I have set up an OpenVPN server in my home LAN on an Ubuntu VM. OpenVPN version is "2.4.7-1ubuntu2", Ubuntu version is "20.04.2 LTS".
My router's (Unifi USG) WAN is connected to a fiber provider ("Deutsche Glasfaser") where only the IPv6 is directly accessible (there is a public IPv4, but this is from a carrier grade NAT range not reachable from the internet) and OpenVPN is set up with IPv6 support. So I opened port 1194 for UDP in the router's firewall to the public IPv6 address of my OpenVPN server and registered the IPv6 address with a DynDNS provider.
OpenVPN client (iPhone not connected to LAN but to 4G with IPv6 address) connects immediately and some things work as expected:
- I can ping all the servers on my internal network from the iPhone using their IPv4 addresses
- I can SSH into the hosts where SSH is available
- I can also ping the IP of the connected iOS client from my servers
- I cannot open a web site hosted on one of my local servers
- I cannot RDP into one of my Windows servers (telnet to port 3389 on the same server works, so I can reach the server/port, just no response)
- And what is really strange: I have an iPerf3 server running on one of my VMs which I use for intranet performance measurements. The OpenVPN client can upload to the iPerf3 server with no problems with the expected line speed but cannot download (no error, just a rate of 0 bytes). And I can ping the iOS client from the server running iPerf3
This is my OpenVPN server.conf file:
keepalive 10 120
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
#push "route 192.168.0.0 255.255.255.0"
Also had a 'push "route 192.168.0.0 255.255.255.0"' originally in the conf - makes no difference, all above still working / not working as before.
IP forwarding is enabled on the server running OpenVPN and routing between tun0 / eth0 is enabled:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
I have also checked my LAN firewall rules to see if anything was logged as blocked for 10.8.0.* - all fine.
Any suggestions / ideas?
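As an added example (not part of the original post), the following Python script cross-checks the three pieces the post lists: the `server` directive in server.conf, the `MASQUERADE` rule, and the `net.ipv4.ip_forward` sysctl. It parses the posted config and NAT rule, converts the dotted netmask to a prefix, and reports any mismatch between the VPN pool and the NAT source range, or a forwarding sysctl that is not 1. The `SYSCTL_OUTPUT` string is a constructed stand-in for what `sysctl net.ipv4.ip_forward` prints; the function names are my own.

```python
import ipaddress
import re
import shlex

# Inputs copied from the post above (server.conf excerpt and the NAT rule).
SERVER_CONF = """\
keepalive 10 120
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
#push "route 192.168.0.0 255.255.255.0"
"""

NAT_RULE = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"

# Constructed stand-in for the output of `sysctl net.ipv4.ip_forward`.
SYSCTL_OUTPUT = "net.ipv4.ip_forward = 1"


def parse_server_conf(text):
    """Return (pool_network, push_directives) from OpenVPN server.conf text.

    '#' comments are dropped by shlex, so the commented-out route push is
    ignored; the 'server <net> <mask>' pair becomes an IPv4Network.
    """
    pool = None
    pushes = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "server" and len(parts) == 3:
            # ipaddress accepts a dotted netmask after the slash.
            pool = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=True)
        elif parts[0] == "push" and len(parts) == 2:
            pushes.append(parts[1])
    return pool, pushes


def parse_nat_rule(rule):
    """Extract table, chain, source, out-interface and target from an iptables command."""
    parts = shlex.split(rule)

    def opt(flag):
        return parts[parts.index(flag) + 1] if flag in parts else None

    src = opt("-s")
    return {
        "table": opt("-t"),
        "chain": opt("-A"),
        "source": ipaddress.IPv4Network(src) if src else None,
        "out_if": opt("-o"),
        "target": opt("-j"),
    }


def check_forwarding_setup(conf_text, nat_rule, sysctl_output):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    pool, pushes = parse_server_conf(conf_text)
    nat = parse_nat_rule(nat_rule)

    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    if not m or m.group(1) != "1":
        findings.append("net.ipv4.ip_forward is not 1: LAN replies cannot be routed back into tun0")

    if pool is None:
        findings.append("no 'server' directive found: VPN pool unknown")
    elif nat["source"] != pool:
        findings.append(f"NAT source {nat['source']} does not match VPN pool {pool}")

    if (nat["table"], nat["chain"], nat["target"]) != ("nat", "POSTROUTING", "MASQUERADE"):
        findings.append("MASQUERADE rule must live in the nat table's POSTROUTING chain")

    # 'redirect-gateway def1' pushes 0.0.0.0/1 and 128.0.0.0/1, which already
    # cover the LAN, so an explicit LAN route push would be redundant.
    if "redirect-gateway def1" in pushes and any(p.startswith("route ") for p in pushes):
        findings.append("explicit 'route' push is redundant with redirect-gateway def1")

    return findings


if __name__ == "__main__":
    for finding in check_forwarding_setup(SERVER_CONF, NAT_RULE, SYSCTL_OUTPUT) or ["config pieces agree"]:
        print(finding)
```

Replace the three constants with the real files and the real `sysctl` output to run it against a live server; everything it checks is static configuration, so it needs no root and changes nothing.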