can ping server and other ips, but can't connect to internet

[jlntlanyl]

hi i just set up openvpn on a openvz server with iptables set
I can connect, ping server, ping google.com's ip, but can't connect

any ideas why?

Code: Select all

server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE: (I decided to comment out this value)
# local  a.b.c.d
local a.b.c.d.e.f.g
dev tun
proto udp
comp-lzo
# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (G3 / G3.5) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32
# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"


keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt

# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/awesomevpn.co.cc.crt
key /etc/openvpn/easy-rsa/keys/awesomevpn.co.cc.key
# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key

config file above, local ip is set correctly (not a.b.c...)

what might be the issue?

*when i connect directly to google's ip on a browser i get, "IT WORKS!" page...

[Mimiko]

I can connect, ping server, ping google.com's ip, but can't connect

I don't understand. You can connect or not? Please explain better.

You can browse google.com from client's browser using dns name or ip?

[screeble]

Dear Sirs,

(Server: ubuntu, client: ubuntu)
I've the same problem. I can use VPN internal network but Internet is unaccessible for the clients' PCs.
Client's routing table:

178.74.248.230 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 10.8.0.1 0.0.0.0 UG 0 0 0 tap0

Client's config:
client
remote 178.74.248.230
port 1194
dev tap
proto udp
ca ca.crt
auth-user-pass authinfo
redirect-gateway
auth-nocache
comp-lzo
auth MD5

Server's routing table:

Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

Server config:
port 1194
proto udp
dev tap

#certificates&security
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required
username-as-common-name

#forwarding
server 10.8.0.0 255.255.255.0
push "redirect-gateway"

client-to-client

#logs
status openvpn-status.log
log openvpn.log
verb 9

client-config-dir /etc/openvpn/client-configs

#commpressing
comp-lzo

auth MD5


Please advise.
Let me know if you need more info.

[screeble]

Mimiko, please look into my issue. Please!!

[Mimiko]

Didn't get an answer from jlntlanyl, assuming problem resolved.

screeble, does OpenVPN server run on a virtual machine? What is the tracert 8.8.8.8 from client looks like?

[screeble]

See the results below:

1) No, OpenVPN server is run on VDS

2) Client without VPN
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Client with VPN:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * 62.117.100.222 (62.117.100.222) 113.401 ms 116.153 ms
6 80.81.193.108 (80.81.193.108) 119.028 ms 81.937 ms 85.511 ms
7 209.85.255.178 (209.85.255.178) 87.216 ms 209.85.255.176 (209.85.255.176) 91.656 ms 209.85.255.178 (209.85.255.178) 88.060 ms
8 72.14.239.60 (72.14.239.60) 83.691 ms 72.14.236.68 (72.14.236.68) 84.153 ms 72.14.239.62 (72.14.239.62) 93.050 ms
9 209.85.254.118 (209.85.254.118) 88.990 ms 209.85.254.116 (209.85.254.116) 81.137 ms 209.85.254.118 (209.85.254.118) 85.719 ms
10 * * *
11 8.8.8.8 (8.8.8.8) 123.518 ms 122.862 ms 123.519 ms

Let me know if you need more info. Thanks.

[Mimiko]

What kind of VDS?

Make same tracert to 8.8.8.8 from server.

In server config disable compresion (in client config too) and use push "redirect-gateway def1".

I see that the traffic goes to some where, but the first hop had to be 10.8.0.1.

[screeble]

Greetings,

Virtual dedicated server with Ubuntu on board.

