Connects to Openvpn. But cannot browse internet.

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Sun Apr 28, 2013 6:43 am

I'm trying to connect to an Ubuntu Server 12.04 machine running OpenVPN from my desktop running Ubuntu 12.04. The OpenVPN client connects, but I cannot browse any internet. I can ping and SSH to my server when I'm connected through the VPN.
Client config

Code:

dev tun
client
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 50
fragment 1300
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
auth none
cipher none
comp-lzo
reneg-sec 0
verb 3
Server Config

Code:

dev tun
proto udp
port 1194
tun-mtu 1500
tun-mtu-extra 50
mssfix 1450
fragment 1300
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Server Logs

Code:

Sun Apr 28 00:18:13 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 27 2013
Sun Apr 28 00:18:13 2013 WARNING: --keepalive option is missing from server config
Sun Apr 28 00:18:13 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 00:18:13 2013 Diffie-Hellman initialized with 1024 bit key
Sun Apr 28 00:18:13 2013 TLS-Auth MTU parms [ L:1592 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 28 00:18:13 2013 Socket Buffers: R=[245760->131072] S=[245760->131072]
Sun Apr 28 00:18:13 2013 ROUTE: default_gateway=UNDEF
Sun Apr 28 00:18:13 2013 TUN/TAP device tun0 opened
Sun Apr 28 00:18:13 2013 TUN/TAP TX queue length set to 100
Sun Apr 28 00:18:13 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Apr 28 00:18:13 2013 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Apr 28 00:18:13 2013 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Apr 28 00:18:13 2013 Data Channel MTU parms [ L:1592 D:1450 EF:42 EB:135 ET:50 EL:0 AF:3/1 ]
Sun Apr 28 00:18:13 2013 GID set to nogroup
Sun Apr 28 00:18:13 2013 UID set to nobody
Sun Apr 28 00:18:13 2013 UDPv4 link local (bound): [undef]
Sun Apr 28 00:18:13 2013 UDPv4 link remote: [undef]
Sun Apr 28 00:18:13 2013 MULTI: multi_init called, r=256 v=256
Sun Apr 28 00:18:13 2013 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Apr 28 00:18:13 2013 Initialization Sequence Completed
Sun Apr 28 00:18:25 2013 MULTI: multi_create_instance called
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 Re-using SSL/TLS context
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 LZO compression initialized
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 Control Channel MTU parms [ L:1592 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 Data Channel MTU parms [ L:1592 D:1450 EF:42 EB:135 ET:50 EL:0 AF:3/1 ]
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 Local Options hash (VER=V4): 'ee1ac52f'
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 Expected Remote Options hash (VER=V4): '4b8af814'
Sun Apr 28 00:18:25 2013 xxx.xxx.xxx.xxx:17080 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:17080, sid=116c10cf 9837ceb5
Sun Apr 28 00:18:28 2013 xxx.xxx.xxx.xxx:17080 VERIFY OK: depth=1, /C=US/ST=ML
Sun Apr 28 00:18:28 2013 xxx.xxx.xxx.xxx:17080 VERIFY OK: depth=0, /C=us/ST=ml
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1592', remote='link-mtu 1541'
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1550', remote='tun-mtu 1500'
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 28 00:18:29 2013 xxx.xxx.xxx.xxx:17080 [testserver] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:17080
Sun Apr 28 00:18:29 2013 testserver/xxx.xxx.xxx.xxx:17080 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=1::1f00:0:d7f:0
Sun Apr 28 00:18:29 2013 testserver/xxx.xxx.xxx.xxx:17080 MULTI: Learn: 10.8.0.6 -> testserver/xxx.xxx.xxx.xxx:17080
Sun Apr 28 00:18:29 2013 testserver/xxx.xxx.xxx.xxx:17080 MULTI: primary virtual IP for testserver/xxx.xxx.xxx.xxx:17080: 10.8.0.6
Sun Apr 28 00:18:32 2013 testserver/xxx.xxx.xxx.xxx:17080 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 28 00:18:32 2013 testserver/xxx.xxx.xxx.xxx:17080 send_push_reply(): safe_cap=960
Sun Apr 28 00:18:32 2013 testserver/xxx.xxx.xxx.xxx:17080 SENT CONTROL [testserver]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Sun Apr 28 00:18:33 2013 testserver/xxx.xxx.xxx.xxx:17080 Bad LZO decompression header byte: 69
Sun Apr 28 00:18:33 2013 testserver/xxx.xxx.xxx.xxx:17080 Bad LZO decompression header byte: 69
Sun Apr 28 00:18:35 2013 testserver/xxx.xxx.xxx.xxx:17080 Bad LZO decompression header byte: 69
Sun Apr 28 00:20:34 2013 MULTI: multi_create_instance called
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 Re-using SSL/TLS context
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 LZO compression initialized
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 Control Channel MTU parms [ L:1592 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 Data Channel MTU parms [ L:1592 D:1450 EF:42 EB:135 ET:50 EL:0 AF:3/1 ]
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 Local Options hash (VER=V4): 'ee1ac52f'
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 Expected Remote Options hash (VER=V4): '4b8af814'
Sun Apr 28 00:20:34 2013 xxx.xxx.xxx.xxx:17085 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:17085, sid=01d0125c 8d8061c6
Sun Apr 28 00:20:38 2013 xxx.xxx.xxx.xxx:17085 VERIFY OK: depth=1, /C=US/ST=ML/L=maryland/O=testserver/OU=ln/CN=testserver/name=testserver/emailAddress=testserver@testserver.com
Sun Apr 28 00:20:38 2013 xxx.xxx.xxx.xxx:17085 VERIFY OK: depth=0, /C=us/ST=ml/L=maryland/O=testserver/OU=ln/CN=testserver/name=testserver/emailAddress=testserver@testserver.com
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1592', remote='link-mtu 1541'
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1550', remote='tun-mtu 1500'
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Apr 28 00:20:39 2013 xxx.xxx.xxx.xxx:17085 [testserver] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:17085
Sun Apr 28 00:20:39 2013 MULTI: new connection by client 'testserver' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sun Apr 28 00:20:39 2013 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=::803b:7e76:d7f:0
Sun Apr 28 00:20:39 2013 MULTI: Learn: 10.8.0.6 -> testserver/xxx.xxx.xxx.xxx:17085
Sun Apr 28 00:20:39 2013 MULTI: primary virtual IP for testserver/xxx.xxx.xxx.xxx:17085: 10.8.0.6
Sun Apr 28 00:20:41 2013 testserver/xxx.xxx.xxx.xxx:17085 PUSH: Received control message: 'PUSH_REQUEST'
Sun Apr 28 00:20:41 2013 testserver/xxx.xxx.xxx.xxx:17085 send_push_reply(): safe_cap=960
Sun Apr 28 00:20:41 2013 testserver/xxx.xxx.xxx.xxx:17085 SENT CONTROL [testserver]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Connects to Openvpn. But cannot browse internet.

Post by Douglas » Mon Apr 29, 2013 4:51 am

Make sure you do your masquerade rules and no other rules in firewall are interfering...
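What "do your masquerade rules" amounts to for a server that pushes redirect-gateway, written out as an added example (this is not from the thread or from OpenVPN): the kernel has to forward between tun0 and the egress interface, the FORWARD chain has to let that traffic through, and the 10.8.0.x source addresses have to be rewritten on the way out so replies come back to this host. Assumptions: the VPN subnet 10.8.0.0/24 comes from the posted "server" line, venet0 from the poster's later SNAT rule, 203.0.113.10 is a documentation-range placeholder for the server's public IP, and the function names are mine. On OpenVZ guests venet0 carries no address of its own, so MASQUERADE commonly has nothing to pick from; SNAT with the container's public IP is the usual form there, which is why the script supports both.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding + NAT for an OpenVPN server
# that pushes "redirect-gateway def1". Assumed values: subnet 10.8.0.0/24,
# egress interface venet0, tun device tun0, public IP 203.0.113.10 (placeholder).

# vpn_nat_commands SUBNET EGRESS_IF MODE [PUBLIC_IP]
#   MODE is "masquerade" or "snat" (snat needs PUBLIC_IP). Prints one command
#   per line and runs nothing, so the rule set can be reviewed first.
vpn_nat_commands() {
    subnet=$1; egress=$2; mode=$3; pubip=$4
    case $mode in
        masquerade)
            nat_target="-j MASQUERADE" ;;
        snat)
            [ -n "$pubip" ] || { echo "snat mode needs the public IP" >&2; return 1; }
            nat_target="-j SNAT --to-source $pubip" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # 1. The kernel must route between tun0 and the egress interface.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Allow forwarded traffic both ways. Redundant while the FORWARD policy
    #    is ACCEPT (as in the thread), required once it is tightened to DROP.
    echo "iptables -A FORWARD -i tun0 -o $egress -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -i $egress -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. Rewrite the VPN source address so the Internet replies to this host.
    #    Restricting with -s keeps the rule from NATing unrelated traffic.
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $egress $nat_target"
}

# vpn_nat_apply: same arguments, executes each command and stops at the
# first failure so a refused rule is not silently skipped.
vpn_nat_apply() {
    vpn_nat_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "FAILED: $cmd" >&2; exit 1; }
    done
}

# Usage (as root), matching the poster's OpenVZ guest:
#   vpn_nat_apply 10.8.0.0/24 venet0 snat 203.0.113.10
# Review first without touching the firewall:
#   vpn_nat_commands 10.8.0.0/24 venet0 snat 203.0.113.10
```

Inside an OpenVZ container, both `sysctl -w net.ipv4.ip_forward=1` and `iptables -t nat` depend on what the host has allowed for that container (the nat modules have to be enabled from the host side), so a FAILED line from `vpn_nat_apply` is worth reading before anything else.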

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Re: Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Mon Apr 29, 2013 2:08 pm

Hi,

Mine is OpenVZ. I have entered an SNAT rule for the firewall. I will paste my code here.

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Re: Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Mon Apr 29, 2013 5:24 pm

Code:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Connects to Openvpn. But cannot browse internet.

Post by Douglas » Thu May 02, 2013 3:13 pm

iptables -L -t nat

iptables -L

Please

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Re: Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Thu May 02, 2013 3:31 pm

Hi,

Code:

iptables -L -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
If I use the above code, it says:

Code:

Cannot use -A with -L

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Connects to Openvpn. But cannot browse internet.

Post by novaflash » Thu May 02, 2013 4:47 pm

I think what he meant was to give an output of your current rules, using those commands. Not to combine it with the failing commands you're using now.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Re: Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Thu May 02, 2013 5:56 pm

oops sorry
iptables -L -t nat

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   
iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Connects to Openvpn. But cannot browse internet.

Post by Douglas » Thu May 02, 2013 8:30 pm

There are no NAT rules...

SriKolla
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 28, 2013 6:38 am

Re: Connects to Openvpn. But cannot browse internet.

Post by SriKolla » Fri May 03, 2013 6:27 pm

Yeah, that's the issue. I entered the following to edit iptables and saved, but no success.

Code:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx
iptables-save
Even then no rules are displayed in iptables. What am I missing here?

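The check a reader would run at this point in the thread, as an added example that is not part of it: the function below takes the text of `iptables -t nat -S POSTROUTING` and the value of `/proc/sys/net/ipv4/ip_forward` and says exactly which part of the gateway setup is missing, so "connects but no Internet" can be pinned on the nat table or on forwarding without guessing. Passing the two inputs in as strings is what lets it run against captured output; the empty and fixed rule sets at the bottom are constructed to mirror what the poster pasted, 203.0.113.10 is a placeholder public IP, and the function name is mine.

```shell
#!/bin/sh
# Added example (not from the thread): decide from captured iptables/sysctl
# output whether this host can act as the Internet gateway for a VPN subnet.
# Assumed values: subnet 10.8.0.0/24 and egress interface venet0 (from the
# thread); 203.0.113.10 is a placeholder public IP.

# vpn_gateway_check SUBNET EGRESS_IF NAT_RULES IP_FORWARD
#   NAT_RULES : text of `iptables -t nat -S POSTROUTING`
#   IP_FORWARD: contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   Prints one finding per line; returns 0 only when nothing is missing.
vpn_gateway_check() {
    subnet=$1; egress=$2; rules=$3; fwd=$4; problems=0
    if [ "$fwd" != "1" ]; then
        echo "MISSING: net.ipv4.ip_forward is '$fwd', need 1"
        problems=$((problems + 1))
    fi
    # A usable rule sits in POSTROUTING, leaves via the egress interface and
    # jumps to SNAT or MASQUERADE. A rule with no -s match (like the poster's)
    # counts; a rule whose -s names a different subnet does not.
    matched=$(printf '%s\n' "$rules" \
        | grep -E -- "^-A POSTROUTING .*-o $egress .*-j (SNAT|MASQUERADE)" \
        | awk -v net="$subnet" '
            { ok = 1
              for (i = 1; i <= NF; i++)
                  if ($i == "-s" && $(i+1) != net) ok = 0
              if (ok) print }')
    if [ -z "$matched" ]; then
        echo "MISSING: no SNAT/MASQUERADE rule in nat POSTROUTING for $subnet via $egress"
        problems=$((problems + 1))
    else
        echo "OK: $matched"
    fi
    [ "$problems" -eq 0 ]
}

# Live use (as root):
#   vpn_gateway_check 10.8.0.0/24 venet0 \
#       "$(iptables -t nat -S POSTROUTING)" "$(cat /proc/sys/net/ipv4/ip_forward)"

# Constructed inputs mirroring the thread: the empty nat table the poster
# saw, and the same table after the SNAT rule actually took effect.
EMPTY_NAT='-P POSTROUTING ACCEPT'
FIXED_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10'
```

Two things the last post runs into that the check makes visible. First, `iptables-save` only prints the live rule set to stdout; it persists nothing. To survive a reboot the output has to be redirected somewhere that is restored at boot, for example `iptables-save > /etc/iptables/rules.v4` with the iptables-persistent package, or an `iptables-restore` hook in /etc/network/interfaces on Ubuntu 12.04. Second, if `iptables -t nat -L` shows empty chains right after an `-A` command, the `-A` itself most likely failed: inside an OpenVZ container the nat table is only available when the host has enabled the nat iptables modules for that container, and in that case the error message from the `-A` command, not the empty listing, is the thing to look at.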