OpenVPN suddenly stopped redirecting traffic.

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
iljyable
OpenVpn Newbie
Posts: 3
Joined: Mon Mar 20, 2023 11:13 am

OpenVPN suddenly stopped redirecting traffic.

Post by iljyable » Fri Sep 08, 2023 10:09 am

Hello, I configured OpenVPN on my purchased VPS server with a Debian distribution, following the Debian Wiki, and everything worked fine for 3-4 months, until today.

I can't open any page on the internet.


# ping  8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3053ms

However, I can connect to my VPS server by pinging or ssh.


# ping 98.76.54.32
PING 98.76.54.32 (98.76.54.32) 56(84) bytes of data.
64 bytes from 98.76.54.32: icmp_seq=1 ttl=53 time=66.8 ms
64 bytes from 98.76.54.32: icmp_seq=2 ttl=53 time=64.4 ms
64 bytes from 98.76.54.32: icmp_seq=3 ttl=53 time=65.0 ms
64 bytes from 98.76.54.32: icmp_seq=4 ttl=53 time=67.8 ms
64 bytes from 98.76.54.32: icmp_seq=5 ttl=53 time=73.4 ms
64 bytes from 98.76.54.32: icmp_seq=6 ttl=53 time=64.7 ms

--- 98.76.54.32 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5010ms
rtt min/avg/max/mdev = 64.438/67.021/73.408/3.098 ms

Here's the interesting line OpenVPN.log showed:


CLIENT_NAME/12.34.56.78:50518 MULTI: bad source address from client [192.168.1.16], packet dropped

It looks like OpenVPN can't redirect the packet back to the client. But my iptables is configured so that it should redirect all traffic.

Here are my configurations:


# server.conf

port 1194
proto udp
dev tun

ca      /etc/openvpn/easy-rsa/pki/ca.crt
cert    /etc/openvpn/easy-rsa/pki/issued/server.crt
key     /etc/openvpn/easy-rsa/pki/private/server.key  # keep secret
dh      /etc/openvpn/easy-rsa/pki/dh.pem

askpass /etc/openvpn/pass.txt

topology subnet

server 10.9.8.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

keepalive 10 120

tls-auth /etc/openvpn/server/ta.key 0
auth-nocache

cipher AES-256-CBC
data-ciphers AES-256-CBC

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

verb 4  # verbose mode

client-to-client
explicit-exit-notify 1


# client.conf

client
dev tun
proto udp

remote 98.76.54.32 1194             # [VPN server IP] [PORT]
resolv-retry infinite
nobind

persist-key
persist-tun

ca      ./path/to/ca.crt
cert    ./path/to/CLIENT_NAME.crt
key     ./path/to/CLIENT_NAME.key

remote-cert-tls server
tls-auth /home/user/Downloads/hyperspace/ta.key 1
auth-nocache

cipher AES-256-CBC
data-ciphers AES-256-CBC

mute-replay-warnings

verb 4


# cat /proc/sys/net/ipv4/ip_forward

1


# sysctl -a | grep ip_forward

net.ipv4.ip_forward = 1
...


# iptables -L  -n -v

Chain INPUT (policy ACCEPT 6221 packets, 435K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  147 20957 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   89  9293 ACCEPT     all  --  *      eth0    10.9.8.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5751 packets, 1299K bytes)
 pkts bytes target     prot opt in     out     source               destination


# iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 2199 packets, 92559 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2168 packets, 90647 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20 packets, 1486 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 20 packets, 1486 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1732 MASQUERADE  all  --  *      eth0    10.9.8.0/24          0.0.0.0/0

I would appreciate any tips and hints on how to diagnose the problem.

Sincerely,
iljyable
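The `MULTI: bad source address from client [...], packet dropped` line in the post is the key evidence, and it is worth knowing exactly what it means: the OpenVPN server only forwards a packet it receives over the tunnel if the packet's source IP is that client's assigned tunnel address, or lies in a network the client has been granted with an `iroute` in a client-config-dir file. Anything else is dropped inside the OpenVPN process itself, before the packet is ever written to `tun0`, so the kernel's FORWARD chain and the MASQUERADE rule never see it and cannot be the cause. The script below is an added triage example, not code from the post or from the OpenVPN project. It reads a `server` directive, an `ifconfig-pool-persist` file and a log excerpt (all constructed samples modelled on the post; the `ipp.txt` entries and the second log line are assumptions for illustration) and classifies each dropped source as the client's own address, another address from the tunnel pool, or a foreign address such as the client's LAN IP.

```python
"""Triage OpenVPN "MULTI: bad source address" drops (added example).

The drop happens in OpenVPN user space: a packet from a client is only
forwarded if its source is the client's tunnel IP or a network declared
for that client with an iroute. iptables is not involved at this point.
"""
import ipaddress
import re

# --- constructed sample inputs, not the poster's real files ---------------
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.9.8.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""

# ifconfig-pool-persist file: one "<common name>,<tunnel ip>" entry per line
# (hypothetical entries)
IPP_TXT = """\
CLIENT_NAME,10.9.8.2
laptop,10.9.8.5
"""

# First line is the one from the post; the second is a constructed variant.
OPENVPN_LOG = """\
CLIENT_NAME/12.34.56.78:50518 MULTI: bad source address from client [192.168.1.16], packet dropped
CLIENT_NAME/12.34.56.78:50518 MULTI: bad source address from client [10.9.8.5], packet dropped
CLIENT_NAME/12.34.56.78:50518 TLS: soft reset
"""

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.M)
BAD_SRC_RE = re.compile(
    r"^(?P<cn>[^/\s]+)/(?P<peer>[0-9.]+):(?P<port>\d+) "
    r"MULTI: bad source address from client \[(?P<src>[0-9.]+)\], packet dropped$",
    re.M,
)


def parse_server_subnet(conf_text):
    """Return the tunnel network from the 'server <net> <mask>' directive."""
    m = SERVER_RE.search(conf_text)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")


def parse_pool(ipp_text):
    """Map common name -> assigned tunnel address from an ipp.txt file."""
    pool = {}
    for line in ipp_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cn, ip = line.split(",", 1)
        pool[cn] = ipaddress.IPv4Address(ip.strip())
    return pool


def find_bad_sources(log_text):
    """Extract every bad-source drop as a dict with cn, peer, port and src."""
    return [m.groupdict() for m in BAD_SRC_RE.finditer(log_text)]


def classify(src, cn, vpn_net, pool):
    """Explain why OpenVPN refused to forward a packet with this source."""
    src = ipaddress.IPv4Address(src)
    assigned = pool.get(cn)
    if assigned is not None and src == assigned:
        return "assigned"           # would not be dropped; log and pool disagree
    if src in vpn_net:
        return "pool-other-client"  # tunnel address, but not owned by this client
    return "foreign"                # e.g. the client's LAN IP; no iroute covers it


def triage(conf_text, ipp_text, log_text):
    """Return (common name, verdict, source) for each drop in the log."""
    vpn_net = parse_server_subnet(conf_text)
    pool = parse_pool(ipp_text)
    return [(e["cn"], classify(e["src"], e["cn"], vpn_net, pool), e["src"])
            for e in find_bad_sources(log_text)]


if __name__ == "__main__":
    for cn, verdict, src in triage(SERVER_CONF, IPP_TXT, OPENVPN_LOG):
        print(f"{cn}: dropped source {src} -> {verdict}")
```

A `foreign` verdict for a source like `192.168.1.16` means the client is sending packets into the tunnel with its physical LAN address rather than its tunnel address, which is why checking `ip_forward` and the iptables counters on the server turns up nothing: the packet is discarded before it reaches the kernel. That points the investigation at the client side (its routing table and whether the pushed `redirect-gateway` actually took effect) rather than at the server's NAT rules.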