Starting log:
Wed Oct 5 10:09:39 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Wed Oct 5 10:09:39 2011 WARNING: file 'authinfo' is group or others accessible
Wed Oct 5 10:09:39 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 5 10:09:39 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 5 10:09:39 2011 UDPv4 link local (bound): [undef]
Wed Oct 5 10:09:39 2011 UDPv4 link remote: [AF_INET] a.b.c.d:1194
Wed Oct 5 10:09:39 2011 [server] Peer Connection Initiated with [AF_INET]188.72.65.190:1194
Wed Oct 5 10:09:42 2011 TUN/TAP device tap0 opened
Wed Oct 5 10:09:42 2011 /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Oct 5 10:09:42 2011 Initialization Sequence Completed

Server :
-------------------------------------
mode server
port 1194
proto udp
dev tap

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required
username-as-common-name
auth MD5
duplicate-cn
###forwarding
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
client-to-client
###logs
status openvpn-status.log
log openvpn.log
verb 5
client-config-dir /etc/openvpn/client-configs
keepalive 10 120
-----------------------
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 141.101.143.1 (141.101.143.1) 5.681 ms 5.642 ms 5.650 ms
2 94.79.30.57 (94.79.30.57) 0.437 ms 0.502 ms 0.558 ms
3 212.45.2.242 (212.45.2.242) 3.510 ms 3.425 ms 3.473 ms
4 62.117.100.222 (62.117.100.222) 52.687 ms 52.933 ms 52.904 ms
5 de-cix20.net.google.com (80.81.193.108) 60.040 ms 57.759 ms 59.994 ms
6 209.85.255.178 (209.85.255.178) 57.585 ms 57.298 ms 209.85.255.176 (209.85.255.176) 60.656 ms
7 72.14.239.60 (72.14.239.60) 58.721 ms 72.14.239.62 (72.14.239.62) 196.593 ms 72.14.236.68 (72.14.236.68) 69.518 ms
8 209.85.254.116 (209.85.254.116) 61.840 ms 209.85.254.114 (209.85.254.114) 143.018 ms 209.85.254.112 (209.85.254.112) 131.044 ms
9 google-public-dns-a.google.com (8.8.8.8) 130.938 ms 57.875 ms 58.485 ms

Client:
remote a.b.c.d
port 1194
dev tap
proto udp
resolv-retry infinite
ca ca.crt
auth-user-pass authinfo
auth MD5
auth-nocache
persist-tun
redirect-gateway def1
script-security 2

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 20.506 ms 30.805 ms 29.715 ms
2 141.101.143.1 (141.101.143.1) 31.317 ms 31.523 ms 31.715 ms
3 94.79.30.57 (94.79.30.57) 31.745 ms 32.941 ms 36.362 ms
4 212.45.2.242 (212.45.2.242) 37.504 ms 38.666 ms 42.212 ms
5 62.117.100.222 (62.117.100.222) 93.295 ms 93.025 ms 95.054 ms
6 80.81.193.108 (80.81.193.108) 99.893 ms 78.274 ms 80.343 ms
7 209.85.255.178 (209.85.255.178) 199.281 ms 200.234 ms 209.727 ms
8 72.14.239.60 (72.14.239.60) 86.404 ms 72.14.236.68 (72.14.236.68) 93.743 ms 72.14.239.60 (72.14.239.60) 89.890 ms
9 209.85.254.118 (209.85.254.118) 206.724 ms 93.403 ms 209.85.254.114 (209.85.254.114) 90.497 ms
10 8.8.8.8 (8.8.8.8) 95.238 ms 100.420 ms 100.675 ms

I think this problem is related to synchronization.

Please advise.

[Mimiko]

Why you removed "client" statement from client's config file?

The traffic is going thru the VPN. High (relatively) pings are due to slow processors you use. Do you connect to VPN in same LAN? I see that the trace is going out to 141.101.143.1 as from client as from server.

[screeble]

The 'client' record wasn't removed from 'client.conf' file. I didn't copy it.
-----------------------
client
remote a.b.c.d
port 1194
dev tap
proto udp
resolv-retry infinite
ca ca.crt
auth-user-pass authinfo
auth MD5
auth-nocache
persist-tun
redirect-gateway def1
script-security 2
-----------------------
The server and client are located in different countries. May this problem be due to different time zones?
When I try to configure the OpenVPN on Windows 7 PC everything works fine.

