Issue with NATing traffic over public interface
Posted: Wed Dec 24, 2014 8:32 pm
Hello all,
I'm running OpenVPN 2.3.2 on Ubuntu. I'm having an issue when trying to force all traffic to be NATed over the server for connected clients. When a client connects, the client is unable to access the internet or ping anything besides the server. Possibly an issue with my iptables? Please let me know what other information I should provide.
Server config:
port 1194
proto udp
dev tun
ca ca.crt
cert myhostname.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
My ifconfig output:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:536 (536.0 B) TX bytes:536 (536.0 B)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:731 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:50294 (50.2 KB) TX bytes:288 (288.0 B)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: 2a04:ad80::70ce:67d9/128 Scope:Global
inet6 addr: 2a04:ad80::bc79:ef29/128 Scope:Global
inet6 addr: 2a04:ad80::1a35:c0bf/128 Scope:Global
inet6 addr: 2a04:ad80::db9:d432/128 Scope:Global
inet6 addr: 2a04:ad80::4e34:95b2/128 Scope:Global
inet6 addr: 2a04:ad80::f1e1:69f9/128 Scope:Global
inet6 addr: 2a04:ad80::4f8d:f42e/128 Scope:Global
inet6 addr: 2a04:ad80::78cf:d4f7/128 Scope:Global
inet6 addr: 2a04:ad80::5e97:2edb/128 Scope:Global
inet6 addr: 2a04:ad80::57c8:763b/128 Scope:Global
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:900587 errors:0 dropped:0 overruns:0 frame:0
TX packets:1003154 errors:0 dropped:18530 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:116834285 (116.8 MB) TX bytes:184228022 (184.2 MB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:x.x.x.x P-t-P:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Current iptables:
*nat
:PREROUTING ACCEPT [113:6983]
:POSTROUTING ACCEPT [85:5677]
:OUTPUT ACCEPT [6:376]
-A POSTROUTING -o vnet0:0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [189387:22609148]
-A INPUT -i lo -j ACCEPT
-A INPUT -f -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 1194 -j ACCEPT
:FORWARD ACCEPT [1018:66893]
:OUTPUT ACCEPT [86:4860]
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [838358:104378039]
:INPUT ACCEPT [837339:104311094]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i venet0:0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [956907:175496868]
:POSTROUTING ACCEPT [957925:175563761]
COMMIT
*raw
:PREROUTING ACCEPT [838358:104378039]
:OUTPUT ACCEPT [956907:175496868]
COMMIT
Thanks
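An added example for readers of this thread, not part of the original post and not OpenVPN's own tooling: a small POSIX shell linter that applies the checks a defender runs over an iptables-save ruleset before a "redirect-gateway" VPN can route client traffic out of the box. It assumes (my assumptions, not stated in the post) that the kernel interface carrying the public address is venet0, that venet0:0 is only ifconfig's label for an IP alias on it (iptables -i/-o matches see the kernel name only, so a rule written against an alias label never matches a packet), and that the VPN subnet is the 10.8.0.0/24 from the posted server config. The two rulesets are constructed from the posted rules with the packet counters zeroed; the functions lint_nat_rules and count_findings are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a text-only linter for an
# iptables-save style ruleset that checks the pieces an OpenVPN
# "redirect-gateway" setup needs before clients can reach anything beyond
# the server. It never calls iptables, so it runs unprivileged and offline.
#
# Assumptions (mine, not stated in the post): the kernel interface carrying
# the public address is "venet0"; "venet0:0" is only ifconfig's label for an
# IP alias on it, and iptables interface matches (-i/-o) only ever see the
# kernel name, so a rule written against "venet0:0" matches no packet.

# Constructed sample: the nat, filter and mangle tables as posted above,
# with the packet counters zeroed.
POSTED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o vnet0:0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW --dport 1194 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A FORWARD -i tun0 -o venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: the same intent with the kernel interface name, the
# forwarding rules in the filter table (the only table whose FORWARD chain
# filters), and a default-deny FORWARD policy so only VPN clients are routed.
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o venet0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# lint_nat_rules RULESET EGRESS_IF VPN_SUBNET IP_FORWARD
# Prints one finding per line; prints nothing when the ruleset looks complete.
lint_nat_rules() {
    printf '%s\n' "$1" | awk -v egress="$2" -v subnet="$3" -v ipf="$4" '
    /^\*/ { table = substr($0, 2); next }                 # *nat, *filter, ...
    /^:FORWARD / { if (table == "filter") fwd_policy = $2; next }
    /^-A / {
        chain = $2; oif = ""; src = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-o") oif = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (table == "nat" && chain == "POSTROUTING" && target == "MASQUERADE") {
            if (index(oif, ":") > 0)
                print "nat: -o " oif " is an IP alias label, not a kernel interface; the rule never matches"
            else if (oif == egress && (src == "" || src == subnet))
                have_masq = 1
        }
        if (chain == "FORWARD") {
            if (table != "filter")
                print table ": FORWARD rule here does not filter; only the filter table decides what is forwarded"
            else if (index(oif, ":") > 0)
                print "filter: FORWARD -o " oif " is an IP alias label; the rule never matches"
            else if (target == "ACCEPT")
                have_fwd = 1
        }
    }
    END {
        if (!have_masq) print "nat: no MASQUERADE rule for " subnet " leaving via " egress
        if (!have_fwd && fwd_policy != "ACCEPT") print "filter: FORWARD policy is " fwd_policy " and no rule accepts tun0 traffic"
        if (ipf != "1") print "sysctl: net.ipv4.ip_forward is \"" ipf "\", routing between tun0 and " egress " needs 1"
    }'
}

# count_findings takes the same arguments and prints the number of findings.
count_findings() {
    lint_nat_rules "$@" | awk 'END { print NR }'
}

# Use the live forwarding flag when run on a Linux box, otherwise assume it is off.
IP_FORWARD=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)

echo "== posted ruleset =="
lint_nat_rules "$POSTED_RULES" venet0 10.8.0.0/24 "$IP_FORWARD"
echo "== corrected ruleset =="
lint_nat_rules "$FIXED_RULES" venet0 10.8.0.0/24 "$IP_FORWARD"
```

Run as-is it lints both constructed rulesets against the host's actual ip_forward flag; on the posted ruleset it reports the two alias-named MASQUERADE rules, the FORWARD rule sitting in the mangle table, and the resulting absence of any working MASQUERADE rule for 10.8.0.0/24. The corrected ruleset deliberately uses a DROP policy on FORWARD with explicit accepts, so the server only routes for the VPN subnet rather than for anything that reaches tun0.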