server client tun routing - no internet access - no routing

pw44
OpenVpn Newbie
Posts: 7
Joined: Wed May 20, 2020 5:54 pm

server client tun routing - no internet access - no routing

Post by pw44 » Wed May 20, 2020 6:26 pm

Hi,

I have the following configuration:
- Ubuntu 18.04 server
- iOS iPhone client

Connection works, but routing doesn't. When connected, the iOS client is unable to access the server and the internet (tunneled).

Maybe I overlooked something, and that's why I ask for kind help.

Server config

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
tls-crypt /etc/openvpn/server/tc.key
topology subnet
server 10.10.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.10.30.4 255.255.255.0 10.10.30.50 10.10.30.100
;server-bridge
push "route 192.168.80.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway local def1 bypass-dhcp"
;push "redirect-gateway local def1"
push "dhcp-option DNS 192.168.80.4"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
;mute 20
explicit-exit-notify 1
verb 5
auth SHA512


Server config

client
dev tun
proto udp
remote wolke.myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...........
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...........
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...........
-----END OpenVPN Static key V1-----
</tls-crypt>



Log (server)

Wed May 20 15:16:35 2020 us=743877 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 20 2020
Wed May 20 15:16:35 2020 us=743887 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Wed May 20 15:16:35 2020 us=745241 Diffie-Hellman initialized with 2048 bit key
Wed May 20 15:16:35 2020 us=745657 CRL: loaded 1 CRLs from file /etc/openvpn/server/crl.pem
Wed May 20 15:16:35 2020 us=745726 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 20 15:16:35 2020 us=745741 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 20 15:16:35 2020 us=745749 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 20 15:16:35 2020 us=745759 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 20 15:16:35 2020 us=745769 TLS-Auth MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed May 20 15:16:35 2020 us=746047 TUN/TAP device tun0 opened
Wed May 20 15:16:35 2020 us=746073 TUN/TAP TX queue length set to 100
Wed May 20 15:16:35 2020 us=746088 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed May 20 15:16:35 2020 us=746102 /sbin/ifconfig tun0 10.10.30.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.30.255
Wed May 20 15:16:35 2020 us=746928 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed May 20 15:16:35 2020 us=746952 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed May 20 15:16:35 2020 us=746969 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 20 15:16:35 2020 us=746985 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed May 20 15:16:35 2020 us=746993 UDPv4 link remote: [AF_UNSPEC]
Wed May 20 15:16:35 2020 us=747003 MULTI: multi_init called, r=256 v=256
Wed May 20 15:16:35 2020 us=747022 IFCONFIG POOL: base=10.10.30.2 size=252, ipv6=0
Wed May 20 15:16:35 2020 us=747042 ifconfig_pool_read(), in='iPH6PW,10.10.30.48', TODO: IPv6
Wed May 20 15:16:35 2020 us=747050 succeeded -> ifconfig_pool_set()
Wed May 20 15:16:35 2020 us=747058 IFCONFIG POOL LIST
Wed May 20 15:16:35 2020 us=747066 iPH6PW,10.10.30.48
Wed May 20 15:16:35 2020 us=747092 Initialization Sequence Completed
Wed May 20 15:17:26 2020 us=375947 MULTI: multi_create_instance called
Wed May 20 15:17:26 2020 us=375990 201.5.167.225:12879 Re-using SSL/TLS context