[Mimiko]

Time zone doesnot nothing have with the connection.
Windows 7 as OpenVPN client? What do you mean fine? I see that connection is made and traffic is going thru VPN on your linux box.

[screeble]

Yes, the Windows 7 is VPN client, and UBUNTU is another one.
When I create connection through Windows 7 the tunnel and Internet work properly.
But when I try to do the same on Ubuntu only tunnel works.

Something strange.

[Mimiko]

Do you run OpenVPN on ubuntu as root? Show routing table and ip interface configuration when VPN is established.

[screeble]

Dear Mimiko,

Thank you for your response!
Yes, I run it as root(Ubuntu is installed on the VirtualBox):
----------------------
root@ubuntu:/etc/openvpn# openvpn --config client.conf
Thu Oct 6 10:11:30 2011 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Thu Oct 6 10:11:30 2011 WARNING: file 'authinfo' is group or others accessible
Thu Oct 6 10:11:30 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 6 10:11:30 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Oct 6 10:11:38 2011 UDPv4 link local (bound): [undef]
Thu Oct 6 10:11:38 2011 UDPv4 link remote: [AF_INET]178.74.248.230:1194
Thu Oct 6 10:11:38 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Oct 6 10:11:39 2011 [Test-Server] Peer Connection Initiated with [AF_INET]178.74.248.230:1194
Thu Oct 6 10:11:41 2011 TUN/TAP device tap0 opened
Thu Oct 6 10:11:41 2011 /sbin/ifconfig tap0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Oct 6 10:11:41 2011 Initialization Sequence Completed
----------------------

route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
178.74.248.230 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
188.72.65.190 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
10.0.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tap0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
----------------------

ifconfig -a
eth0 Link encap:Ethernet HWaddr 08:00:27:34:45:c4
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe34:45c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5144 errors:0 dropped:0 overruns:0 frame:0
TX packets:4410 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3902985 (3.9 MB) TX bytes:396734 (396.7 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2515 (2.5 KB) TX bytes:2515 (2.5 KB)

tap0 Link encap:Ethernet HWaddr 6e:c5:87:54:08:e7
inet addr:10.8.0.2 Bcast:10.8.0.255 Mask:255.255.255.0
inet6 addr: fe80::6cc5:87ff:fe54:8e7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1448 (1.4 KB) TX bytes:17912 (17.9 KB)

