Connected to VPN but no internet connection

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
galxy_star
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 27, 2021 9:03 pm

Connected to VPN but no internet connection

Post by galxy_star » Wed Oct 27, 2021 9:22 pm

Hi all, I have set up an OpenVPN client on my Raspberry Pi, which acts as an AP, so the wireless devices connected to the AP are connected to the VPN;
each client is connected to a different VPN server, e.g. Device1 (connected wirelessly to the Pi) is connected to VPNServer 1, etc.
Client:
Raspberry PI 4B, OpenWrt , ClientVPN
Server:
Virtual server, Ubuntu 20.04
For example, Device1 (connected to the access point of the Pi) with IP 192.168.2.20 gets tun20 through the following script.
To do this I set up this script:
script.sh

#!/bin/sh
# OpenVPN "up" script: policy-route one guest device through the tun
# interface OpenVPN has just brought up. OpenVPN exports the interface
# name in $dev (this needs script-security 2 in the client config).
IFACE=${dev}
# Numeric suffix of the interface name (tun20 -> 20). tr is POSIX sh;
# the ${var//pattern/} expansion is bash-only and not guaranteed in /bin/sh.
INDEX=$(printf '%s' "$IFACE" | tr -cd '0-9')
DEVICE_IP=192.168.2.$INDEX
TEST_IP=192.168.2.$(($INDEX+10))
TABLE_NAME=9$INDEX
CONDA_PORT=28153
CONDA_RANGE=$CONDA_PORT:$(($CONDA_PORT+1))

sysctl -w net.ipv4.ip_forward=1

# NAT the guest subnet and forward the CONDA port range to the device.
# Note: -A appends on every (re)connect, so rules accumulate across runs.
iptables -w -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
iptables -w -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$CONDA_RANGE" -j DNAT --to-destination "$DEVICE_IP:$CONDA_PORT"
iptables -w -A FORWARD -d "$DEVICE_IP" -p tcp --dport "$CONDA_PORT" -j ACCEPT

# Drop rules left over from a previous run. "|| true" stops a missing rule
# from failing the script: OpenVPN aborts when an up script exits non-zero.
ip rule del from "$DEVICE_IP" 2>/dev/null || true
ip rule del from "$TEST_IP" 2>/dev/null || true
ip route flush table "$TABLE_NAME"
# Send traffic from the device (and its test address) via the per-device table.
ip rule add from "$DEVICE_IP" table "$TABLE_NAME"
ip rule add from "$TEST_IP" table "$TABLE_NAME"
ip route add default dev "$IFACE" table "$TABLE_NAME"
When I activate the OpenVPN instance on the Raspberry Pi, it connects to the VPN.
server status.log

OpenVPN CLIENT LIST
Updated,Wed Oct 27 20:38:56 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
mobile,188.26.223.54:45667,3192,2709,Wed Oct 27 20:38:45 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,mobile,188.26.223.54:45667,Wed Oct 27 20:38:45 2021
GLOBAL STATS
Max bcast/mcast queue length,1
END
This is the /var/log/openvpn.log, if it helps.

Wed Oct 27 19:32:27 2021 mobile/188.26.223.54:37091 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:32:27 2021 mobile/188.26.223.54:37091 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:33:43 2021 mobile/188.26.223.54:37091 SIGTERM[soft,remote-exit] received, client-instance exiting
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 TLS: Initial packet from [AF_INET]188.26.223.54:46523, sid=a9e3e1c9 e49f8b90
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 VERIFY OK: depth=1, CN=cn_Zxd1NYcZBfG9Z7T9
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 VERIFY OK: depth=0, CN=mobile
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_VER=2.5.3
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_PLAT=linux
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_PROTO=6
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_NCP=2
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZ4=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZ4v2=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_LZO=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_COMP_STUB=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_COMP_STUBv2=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 peer info: IV_TCPNL=1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Wed Oct 27 19:34:05 2021 188.26.223.54:46523 [mobile] Peer Connection Initiated with [AF_INET]188.26.223.54:46523
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI: Learn: 10.8.0.2 -> mobile/188.26.223.54:46523
Wed Oct 27 19:34:05 2021 mobile/188.26.223.54:46523 MULTI: primary virtual IP for mobile/188.26.223.54:46523: 10.8.0.2
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 SENT CONTROL [mobile]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:34:06 2021 mobile/188.26.223.54:46523 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Oct 27 19:45:17 2021 event_wait : Interrupted system call (code=4)
Wed Oct 27 19:45:17 2021 OpenVPN CLIENT LIST
Wed Oct 27 19:45:17 2021 Updated,Wed Oct 27 19:45:17 2021
Wed Oct 27 19:45:17 2021 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Wed Oct 27 19:45:17 2021 mobile,188.26.223.54:46523,5833,5350,Wed Oct 27 19:34:05 2021
Wed Oct 27 19:45:17 2021 ROUTING TABLE
Wed Oct 27 19:45:17 2021 Virtual Address,Common Name,Real Address,Last Ref
Wed Oct 27 19:45:17 2021 10.8.0.2,mobile,188.26.223.54:46523,Wed Oct 27 19:34:05 2021
Wed Oct 27 19:45:17 2021 GLOBAL STATS
Wed Oct 27 19:45:17 2021 Max bcast/mcast queue length,1
Wed Oct 27 19:45:17 2021 END
/etc/openvpn/movil.ovpn

client
proto udp
explicit-exit-notify
remote 82.165.2.238 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_16mFh07n4H6c7Tp8 name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
dev tun20
route-nopull
route-noexec
script-security 2
up /etc/openvpn/script.sh
verb 3
<ca>
client /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd80:7ccc:35b0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.171'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '8.8.8.8'
	list dns '1.1.1.1'

config interface 'GUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun20'
client /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'GUEST'
	list network 'tun20'

config forwarding
	option src 'guest'
	option dest 'lan'
server.config

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_16mFh07n4H6c7Tp8.crt
key server_16mFh07n4H6c7Tp8.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn.log
duplicate-cn
verb 3
The VPN server works, the AP works, but the wireless devices connected to the AP lose their Internet connection when I activate the OpenVPN client instance.
I don't know if it's the firewall, the DNS or the script.sh (the users already have static IPs).
The final result would be to connect the different devices to different VPNs. This is the /etc/config/openvpn of the Pi (right now I'm testing with the 'movil' device because the Internet connection is not working).
/etc/config/openvpn

config openvpn 'Device1'
	option config '/etc/openvpn/Device1.ovpn'

config openvpn 'Device2'
	option config '/etc/openvpn/Device2.ovpn'

config openvpn 'Device3'
	option config '/etc/openvpn/Device3.ovpn'

config openvpn 'Device4'
	option config '/etc/openvpn/Device4.ovpn'

config openvpn 'Device5'
	option config '/etc/openvpn/Device5.ovpn'

config openvpn 'movil'
	option config '/etc/openvpn/movil.ovpn'
	option enabled '1'
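
An added check (example code, not from the original post and not part of OpenVPN or OpenWrt) that verifies on the router whether the rules and routing table the up script is supposed to create for a given tun interface are actually present. It assumes the same 192.168.2.N addressing and 9NN table numbering as the script above; the parsing helpers take command output as arguments, so they can be exercised offline against constructed samples, while policy_route_status() runs the live ip and sysctl commands.

```shell
#!/bin/sh
# Verify the policy routing an OpenVPN up script should have created for one
# guest device (addressing and table naming assumed from the script above).

# Interface name -> numeric suffix (tun20 -> 20), as the up script derives it.
iface_index() { printf '%s' "$1" | tr -cd '0-9'; }

# has_rule RULES SRC_IP TABLE: 0 if RULES ("ip rule show" output) contains
# a "from SRC_IP lookup TABLE" entry.
has_rule() {
    printf '%s\n' "$1" | grep -qF -- "from $2 lookup $3"
}

# has_default_dev ROUTES DEV: 0 if ROUTES ("ip route show table N" output)
# has a default route bound to DEV.
has_default_dev() {
    printf '%s\n' "$1" | grep -qE "^default dev $2( |$)"
}

# check_policy_route IFACE RULES ROUTES IP_FORWARD
# Prints each failed check; returns the number of failures (0 = all present).
check_policy_route() {
    iface=$1; rules=$2; routes=$3; fwd=$4
    idx=$(iface_index "$iface")
    dev_ip="192.168.2.$idx"
    test_ip="192.168.2.$((idx + 10))"
    table="9$idx"
    fails=0
    [ "$fwd" = 1 ] || { echo "net.ipv4.ip_forward is off"; fails=$((fails + 1)); }
    has_rule "$rules" "$dev_ip" "$table" \
        || { echo "missing rule: from $dev_ip lookup $table"; fails=$((fails + 1)); }
    has_rule "$rules" "$test_ip" "$table" \
        || { echo "missing rule: from $test_ip lookup $table"; fails=$((fails + 1)); }
    has_default_dev "$routes" "$iface" \
        || { echo "table $table has no default route via $iface"; fails=$((fails + 1)); }
    return $fails
}

# Live check on the router (needs ip and sysctl), e.g.: policy_route_status tun20
policy_route_status() {
    check_policy_route "$1" "$(ip rule show)" \
        "$(ip route show table "9$(iface_index "$1")" 2>/dev/null)" \
        "$(sysctl -n net.ipv4.ip_forward)"
}
```

A non-zero exit from policy_route_status tells you which of the script's effects did not survive, which separates a routing problem from a firewall or DNS one.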


TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connected to VPN but no internet connection

Post by TinCanTech » Wed Oct 27, 2021 9:36 pm

galxy_star wrote:
Wed Oct 27, 2021 9:22 pm
the wireless deviceses conected to the AP are connected to the VPN,
each client is conected to a diferent VPN server
You only need one server.

Please take a look at the howto: https://community.openvpn.net/openvpn/wiki/HOWTO

galxy_star
OpenVpn Newbie
Posts: 2
Joined: Wed Oct 27, 2021 9:03 pm

Re: Connected to VPN but no internet connection

Post by galxy_star » Wed Oct 27, 2021 10:37 pm

I want each client to have a different public IP, that’s why I need different servers.