Wed May 20 15:17:26 2020 us=376092 201.5.167.225:12879 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed May 20 15:17:26 2020 us=376102 201.5.167.225:12879 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed May 20 15:17:26 2020 us=376149 201.5.167.225:12879 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed May 20 15:17:26 2020 us=376157 201.5.167.225:12879 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
RWed May 20 15:17:26 2020 us=376190 201.5.167.225:12879 TLS: Initial packet from [AF_INET]201.5.167.225:12879, sid=ff5e13c2 9b496347
WRWWWWWRRRRWRWed May 20 15:17:28 2020 us=75732 201.5.167.225:12879 VERIFY OK: depth=1, C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
Wed May 20 15:17:28 2020 us=75880 201.5.167.225:12879 VERIFY OK: depth=0, C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=iPH6PW, emailAddress=webmaster@myserver.com
WRWed May 20 15:17:28 2020 us=184672 201.5.167.225:12879 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Wed May 20 15:17:28 2020 us=184698 201.5.167.225:12879 peer info: IV_VER=3.git::f225fcd0
Wed May 20 15:17:28 2020 us=184706 201.5.167.225:12879 peer info: IV_PLAT=ios
Wed May 20 15:17:28 2020 us=184712 201.5.167.225:12879 peer info: IV_AUTO_SESS=1
Wed May 20 15:17:28 2020 us=184797 201.5.167.225:12879 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 20 15:17:28 2020 us=184811 201.5.167.225:12879 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 20 15:17:28 2020 us=184827 201.5.167.225:12879 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 20 15:17:28 2020 us=184836 201.5.167.225:12879 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
WRWed May 20 15:17:28 2020 us=254842 201.5.167.225:12879 Control Channel: TLSv1.2, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 20 15:17:28 2020 us=254873 201.5.167.225:12879 [iPH6PW] Peer Connection Initiated with [AF_INET]201.5.167.225:12879
Wed May 20 15:17:28 2020 us=254895 iPH6PW/201.5.167.225:12879 MULTI_sva: pool returned IPv4=10.10.30.48, IPv6=(Not enabled)
Wed May 20 15:17:28 2020 us=254940 iPH6PW/201.5.167.225:12879 MULTI: Learn: 10.10.30.48 -> iPH6PW/201.5.167.225:12879
Wed May 20 15:17:28 2020 us=254949 iPH6PW/201.5.167.225:12879 MULTI: primary virtual IP for iPH6PW/201.5.167.225:12879: 10.10.30.48
RWed May 20 15:17:28 2020 us=255013 iPH6PW/201.5.167.225:12879 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 20 15:17:28 2020 us=255062 iPH6PW/201.5.167.225:12879 SENT CONTROL [iPH6PW]: 'PUSH_REPLY,route 192.168.80.0 255.255.255.0,redirect-gateway local def1 bypass-dhcp,dhcp-option DNS 192.168.80.4,route-gateway 10.10.30.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.30.48 255.255.255.0' (status=1)
WWRRwRwRwrWrWrWRwWRRwRWwrWRwrWRwrWRwRwRwRwRwRwRwRwRwRwRwrWrWRwRwRwrWrWrWrWrWrWrWRwRwrWrWrWrWrWRwRwrWRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRWed May 20 15:18:08 2020 us=580902 iPH6PW/201.5.167.225:12879 SIGTERM[soft,remote-exit] received, client-instance exiting
client log:

2020-05-20 15:17:25 1

2020-05-20 15:17:25 ----- OpenVPN Start -----
OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31

2020-05-20 15:17:25 OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31

2020-05-20 15:17:25 Frame=512/2048/512 mssfix-ctrl=1250

2020-05-20 15:17:25 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
11 [ignore-unknown-option] [block-outside-dns] 
12 [block-outside-dns] 
13 [verb] [3] 

2020-05-20 15:17:25 EVENT: RESOLVE

2020-05-20 15:17:26 Contacting [201.19.181.221]:1194/UDP via UDP

2020-05-20 15:17:26 EVENT: WAIT

2020-05-20 15:17:26 Connecting to [wolke.myserver.com]:1194 (201.19.181.221) via UDPv4

2020-05-20 15:17:26 EVENT: CONNECTING

2020-05-20 15:17:26 Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client

2020-05-20 15:17:26 Creds: UsernameEmpty/PasswordEmpty

2020-05-20 15:17:26 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.2-3096
IV_VER=3.git::f225fcd0
IV_PLAT=ios
IV_AUTO_SESS=1

