Configuring OpenVPN for Secure Web Browsing?

Post by physiii » Thu Nov 09, 2017 2:13 am

I can connect my client to the VPN I installed on my webhost (Ubuntu 15.10) and ping other clients but still can not browse the web. I can reach a few sites (youtube.com, example.com) but most give no response.

UFW is not installed and there is no nat table in iptables:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.169.244.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 10.0.0.2"
;push "dhcp-option DNS 10.1.0.2"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 1 3
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

netstat -rn:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
192.169.169.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.169.169.254 0.0.0.0         UG        0 0          0 eth0

client.conf:

client
dev tun
proto udp
remote pyfi.org 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
;remote-cert-tls server
;tls-auth ta.key 1
;cipher AES-256-CBC
comp-lzo
verb 3

netstat -rn:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 enp3s0
10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 enp3s0
192.169.169.10  192.168.0.1     255.255.255.255 UGH       0 0          0 enp3s0

Can anyone tell me why I'm not able to reach the internet?

Post by TinCanTech » Thu Nov 09, 2017 10:25 am

physiii wrote:
Thu Nov 09, 2017 2:13 am
Can anyone tell me why I'm not able to reach the internet?

Because you don't have iptables installed and so you don't have NAT enabled.

By the way:
physiii wrote:
Thu Nov 09, 2017 2:13 am
netstat -rn:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
192.169.169.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.169.169.254 0.0.0.0         UG        0 0          0 eth0

192.169/16 is not an RFC1918 (Private) subnet, it is a real subnet on the internet and is not suitable for home use.
You want 192.168/16 .. which is any subnet that starts with 192.168.x.x
(To avoid network conflicts don't use 192.168.0 or 1 .. use something obscure like 192.168.147.0/24)

Post by physiii » Thu Nov 09, 2017 1:11 pm

TinCanTech wrote:
Thu Nov 09, 2017 10:25 am
Because you don't have iptables installed and so you don't have NAT enabled.

I am showing output from iptables, so what do you mean it's not installed? How do I enable NAT?

TinCanTech wrote:
Thu Nov 09, 2017 10:25 am
192.169/16 is not an RFC1918 (Private) subnet, it is a real subnet on the internet and is not suitable for home use.
You want 192.168/16 .. which is any subnet that starts with 192.168.x.x
(To avoid network conflicts don't use 192.168.0 or 1 .. use something obscure like 192.168.147.0/24)

Yes, that is the public IP (destination) for the VPN that I am trying to connect to. I don't understand why you would want to VPN to a local network you are already physically connected to?

Now I'm confused even more lol. I do have iptables installed and I am using the right public address.

Any suggestions?

Post by TinCanTech » Thu Nov 09, 2017 7:50 pm

physiii wrote:
Thu Nov 09, 2017 1:11 pm
Yes, that is the public IP (destination) for the VPN that I am trying to connect to
TinCanTech wrote:
Thu Nov 09, 2017 10:25 am
client dev tun proto udp remote pyfi.org 1194

Please ask pyfi.org ..

Please see:
HOWTO: Request Help ! {2}

Post by physiii » Fri Nov 10, 2017 12:42 pm

TinCanTech wrote:
Thu Nov 09, 2017 7:50 pm
physiii wrote:
Thu Nov 09, 2017 1:11 pm
Yes, that is the public IP (destination) for the VPN that I am trying to connect to
TinCanTech wrote:
Thu Nov 09, 2017 10:25 am
client dev tun proto udp remote pyfi.org 1194
Please ask pyfi.org ..

Please see:
HOWTO: Request Help ! {2}

Can you please remove my domain you added to the headline for some reason? I meant to use IP, didn't know that was in there.

What do you mean ask them - I am them?

You said iptables isn't installed....yet I'm showing you output from iptables

You say I am connecting to a public IP - but that is exactly what I want to do?


Anyone know what's going on?

Post by TinCanTech » Fri Nov 10, 2017 1:04 pm

physiii wrote:
Fri Nov 10, 2017 12:42 pm
You said iptables isn't installed....yet I'm showing you output from iptables
physiii wrote:
Thu Nov 09, 2017 2:13 am
I can connect my client to the VPN I installed on my webhost (Ubuntu 15.10) and ping other clients but still can not browse the web. I can reach a few sites (youtube.com, example.com) but most give no response.

UFW is not installed and there is no nat table in iptables:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Did you read the output?

Post by Skaperen » Sun Nov 12, 2017 3:31 am

you are showing output from the iptables command that is saying that the iptables module is not in the Linux kernel. it can be compiled into the Linux kernel when you compile it, or it can be inserted at run time if the Linux kernel was compiled with module insert capability. most Linux distributions do the latter but you may need to also install the module file(s) and/or configure init time code to insert the module.

probably you installed the iptables command package and think you installed everything this way.

what Linux distribution are you running at every host involved? what all have you done to set this up?
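
The distinction drawn in the post above (the iptables command being present while the kernel side of the nat table is not), as an added example that is not part of the thread. It classifies a server's state from the value of `net.ipv4.ip_forward` and the output of `iptables -t nat -S POSTROUTING`; the function names and the `GOOD_RULES` listing are constructed for illustration, and the error text is the one quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): classify why VPN clients using
# "redirect-gateway def1" cannot reach the internet through the server.

# Error text quoted from the first post of the thread.
PAGE_ERROR="iptables v1.4.21: can't initialize iptables table \`nat': Table does not exist (do you need to insmod?)"

# Constructed sample of a working `iptables -t nat -S POSTROUTING` listing.
GOOD_RULES="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"

# diagnose_vpn_nat IP_FORWARD NAT_LISTING VPN_SUBNET  (hypothetical helper)
# Prints one verdict: kernel-nat-missing, forwarding-disabled,
# masquerade-rule-missing, or ok.
diagnose_vpn_nat() {
    ip_forward=$1
    nat_listing=$2
    vpn_subnet=$3

    # The userland iptables binary ran, but the kernel has no nat table:
    # no NAT rule can be added until the kernel side is available.
    case $nat_listing in
        *"Table does not exist"*) echo "kernel-nat-missing"; return 0 ;;
    esac

    # Without forwarding, the server does not route packets arriving
    # on tun0 out through its internet-facing interface.
    if [ "$ip_forward" != "1" ]; then
        echo "forwarding-disabled"; return 0
    fi

    # Look for a source-NAT rule that covers the VPN subnet.
    if printf '%s\n' "$nat_listing" | grep -F -- "-s $vpn_subnet " |
        grep -Eq -- '-j (MASQUERADE|SNAT)'; then
        echo "ok"
    else
        echo "masquerade-rule-missing"
    fi
}

# Live check on the server (needs root); the default subnet is the one
# from the server.conf posted in the thread.
diagnose_live() {
    diagnose_vpn_nat "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables -t nat -S POSTROUTING 2>&1)" "${1:-10.8.0.0/24}"
}
```

Calling `diagnose_vpn_nat 1 "$PAGE_ERROR" 10.8.0.0/24` reproduces the situation in this thread and prints `kernel-nat-missing`.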

Post by Skaperen » Sun Nov 12, 2017 3:51 am

your network being so close to an RFC1918 network, it can easily be concluded as a typo or other error. when i do a lookup of the address of pyfi.org i do get 192.169.244.100, but a reverse lookup of 192.169.244.100 gives ip-192-169-244-100.ip.secureserver.net. and the ARIN registration of 192.169.128.0/17 (the latter half of 192.169.0.0/16) is by GoDaddy.com, LLC. where did you get this IP? from your ISP? what is their name? (all this to convince me this IP is allocated correctly. yes i do see a PYFI web site when my browser asks for that, even with just the IP in the URL. and tell us the big picture of what you and your company are trying to accomplish.
