OpenVPN Server on Debian - No Internet

xan
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 15, 2020 7:08 pm

OpenVPN Server on Debian - No Internet

Post by xan » Wed Jan 15, 2020 7:52 pm

Hi all,
I am pretty new to OpenVPN, so forgive me if I ask stupid questions.

I set up an OpenVPN server on a VPS running Debian 8. Here is the server.conf:
server.conf
#Comment
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 local bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 9


I am connecting to the VPN from a Mac with Tunnelblick; here is the client.ovpn:
client.ovpn
#Comment
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=New York City, O=OVH, OU=Community, CN=OVH CA/name=server/emailAddress=xxx@gmail.com
Validity
Not Before: Dec 27 17:31:52 2019 GMT
Not After : Dec 24 17:31:52 2029 GMT
Subject: C=US, ST=NY, L=New York City, O=OVH, OU=Community, CN=client1/name=server/emailAddress=xxx@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
35:C0:21:36:7E:E3:56:EF:55:C3:E9:A6:2B:DE:90:96:3A:F9:F9:C1
X509v3 Authority Key Identifier:
keyid:4F:1F:19:98:CC:21:97:29:F7:F0:97:D1:18:09:06:D6:46:4E:F6:E7
DirName:/C=US/ST=NY/L=New York City/O=OVH/OU=Community/CN=OVH CA/name=server/emailAddress=xxx@gmail.com
serial:08:44:D5:C6:1B:30:5D:6A:82:C2:B0:CF:F4:95:A8:C9:C4:E1:52:0A

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:client1
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
CERTIFICATE STRING
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PRIVATE KEY STRING
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
OPENVPN STATIC KEY
-----END OpenVPN Static key V1-----
</tls-auth>


I also modified /etc/default/ufw:

Code:

DEFAULT_FORWARD_POLICY="ACCEPT"
and /etc/ufw/before.rules:

Code:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Finally I have added a rule for NAT:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
And I have enabled ipv4 forward:

Code:

sysctl -w net.ipv4.ip_forward=1
So on the server I create a network, 10.8.0.0/24, and the client can correctly ping 10.8.0.1.
However, although client and server are on the same network, I cannot use the internet on the client.

Where is the mistake? Thank you in advance.
Last edited by xan on Wed Jan 15, 2020 8:45 pm, edited 3 times in total.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on Debian - No Internet

Post by TinCanTech » Wed Jan 15, 2020 7:56 pm

On your server:

Code:

$ ip link
Post output.

xan
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 15, 2020 7:08 pm

Re: OpenVPN Server on Debian - No Internet

Post by xan » Wed Jan 15, 2020 7:58 pm

Sure, here is the output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether fa:16:3e:72:39:4c brd ff:ff:ff:ff:ff:ff
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
link/none

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on Debian - No Internet

Post by TinCanTech » Wed Jan 15, 2020 8:57 pm

xan wrote:
Wed Jan 15, 2020 7:52 pm
I set up an OpenVPN server on a VPS running Debian 8
You probably need a different iptables rule.

Replace:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
with:

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source server.real.external.IP

xan
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 15, 2020 7:08 pm

Re: OpenVPN Server on Debian - No Internet

Post by xan » Thu Jan 16, 2020 11:19 am

Hi, I changed the iptables rule, but the client still has no internet.
Here is the POSTROUTING section of iptables -t nat --list --line-number.

Code:

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    POSTROUTING_direct  all  --  anywhere             anywhere            
2    POSTROUTING_ZONES_SOURCE  all  --  anywhere             anywhere            
3    POSTROUTING_ZONES  all  --  anywhere             anywhere            
4    SNAT       all  --  10.8.0.0/24          anywhere             to:xxx.xxx.xxx.xxx

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server on Debian - No Internet

Post by TinCanTech » Thu Jan 16, 2020 1:39 pm

Please post the output of: iptables-save (Edit for privacy)

xan
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 15, 2020 7:08 pm

Re: OpenVPN Server on Debian - No Internet

Post by xan » Thu Jan 16, 2020 1:57 pm

Sure, here it is:

Code:

# Generated by iptables-save v1.4.21 on Thu Jan 16 14:52:27 2020
*nat
:PREROUTING ACCEPT [3309:153005]
:INPUT ACCEPT [2951:135922]
:OUTPUT ACCEPT [5240:356342]
:POSTROUTING ACCEPT [5240:356342]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 16 14:52:27 2020
# Generated by iptables-save v1.4.21 on Thu Jan 16 14:52:27 2020
*mangle
:PREROUTING ACCEPT [108257:13290451]
:INPUT ACCEPT [108249:13289788]
:FORWARD ACCEPT [8:663]
:OUTPUT ACCEPT [97059:18828669]
:POSTROUTING ACCEPT [97059:18828669]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 16 14:52:27 2020
# Generated by iptables-save v1.4.21 on Thu Jan 16 14:52:27 2020
*security
:INPUT ACCEPT [107265:13223830]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [97063:18828909]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 16 14:52:27 2020
# Generated by iptables-save v1.4.21 on Thu Jan 16 14:52:27 2020
*raw
:PREROUTING ACCEPT [108264:13290855]
:OUTPUT ACCEPT [97064:18828997]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 16 14:52:27 2020
# Generated by iptables-save v1.4.21 on Thu Jan 16 14:52:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90663:18051639]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.8.0.0/24 -p udp -m udp --dport 1194 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 995 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 3128 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Jan 16 14:52:27 2020
Thank you for your help.
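
In the filter table above, the FORWARD chain's unconditional `-j REJECT --reject-with icmp-host-prohibited` comes before `-A FORWARD -s 10.8.0.0/24 -j ACCEPT`, and iptables evaluates rules in order, so for VPN clients only ICMP and RELATED,ESTABLISHED reply traffic is ever forwarded. The checker below is added here and is not from the thread: it parses iptables-save text and reports ACCEPT rules shadowed by an earlier blanket DROP/REJECT; the embedded ruleset is a constructed sample that mirrors the posted FORWARD chain.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the FORWARD chain posted above (not the full dump).
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
:FORWARD_direct - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
"""


def parse_chains(text: str, table: str = "filter") -> Dict[str, List[str]]:
    """Collect the '-A <chain> ...' rules of one table, in evaluation order."""
    chains: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()          # table header, e.g. *filter
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A "):
            chain, _, rule = line[3:].partition(" ")
            chains.setdefault(chain, []).append(rule)
    return chains


def is_unconditional(rule: str) -> bool:
    """True for a terminal DROP/REJECT with no match (-s/-d/-p/-i/-o/-m)."""
    target = re.search(r"-j (\S+)", rule)
    has_match = re.search(r"(^|\s)-[sdpiom]\s", rule) is not None
    return bool(target) and target.group(1) in ("DROP", "REJECT") and not has_match


def shadowed_accepts(text: str, chain: str = "FORWARD") -> List[Tuple[int, str]]:
    """(1-based rule number, rule) for ACCEPT rules placed after a blanket DROP/REJECT."""
    rules = parse_chains(text).get(chain, [])
    blocker = next((i for i, r in enumerate(rules) if is_unconditional(r)), None)
    if blocker is None:
        return []
    return [(i + 1, r) for i, r in enumerate(rules) if i > blocker and "-j ACCEPT" in r]


if __name__ == "__main__":
    for num, rule in shadowed_accepts(SAMPLE_RULES):
        print(f"FORWARD rule {num} never matches: {rule}")
```

Run it against a real `iptables-save` dump by reading the file into `shadowed_accepts`; an empty result means no ACCEPT is shadowed, and the fix for a shadowed rule is to insert it ahead of the REJECT (`iptables -I FORWARD ...`) rather than append it.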

xan
OpenVpn Newbie
Posts: 5
Joined: Wed Jan 15, 2020 7:08 pm

Re: OpenVPN Server on Debian - No Internet

Post by xan » Sat Jan 25, 2020 7:59 am

@TinCanTech do you think that there is something incorrect in my iptables-save?

Thank you
