OpenVPN Server not forwarding traffic

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
SnIpY
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 13, 2019 9:04 am

OpenVPN Server not forwarding traffic

Post by SnIpY » Wed Feb 13, 2019 9:12 am

I've setup a new VPN server using https://forge.puppet.com/puppet/openvpn puppet module. This runs on an Amazon Linux 2. I can connect to the VPN server just fine.

I push a few routes trough the VPN. When connected, the clients indeed try to go via the VPN server, however, this keeps timing out. I've read the HOWTO and have all the required settings. A summary:

VPN Server:

Code: Select all

mode server
client-config-dir /etc/openvpn/bastion/client-configs
ca /etc/openvpn/bastion/keys/ca.crt
cert /etc/openvpn/bastion/keys/issued/server.crt
key /etc/openvpn/bastion/keys/private/server.key
dh /etc/openvpn/bastion/keys/dh.pem
crl-verify /etc/openvpn/bastion/crl.pem
proto udp
port 1194
comp-lzo
group nobody
user nobody
log-append /var/log/openvpn/bastion.log
status /var/log/openvpn/bastion-status.log
dev tun0
local 172.31.9.225
server 10.9.0.0 255.255.255.0
push "route 172.31.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 10.20.0.0 255.255.0.0"
push "route 10.30.0.0 255.255.0.0"
push "route 10.40.0.0 255.255.0.0"
push "dhcp-option DNS 172.31.0.2"
push "dhcp-option DOMAIN aws.m4e"
push "dhcp-option DOMAIN mind4energy.eu"
topology net30
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
management 172.31.9.225 7505

# Additional custom options
IP Forward on OpenVPN Server

Code: Select all

cat /proc/sys/net/ipv4/ip_forward
1
Client Config:

Code: Select all

client
dev tun
proto udp
remote 23.45.123.43 1194
comp-lzo
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
mute-replay-warnings
ns-cert-type server
verb 3
mute 20

# Additional custom options

ca keys/user/ca.crt
cert keys/user/user.crt
key keys/user/user.key
IPTables:

Code: Select all

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn /* Allow incoming VPN connection */
2    ACCEPT     all  --  anywhere             anywhere             /* Accept packets from VPN tunnel adaptor */
3    ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  anywhere             anywhere
2    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  anywhere             anywhere
5    ACCEPT     all  --  anywhere             anywhere
6    ACCEPT     all  --  anywhere             anywhere
7    ACCEPT     all  --  ip-10-9-0-0.eu-west-1.compute.internal/24  anywhere             /* Allow VPN forwarding */
8    ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain DOCKER (1 references)
num  target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num  target     prot opt source               destination
1    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
2    RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere
2    RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
What obvious thing am I missing here?

Post Reply