----------------------
Server log:
Thu Oct 6 09:11:34 2011 us=112540 MULTI: multi_create_instance called
Thu Oct 6 09:11:34 2011 us=112611 188.72.65.190:49752 Re-using SSL/TLS context
Thu Oct 6 09:11:34 2011 us=112681 188.72.65.190:49752 Control Channel MTU parms [ L:1569 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 6 09:11:34 2011 us=112698 188.72.65.190:49752 Data Channel MTU parms [ L:1569 D:1450 EF:37 EB:4 ET:32 EL:0 ]
Thu Oct 6 09:11:34 2011 us=112738 188.72.65.190:49752 Local Options String: 'V4,dev-type tap,link-mtu 1569,tun-mtu 1532,proto UDPv4,cipher BF-CBC,auth MD5,keysize 128,key-method 2,tls-server'
Thu Oct 6 09:11:34 2011 us=112751 188.72.65.190:49752 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1569,tun-mtu 1532,proto UDPv4,cipher BF-CBC,auth MD5,keysize 128,key-method 2,tls-client'
Thu Oct 6 09:11:34 2011 us=112771 188.72.65.190:49752 Local Options hash (VER=V4): 'feb7a98f'
Thu Oct 6 09:11:34 2011 us=112789 188.72.65.190:49752 Expected Remote Options hash (VER=V4): '8ad20e80'
RThu Oct 6 09:11:34 2011 us=112824 188.72.65.190:49752 TLS: Initial packet from [AF_INET]188.72.65.190:49752, sid=277fca13 a485dcd1
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWWWRRRWRWRWRAUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Thu Oct 6 09:11:35 2011 us=286162 188.72.65.190:49752 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Oct 6 09:11:35 2011 us=286211 188.72.65.190:49752 TLS: Username/Password authentication succeeded for username 'user' [CN SET]
Thu Oct 6 09:11:35 2011 us=286392 188.72.65.190:49752 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 6 09:11:35 2011 us=286409 188.72.65.190:49752 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
Thu Oct 6 09:11:35 2011 us=286466 188.72.65.190:49752 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 6 09:11:35 2011 us=286481 188.72.65.190:49752 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
WWWRRRThu Oct 6 09:11:35 2011 us=393554 188.72.65.190:49752 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Oct 6 09:11:35 2011 us=393607 188.72.65.190:49752 [user] Peer Connection Initiated with [AF_INET]188.72.65.190:49752
Thu Oct 6 09:11:35 2011 us=407576 user/188.72.65.190:49752 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/client-configs/user
RThu Oct 6 09:11:37 2011 us=412276 user/188.72.65.190:49752 PUSH: Received control message: 'PUSH_REQUEST'
Thu Oct 6 09:11:37 2011 us=412351 user/188.72.65.190:49752 SENT CONTROL [user]: 'PUSH_REPLY,redirect-gateway def1,route-gateway 10.8.0.1,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0' (status=1)
WWWRRRThu Oct 6 09:11:37 2011 us=750515 user/188.72.65.190:49752 MULTI: Learn: 6e:c5:87:54:08:e7 -> user/188.72.65.190:49752
wRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRWwWRWRRWWRWRWRWRWRWR


Please let me know if you need anything else.

[Mimiko]

On virtualBox did you set virtual ethernet in bridged mode? Try using TCP protocol in OpenVPN, change it in server's and client's config.

[screeble]

There is NAT mode in VB.
I'm going to change the settings of server and client and let you know the result.

Thank you for your support.

[screeble]

Looks like I have the same problem as jlntlanyl.

pixel@ubuntu:~$ ping -c4 google.com
ping: unknown host google.com

ping -c4 74.125.232.18
PING 74.125.232.18 (74.125.232.18) 56(84) bytes of data.
64 bytes from 74.125.232.18: icmp_req=1 ttl=55 time=146 ms
64 bytes from 74.125.232.18: icmp_req=2 ttl=55 time=143 ms
64 bytes from 74.125.232.18: icmp_req=3 ttl=55 time=143 ms
64 bytes from 74.125.232.18: icmp_req=4 ttl=55 time=195 ms

pixel@ubuntu:~$ traceroute 74.125.232.18
traceroute to 74.125.232.18 (74.125.232.18), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 111.198 ms 105.080 ms 104.554 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *

I can open google.com site using its IP but can't open it using domain name.
I can ping IPs of another site but can't ping their domain names.

the server IPTABLES (iptables-save):

# Generated by iptables-save v1.4.10 on Thu Oct 6 13:35:29 2011
*filter
:INPUT ACCEPT [271:144773]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300:192799]
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Oct 6 13:35:29 2011
# Generated by iptables-save v1.4.10 on Thu Oct 6 13:35:29 2011
*nat
REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [59:3703]
OSTROUTING ACCEPT [59:3703]
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -j SNAT --to-source 192.168.1.10
COMMIT
# Completed on Thu Oct 6 13:35:29 2011

Can you help me?

[Mimiko]

Its a DNS-client problem. Verify what DNS is used:

Code: Select all

cat /etc/resolv.conf

[screeble]

There are the follwing ones on the client PC:

# Generated by NetworkManager
nameserver 212.188.4.10
nameserver 195.34.32.116
nameserver 192.168.0.1

Which settings we need to use?

[screeble]

Thank you!!! You are amazing!!!

I've set the following settings in /etc/resolv.conf:

# Generated by NetworkManager
nameserver 192.168.1.1

and everything started working properly!!!