I'm running OpenVPN 2.3.2 on Ubuntu. I'm having an issue when trying to force all traffic to be NATed over the server for connected clients. When a client connects, the client is unable to access the internet or ping anything besides the server. Possibly an issue with my iptables?
Server config:
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert myhostname.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Code:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:536 (536.0 B) TX bytes:536 (536.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:731 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:50294 (50.2 KB) TX bytes:288 (288.0 B)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: 2a04:ad80::70ce:67d9/128 Scope:Global
inet6 addr: 2a04:ad80::bc79:ef29/128 Scope:Global
inet6 addr: 2a04:ad80::1a35:c0bf/128 Scope:Global
inet6 addr: 2a04:ad80::db9:d432/128 Scope:Global
inet6 addr: 2a04:ad80::4e34:95b2/128 Scope:Global
inet6 addr: 2a04:ad80::f1e1:69f9/128 Scope:Global
inet6 addr: 2a04:ad80::4f8d:f42e/128 Scope:Global
inet6 addr: 2a04:ad80::78cf:d4f7/128 Scope:Global
inet6 addr: 2a04:ad80::5e97:2edb/128 Scope:Global
inet6 addr: 2a04:ad80::57c8:763b/128 Scope:Global
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:900587 errors:0 dropped:0 overruns:0 frame:0
TX packets:1003154 errors:0 dropped:18530 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:116834285 (116.8 MB) TX bytes:184228022 (184.2 MB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:x.x.x.x P-t-P:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Current iptables
Code:
*nat
:PREROUTING ACCEPT [113:6983]
:POSTROUTING ACCEPT [85:5677]
:OUTPUT ACCEPT [6:376]
-A POSTROUTING -o vnet0:0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [189387:22609148]
-A INPUT -i lo -j ACCEPT
-A INPUT -f -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 1194 -j ACCEPT
:FORWARD ACCEPT [1018:66893]
:OUTPUT ACCEPT [86:4860]
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [838358:104378039]
:INPUT ACCEPT [837339:104311094]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i venet0:0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [956907:175496868]
:POSTROUTING ACCEPT [957925:175563761]
COMMIT
*raw
:PREROUTING ACCEPT [838358:104378039]
:OUTPUT ACCEPT [956907:175496868]
COMMIT
Thanks
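Added example, not part of the original post: a small POSIX shell checker for the redirect-gateway plus MASQUERADE setup described above. It parses an iptables-save dump (a constructed sample modelled on the post's nat, filter and mangle tables is embedded; on a real server use `DUMP=$(iptables-save)`) and reports the three things that decide whether VPN clients get out: a MASQUERADE rule for the VPN subnet on a real device rather than an `eth0:0` style IP alias, where the tun FORWARD rules live, and whether `net.ipv4.ip_forward` is enabled. The subnet, device names and message texts are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-save
# dump for a redirect-gateway + MASQUERADE OpenVPN server.
# On a real server replace the constructed sample with: DUMP=$(iptables-save)

# Constructed sample modelled on the nat/filter/mangle tables in the post.
DUMP='*nat
-A POSTROUTING -o vnet0:0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
*mangle
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Prefix every "-A" rule with the table it belongs to: "nat -A POSTROUTING ...".
tag_tables() {
  printf '%s\n' "$DUMP" | awk 'substr($0, 1, 1) == "*" { t = substr($0, 2); next }
                              /^-A / { print t, $0 }'
}

# Outgoing interface of the nat MASQUERADE rule for subnet $1 (empty if none).
masq_iface() {
  tag_tables | awk -v net="$1" '
    $1 == "nat" && /-j MASQUERADE/ && index($0, "-s " net) {
      for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }'
}

# Succeeds for a plain device name, fails for an IP alias such as "venet0:0".
# netfilter matches -o/-i against the real device name, so an alias never matches.
is_real_device() { case "$1" in *:*) return 1 ;; *) return 0 ;; esac; }

# Tables holding a FORWARD rule that mentions device $1. Only the filter table's
# FORWARD chain decides forwarding; ACCEPT in mangle FORWARD just ends that chain.
forward_tables() {
  tag_tables | awk -v dev="$1" '$3 == "FORWARD" && index($0, dev) { print $1 }' | sort -u
}

report() {
  ifc=$(masq_iface 10.8.0.0/24)
  [ -n "$ifc" ] || { echo "FAIL: no MASQUERADE rule for 10.8.0.0/24"; return; }
  is_real_device "$ifc" || echo "WARN: MASQUERADE uses alias $ifc; use ${ifc%%:*} instead"
  forward_tables tun0 | grep -qx filter || echo "WARN: tun0 FORWARD rules are not in the filter table"
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || echo "WARN: net.ipv4.ip_forward is not 1"
}
report
```

On the constructed sample the script warns about the alias interface and the mangle-table FORWARD rules; on a live host it also reads the sysctl, which needs no root to check.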