Need help configuring your VPN? Just post here and you'll get that help.
Moderators: TinCanTech
xauen
- Forum Team
- Posts: 80
- Joined: Tue May 10, 2011 7:57 pm
- Location: Manila, Philippines
by xauen » Tue May 10, 2011 8:12 pm
Hello,
Hope someone can help me here.
I have successfully installed OpenVPN on our CentOS 5.6 VPS server. I have also successfully created a client called "sample". The client successfully pinged the server, but it cannot ping other IPs, including other websites.
Could there be a problem with my .conf?
below is my server.conf:
Code:
local 173.224.217.130
port 9200
proto udp
dev tun
tun-mtu 1500
cipher BF-CBC
tun-mtu-extra 32
mssfix 145
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
client-to-client
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
push "route 10.66.0.0 255.255.255.0"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
my client.conf:
Code:
client
dev tun
proto udp
remote 173.224.217.130 9200 #-- your ip here
resolv-retry infinite
nobind
cipher BF-CBC
persist-key
persist-tun
ca ca.crt
cert denbagus.crt
key denbagus.key
comp-lzo
verb 3
Could there be anything wrong with my .conf file?
Hope someone can help me here...
Thank you in advance!
"Never be bullied into silence. Never allow yourself to be made a victim. Accept no ones definition of you"
-IDK
by xauen » Tue May 10, 2011 8:17 pm
Additional
Below is my client log:
Code:
Tue May 10 21:02:26 2011 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 12 2009
Tue May 10 21:02:32 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 10 21:02:32 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 10 21:02:32 2011 LZO compression initialized
Tue May 10 21:02:32 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 10 21:02:32 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue May 10 21:02:32 2011 Local Options hash (VER=V4): 'd3a7571a'
Tue May 10 21:02:32 2011 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue May 10 21:02:32 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue May 10 21:02:32 2011 UDPv4 link local: [undef]
Tue May 10 21:02:32 2011 UDPv4 link remote: 173.224.217.130:9200
Tue May 10 21:02:33 2011 TLS: Initial packet from 173.224.217.130:9200, sid=1b99fa60 83b5f0cd
Tue May 10 21:02:33 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 10 21:02:35 2011 VERIFY OK: depth=1, /C=PH/ST=Cavite/L=Silang/O=StreamPinas/OU=Internet_Service/CN=HyperNET/name=John_Doe/emailAddress=hypernetvpn@gmail.com
Tue May 10 21:02:35 2011 VERIFY OK: depth=0, /C=PH/ST=Cavite/L=Silang/O=StreamPinas/OU=Internet_Service/CN=server/name=John_Doe/emailAddress=hypernetvpn@gmail.com
Tue May 10 21:02:36 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 21:02:36 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 21:02:36 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 10 21:02:36 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 10 21:02:36 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 10 21:02:36 2011 [server] Peer Connection Initiated with 173.224.217.130:9200
Tue May 10 21:02:38 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue May 10 21:02:38 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 4.2.2.1,route 10.66.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Tue May 10 21:02:38 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 10 21:02:38 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 10 21:02:38 2011 OPTIONS IMPORT: route options modified
Tue May 10 21:02:38 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue May 10 21:02:38 2011 ROUTE default_gateway=192.168.1.254
Tue May 10 21:02:38 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{27A22C60-0545-429F-B8F2-E29E04991353}.tap
Tue May 10 21:02:38 2011 TAP-Win32 Driver Version 9.8
Tue May 10 21:02:38 2011 TAP-Win32 MTU=1500
Tue May 10 21:02:38 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {27A22C60-0545-429F-B8F2-E29E04991353} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue May 10 21:02:38 2011 Successful ARP Flush on interface [19] {27A22C60-0545-429F-B8F2-E29E04991353}
Tue May 10 21:02:43 2011 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Tue May 10 21:02:43 2011 C:\WINDOWS\system32\route.exe ADD 173.224.217.130 MASK 255.255.255.255 192.168.1.254
Tue May 10 21:02:43 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue May 10 21:02:43 2011 Route addition via IPAPI succeeded [adaptive]
Tue May 10 21:02:43 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue May 10 21:02:43 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue May 10 21:02:43 2011 Route addition via IPAPI succeeded [adaptive]
Tue May 10 21:02:43 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue May 10 21:02:43 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue May 10 21:02:43 2011 Route addition via IPAPI succeeded [adaptive]
Tue May 10 21:02:43 2011 C:\WINDOWS\system32\route.exe ADD 10.66.0.0 MASK 255.255.255.0 10.8.0.5
Tue May 10 21:02:43 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue May 10 21:02:43 2011 Route addition via IPAPI succeeded [adaptive]
Tue May 10 21:02:43 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Tue May 10 21:02:44 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Tue May 10 21:02:44 2011 Route addition via IPAPI succeeded [adaptive]
Tue May 10 21:02:44 2011 Initialization Sequence Completed
by janjust » Tue May 10, 2011 9:02 pm
Everything looks fine, including the client log file.
The fact that you can ping the server (both VPN IP and LAN IP?) suggests that your VPN is functional.
What is now left to do for you is to set up routing: try the following
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
to enable IP masquerading for all traffic that leaves your VPN server. After doing this, try pinging an IP address first, e.g.
the last step is to enable DNS lookups via the VPN
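An offline check of the three server-side prerequisites the reply above sets up (IP forwarding, FORWARD rules for tun+, and a POSTROUTING NAT rule); this is an added example, not code from the thread. The functions take captured text rather than querying the live kernel, and the sample output at the bottom is constructed to resemble the SNAT-only situation described later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: an offline check of the three things
# the routing fix needs on the OpenVPN server. Each function takes captured
# text (the value of /proc/sys/net/ipv4/ip_forward, `iptables -S FORWARD`
# and `iptables -t nat -S POSTROUTING` output) so it can run anywhere.

check_ip_forward() {        # $1 = contents of /proc/sys/net/ipv4/ip_forward
  [ "$1" = "1" ]
}

check_forward_rules() {     # $1 = output of `iptables -S FORWARD`
  # Rules inserted with -I are listed as -A by `iptables -S`;
  # grep -F keeps the '+' in tun+ literal.
  printf '%s\n' "$1" | grep -qF -- '-A FORWARD -i tun+ -j ACCEPT' &&
  printf '%s\n' "$1" | grep -qF -- '-A FORWARD -o tun+ -j ACCEPT'
}

check_nat_rule() {          # $1 = output of `iptables -t nat -S POSTROUTING`, $2 = VPN subnet
  # Accept either a MASQUERADE rule or an SNAT rule scoped to the VPN subnet.
  printf '%s\n' "$1" | grep -Eq -- '^-A POSTROUTING .*-j MASQUERADE' ||
  printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-s $2 .*-j SNAT"
}

# Prints "ok" or "missing:" followed by the unmet prerequisites.
vpn_routing_status() {      # $1 ip_forward, $2 FORWARD rules, $3 POSTROUTING rules, $4 subnet
  missing=""
  check_ip_forward "$1"       || missing="$missing ip_forward"
  check_forward_rules "$2"    || missing="$missing forward_rules"
  check_nat_rule "$3" "$4"    || missing="$missing nat_rule"
  [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# Constructed sample: an SNAT rule exists, but ip_forward is 0 and the
# FORWARD chain has no tun+ rules, so client traffic is never forwarded.
SAMPLE_IPFWD="0"
SAMPLE_FORWARD="-P FORWARD ACCEPT"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123"

vpn_routing_status "$SAMPLE_IPFWD" "$SAMPLE_FORWARD" "$SAMPLE_NAT" 10.8.0.0/24
```

On a real server, feed it `cat /proc/sys/net/ipv4/ip_forward`, `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` instead of the constructed strings.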
by xauen » Wed May 11, 2011 3:47 am
Sir, thank you. But I'm a newbie on this.
Sir, what you mean is to "PING" any IP from the client side?
Enable DNS lookup via the client side, or the server side?
Sorry, newbie here...
by xauen » Wed May 11, 2011 8:05 am
janjust wrote: Everything looks fine, including the client log file.
The fact that you can ping the server (both VPN IP and LAN IP?) suggests that your VPN is functional.
What is now left to do for you is to set up routing: try the following
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
to enable IP masquerading for all traffic that leaves your VPN server. After doing this, try pinging an IP address first, e.g.
the last step is to enable DNS lookups via the VPN
OK, I did the following, but I've learned that MASQUERADE should not be used with a VPS.
Do you have other solutions to this, sir?
Also, as a total newbie in Linux, I cannot seem to understand how to do DNS lookup on the VPN as you were telling me.
Should DNS lookup be on the server side or the client side?
Can you also please give me the detailed steps to follow?
Sorry again for being a total newbie here.
by xauen » Wed May 11, 2011 8:15 am
OK, sir, I did this:
Code:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123
*where 123.123.123.123 is my server IP
Then, this is the result:
Code:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 anywhere to: 123.123.123.123
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
That's it, but it is still not pinging other IPs (sample: ping yahoo.com, no response).
What could be the problem?
Help me please.