redirect gateway not allowing internet traffic through

magepug
OpenVpn Newbie
Posts: 1
Joined: Sat Jan 02, 2016 2:35 pm

Post by magepug » Sat Jan 02, 2016 2:51 pm

I'm trying to configure openvpn server such that all client traffic is redirected through the vpn tunnel. When I connect the client, the client is able to ping the internal and external server IP addresses, however it is unable to reach any other internet address (e.g. 8.8.8.8).

I've got ip forwarding enabled on the server:

Code:

root@server:/etc/openvpn# cat /proc/sys/net/ipv4/ip_forward
1

I must be missing something else. Does anyone see where I've screwed up?

General info:
server IP: 1.2.3.4
server private subnet range: 192.168.12.0/24
client internal private network: 10.168.12.0/24
server external interface: eth0
server internal interface: tun0
client external interface: eth0
client internal interface: tun0

route on client after connection:

Code:

root@client:~# ip route show
0.0.0.0/1 via 192.168.12.5 dev tun0
default via 10.168.12.1 dev eth0
10.168.12.0/24 dev eth0  proto kernel  scope link  src 10.168.12.56
128.0.0.0/1 via 192.168.12.5 dev tun0
1.2.3.4 via 10.168.12.1 dev eth0
192.168.12.1 via 192.168.12.5 dev tun0
192.168.12.5 dev tun0  proto kernel  scope link  src 192.168.12.6

output from client connection:

Code:

root@client:/etc/openvpn# openvpn --config /etc/openvpn/client.conf
Sat Jan  2 14:32:46 2016 OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jul  8 2015
Sat Jan  2 14:32:46 2016 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Sat Jan  2 14:32:46 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Jan  2 14:32:46 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  2 14:32:46 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  2 14:32:46 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Jan  2 14:32:46 2016 UDPv4 link local: [undef]
Sat Jan  2 14:32:46 2016 UDPv4 link remote: [AF_INET]1.2.3.4:1194
Sat Jan  2 14:32:46 2016 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=bb1a9841 77477ef0
Sat Jan  2 14:32:47 2016 VERIFY OK: depth=1, C=UK, ST=GB, L=London, O=Swarthy, OU=SwarthyUK, CN=Swarthy CA, name=SwarthyUK, emailAddress=admin@home.swth
Sat Jan  2 14:32:47 2016 Validating certificate key usage
Sat Jan  2 14:32:47 2016 ++ Certificate has key usage  00a0, expects 00a0
Sat Jan  2 14:32:47 2016 VERIFY KU OK
Sat Jan  2 14:32:47 2016 Validating certificate extended key usage
Sat Jan  2 14:32:47 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jan  2 14:32:47 2016 VERIFY EKU OK
Sat Jan  2 14:32:47 2016 VERIFY OK: depth=0, C=UK, ST=GB, L=London, O=Swarthy, OU=SwarthyUK, CN=server, name=SwarthyUK, emailAddress=admin@home.swth
Sat Jan  2 14:32:48 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan  2 14:32:48 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  2 14:32:48 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan  2 14:32:48 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan  2 14:32:48 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jan  2 14:32:48 2016 [server] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
Sat Jan  2 14:32:51 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jan  2 14:32:51 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.168.12.11,dhcp-option DNS 8.8.8.8,route 192.168.12.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.12.6 192.168.12.5'
Sat Jan  2 14:32:51 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan  2 14:32:51 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan  2 14:32:51 2016 OPTIONS IMPORT: route options modified
Sat Jan  2 14:32:51 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jan  2 14:32:51 2016 ROUTE_GATEWAY 10.168.12.1/255.255.255.0 IFACE=eth0 HWADDR=00:16:3e:13:83:b8
Sat Jan  2 14:32:51 2016 TUN/TAP device tun0 opened
Sat Jan  2 14:32:51 2016 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Sat Jan  2 14:32:51 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jan  2 14:32:51 2016 /sbin/ip link set dev tun0 up mtu 1500
Sat Jan  2 14:32:51 2016 /sbin/ip addr add dev tun0 local 192.168.12.6 peer 192.168.12.5
Sat Jan  2 14:32:51 2016 /sbin/ip route add 1.2.3.4/32 via 10.168.12.1
Sat Jan  2 14:32:51 2016 /sbin/ip route add 0.0.0.0/1 via 192.168.12.5
Sat Jan  2 14:32:51 2016 /sbin/ip route add 128.0.0.0/1 via 192.168.12.5
Sat Jan  2 14:32:51 2016 /sbin/ip route add 192.168.12.1/32 via 192.168.12.5
Sat Jan  2 14:32:51 2016 Initialization Sequence Completed

client configuration file:

Code:

client
dev tun
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

server configuration file:

Code:

local 1.2.3.4
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 192.168.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.168.12.11"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
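
What a practitioner would check next on the server, as an added example that is not from the thread: ip_forward is on, but with redirect-gateway the server must also let the tunnel packets through its FORWARD chain and NAT the 192.168.12.0/24 tunnel addresses out of eth0, or internet replies have no route back to the VPN subnet. The POSIX shell audit below reads iptables-save text so it can run offline; the two rule dumps are constructed assumptions, not the poster's actual firewall.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from OpenVPN. With redirect-gateway
# the client sends everything to the server, which must forward it (ip_forward=1,
# which the poster has), accept it in its FORWARD chain, and NAT the tunnel
# subnet to its public address, or internet replies have no route back.
# The check reads `iptables-save` text so it can be run against a captured dump.

VPN_SUBNET="192.168.12.0/24"   # from the thread: server 192.168.12.0 255.255.255.0
WAN_IF="eth0"                  # from the thread: server external interface
VPN_IF="tun0"                  # from the thread: server internal interface
# check_nat_config <ip_forward value> <iptables-save output>
# Prints one MISSING line per absent item; returns 0 only when nothing is missing.
check_nat_config() {
    ip_forward="$1"; rules="$2"; missing=0
    subnet_re=$(printf '%s' "$VPN_SUBNET" | sed 's/\./\\./g')   # escape dots for grep -E
    if [ "$ip_forward" != "1" ]; then
        echo "MISSING: net.ipv4.ip_forward is '$ip_forward', expected 1"
        missing=1
    fi
    # MASQUERADE (or SNAT) for the tunnel subnet leaving the WAN interface
    if ! printf '%s\n' "$rules" | grep -Eq "^-A POSTROUTING .*-s $subnet_re .*-o $WAN_IF .*-j (MASQUERADE|SNAT)"; then
        echo "MISSING: nat POSTROUTING MASQUERADE/SNAT for $VPN_SUBNET out $WAN_IF"
        missing=1
    fi
    # A FORWARD chain with policy DROP needs an explicit accept for tunnel traffic
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' &&
       ! printf '%s\n' "$rules" | grep -Eq "^-A FORWARD .*-i $VPN_IF .*-j ACCEPT"; then
        echo "MISSING: FORWARD rule accepting traffic arriving on $VPN_IF (policy is DROP)"
        missing=1
    fi
    return $missing
}

# Constructed sample resembling the poster's server: forwarding on, no NAT rule.
RULES_AS_POSTED='*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample with the MASQUERADE rule the OpenVPN HowTo gives, plus FORWARD accepts.
RULES_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.12.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
check_nat_config 1 "$RULES_AS_POSTED"   # 1 = the ip_forward value the poster reported
```

On a live server, run it as `check_nat_config "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"`; a MISSING line for POSTROUTING is the usual cause of the symptom in the post.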

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: redirect gateway not allowing internet traffic through

Post by Traffic » Sun Jan 03, 2016 12:56 am
