unable to access openvpn community server

kashyap009
OpenVPN User
Posts: 26
Joined: Tue Jul 13, 2021 10:23 am

Post by kashyap009 » Thu Jul 15, 2021 12:54 pm

Hi,

I have installed OpenVPN community server on CentOS 7. After connecting the Windows client I cannot access my OpenVPN server.

I could do the same before, but at that time all local LAN internet traffic was going through OpenVPN, which I don't want, to avoid unnecessary traffic to my servers.

After adding these lines to my .ovpn file I could use the internet and my public IP also remained the same.
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

But now I am unable to access the OpenVPN server, but able to access the internet. Let me know where and what changes I need to make to connect to my OpenVPN server.

Thanks in advance.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: unable to access openvpn community server

Post by 300000 » Thu Jul 15, 2021 7:36 pm

You need IP forwarding and NAT; how to do that depends on your system.

You can try this one to see if it works for you. Open your terminal and type:

Code:

sudo su

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/proc/sys/net/ipv4/ip_forward =1

Post by kashyap009 » Fri Jul 16, 2021 4:39 am

Thanks for the reply.

The first command runs fine, but the second one gives me a permission denied error, so I ran sysctl -w net.ipv4.ip_forward=1 and it worked fine, but I am still unable to access the OpenVPN server.

My /etc/sysctl.conf file includes net.ipv4.ip_forward=1

And when my VPN client connects successfully, I get the error: ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=23]

Hope above details helps.
Thanks

Post by 300000 » Fri Jul 16, 2021 7:20 am

You need two more commands to make it work.

Code:

iptables -I INPUT 2 -i tun0 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Check the network card name and correct it. It should work for you.

Post by kashyap009 » Fri Jul 16, 2021 10:45 am

I added the above lines on my OpenVPN server as well, but still no luck.

iptables -I INPUT 2 -i tun0 -j ACCEPT
iptables -I FORWARD -i enp2s0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o enp2s0 -j ACCEPT

Now I am not getting any error after connecting my VPN client, but the issue accessing the OpenVPN server is the same.

Previously, when I was routing all local LAN traffic through my VPN, I was able to access all servers including the OpenVPN server. But as I don't want to send all my traffic through OpenVPN, I am getting this issue.
Let me know if any more details are needed from my side.

Post by 300000 » Fri Jul 16, 2021 10:50 am

You need to post the full server config, the client config and the full log. If you only say you can't access it, nobody knows how your network is. How can we help?

Post by kashyap009 » Fri Jul 16, 2021 11:17 am

client.vpn config:

client
proto udp
explicit-exit-notify
remote 183.82.101.59 1194
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_z8Y45sGGHi9Ojfyh name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Server config:

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_z8Y45sGGHi9Ojfyh.crt
key server_z8Y45sGGHi9Ojfyh.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

Log file:

2021-07-16 16:10:33 OpenVPN 2.5.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-07-16 16:10:33 Windows version 10.0 (Windows 10 or greater) 64bit
2021-07-16 16:10:33 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Enter Management Password:
2021-07-16 16:10:33 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-07-16 16:10:33 Need hold release from management interface, waiting...
2021-07-16 16:10:33 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-07-16 16:10:33 MANAGEMENT: CMD 'state on'
2021-07-16 16:10:33 MANAGEMENT: CMD 'log all on'
2021-07-16 16:10:33 MANAGEMENT: CMD 'echo all on'
2021-07-16 16:10:33 MANAGEMENT: CMD 'bytecount 5'
2021-07-16 16:10:33 MANAGEMENT: CMD 'hold off'
2021-07-16 16:10:33 MANAGEMENT: CMD 'hold release'
2021-07-16 16:10:33 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-07-16 16:10:33 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-07-16 16:10:33 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-07-16 16:10:33 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-07-16 16:10:33 TCP/UDP: Preserving recently used remote address: [AF_INET]183.82.101.59:1194
2021-07-16 16:10:33 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-07-16 16:10:33 UDP link local: (not bound)
2021-07-16 16:10:33 UDP link remote: [AF_INET]183.82.101.59:1194
2021-07-16 16:10:33 MANAGEMENT: >STATE:1626432033,WAIT,,,,,,
2021-07-16 16:10:33 MANAGEMENT: >STATE:1626432033,AUTH,,,,,,
2021-07-16 16:10:33 TLS: Initial packet from [AF_INET]183.82.101.59:1194, sid=ced7f75d e86ce0ed
2021-07-16 16:10:34 VERIFY OK: depth=1, CN=cn_4FGIPODdV0ajYu4u
2021-07-16 16:10:34 VERIFY KU OK
2021-07-16 16:10:34 Validating certificate extended key usage
2021-07-16 16:10:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-07-16 16:10:34 VERIFY EKU OK
2021-07-16 16:10:34 VERIFY X509NAME OK: CN=server_z8Y45sGGHi9Ojfyh
2021-07-16 16:10:34 VERIFY OK: depth=0, CN=server_z8Y45sGGHi9Ojfyh
2021-07-16 16:10:34 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2021-07-16 16:10:34 [server_z8Y45sGGHi9Ojfyh] Peer Connection Initiated with [AF_INET]183.82.101.59:1194
2021-07-16 16:10:35 MANAGEMENT: >STATE:1626432035,GET_CONFIG,,,,,,
2021-07-16 16:10:35 SENT CONTROL [server_z8Y45sGGHi9Ojfyh]: 'PUSH_REQUEST' (status=1)
2021-07-16 16:10:35 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
2021-07-16 16:10:35 OPTIONS IMPORT: timers and/or timeouts modified
2021-07-16 16:10:35 OPTIONS IMPORT: --ifconfig/up options modified
2021-07-16 16:10:35 OPTIONS IMPORT: route options modified
2021-07-16 16:10:35 OPTIONS IMPORT: route-related options modified
2021-07-16 16:10:35 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-07-16 16:10:35 OPTIONS IMPORT: peer-id set
2021-07-16 16:10:35 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-07-16 16:10:35 OPTIONS IMPORT: data channel crypto options modified
2021-07-16 16:10:35 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-07-16 16:10:35 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2021-07-16 16:10:35 interactive service msg_channel=640
2021-07-16 16:10:35 ROUTE_GATEWAY 192.168.29.1/255.255.255.0 I=23 HWADDR=d8:9c:67:4e:93:fd
2021-07-16 16:10:35 open_tun
2021-07-16 16:10:35 tap-windows6 device [OpenVPN TAP-Windows6] opened
2021-07-16 16:10:35 TAP-Windows Driver Version 9.24
2021-07-16 16:10:35 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
2021-07-16 16:10:35 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {5EE52799-7F39-46FA-B038-2698B4A84523} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
2021-07-16 16:10:35 Successful ARP Flush on interface [17] {5EE52799-7F39-46FA-B038-2698B4A84523}
2021-07-16 16:10:35 MANAGEMENT: >STATE:1626432035,ASSIGN_IP,,10.8.0.2,,,,
2021-07-16 16:10:35 IPv4 MTU set to 1500 on interface 17 using service
2021-07-16 16:10:35 Blocking outside dns using service succeeded.
2021-07-16 16:10:40 TEST ROUTES: 5/5 succeeded len=4 ret=1 a=0 u/d=up
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 183.82.101.59 MASK 255.255.255.255 192.168.29.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 MANAGEMENT: >STATE:1626432040,ADD_ROUTES,,,,,,
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 64.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 C:\WINDOWS\system32\route.exe ADD 192.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:10:40 Route addition via service succeeded
2021-07-16 16:10:40 Initialization Sequence Completed
2021-07-16 16:10:40 MANAGEMENT: >STATE:1626432040,CONNECTED,SUCCESS,10.8.0.2,183.82.101.59,1194,,
2021-07-16 16:19:20 SIGTERM received, sending exit notification to peer
2021-07-16 16:19:21 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:19:21 Route deletion via service succeeded
2021-07-16 16:19:21 C:\WINDOWS\system32\route.exe DELETE 64.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:19:21 Route deletion via service succeeded
2021-07-16 16:19:21 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:19:21 Route deletion via service succeeded
2021-07-16 16:19:21 C:\WINDOWS\system32\route.exe DELETE 192.0.0.0 MASK 192.0.0.0 192.168.29.1
2021-07-16 16:19:22 Route deletion via service succeeded
2021-07-16 16:19:22 C:\WINDOWS\system32\route.exe DELETE 183.82.101.59 MASK 255.255.255.255 192.168.29.1
2021-07-16 16:19:22 ROUTE: route deletion failed using service: Element not found. [status=1168 if_index=23]
2021-07-16 16:19:22 Route deletion via service failed
2021-07-16 16:19:22 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.0.1
2021-07-16 16:19:22 Route deletion via service succeeded
2021-07-16 16:19:22 C:\WINDOWS\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.0.1
2021-07-16 16:19:22 Route deletion via service succeeded
2021-07-16 16:19:22 Closing TUN/TAP interface
2021-07-16 16:19:22 TAP: DHCP address released
2021-07-16 16:19:22 Unblocking outside dns using service succeeded.
2021-07-16 16:19:22 SIGTERM[soft,exit-with-notification] received, process exiting
2021-07-16 16:19:22 MANAGEMENT: >STATE:1626432562,EXITING,exit-with-notification,,,,,

Post by 300000 » Fri Jul 16, 2021 11:59 am

At the moment there is no route for 10.8.0.0 pushed to your client, so it can't find the way to your server. You can try this one in your server config.

Code:

push "route 10.8.0.0 255.255.255.0 vpn_gateway"

Post by kashyap009 » Fri Jul 16, 2021 12:40 pm

As suggested, I have added the above line to my server.conf file as below.

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 10.8.0.0 255.255.255.0 vpn_gateway"
push "redirect-gateway def1 bypass-dhcp"

But no luck, and after adding this line I got the same error I used to get earlier:
ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=23]

And one more thing: 10.8.0.0 is the pool that is going to be assigned to my clients when they connect to that server. I hope I have added the above line correctly.

Post by 300000 » Fri Jul 16, 2021 1:42 pm

Can you run this to list all iptables NAT rules, to see where 10.8.0.0 goes from and to:

sudo iptables -t nat -L -n -v

Could you comment out ifconfig-pool-persist ipp.txt? That is something you want for setting a static IP for a client, but let's try to sort things out first.

Post by kashyap009 » Fri Jul 16, 2021 1:56 pm

Chain PREROUTING (policy ACCEPT 73789 packets, 6640K bytes)
pkts bytes target prot opt in out source destination
73789 6640K PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
73789 6640K PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
73789 6640K PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 143 packets, 10620 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 125K packets, 7600K bytes)
pkts bytes target prot opt in out source destination
125K 7600K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 58003 packets, 3560K bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
126K 7695K POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
125K 7600K POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
125K 7600K POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
67250 4039K POST_public all -- * enp2s0 0.0.0.0/0 0.0.0.0/0 [goto]
58004 3560K POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
0 0 POST_trusted all -- * * 0.0.0.0/0 10.8.0.0/24 [goto]

Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
1097 95018 SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:10.22.4.16

Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
125K 7600K POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
125K 7600K POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
125K 7600K POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
67250 4039K MASQUERADE all -- * !lo 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * !lo 0.0.0.0/0 0.0.0.0/0

Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain POST_trusted (1 references)
pkts bytes target prot opt in out source destination
0 0 POST_trusted_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_trusted_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 POST_trusted_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POST_trusted_allow (1 references)
pkts bytes target prot opt in out source destination

Chain POST_trusted_deny (1 references)
pkts bytes target prot opt in out source destination

Chain POST_trusted_log (1 references)
pkts bytes target prot opt in out source destination

Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
72691 6545K PRE_public all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 [goto]
1098 95078 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
1098 95078 PRE_trusted all -- * * 10.8.0.0/24 0.0.0.0/0 [goto]

Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
73789 6640K PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
73789 6640K PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
73789 6640K PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_trusted (1 references)
pkts bytes target prot opt in out source destination
1098 95078 PRE_trusted_log all -- * * 0.0.0.0/0 0.0.0.0/0
1098 95078 PRE_trusted_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1098 95078 PRE_trusted_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PRE_trusted_allow (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_trusted_deny (1 references)
pkts bytes target prot opt in out source destination

Chain PRE_trusted_log (1 references)
pkts bytes target prot opt in out source destination

Post by 300000 » Fri Jul 16, 2021 2:20 pm

You have one SNAT rule and it goes to 10.22.4.16; what is that address? If you want to SNAT your server it should look like this:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <IP of your OpenVPN server>

The above iptables command is the same as this iptables rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Your server has more network cards; you should back up everything before doing this, or it will bring you more trouble.

SNAT all -- * * 10.8.0.0/24 !10.8.0.0/24 to:10.22.4.16

This is why your client can't find your server. When it is on network 10.8.0.0 it will go to address 10.22.4.16 as gateway. Basically your client will get address 10.8.0.2, then it must NAT through server address 10.8.0.1.

You can try this command:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <IP of your OpenVPN server>

Remember to back up all iptables rules first in case something goes wrong.

Post by kashyap009 » Fri Jul 16, 2021 2:31 pm

10.22.4.16 is the address of the OpenVPN server.

Post by 300000 » Fri Jul 16, 2021 2:41 pm

PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0

I think your iptables blocks public, so when it sees your client as public, not going through the inside network, it blocks it. That is all I can guess; your iptables has a lot more rules and you need to deal with that. Everything works, so the server is OK, but only when you add it over net_gateway the source IP and destination IP differ, so it blocks.

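Added example (not part of any post in the thread, and not OpenVPN's own code): a longest-prefix-match check over the `route.exe ADD` lines from the client log above, showing which gateway each destination uses once the four /2 `net_gateway` routes sit beside the pushed `redirect-gateway def1` routes. The on-link entries are derived from the log's `ifconfig` and `ROUTE_GATEWAY` lines, and the extra host route tried at the end is a hypothetical addition that nobody in the thread tested.

```python
import ipaddress
import re

# "route.exe ADD" lines copied from the client log in the thread (timestamps dropped).
LOG = r"""
C:\WINDOWS\system32\route.exe ADD 183.82.101.59 MASK 255.255.255.255 192.168.29.1
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 192.0.0.0 192.168.29.1
C:\WINDOWS\system32\route.exe ADD 64.0.0.0 MASK 192.0.0.0 192.168.29.1
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 192.0.0.0 192.168.29.1
C:\WINDOWS\system32\route.exe ADD 192.0.0.0 MASK 192.0.0.0 192.168.29.1
"""

ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")

# Directly connected networks, taken from the same log:
# "ifconfig 10.8.0.2 255.255.255.0" and "ROUTE_GATEWAY 192.168.29.1/255.255.255.0".
ON_LINK = [
    ("10.8.0.0/24", "on-link (VPN adapter)"),
    ("192.168.29.0/24", "on-link (LAN adapter)"),
]


def parse_routes(log_text, extra=()):
    """Build [(network, gateway)] from on-link nets, extra routes and the log."""
    routes = [(ipaddress.ip_network(n), gw) for n, gw in list(ON_LINK) + list(extra)]
    for dest, mask, gw in ROUTE_RE.findall(log_text):
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw))
    return routes


def gateway_for(dst, extra=()):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in parse_routes(LOG, extra) if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # 10.8.0.1 = tunnel address of the server, 10.22.4.16 = its LAN address (per the thread).
    for dst in ("10.8.0.1", "10.22.4.16", "8.8.8.8", "183.82.101.59"):
        print(f"{dst:15} -> {gateway_for(dst)}")

    # Hypothetical fix (assumption): a host route for the server's LAN address
    # through the tunnel, e.g. "route 10.22.4.16 255.255.255.255 vpn_gateway".
    fix = [("10.22.4.16/32", "10.8.0.1")]
    print("with host route:", gateway_for("10.22.4.16", extra=fix))
```

The /2 routes are more specific than the two /1 routes that `redirect-gateway def1` installs, so everything outside 10.8.0.0/24, including 10.22.4.16, leaves through the local router at 192.168.29.1 instead of the tunnel.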