The Openvpn client traffic doesn't route via Openvpn server

amna
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 12, 2017 3:13 pm

The Openvpn client traffic doesn't route via Openvpn server

Post by amna » Tue Sep 12, 2017 3:59 pm

Hi,
I have installed OpenVPN on CentOS 7, and my server has a single public network interface (by the link below
https://community.openvpn.net/openvpn/w ... LinuxNotes )

The OpenVPN server works fine and I can connect via the Windows client. After connecting the client, I found the following:
1- the client has a private IP from the OpenVPN server (so it's perfect)
2- when I type my IP in the browser, I can see the public IP of the OpenVPN server (it's good as well)
3- the client can access any external app (internet), but when I check the request, I find the request comes with the public IP of my internet service provider, not the OpenVPN server IP.
Please find my configuration:
========================
######server.conf########
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "remote-gateway 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
log-append /var/log/myvpn/openvpn.log
verb 3
##########Client.ovpn##########
client
dev tun
proto udp
remote server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
redirect-gateway def1
mute-replay-warnings
verb 3
#########Firewall#############
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o enp0s25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s25 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o enp0s25 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT

 *nat
:PREROUTING ACCEPT [242800:22435355]
:INPUT ACCEPT [2564:160253]
:OUTPUT ACCEPT [15110:912555]
:POSTROUTING ACCEPT [15110:912555]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE
COMMIT
# Completed on Tue Sep 12 12:00:01 2017
# Generated by iptables-save v1.4.21 on Tue Sep 12 12:00:01 2017
*mangle
:PREROUTING ACCEPT [349411:43852261]  

amna
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 12, 2017 3:13 pm

Re: The Openvpn client traffic doesn't route via Openvpn server

Post by amna » Wed Sep 13, 2017 8:31 am

Hi,
I have installed OpenVPN on CentOS 7, and my server has a single public network interface (by the link below
https://community.openvpn.net/openvpn/w ... LinuxNotes )

The OpenVPN server works fine and I can connect via the Windows client. After connecting the client, I found the following:
1- the client has a private IP from the OpenVPN server (so it's perfect)
2- when I type my IP in the browser, I can see the public IP of the OpenVPN server (it's good as well)
3- the client can access any external app (internet), but when I check the request, I find the request comes with the public IP of my internet service provider, not the OpenVPN server IP.

Please find my configuration:
[oconf=]######server.conf########
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "remote-gateway 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
log-append /var/log/myvpn/openvpn.log
verb 3[/oconf]

[oconf=]##########Client.ovpn##########
client
dev tun
proto udp
remote server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
redirect-gateway def1
mute-replay-warnings
verb 3[/oconf]

[oconf=]#########Firewall#############
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.8.0.0/24 -i tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o enp0s25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o enp0s25 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s25 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o enp0s25 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o enp0s25 -j MASQUERADE
[/oconf]

doman
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 20, 2017 2:51 pm

Re: The Openvpn client traffic doesn't route via Openvpn server

Post by doman » Thu Sep 14, 2017 8:23 am

Do you run the OVPN Windows client with admin privileges? Without that, redirect-gateway def1 won't work.

amna
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 12, 2017 3:13 pm

Re: The Openvpn client traffic doesn't route via Openvpn server

Post by amna » Thu Sep 14, 2017 9:51 am

Hi Doman,
Thanks for your reply. Actually I did, but it still doesn't work.
The issue is that I am trying to connect via browser to a virtual host that is located on the OpenVPN server. I can access it, but when I track the virtual host log, I see the request IP is the service provider IP, not the VPN server IP. As far as I know that's wrong, as the request should come from the OpenVPN server IP, and I have added redirect-gateway def1 to the server configuration to route the client traffic to the server, but the issue still exists. So how can I solve this? :(

doman
OpenVpn Newbie
Posts: 5
Joined: Mon Mar 20, 2017 2:51 pm

Re: The Openvpn client traffic doesn't route via Openvpn server

Post by doman » Thu Sep 14, 2017 11:33 am

Well, this problem seems to me quite similar to mine, which I mentioned in this topic:

viewtopic.php?f=6&t=24868&p=72843#p72843

As you see, I also have Apache and OVPN on the same machine, and when I was connecting to the tunnel from the same network my server is on, Apache saw my true IP. But when I separated those services onto two different IPs, Apache finally saw me as an OpenVPN client. It wasn't a problem when client and server were on separate networks.

In your case it will be a bit harder to separate the services, as you have only one (public) IP.
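
An added example, not part of the original posts: a small model of the client routing table after `redirect-gateway def1`, showing why a service on the VPN server's own public IP logs the client's ISP address while other destinations see the server's address. All addresses except 10.8.0.0/24, 10.8.0.1 and 8.8.8.8 are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not values from the thread.
SERVER_PUBLIC = "203.0.113.10"    # hypothetical public IP of the OpenVPN server
CLIENT_ISP = "198.51.100.77"      # hypothetical public IP the ISP gives the client
CLIENT_TUN = "10.8.0.6"           # hypothetical address leased from 10.8.0.0/24
LAN_GW, VPN_GW = "192.168.1.1", "10.8.0.1"
VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # 'server' line on the page


def routes_after_def1(server_ip, lan_gw, vpn_gw):
    """Client routing table once 'redirect-gateway def1' has been applied."""
    net = ipaddress.ip_network
    return [
        (net("0.0.0.0/0"), lan_gw, "physical"),    # old default route is kept
        (net("0.0.0.0/1"), vpn_gw, "tunnel"),      # def1: two halves that
        (net("128.0.0.0/1"), vpn_gw, "tunnel"),    # outrank the /0 default
        # Host route so the encrypted carrier packets can still reach the server.
        (net(f"{server_ip}/32"), lan_gw, "physical"),
    ]


def select_route(routes, destination):
    """Longest-prefix match, the rule the client's IP stack applies."""
    dst = ipaddress.ip_address(destination)
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)


def source_seen_by_service(routes, destination):
    """Source address that a service listening on `destination` would log."""
    path = select_route(routes, destination)[2]
    if path == "physical":
        return CLIENT_ISP                  # never entered the tunnel
    if ipaddress.ip_address(destination) in VPN_NET:
        return CLIENT_TUN                  # delivered to the server's tun side
    return SERVER_PUBLIC                   # forwarded, then MASQUERADEd


ROUTES = routes_after_def1(SERVER_PUBLIC, LAN_GW, VPN_GW)

if __name__ == "__main__":
    for dst in ("8.8.8.8", SERVER_PUBLIC, VPN_GW):
        net, gw, path = select_route(ROUTES, dst)
        print(f"{dst:>15}: {net} via {gw} ({path}); "
              f"service logs {source_seen_by_service(ROUTES, dst)}")
```

In this model, a service bound to the server's tunnel address (10.8.0.1) is the only one on that host that logs a VPN address for the client, which matches the behaviour described once the services sit on different IPs.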
