Connection ok but no internet access


Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
BennyHill67
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 17, 2018 8:56 am

Connection ok but no internet access

Post by BennyHill67 » Sat Feb 17, 2018 9:04 am

Hello,

I have been looking for a solution to this for many days now... But nothing has worked so far. :|

I am trying to set up OpenVPN (I have installed DD-WRT v3.0-r34929 giga (02/12/18) on an Asus RT-AC66U).

Internal IP of the router is 192.168.0.1
External IP of the router is 10.0.0.1

I have set up an OpenVPN server and I can get a connection from my client (iPhone 7). The subnet for the tunnel tun0 interface is 192.168.66.0/24

I have used push "redirect-gateway def1" in the OpenVPN server configuration. What I want to achieve is for my iPhone to use the same Internet gateway as the router running DD-WRT.


Client
remote MyIP 1194
client
remote-cert-tls server
dev tun0
proto tcp 4
resolv-retry infinite
nobind
persist-key
persist-tun
route-delay 30
redirect-gateway def1
comp-lzo
cipher AES-256-CBC
auth SHA256
float
# And the key part



Server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 192.168.66.0 255.255.255.0
dev tun2
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
push "redirect-gateway def1"
dev tun0
proto tcp4
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5
management localhost 5001


This is the firewall script.

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE


I connect to the OpenVPN server, this is fine. I can see that the server has assigned the address 192.168.66.2 to my cellphone. If I check my "gateway IP", which should be the one of my ISP, I do not get anything. In fact, no internet connection is available.

So, I can come in, but not out... hehe :|

Is this due to the OpenVPN or routing?

Thank you.

Kind regards,
Last edited by BennyHill67 on Sun Feb 18, 2018 12:19 am, edited 1 time in total.

BennyHill67
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 17, 2018 8:56 am

Re: Connection ok but no internet access

Post by BennyHill67 » Sat Feb 17, 2018 9:10 am

Can't get the oconf code working... Sorry.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection ok but no internet access

Post by TinCanTech » Sat Feb 17, 2018 12:52 pm

BennyHill67 wrote:
Sat Feb 17, 2018 9:04 am
server 192.168.66.0 255.255.255.0
BennyHill67 wrote:
Sat Feb 17, 2018 9:04 am
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables should nat VPN not local subnet .. 66.0/24
BennyHill67 wrote:
Sat Feb 17, 2018 9:04 am
Internal IP of the router is 192.168.0.1
Also,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24
BennyHill67 wrote:
Sat Feb 17, 2018 9:10 am
Can't get the oconf code working
[ oconf=server ] .. etc .. [ /oconf ] (without the spaces)

BennyHill67
OpenVpn Newbie
Posts: 3
Joined: Sat Feb 17, 2018 8:56 am

Re: Connection ok but no internet access

Post by BennyHill67 » Sun Feb 18, 2018 12:18 am

Hi TinCanTech!

Thanks for your reply. :)

I have now changed the subnet to 192.168.54.0 255.255.255.0 and updated the firewall script.

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.66.0/24 -o eth0 -j MASQUERADE

I have changed one "push" line to match the new subnet.

push "route 192.168.54.0 255.255.255.0"

server
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto tcp4-server
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
duplicate-cn
client-to-client
push "redirect-gateway def1"
tcp-nodelay
tun-mtu 1500
mtu-disc yes
server 192.168.66.0 255.255.255.0
dev tun2
push "route 192.168.54.0 255.255.255.0"
push "dhcp-option DNS 192.168.66.1"
server 192.168.66.0 255.255.255.0
push "redirect-gateway def1"

dev tun0
proto tcp4
keepalive 10 120

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
verb 5

management localhost 5001


Still no luck.

I have noticed that the DD-WRT web interface added a tun2 automatically, while I specified tun0.

I added the following 2 lines to the firewall script, and commented out first the tun0 lines and then the tun2 lines so that only one tun was active, and still no luck. :|

iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT

I tried to reach websites by IP address, and this did not work either.

Edit:

When I check the eth0 interface, it shows:

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37944 errors:0 dropped:0 overruns:0 frame:0
TX packets:34901 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35556441 (33.9 MiB) TX bytes:21224953 (20.2 MiB)
Interrupt:4 Base address:0x2000


While using the following command, I get the external IP of the router...

# ifconfig `nvram get wan_ifname`
vlan2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17234 errors:0 dropped:6 overruns:0 frame:0
TX packets:9210 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18293740 (17.4 MiB) TX bytes:1374452 (1.3 MiB)

Can this have something to do with the issue?
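An added example for this thread (it is not the poster's script and not DD-WRT's own firewall code): a POSIX shell script that builds the rule set the two posts above are converging on, with the MASQUERADE source set to the tunnel subnet as TinCanTech points out, and with the outbound interface taken as a parameter instead of being hard-coded to eth0, since the poster's own `ifconfig \`nvram get wan_ifname\`` output shows the WAN address on vlan2. The helper `check_masq_rule` is a constructed check that rejects a NAT rule whose source or interface does not match; the subnet, interface names and port used in the stand-alone run are the values quoted in the thread, and `vpn_fw_rules` and `check_masq_rule` are names chosen here.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): generate the iptables
# rules for an OpenVPN server that pushes "redirect-gateway def1", and verify the
# MASQUERADE rule before applying it. Interfaces and subnets are parameters; the
# sample values at the bottom are the ones quoted in the thread.

# Print the rule set, one command per line.
#   $1 VPN tunnel subnet (the "server" line, as a CIDR)
#   $2 tun interface      $3 LAN bridge
#   $4 WAN interface (on DD-WRT: `nvram get wan_ifname`)
#   $5 OpenVPN TCP port
vpn_fw_rules() {
    vpn_net=$1; tun_if=$2; lan_if=$3; wan_if=$4; port=$5
    printf '%s\n' \
        "iptables -I INPUT 1 -p tcp --dport $port -j ACCEPT" \
        "iptables -I FORWARD 1 -s $vpn_net -j ACCEPT" \
        "iptables -I FORWARD -i $lan_if -o $tun_if -j ACCEPT" \
        "iptables -I FORWARD -i $tun_if -o $lan_if -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE"
}

# Return 0 only if $1 is a POSTROUTING MASQUERADE rule whose -s is the VPN
# subnet ($2) and whose -o is the WAN interface ($3). A rule that NATs the
# LAN subnet, or leaves via the wrong interface, is rejected.
check_masq_rule() {
    rule=$1; vpn_net=$2; wan_if=$3
    case "$rule" in
        *"-t nat "*"POSTROUTING "*"MASQUERADE"*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$rule" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
    out=$(printf '%s\n' "$rule" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
    [ "$src" = "$vpn_net" ] && [ "$out" = "$wan_if" ]
}

# Stand-alone run with the thread's values: tunnel 192.168.66.0/24 on tun0,
# LAN bridge br0, WAN interface vlan2 (substitute `nvram get wan_ifname` on the
# router), OpenVPN on TCP 1194. Prints the rules and checks the NAT line;
# nothing is applied, the output is meant to be reviewed first.
if [ "${1:-}" = "show" ]; then
    rules=$(vpn_fw_rules 192.168.66.0/24 tun0 br0 vlan2 1194)
    printf '%s\n' "$rules"
    nat=$(printf '%s\n' "$rules" | tail -n 1)
    if check_masq_rule "$nat" 192.168.66.0/24 vlan2; then
        echo "NAT rule OK: masquerades the VPN subnet out of the WAN interface"
    else
        echo "NAT rule WRONG: check -s (VPN subnet) and -o (WAN interface)" >&2
        exit 1
    fi
fi
```

Run it as `sh script.sh show` to print the rules; the check fails on the original line `-s 192.168.0.0/24 -o eth0` (LAN subnet, and an interface that the ifconfig output above shows carries no WAN address) and passes once the source is the tunnel subnet and the interface is the one `nvram get wan_ifname` reports.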
