I've been following the forum for the last few days, but I decided to post now since I don't seem to be able to solve this myself. So here is the deal:
Debian Wheezy server with Windows 7 client. The connection is successful and the server can ping the client, but the client can't ping the server and can't access the internet at all.
iptables nat:
Chain PREROUTING (policy ACCEPT 893 packets, 149K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2 packets, 84 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28 packets, 2001 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 28 packets, 2001 bytes)
pkts bytes target prot opt in out source destination
1 40 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
iptables -L:
root@techcity:/etc/openvpn/easy-rsa/2.0# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !lo any anywhere loopback/8
414K 1461M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
940 56396 ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any base-address.mcast.net/4 anywhere
14406 4433K PUB_IN all -- eth+ any anywhere anywhere
0 0 PUB_IN all -- ppp+ any anywhere anywhere
0 0 PUB_IN all -- slip+ any anywhere anywhere
0 0 PUB_IN all -- venet+ any anywhere anywhere
0 0 PUB_IN all -- bond+ any anywhere anywhere
282 91273 DROP all -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcpflags: ACK/ACK
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:domain dpts:1024:65535
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:33434:33523
0 0 ACCEPT esp -- any any 10.8.0.0/24 anywhere
0 0 ACCEPT udp -- any any 10.8.0.0/24 anywhere multiport sports isakmp,10000
0 0 ACCEPT all -- tun+ any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7524 362K DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 9797 packets, 61M bytes)
pkts bytes target prot opt in out source destination
182K 132M PUB_OUT all -- any eth+ anywhere anywhere
0 0 PUB_OUT all -- any ppp+ anywhere anywhere
0 0 PUB_OUT all -- any slip+ anywhere anywhere
0 0 PUB_OUT all -- any venet+ anywhere anywhere
0 0 PUB_OUT all -- any bond+ anywhere anywhere
0 0 ACCEPT esp -- any any anywhere 10.8.0.0/24
0 0 ACCEPT udp -- any any anywhere 10.8.0.0/24 multiport dports isakmp,10000
0 0 ACCEPT all -- any tun+ anywhere anywhere
Chain INT_IN (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain INT_OUT (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain PAROLE (20 references)
pkts bytes target prot opt in out source destination
17 952 ACCEPT all -- any any anywhere anywhere
Chain PUB_IN (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
2 64 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ftp-data
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ssh
4 216 PAROLE tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:domain
1 60 PAROLE tcp -- any any anywhere anywhere tcp dpt:http
1 64 PAROLE tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:imap2
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:https
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:imaps
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:pop3s
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:mysql
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:http-alt
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:tproxy
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:webmin
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:submission
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:ssmtp
9 492 PAROLE tcp -- any any anywhere anywhere tcp dpt:3389
2 120 PAROLE tcp -- any any anywhere anywhere tcp dpt:10011
0 0 PAROLE tcp -- any any anywhere anywhere tcp dpt:1723
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:mysql
4 823 ACCEPT udp -- any any anywhere anywhere udp dpt:9987
48 2016 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 DROP icmp -- any any anywhere anywhere
14335 4429K DROP all -- any any anywhere anywhere
Chain PUB_OUT (5 references)
pkts bytes target prot opt in out source destination
182K 132M ACCEPT all -- any any anywhere anywhere
Sat Jun 22 00:52:02 2013 MULTI: multi_create_instance called
Sat Jun 22 00:52:02 2013 my.ip:63689 Re-using SSL/TLS context
Sat Jun 22 00:52:02 2013 my.ip:63689 LZO compression initialized
Sat Jun 22 00:52:02 2013 my.ip:63689 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 22 00:52:02 2013 my.ip:63689 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 22 00:52:02 2013 my.ip:63689 Local Options hash (VER=V4): '530fdded'
Sat Jun 22 00:52:02 2013 my.ip:63689 Expected Remote Options hash (VER=V4): '41690919'
Sat Jun 22 00:52:02 2013 my.ip:63689 TLS: Initial packet from [AF_INET]my.ip:63689, sid=6af705a5 daeb1ab6
Sat Jun 22 00:52:02 2013 my.ip:63689 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=Funston/CN=techcity.dyndns.org/name=Dimitris/emailAddress=dimitris@techcity.se
Sat Jun 22 00:52:02 2013 my.ip:63689 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=Funston/CN=client1/name=Dimitris/emailAddress=dimitris@techcity.se
Sat Jun 22 00:52:03 2013 my.ip:63689 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:52:03 2013 my.ip:63689 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:52:03 2013 my.ip:63689 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:52:03 2013 my.ip:63689 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:52:03 2013 my.ip:63689 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jun 22 00:52:03 2013 my.ip:63689 [client1] Peer Connection Initiated with [AF_INET]my.ip:63689
Sat Jun 22 00:52:03 2013 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Jun 22 00:52:03 2013 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=e0c0:70f5:637f:0:f277:3bf5:637f:0
Sat Jun 22 00:52:03 2013 MULTI: Learn: 10.8.0.2 -> client1/my.ip:63689
Sat Jun 22 00:52:03 2013 MULTI: primary virtual IP for client1/my.ip:63689: 10.8.0.2
Sat Jun 22 00:52:05 2013 client1/my.ip:63689 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jun 22 00:52:05 2013 client1/my.ip:63689 send_push_reply(): safe_cap=960
Sat Jun 22 00:52:05 2013 client1/my.ip:63689 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Sat Jun 22 00:54:27 2013 MULTI: multi_create_instance called
Sat Jun 22 00:54:27 2013 my.ip:51896 Re-using SSL/TLS context
Sat Jun 22 00:54:27 2013 my.ip:51896 LZO compression initialized
Sat Jun 22 00:54:27 2013 my.ip:51896 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jun 22 00:54:27 2013 my.ip:51896 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 22 00:54:27 2013 my.ip:51896 Local Options hash (VER=V4): '530fdded'
Sat Jun 22 00:54:27 2013 my.ip:51896 Expected Remote Options hash (VER=V4): '41690919'
Sat Jun 22 00:54:27 2013 my.ip:51896 TLS: Initial packet from [AF_INET]my.ip:51896, sid=2b2e3a4c 9e11d884
Sat Jun 22 00:54:27 2013 my.ip:51896 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=Funston/CN=techcity.dyndns.org/name=Dimitris/emailAddress=dimitris@techcity.se
Sat Jun 22 00:54:27 2013 my.ip:51896 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=Funston/CN=client1/name=Dimitris/emailAddress=dimitris@techcity.se
Sat Jun 22 00:54:27 2013 my.ip:51896 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:54:27 2013 my.ip:51896 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:54:27 2013 my.ip:51896 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:54:27 2013 my.ip:51896 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:54:27 2013 my.ip:51896 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jun 22 00:54:27 2013 my.ip:51896 [client1] Peer Connection Initiated with [AF_INET]my.ip:51896
Sat Jun 22 00:54:27 2013 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Jun 22 00:54:27 2013 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=f06b:6ff5:637f:0:f277:3bf5:637f:0
Sat Jun 22 00:54:27 2013 MULTI: Learn: 10.8.0.2 -> client1/my.ip:51896
Sat Jun 22 00:54:27 2013 MULTI: primary virtual IP for client1/my.ip:51896: 10.8.0.2
Sat Jun 22 00:54:30 2013 client1/my.ip:51896 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jun 22 00:54:30 2013 client1/my.ip:51896 send_push_reply(): safe_cap=960
Sat Jun 22 00:54:30 2013 client1/my.ip:51896 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Sat Jun 22 00:54:24 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun 3 2013
Sat Jun 22 00:54:24 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jun 22 00:54:24 2013 UDPv4 link local: [undef]
Sat Jun 22 00:54:24 2013 UDPv4 link remote: [AF_INET]server.ip:1194
Sat Jun 22 00:54:24 2013 TLS: Initial packet from [AF_INET]server.ip:1194, sid=16dcce51 55792489
Sat Jun 22 00:54:24 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=Funston, CN=server, name=dssd, emailAddress=sdsd@sdsd.sd
Sat Jun 22 00:54:24 2013 Validating certificate key usage
Sat Jun 22 00:54:24 2013 ++ Certificate has key usage 00a0, expects 00a0
Sat Jun 22 00:54:24 2013 VERIFY KU OK
Sat Jun 22 00:54:24 2013 Validating certificate extended key usage
Sat Jun 22 00:54:24 2013 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Jun 22 00:54:24 2013 VERIFY EKU OK
Sat Jun 22 00:54:24 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=Funston, CN=server, name=dssd, emailAddress=sdsd@sdsd.sd
Sat Jun 22 00:54:24 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:54:24 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:54:24 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 22 00:54:24 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 22 00:54:24 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jun 22 00:54:24 2013 [server] Peer Connection Initiated with [AF_INET]89.160.118.24:1194
Sat Jun 22 00:54:26 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jun 22 00:54:26 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'
Sat Jun 22 00:54:26 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jun 22 00:54:26 2013 OPTIONS IMPORT: route options modified
Sat Jun 22 00:54:26 2013 OPTIONS IMPORT: route-related options modified
Sat Jun 22 00:54:26 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jun 22 00:54:26 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jun 22 00:54:26 2013 open_tun, tt->ipv6=0
Sat Jun 22 00:54:26 2013 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{4E516AD8-8E9D-468E-A4AB-C5883449C8EB}.tap
Sat Jun 22 00:54:26 2013 TAP-Windows Driver Version 9.9
Sat Jun 22 00:54:26 2013 Set TAP-Windows TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]
Sat Jun 22 00:54:26 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.0 on interface {4E516AD8-8E9D-468E-A4AB-C5883449C8EB} [DHCP-serv: 10.8.0.254, lease-time: 31536000]
Sat Jun 22 00:54:26 2013 Successful ARP Flush on interface [28] {4E516AD8-8E9D-468E-A4AB-C5883449C8EB}
Sat Jun 22 00:54:29 2013 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Sat Jun 22 00:54:29 2013 C:\Windows\system32\route.exe ADD server.ip MASK 255.255.255.255 192.168.0.1
Sat Jun 22 00:54:29 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jun 22 00:54:29 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Sat Jun 22 00:54:29 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jun 22 00:54:29 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Sat Jun 22 00:54:29 2013 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Jun 22 00:54:29 2013 Initialization Sequence Completed
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo adaptive
dev tun
client
proto udp
remote ip.here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo adaptive
verb 3
route-method exe
route-delay 2
remote-cert-tls server
I've spent the last 2 days trying to find a solution and I suspect my messed up iptables is the cause of this. Any help would be much appreciated.
Thanks in advance
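In the iptables -L -v output above, both INPUT and FORWARD contain an unconditional "DROP all -- any any anywhere anywhere" rule that sits before the rules meant to admit VPN traffic (the tun+ ACCEPT in INPUT, the 10.8.0.0/24 ACCEPT in FORWARD), so those later rules can never match and the FORWARD DROP counter keeps growing. The following is an added example, not code from the original post or from OpenVPN: it parses iptables -L -v text (here a constructed excerpt of the chains in the post) and reports every rule shadowed by an earlier catch-all DROP or REJECT, which is the check worth running before reordering anything.

```python
"""Report iptables rules that an earlier catch-all DROP/REJECT makes unreachable.

Works on the plain-text output of `iptables -L -v` (no -n needed).
"""

# Constructed sample: abbreviated INPUT and FORWARD chains from the post above.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
414K 1461M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
282 91273 DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
7524 362K DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
"""

TERMINATING = ("DROP", "REJECT")

def parse_chains(text):
    """Return {chain_name: [rule_fields, ...]} from `iptables -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            current = fields[1]
            chains[current] = []
        elif current and fields[0] != "pkts":   # skip the column header
            chains[current].append(fields)
    return chains

def is_catch_all(fields):
    """True for DROP/REJECT with no proto, interface, address or extra match."""
    if len(fields) < 9:
        return False
    target, proto, _, iface_in, iface_out, src, dst = fields[2:9]
    extra = fields[9:]                        # match extensions or target options
    return (target in TERMINATING and proto == "all"
            and iface_in == "any" and iface_out == "any"
            and src == "anywhere" and dst == "anywhere"
            and (not extra or extra[0] == "reject-with"))

def shadowed_rules(text):
    """Map chain -> rules (without counters) that follow its first catch-all."""
    report = {}
    for chain, rules in parse_chains(text).items():
        for i, rule in enumerate(rules):
            if is_catch_all(rule):
                later = [" ".join(r[2:]) for r in rules[i + 1:]]
                if later:
                    report[chain] = later
                break                         # only the first catch-all matters
    return report

if __name__ == "__main__":
    for chain, rules in shadowed_rules(SAMPLE).items():
        print(f"{chain}: {len(rules)} rule(s) can never match:")
        for r in rules:
            print("   ", r)
```

Feed it the real output with `python3 check.py < <(iptables -L -v)` after replacing SAMPLE with `sys.stdin.read()`; an empty report means no rule is hidden behind a catch-all drop.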