I am pretty new to OpenVPN, so forgive me if I ask stupid questions.
I set up an OpenVPN server on a VPS running Debian 8. Here is the server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 local bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 9
I am connecting to the VPN from macOS with Tunnelblick; here is the client.ovpn:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=New York City, O=OVH, OU=Community, CN=OVH CA/name=server/emailAddress=xxx@gmail.com
Validity
Not Before: Dec 27 17:31:52 2019 GMT
Not After : Dec 24 17:31:52 2029 GMT
Subject: C=US, ST=NY, L=New York City, O=OVH, OU=Community, CN=client1/name=server/emailAddress=xxx@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a0:d5:51:af:44:cb:b7:bd:0d:9b:2d:07:5a:03:
1e:20:50:fb:64:4e:2a:80:ba:ff:1c:d3
c5:08:2c:8e:64:54:e4:4f:0f:8e:5c:a5:02:95:52:
00:6e:a2:9b:f5:fe:0e:fc:37:14:60:b0:f3:df:ca:
ad:6a:65
ee:5f:80:d6:74:e7:fd:e2:b4:07:13:88:59:f7:5d:
8c:1f:b2:32:c8:fc:a0:da:70:2a:05:0e:ec:10:06:
49:63:59:cc:52:8f:f4:1c:35:9b:fb:43:91:92:45:
5b:45:cf:af:6f:67:b4:52:63:d6:80:b0:9e:a6:7a:
55:96:18:85:bc:05:59:be:7d:3c:a6:61:34:a6:49:
ad:14:17:a1:8d:b9:ee:33:f6:28:67:43:34:fa:54:
aa:5f:d8:52:10:82:68:a0:8e:91:2e:69:e0:ba:eb:
4f:ef:8a:38:78:9a:34:78:7b:0c:1c:43:eb:77:af:
83:b4
29:4a:6c:6d:2d:b8:36:d5:2d:f3:3a:27:a9:b5:35:
f7:2c:88:7d:ba:14:fe:b8:5e:61:2b:44:e4:8b:93:
7e:bd:ef:b5:14:16:bb:b2:6f:f7:d6:03:59:bb:2f:
3e:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
35:C0:21:36:7E:E3:56:EF:55:C3:E9:A6:2B:DE:90:96:3A:F9:F9:C1
X509v3 Authority Key Identifier:
keyid:4F:1F:19:98:CC:21:97:29:F7:F0:97:D1:18:09:06:D6:46:4E:F6:E7
DirName:/C=US/ST=NY/L=New York City/O=OVH/OU=Community/CN=OVH CA/name=server/emailAddress=xxx@gmail.com
serial:08:44:D5:C6:1B:30:5D:6A:82:C2:B0:CF:F4:95:A8:C9:C4:E1:52:0A
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client1
Signature Algorithm: sha256WithRSAEncryption
21:c2:56:71:ca:9f:74:33:e5:8d:d2:a9:85:1d:a1:71:13:ef:
fe:5b:73:a4:17:c4:1d:17:89:e2:5e:8c:73:6d:69:5c:52:bb:
a3:3a:e7:81:4a:be:0e:ca:d1:c5:6b:88:f7:29:58:f3:4b:47:
16:e0:5b:e9:09:c1:a2:e2:5d:bc:22:ad:ed:0d:68:8d:66:71:
9b:bc:19:95:0c:37:b8:08:94:57:b5:23:7e:61:bd:2c:63:bf:
31:0c:af:4a:b4:c0:1f:8d:df:ea:6c:9c:43:79:64:7e:c8:d7:
da:03:c1:46:4b:7f:a0:3c:06:0b:26:f8:61:10:57:5b:4e:36:
92:f0:1c:a2:13:c6:07:f4:8a:10:34:63:8b:3e:87:13:97:73:
f2:d2:47:97:ee:13:aa:11:a9:2a:5a:e9:1d:03:c5:3a:f8:af:
4e:fd:63:89:85:20:52:14:0c:67:98:77:6a:46:4f:bd:b0:f0:
d4:9f:c8:9e:10:e9:7f:c4:79:ed:ac:3f:06:78:64:a9:6e:2b:
eb:bb:9b:6f:97:12:76:c9:02:e9:6c:2f:ee:85:5b:56:36:f1:
1b:27:bf:6f:17:5f:f1:cf:02:c6:28:8c:c6:92:6d:2e:dd:9f:
33:b4:92:28:b1:19:ba:92:27:4f:3e:8f:41:ac:3e:e4:7c:75:
07:d4:30:42
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PRIVATE KEY STRING
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
OPENVPN STATIC KEY
-----END OpenVPN Static key V1-----
</tls-auth>
I also modified /etc/default/ufw:

DEFAULT_FORWARD_POLICY="ACCEPT"

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

sysctl -w net.ipv4.ip_forward=1
However, although client and server are in the same network, I cannot use the internet on the client.
Where is the mistake? Thank you in advance.
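A quick way to check configs like the ones above for the directives that most often cause, or weaken, a "send all client traffic through the VPS" setup. This is an added example for the thread, not the poster's code and not part of OpenVPN or Tunnelblick; the two inline configs are abbreviated copies of the server.conf and client.ovpn from the post, and the lint rules (which directives to flag and the severities) are my own choices. The first thing it flags is the `local` flag on the pushed `redirect-gateway`, which is only meant for a client and server on the same LAN segment.

```python
"""Lint an OpenVPN server.conf / client.ovpn for directives that commonly
break or weaken a 'route all client traffic through the VPS' setup.

Added example for this thread (not the poster's code, not part of OpenVPN).
The two configs below are abbreviated copies of the ones in the post,
embedded inline so the script runs offline.
"""
import shlex

SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 local bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
verb 9
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</ca>
"""


def parse(conf):
    """Return [(directive, [args])], skipping comments, blank lines and the
    inline <ca>/<cert>/<key>/<tls-auth> blocks (their content is not config)."""
    entries, in_block = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line, comments=True)  # keeps quoted push args whole, drops '# ...'
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint(conf, role):
    """Return [(severity, directive, message)] for role 'server' or 'client'.
    Pushed directives are checked as if they were in the client config."""
    findings = []
    for directive, args in parse(conf):
        if directive == "push" and args and args[0].split():
            name, *opts = args[0].split()
        else:
            name, opts = directive, args
        if name == "redirect-gateway" and "local" in opts:
            findings.append(("error", name,
                "'local' tells the client not to add a host route to the VPN "
                "server via its original gateway; with def1 the server's own "
                "address is then routed into the tunnel and the session stalls. "
                "Use 'local' only when client and server share a LAN, never "
                "for a VPS reached across the internet."))
        if name == "comp-lzo" or (name == "compress" and opts):
            findings.append(("warn", name,
                "compression of tunnelled traffic enables VORACLE-style "
                "plaintext recovery against HTTP inside the VPN; OpenVPN 2.4 "
                "deprecated comp-lzo. Remove it on both sides."))
        if name == "verb" and opts and opts[0].isdigit() and int(opts[0]) >= 5:
            findings.append(("note", name,
                "verb %s logs per-packet detail; use 3 or 4 once debugging is "
                "done." % opts[0]))
        if role == "client" and name == "ns-cert-type":
            findings.append(("warn", name,
                "deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls "
                "server', which checks the server cert's key usage and "
                "serverAuth EKU instead of the old nsCertType extension."))
    return findings


def fix_redirect_gateway(line):
    """Rewrite a redirect-gateway line (pushed or not) without the 'local' flag."""
    parts = shlex.split(line, comments=True)
    if len(parts) == 2 and parts[0] == "push":
        flags = [f for f in parts[1].split() if f != "local"]
        return 'push "%s"' % " ".join(flags)
    if parts and parts[0] == "redirect-gateway":
        return " ".join(p for p in parts if p != "local")
    return line


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_OVPN)):
        for severity, name, message in lint(conf, role):
            print("[%s] %s: %s: %s" % (role, severity, name, message))
    print(fix_redirect_gateway('push "redirect-gateway def1 local bypass-dhcp"'))
```

Run it with `python3 lint_ovpn.py` (file name assumed). Once the config is clean, the remaining checks are on the VPS itself: `sysctl net.ipv4.ip_forward` must read 1 and the setting belongs in /etc/sysctl.conf, because `sysctl -w` alone does not survive a reboot; `ip route show default` confirms whether the outbound interface really is eth0 before trusting the `-o eth0` MASQUERADE rule; `iptables -t nat -S POSTROUTING` shows whether the rule is actually loaded; and if ufw is the thing loading it, the `*nat` block has to sit at the top of /etc/ufw/before.rules above the `*filter` section, with ufw reloaded (`ufw disable && ufw enable`) and UDP 1194 allowed so the handshake itself gets through.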