default            192.168.1.1        UGSc            4        0     en0
Set the output interface correctly.

AdamC
OpenVpn Newbie
Posts: 6
Joined: Tue Feb 28, 2017 9:53 pm

Re: Connected by can't ping vpn or any external ip

Post by AdamC » Sat Mar 04, 2017 5:07 pm

Setting it as this you mean?
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o en0 -j MASQUERADE

Just tried it but it didn't work (tried utun0 as well)

en0 is the interface being used by my macbook.

Thanks for helping btw, its really doing my head in!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connected by can't ping vpn or any external ip

Post by TinCanTech » Sat Mar 04, 2017 5:49 pm

AdamC wrote:Just tried it but it didn't work (tried utun0 as well)
Randomly applying things to other things will get you nowhere.

Start here:
HOWTO: For OpenVPN Community Edition

Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
:arrow: Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN :!:
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet. f.e 192.168.143.0/24
Also, ensure IP forwarding is enabled on your server.


You may also need to try DD-WRT Support.

Post Reply