[Solved iptables] Cannot connect to internet - VPN connects

Samples of working configurations.

Moderators: TinCanTech

UF8FF
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2016 11:13 pm

[Solved iptables] Cannot connect to internet - VPN connects

Post by UF8FF » Thu Jan 07, 2016 7:34 pm

Greetings everyone,

I have been really trying to figure out a solution but I can't really find one apparently tailored to my exact situation. So my VPN connects just fine (running off of a raspberrypi) but once I am connected I can no longer connect to the internet and Tunnelblick (3.5.5) states
After connecting to client, the Internet does not appear to be reachable.

I removed my firewall just for testing purposes to see if that was the issue but I haven’t been able to connect still.
I found a few things from adding a cipher to setting the nameserver to topic14286.html and I have yet to find a solution so I am here to ask for some help. Maybe I'm missing something completely obvious, I don't know, but I'm hoping someone can point me in the right direction. Thank you!


Here's all the info I have. Please ask if anything else is needed.

server.conf

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert phungyou.crt
key phungyou.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Client

Code:

client
dev tun
proto udp
remote my_public_ip 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert Marylyn.crt
key Marylyn.key
ns-cert-type server
comp-lzo
verb 3
<cert>
iptables -t nat -L

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  c-My-public-ip.hsd1.ut.comcast.net  anywhere    
iptables -S

Code:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
sysctl -p

Code:

net.ipv4.ip_forward = 1
syslog

Code:

Jan  7 01:17:55 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:47663 [Marylyn] Inactivity timeout (--ping-restart), restarting
Jan  7 01:17:55 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:47663 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jan  7 01:18:31 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 TLS: Initial packet from [AF_INET]My.Public.Ip.Add:43408, sid=7ea1255e 26607b7f
Jan  7 01:18:31 phungyoubich rsyslogd-2007: action 'action 18' suspended, next retry is Thu Jan  7 01:19:31 2016 [try http://www.rsyslog.com/e/2007 ]
Jan  7 01:18:31 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 VERIFY OK: depth=1, C=US, ST=VT, L=NN, O=organi, OU=MyOrganizationalUnit, CN=organi CA, name=phungyou, emailAddress=email@mail.com
Jan  7 01:18:31 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 VERIFY OK: depth=0, C=US, ST=VT, L=NN, O=organi, OU=MyOrganizationalUnit, CN=Marylyn, name=phungyou, emailAddress=email@mail.com
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:43408 [Marylyn] Peer Connection Initiated with [AF_INET]My.Public.Ip.Add:43408
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 MULTI: Learn: 10.8.0.6 -> Marylyn/My.Public.Ip.Add:43408
Jan  7 01:18:32 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 MULTI: primary virtual IP for Marylyn/My.Public.Ip.Add:43408: 10.8.0.6
Jan  7 01:18:34 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 PUSH: Received control message: 'PUSH_REQUEST'
Jan  7 01:18:34 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 send_push_reply(): safe_cap=940
Jan  7 01:18:34 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:43408 SENT CONTROL [Marylyn]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Jan  7 01:35:24 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 TLS: Initial packet from [AF_INET]My.Public.Ip.Add:44381, sid=1137e709 e1ee093e
Jan  7 01:35:24 phungyoubich rsyslogd-2007: action 'action 18' suspended, next retry is Thu Jan  7 01:36:24 2016 [try http://www.rsyslog.com/e/2007 ]
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 VERIFY OK: depth=1, C=US, ST=VT, L=NN, O=organi, OU=MyOrganizationalUnit, CN=organi CA, name=phungyou, emailAddress=email@mail.com
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 VERIFY OK: depth=0, C=US, ST=VT, L=NN, O=organi, OU=MyOrganizationalUnit, CN=Marylyn, name=phungyou, emailAddress=email@mail.com
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: My.Public.Ip.Add:44381 [Marylyn] Peer Connection Initiated with [AF_INET]My.Public.Ip.Add:44381
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: MULTI: new connection by client 'Marylyn' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: MULTI: Learn: 10.8.0.6 -> Marylyn/My.Public.Ip.Add:44381
Jan  7 01:35:25 phungyoubich ovpn-server[1033]: MULTI: primary virtual IP for Marylyn/My.Public.Ip.Add:44381: 10.8.0.6
Jan  7 01:35:27 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:44381 PUSH: Received control message: 'PUSH_REQUEST'
Jan  7 01:35:27 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:44381 send_push_reply(): safe_cap=940
Jan  7 01:35:27 phungyoubich ovpn-server[1033]: Marylyn/My.Public.Ip.Add:44381 SENT CONTROL [Marylyn]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
VPN Log from Tunnelblick

Code:

2016-01-07 01:35:23 *Tunnelblick: OS X 10.11.2; Tunnelblick 3.5.5 (build 4270.4461)
2016-01-07 01:35:23 *Tunnelblick: Attempting connection with client; Set nameserver = 0; not monitoring connection
2016-01-07 01:35:23 *Tunnelblick: openvpnstart start client.tblk 1337 0 0 3 1 16688 -ptADGNWradsgnw 2.3.6
2016-01-07 01:35:24 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn
          --daemon
          --log
          /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sclient.tblk-SContents-SResources-Sconfig.ovpn.0_0_3_1_16688.1337.openvpn.log
          --cd
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources
          --config
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources/config.ovpn
          --cd
          /Library/Application Support/Tunnelblick/Shared/client.tblk/Contents/Resources
          --management
          127.0.0.1
          1337
          --management-query-passwords
          --management-hold
          --script-security
          2

2016-01-07 01:35:23 *Tunnelblick: openvpnstart starting OpenVPN
2016-01-07 01:35:24 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Dec  4 2015
2016-01-07 01:35:24 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.08
2016-01-07 01:35:24 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2016-01-07 01:35:24 Need hold release from management interface, waiting...
2016-01-07 01:35:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2016-01-07 01:35:24 MANAGEMENT: CMD 'pid'
2016-01-07 01:35:24 MANAGEMENT: CMD 'state on'
2016-01-07 01:35:24 MANAGEMENT: CMD 'state'
2016-01-07 01:35:24 MANAGEMENT: CMD 'bytecount 1'
2016-01-07 01:35:24 MANAGEMENT: CMD 'hold release'
2016-01-07 01:35:24 Socket Buffers: R=[196724->65536] S=[9216->65536]
2016-01-07 01:35:24 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2016-01-07 01:35:24 UDPv4 link local: [undef]
2016-01-07 01:35:24 UDPv4 link remote: [AF_INET]my.public.ip.add:1194
2016-01-07 01:35:24 MANAGEMENT: >STATE:1452155724,WAIT,,,
2016-01-07 01:35:24 MANAGEMENT: >STATE:1452155724,AUTH,,,
2016-01-07 01:35:24 TLS: Initial packet from [AF_INET]my.public.ip.add:1194, sid=64767328 ed77a04e
2016-01-07 01:35:24 *Tunnelblick: Established communication with OpenVPN
2016-01-07 01:35:25 VERIFY OK: depth=1, C=US, ST=VT, L=TST, O=Organi, OU=MyOrganizationalUnit, CN=Organi CA, name=phungyou, emailAddress=email@mail.com
2016-01-07 01:35:25 VERIFY OK: nsCertType=SERVER
2016-01-07 01:35:25 VERIFY OK: depth=0, C=US, ST=VT, L=TST, O=Organi, OU=MyOrganizationalUnit, CN=phungyou, name=phungyou, emailAddress=email@mail.com
2016-01-07 01:35:25 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-01-07 01:35:25 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-07 01:35:25 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-01-07 01:35:25 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-07 01:35:25 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2016-01-07 01:35:25 [phungyou] Peer Connection Initiated with [AF_INET]my.public.ip.add:1194
2016-01-07 01:35:26 MANAGEMENT: >STATE:1452155726,GET_CONFIG,,,
2016-01-07 01:35:27 SENT CONTROL [phungyou]: 'PUSH_REQUEST' (status=1)
2016-01-07 01:35:27 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
2016-01-07 01:35:27 OPTIONS IMPORT: timers and/or timeouts modified
2016-01-07 01:35:27 OPTIONS IMPORT: --ifconfig/up options modified
2016-01-07 01:35:27 OPTIONS IMPORT: route options modified
2016-01-07 01:35:27 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-01-07 01:35:27 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2016-01-07 01:35:27 Opened utun device utun1
2016-01-07 01:35:27 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-01-07 01:35:27 MANAGEMENT: >STATE:1452155727,ASSIGN_IP,,10.8.0.6,
2016-01-07 01:35:27 /sbin/ifconfig utun1 delete
                                        ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2016-01-07 01:35:27 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2016-01-07 01:35:27 /sbin/ifconfig utun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2016-01-07 01:35:27 /sbin/route add -net my.public.ip.add 192.168.1.1 255.255.255.255
                                        route: writing to routing socket: File exists
                                        add net my.public.ip.add: gateway 192.168.1.1: File exists
2016-01-07 01:35:27 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.5
2016-01-07 01:35:27 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.5
2016-01-07 01:35:27 MANAGEMENT: >STATE:1452155727,ADD_ROUTES,,,
2016-01-07 01:35:27 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.5
2016-01-07 01:35:27 GID set to nogroup
2016-01-07 01:35:27 UID set to nobody
2016-01-07 01:35:27 Initialization Sequence Completed
2016-01-07 01:35:27 MANAGEMENT: >STATE:1452155727,CONNECTED,SUCCESS,10.8.0.6,my.public.ip.add
2016-01-07 01:35:28 *Tunnelblick: No 'connected.sh' script to execute
2016-01-07 01:36:08 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2016-01-07 01:36:43 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Cannot connect to internet - VPN connects

Post by Traffic » Thu Jan 07, 2016 10:10 pm

UF8FF wrote:Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- c-My-public-ip.hsd1.ut.comcast.net anywhere
This does not look right .. what command did you use to set up NAT?

UF8FF
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2016 11:13 pm

Re: Cannot connect to internet - VPN connects

Post by UF8FF » Fri Jan 08, 2016 1:23 am

Code:

iptables -t nat -A POSTROUTING -s XXX.XXX.XXX.XXX -o eth0 -j MASQUERADE

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Cannot connect to internet - VPN connects

Post by Traffic » Sun Jan 10, 2016 12:57 am

Those XXX's could be your problem :mrgreen:

UF8FF
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2016 11:13 pm

Re: Cannot connect to internet - VPN connects

Post by UF8FF » Sun Jan 10, 2016 6:51 am

Traffic wrote:Those XXX's could be your problem :mrgreen:
I wish it were that easy! haha, I used my public IP there. One thing I did notice was in my server.conf I had server 10.8.0.0... so I changed it to phungyou 10.8.0.0 and that seemed to fix it!

Worked great for a bit, and then I tried to connect via my hotspot on my phone and it says "TLS failed" and after doing route flush I cannot connect anymore at all and get TLS failures. whoops.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Cannot connect to internet - VPN connects

Post by Traffic » Sun Jan 10, 2016 12:47 pm

UF8FF wrote: wish it were that easy! haha, I used my public IP there
That was what i thought :geek:

The correct iptables command would be:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
You might like to review this:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

UF8FF
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2016 11:13 pm

Re: Cannot connect to internet - VPN connects

Post by UF8FF » Mon Jan 11, 2016 6:25 am

Traffic wrote:
UF8FF wrote: wish it were that easy! haha, I used my public IP there
That was what i thought :geek:

The correct iptables command would be:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
You might like to review this:
HOWTO: Routing all client traffic (including web-traffic) through the VPN
I knew I did something dumb! You have been a great help so far. I was able to connect on my local network but unable to connect over WAN and I'm sure my NAT is why. I've purged everything and I'm starting fresh again and will use the above command for NAT this time around. I'll report back if that fixes my original issue or not so we can mark this as solved!

UF8FF
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 06, 2016 11:13 pm

Re: Cannot connect to internet - VPN connects

Post by UF8FF » Mon Jan 11, 2016 7:06 am

It's working! Solved! Thank you, traffic.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Cannot connect to internet - VPN connects

Post by Traffic » Mon Jan 11, 2016 1:45 pm

You are welcome .. thanks for letting us know 8-)

Note For OpenVPN running on OpenVZ Container:
  • Because of OpenVZ, masquerade does not work; use this instead:

Code:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source Real.Server.public.ip.address

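As an added example (not code from this thread, from OpenVPN or from Tunnelblick), the following Python script performs the check Traffic did by eye above: it reads the VPN subnet from the `server` directive of server.conf, parses `iptables -t nat -S` and `iptables -S` output, and reports when the POSTROUTING NAT rule's `-s` does not cover the VPN subnet (the mistake in the thread, where the public IP was used instead of 10.8.0.0/24), when no NAT rule exists at all, when `net.ipv4.ip_forward` is off, and when rules were appended more than once (the triple `RELATED,ESTABLISHED` lines in the posted dump). It accepts both the `MASQUERADE` rule from Traffic's answer and the `SNAT --to-source` variant from the OpenVZ note. The server.conf fragment, rule dumps and the address 203.0.113.10 (standing in for the server's public IP) are constructed sample inputs; run it against real output with `iptables -t nat -S`, `iptables -S` and `sysctl -n net.ipv4.ip_forward`.

```python
"""Sanity-check the NAT/forwarding setup behind an OpenVPN redirect-gateway server.

Added example: parses the `server` directive, `iptables -t nat -S`, `iptables -S`
and the ip_forward sysctl value, and returns human-readable findings.
"""
import ipaddress
import shlex

# --- constructed sample inputs, modelled on what was posted in the thread ---
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""

# The poster's original rule: -s was the server's public IP, not the VPN subnet.
NAT_RULES_BAD = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 203.0.113.10/32 -o eth0 -j MASQUERADE
"""

# The corrected rule from the thread.
NAT_RULES_GOOD = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
"""

# The OpenVZ variant: SNAT with an explicit public source address.
NAT_RULES_SNAT = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
"""

# Filter table with a rule appended twice, as in the posted `iptables -S`.
FILTER_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
"""


def vpn_subnet(server_conf):
    """Return the VPN subnet declared by `server <network> <netmask>`."""
    for line in server_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    raise ValueError("no 'server' directive found in server.conf")


def _rule_source(tokens):
    """Return the -s/--source network of one `iptables -S` rule, or None if absent."""
    for i, tok in enumerate(tokens):
        if tok in ("-s", "--source") and i + 1 < len(tokens):
            return ipaddress.ip_network(tokens[i + 1], strict=False)
    return None


def check_nat(server_conf, nat_rules):
    """Findings about POSTROUTING NAT for the VPN subnet; an empty list means it looks right."""
    subnet = vpn_subnet(server_conf)
    findings, covering = [], []
    for line in nat_rules.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "POSTROUTING"] or "-j" not in tokens:
            continue
        j = tokens.index("-j")
        if j + 1 >= len(tokens) or tokens[j + 1] not in ("MASQUERADE", "SNAT"):
            continue
        target, src = tokens[j + 1], _rule_source(tokens)
        if src is None:  # NATs everything that is forwarded; works, but broader than needed
            findings.append(f"{target} rule has no -s; it will NAT all forwarded traffic, not just {subnet}")
            covering.append(line)
        elif src.supernet_of(subnet):
            covering.append(line)
        else:
            findings.append(f"{target} rule matches -s {src}, which does not cover the VPN subnet {subnet}")
    if not covering:
        findings.append(f"no MASQUERADE/SNAT rule in POSTROUTING covers {subnet}; expected: "
                        f"iptables -t nat -A POSTROUTING -s {subnet} -o eth0 -j MASQUERADE")
    return findings


def check_forwarding(filter_rules, ip_forward):
    """Findings about kernel forwarding and the filter table (duplicates, blocked tun+)."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1; the server will not forward client traffic")
    lines = [l for l in filter_rules.splitlines() if l.startswith("-A ")]
    seen = set()
    for line in lines:
        if line in seen:
            findings.append(f"duplicate rule: {line}")
        seen.add(line)
    forward_drop = any(l.strip() == "-P FORWARD DROP" for l in filter_rules.splitlines())
    tun_accept = any(l.startswith("-A FORWARD") and "-i tun" in l and "-j ACCEPT" in l for l in lines)
    if forward_drop and not tun_accept:
        findings.append("FORWARD policy is DROP and no rule accepts traffic arriving on tun+")
    return findings


if __name__ == "__main__":
    for name, rules in (("bad", NAT_RULES_BAD), ("good", NAT_RULES_GOOD), ("snat", NAT_RULES_SNAT)):
        print(name, "->", check_nat(SERVER_CONF, rules) or "OK")
    print("filter ->", check_forwarding(FILTER_RULES, "1") or "OK")
```

To use it on a live server, replace the constructed strings with the real command output (for example `subprocess.run(["iptables", "-t", "nat", "-S"], capture_output=True, text=True).stdout`); the checker only reads rule dumps and never modifies the firewall.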