Help with NAT after successful installation

This forum is for admins who are looking to build or expand their OpenVPN setup.

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Help with NAT after successful installation

Post by VpnCoyote » Fri Jun 17, 2022 7:09 am

I've successfully installed OpenVPN on a Raspberry Pi 4 running Debian following this tutorial, created an ovpn file and imported it into the OpenVPN Connect app on my Android. It connects just fine via my internet router's (FRITZ!Box 6951 Cable) manufacturer's DynDNS service (MyFritz) using port forwarding (1194) from the router to the Raspi. The Raspi has UFW installed, but it is currently disabled as long as stuff isn't working.

Thing is, once I've connected, all calls to URLs either inside or outside the local network, either by IP address or DNS name, just time out after a while.

I understood that I need to set up some static route in the router, so that the response packages from the URLs' endpoints find their way back into the tunnel. That would explain the timeouts instead of a 404, I suppose. Some tutorial suggested adding a route between 10.10.10.0, subnet 255.255.255.0, and my Raspi, let that be 192.168.178.17 (fixed IP over wired ethernet). I did that, but it didn't help. Maybe I need to use a different IP than 10.10.10.0, but I wouldn't know which one instead. I don't even know where they got 10.10.10.0 from. It can't be the client's IP address, as that one might change constantly?

I'm fairly certain there's one last step missing to make it work, and that it's one step everybody must have done. But I just can't get my head around it. To be really frank: I already fail at understanding the Wikipedia article about NATs. I do have basic network knowledge, but not in-depth, and also sadly have an issue that I simply can't concentrate enough to dive into all those details. While I know how to program software and occasionally do it, I also can't read other people's code for the same reason. Brain just goes "boooring, la la la, what's the weather outside, and oh, what's on today's menu?"

So I hope someone here is willing to guide me through the steps of where to define what to make it work. The FRITZ!Box comes with its own VPN solution that does work, but it's a PITA to set it up with clients. So far I managed to get it working on my smartphone, but still fail with my wife's phone (even though she has the same model) or my laptop, let alone other clients like a piCore Player, and from what I've understood the solution also has some issues with my Internet provider (Vodafone Cable) in combination with IPv6. That's why I'd like to use OpenVPN instead.

My server.conf is this:

local 192.168.[removed]
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.[removed]"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify

Threads viewtopic.php?p=106952 and viewtopic.php?p=106859 seem to suggest I just need to enable the line "net.ipv4.ip_forward=1" in /etc/sysctl.conf? I don't want to touch it without confirmation, as I don't know what I might break if I'm doing the wrong thing. It would be bad if the Raspi became unreachable afterwards, and it's also running other stuff like an Apache Tomcat or ioBroker.

Edit: I went and enabled "net.ipv4.ip_forward=1" and ran "sudo sysctl -p" which listed the aforementioned line. I also went and added a static route between 10.10.10.0/255.255.255.0 and 192.168.[IP of the OpenVPN server] to the internet router again. But that didn't change anything, I still get the timeouts.

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Mon Jun 20, 2022 9:43 am

Doesn't anybody know at least what I have to do, even without guidance?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help with NAT after successful installation

Post by TinCanTech » Mon Jun 20, 2022 6:56 pm

Your question is titled as: Help with NAT after successful installation

But your question is confused and you don't want to follow the tutorials ..

Have you setup a NAT rule, yet ?

eg:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

And, yes, you require IP forwarding.

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Tue Jun 21, 2022 8:19 am

TinCanTech wrote:
Mon Jun 20, 2022 6:56 pm
Your question is titled as: Help with NAT after successful installation

But your question is confused and you don't want to follow the tutorials ..
It's confusion from lack of understanding. Hence it's not about not wanting to follow the tutorials but rather not grasping them. Since I also installed OpenVPN using the install-openvpn script, the installation I had differs somewhat from what's written somewhere else and I have problems recognizing where to "hop in".
Have you setup a NAT rule, yet ?

eg:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

And, yes, you require IP forwarding.
IP forwarding is enabled by now. I haven't set up the NAT rule - I'm puzzled about 10.8.0.0/24 - is that a constant meaning "all outside IP addresses" or do I need to find out the specific one for my case? In which case: how? (And what exactly is that line accomplishing in the first place?)

Thank you so far.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help with NAT after successful installation

Post by TinCanTech » Tue Jun 21, 2022 8:43 am

VpnCoyote wrote:
Tue Jun 21, 2022 8:19 am
Since I also installed OpenVPN using the install-openvpn script
Then this is all done for you.

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Tue Jun 21, 2022 9:10 am

TinCanTech wrote:
Tue Jun 21, 2022 8:43 am
Then this is all done for you.
Then maybe you now see what my problems are - stuff doesn't work, I don't know why (except that I figure that the client's packages reach their destination server, but the response packages don't find their way back to the client, which leads to timeouts) and I don't know what to do or even what exactly to look for.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help with NAT after successful installation

Post by TinCanTech » Tue Jun 21, 2022 2:51 pm


VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Wed Jun 22, 2022 7:29 am

Can't we fix the current installation? I'm not sure whether running yet another installation won't run into the same issue.

For instance, I just did this, for curiosity:

user@raspi:~ $ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
user@raspi:~ $ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT

Which led me to do this:

user@raspi:~ $ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
user@raspi:~ $ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
user@raspi:~ $ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So apparently "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" was already set indeed.
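An added example, not from this thread or from OpenVPN, that ties TinCanTech's NAT rule and the listing above together: a POSIX shell script that derives the VPN subnet from the server.conf `server` line (which is where 10.8.0.0/24 comes from), checks the `nat` table for the MASQUERADE rule and checks IP forwarding, all against constructed sample data. The point it demonstrates is that a plain `iptables --list` shows only the `filter` table, so the listing above cannot tell whether the POSTROUTING rule exists; `iptables -t nat -S POSTROUTING` does. The interface name `eth0` and the server.conf path in the final comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN): derive the VPN subnet
# from server.conf and verify the nat-table MASQUERADE rule and IP forwarding
# offline against constructed sample data. Nothing here touches a live firewall.

# Constructed server.conf fragment; the "server" line is what defines the
# 10.8.0.0/24 that the NAT rule refers to.
SAMPLE_CONF='port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"'

# Constructed outputs of `iptables -t nat -S POSTROUTING` (the nat table, which a
# plain `iptables --list` does not show): one without and one with the rule.
NAT_MISSING='-P POSTROUTING ACCEPT'
NAT_PRESENT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# Dotted netmask -> prefix length (255.255.255.0 -> 24); fails on a non-contiguous mask.
mask_to_prefix() {
    _bits=0
    _old_ifs=$IFS
    IFS=.
    for _octet in $1; do
        case $_octet in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)) ;;
            252) _bits=$((_bits + 6)) ;;
            248) _bits=$((_bits + 5)) ;;
            240) _bits=$((_bits + 4)) ;;
            224) _bits=$((_bits + 3)) ;;
            192) _bits=$((_bits + 2)) ;;
            128) _bits=$((_bits + 1)) ;;
            0) ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    echo "$_bits"
}

# Print the VPN subnet in CIDR form from the text of server.conf ($1).
vpn_subnet() {
    _line=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ -n "$_line" ] || return 1
    _net=${_line% *}
    _mask=${_line#* }
    echo "$_net/$(mask_to_prefix "$_mask")"
}

# The rule from TinCanTech's post in `iptables -S` form: subnet $1 leaving via interface $2.
nat_rule() {
    echo "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Succeed when the `iptables -t nat -S POSTROUTING` output ($1) already contains
# the MASQUERADE rule for subnet $2 on interface $3.
has_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "$(nat_rule "$2" "$3")"
}

# Combined check: $1 server.conf text, $2 nat-table listing, $3 contents of
# /proc/sys/net/ipv4/ip_forward, $4 LAN/WAN interface. Returns 0 only if both
# prerequisites for client traffic to leave the tunnel are in place.
check_nat_setup() {
    _subnet=$(vpn_subnet "$1") || { echo "no 'server' line found in server.conf"; return 2; }
    _rc=0
    if [ "$3" != "1" ]; then
        echo "ip_forward is $3: set net.ipv4.ip_forward=1 in /etc/sysctl.conf and run sysctl -p"
        _rc=1
    fi
    if ! has_masquerade "$2" "$_subnet" "$4"; then
        echo "NAT rule missing; add it with: iptables -t nat $(nat_rule "$_subnet" "$4")"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "forwarding and NAT for $_subnet via $4 are in place"
    return "$_rc"
}

# Demo on the constructed data; the first run reports the missing rule.
check_nat_setup "$SAMPLE_CONF" "$NAT_MISSING" 1 eth0 || :
check_nat_setup "$SAMPLE_CONF" "$NAT_PRESENT" 1 eth0
# On the Raspi itself (path and interface name are assumptions) the same check would be:
#   check_nat_setup "$(cat /etc/openvpn/server.conf)" "$(sudo iptables -t nat -S POSTROUTING)" \
#                   "$(cat /proc/sys/net/ipv4/ip_forward)" eth0
```

Two caveats for whoever runs the live version: the `-o` interface must be the name `ip link` shows for the LAN-facing interface on the server, and a rule added with `iptables -t nat -A ...` lives only until reboot unless it is saved (for example with iptables-persistent) or re-added by the installer's own service script.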

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help with NAT after successful installation

Post by TinCanTech » Wed Jun 22, 2022 9:33 am

VpnCoyote wrote:
Wed Jun 22, 2022 7:29 am
Can't we fix the current installation?
You can try..

Please start by reading the howto.

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Thu Jun 23, 2022 1:13 pm

Well, I'm trying.

I did the following change to the server.conf:

push "redirect-gateway def1 bypass-dhcp"

to

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

Then I restarted all services. Now I can access via web browser
* "outside" websites
* my router
* the server OpenVPN is running on
... but no other server (requests still time out).

I then added

push "route 10.66.0.0 255.255.255.0"

as described in "Including multiple machines on the server side when using a routed VPN (dev tun)". After that, I set a static IPv4 route in my server from 10.8.0.0/255.255.255.0 to the OpenVPN server. Then I restarted the OpenVPN services again.

This made things stop working (also with subnet 255.255.0.0), so I reverted both the server.conf and the route changes. "dev tun" was already set and IP forwarding is enabled. I don't see what else to do or how to troubleshoot my installation with https://openvpn.net/community-resources ... ver-subnet .

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help with NAT after successful installation

Post by TinCanTech » Thu Jun 23, 2022 10:38 pm

VpnCoyote wrote:
Thu Jun 23, 2022 1:13 pm
I then added

push "route 10.66.0.0 255.255.255.0"

as described in "Including multiple machines on the server side when using a routed VPN (dev tun)"
Can you ping any of the devices on that subnet ?

VpnCoyote
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2022 5:22 am

Re: Help with NAT after successful installation

Post by VpnCoyote » Fri Jun 24, 2022 5:47 am

Which devices are on that subnet? I don't even understand where the 10.66.0.0 comes from. Maybe it's really just an example but then, how do I find the real address?
