Cannot neither DNS nor default-gateway

darklamp
OpenVpn Newbie
Posts: 1
Joined: Thu May 10, 2018 7:24 pm

Post by darklamp » Thu May 10, 2018 7:45 pm

Hello everyone,
I'm sorry I have to create another thread on the forum, but I just can't figure my situation out.
I currently have a Raspberry Pi 3 with OpenVPN on it (installed via PiVPN), which, if it matters, is running Pi-hole + dnscrypt too.
Now, I had this VPN server working for 2 days, then I started facing the same problem again and again, which is: the client connects but can't browse (it can ping locally). The only way around this I found was to set the DNS push to 127.0.0.1, which is pointless because it makes the client use its own DNS client, when I want it to use MY DNS client, which is (successfully) running on the RPi.
The Pi's internal IP is (statically assigned) 192.168.147.250, and 10.8.147.1 for the VPN subnet. The router is correctly set up to forward connections from ports 443 and 1194 to my server's port 11940, on which I am listening.
I've got UFW on the server, which should be configured correctly (I'll post the configuration here too).
Also, I get an error from time to time in the server's logs which states that "comp-lzo" is only enabled server-side. I am 101% sure that comp-lzo is NOT enabled, neither server- nor client-side. In fact, I only enable and push "compress lz4-v2", as you can see in the config files.
Finally, I also tried changing the "listen-address" line in dnsmasq to listen on 127.0.0.1, 192.168.147.250 and 10.8.147.1, and made sure Pi-hole listened on all ports, but with no result.
Thanks so much for your time and sorry for the wall of text :)

Server config:

dev tun
proto udp
port 11940
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/serverf.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh none
topology subnet
server 10.8.147.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.147.1"
push "block-outside-dns"
push "redirect-gateway autolocal def1"
#client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
push "compress lz4-v2"
compress lz4-v2
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

Client config (clients are running Ubuntu and Android; both have different keys that haven't been revoked):

client
dev tun
proto udp
remote **myddns** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_abcd name
cipher AES-256-CBC
auth SHA256
compress lz4-v2
verb 3
<ca>
**ca cert**
</ca>
<cert>
**cert**
</cert>
<key>
**key**
</key>
<tls-crypt>
**key**
</tls-crypt>

UFW's before.rules:

#
# rules.before
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] 
# Allow traffic from OpenVPN client to masquerade 
-A POSTROUTING -s 10.8.147.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT


# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

PiVPN's setupVars.conf:

pivpnUser=dietpi
UNATTUPG=
pivpnInterface=eth0
IPv4dns=127.0.0.1
IPv4addr=192.168.147.250
IPv4gw=192.168.147.69
pivpnProto=udp
PORT=11940
ENCRYPT=2048
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=
PUBLICDNS=**myddns**
OVPNDNS1=192.168.147.250
OVPNDNS2=
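As an added example (not part of the post, and not PiVPN's or OpenVPN's own code; the function names are my own), the following script cross-checks trimmed copies of the four configs above against each other: that the client's inline credential blocks are properly paired, that the pushed DNS address is the server's own tun address (the first host of the `server` pool, which holds for the default and `topology subnet` layouts) rather than a loopback address, that compression agrees on both ends (the "comp-lzo only enabled on one side" message comes from exactly that kind of mismatch), and that the NAT rule masquerades the VPN pool out of the interface named in setupVars.conf. The embedded inputs are constructed; the client profile is deliberately given a mismatched </cert> tag to show what the block check reports.

```python
"""Cross-checks between an OpenVPN server config, a client profile, the UFW NAT
rules and PiVPN's setupVars.conf. Added example, not PiVPN's or OpenVPN's code."""
import ipaddress
import re

# Constructed inputs trimmed to what the checks read; the client profile deliberately
# closes <ca> with </cert> and has no <cert> block, an easy slip when pasting by hand.
SERVER_CONF = """
server 10.8.147.0 255.255.255.0
push "dhcp-option DNS 10.8.147.1"
push "block-outside-dns"
push "compress lz4-v2"
compress lz4-v2
"""
CLIENT_CONF = """
compress lz4-v2
<ca>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
"""
BEFORE_RULES = "*nat\n-A POSTROUTING -s 10.8.147.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n"
SETUP_VARS = "pivpnInterface=eth0\nIPv4dns=127.0.0.1\nOVPNDNS1=192.168.147.250\n"

def directives(text):
    """Yield (name, args) per directive, skipping comments and inline <block> bodies."""
    inside = False
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"</?[\w-]+>", line):
            inside = not line.startswith("</")
        elif line and line[0] not in "#;" and not inside:
            name, _, args = line.partition(" ")
            yield name, args.strip()

def pushed(server):
    """Options the server pushes, with the surrounding quotes removed."""
    return [a.strip("\"'") for n, a in directives(server) if n == "push"]

def vpn_network(server):
    """Pool from the 'server' directive; the server itself takes its first host address."""
    pools = [a.split() for n, a in directives(server) if n == "server"]
    return ipaddress.ip_network("/".join(pools[0])) if pools else None

def check_inline_blocks(client, required=("ca", "cert", "key", "tls-crypt")):
    """Each <tag> must be closed by </tag>, and the credential blocks must all be present."""
    findings, open_tag, seen = [], None, set()
    for m in re.finditer(r"^<(/?)([\w-]+)>$", client, re.M):
        closing, tag = m.group(1) == "/", m.group(2)
        if not closing:
            open_tag = tag
            seen.add(tag)
        else:
            if tag != open_tag:
                findings.append(f"</{tag}> closes <{open_tag}>")
            open_tag = None
    return findings + [f"missing <{t}> block" for t in required if t not in seen]

def check_dns_push(server):
    """The pushed resolver must be reachable through the tunnel, not the client's loopback."""
    findings, net = [], vpn_network(server)
    matches = (re.fullmatch(r"dhcp-option DNS (\S+)", opt) for opt in pushed(server))
    for m in filter(None, matches):
        dns = ipaddress.ip_address(m.group(1))
        if dns.is_loopback:
            findings.append(f"DNS {dns} is loopback: each client uses its own local resolver")
        elif net and dns not in net:
            findings.append(f"DNS {dns} is outside {net}: reachable only once forwarding and NAT work")
        elif net and dns != net[1]:
            findings.append(f"DNS {dns} is inside {net} but is not the server's tun address {net[1]}")
    if "block-outside-dns" in pushed(server):
        findings.append("block-outside-dns is a Windows-only option; non-Windows clients do not apply it")
    return findings

def check_compression(server, client):
    """Compression must agree on both ends; a one-sided comp-lzo is the classic mismatch."""
    s, c = dict(directives(server)), dict(directives(client))
    findings = ["comp-lzo is set on only one side"] if ("comp-lzo" in s) != ("comp-lzo" in c) else []
    if s.get("compress") != c.get("compress"):
        findings.append(f"compress differs: server {s.get('compress')!r}, client {c.get('compress')!r}")
    return findings

def check_nat(before_rules, setup_vars, server):
    """The VPN pool must be masqueraded out of the interface PiVPN was configured with."""
    conf = dict(line.split("=", 1) for line in setup_vars.splitlines() if "=" in line)
    iface, net = conf.get("pivpnInterface"), vpn_network(server)
    rules = re.findall(r"-A POSTROUTING -s (\S+) -o (\S+) -j MASQUERADE", before_rules)
    ok = any(ipaddress.ip_network(src) == net and out == iface for src, out in rules)
    return [] if ok else [f"no MASQUERADE rule for {net} out of {iface}"]

if __name__ == "__main__":
    print("inline blocks:", check_inline_blocks(CLIENT_CONF) or "ok")
    print("dns push:", check_dns_push(SERVER_CONF) or "ok")
    print("compression:", check_compression(SERVER_CONF, CLIENT_CONF) or "ok")
    print("nat:", check_nat(BEFORE_RULES, SETUP_VARS, SERVER_CONF) or "ok")
```

Two things the files above cannot show and the script therefore cannot check: net.ipv4.ip_forward has to be 1 and ufw's DEFAULT_FORWARD_POLICY (in /etc/default/ufw) has to be ACCEPT, otherwise tunnelled traffic never leaves the Pi even with a correct MASQUERADE rule; and a pushed dhcp-option DNS only takes effect on a Linux client when an up/down script such as update-resolv-conf applies it, whereas the Android apps apply it themselves. A resolver that is meant to serve VPN clients must also listen on the tun address: dnsmasq's listen-address with 10.8.147.1 is the right idea, but that address only exists once tun0 is up, so dnsmasq either has to start after OpenVPN or run with bind-dynamic.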