2020-05-20 15:17:27 VERIFY OK : depth=1
cert. version     : 3
serial number     : 72:4D:9B:78:52:15:9B:C0:CE:CF:B1:4E:91:7B:A6:5A:3E:1D:79:03
issuer name       : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
subject name      : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
issued  on        : 2020-05-10 15:40:14
expires on        : 2030-05-08 15:40:14
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


2020-05-20 15:17:27 VERIFY OK : depth=0
cert. version     : 3
serial number     : 71:FA:EC:8B:1F:FD:60:6C:A3:74:10:EC:D3:FA:0E:81
issuer name       : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
subject name      : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=server, emailAddress=webmaster@myserver.com
issued  on        : 2020-05-10 15:40:14
expires on        : 2030-05-08 15:40:14
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


2020-05-20 15:17:28 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA

2020-05-20 15:17:28 Session is ACTIVE

2020-05-20 15:17:28 EVENT: GET_CONFIG

2020-05-20 15:17:28 Sending PUSH_REQUEST to server...

2020-05-20 15:17:28 OPTIONS:
0 [route] [192.168.80.0] [255.255.255.0] 
1 [redirect-gateway] [local] [def1] [bypass-dhcp] 
2 [dhcp-option] [DNS] [192.168.80.4] 
3 [route-gateway] [10.10.30.1] 
4 [topology] [subnet] 
5 [ping] [10] 
6 [ping-restart] [120] 
7 [ifconfig] [10.10.30.48] [255.255.255.0] 


2020-05-20 15:17:28 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  compress: NONE
  peer ID: -1

2020-05-20 15:17:28 EVENT: ASSIGN_IP

2020-05-20 15:17:28 NIP: preparing TUN network settings

2020-05-20 15:17:28 NIP: init TUN network settings with endpoint: 201.19.181.221

2020-05-20 15:17:28 NIP: adding IPv4 address to network settings 10.10.30.48/255.255.255.0

2020-05-20 15:17:28 NIP: adding (included) IPv4 route 10.10.30.0/24

2020-05-20 15:17:28 NIP: adding (included) IPv4 route 192.168.80.0/24

2020-05-20 15:17:28 NIP: redirecting all IPv4 traffic to TUN interface

2020-05-20 15:17:28 NIP: adding DNS 192.168.80.4

2020-05-20 15:17:28 Connected via NetworkExtensionTUN

2020-05-20 15:17:28 EVENT: CONNECTED wolke.myserver.com:1194 (201.19.181.221) via /UDPv4 on NetworkExtensionTUN/10.10.30.48/ gw=[/]

2020-05-20 15:18:08 EVENT: DISCONNECTED

2020-05-20 15:18:08 Raw stats on disconnect:
  BYTES_IN : 7351
  BYTES_OUT : 16847
  PACKETS_IN : 24
  PACKETS_OUT : 93
  TUN_BYTES_IN : 5803
  TUN_BYTES_OUT : 1194
  TUN_PACKETS_IN : 80
  TUN_PACKETS_OUT : 10

2020-05-20 15:18:08 Performance stats on disconnect:
  CPU usage (microseconds): 443690
  Tunnel compression ratio (uplink): 2.90315
  Tunnel compression ratio (downlink): 6.15662
  Network bytes per CPU second: 54538
  Tunnel bytes per CPU second: 15770
Can anyone help find out what is wrong?

Thx in advance.
Last edited by Pippin on Sun May 24, 2020 1:05 pm, edited 1 time in total.
Reason: Formatting

Post by pw44 » Thu May 21, 2020 4:24 pm

Anyone able to help?

TinCanTech
OpenVPN Protagonist
Posts: 7145
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Thu May 21, 2020 4:52 pm

You have come so far on your own ....

https://community.openvpn.net/openvpn/wiki/HOWTO

Post by pw44 » Thu May 21, 2020 6:29 pm

TinCanTech wrote:
Thu May 21, 2020 4:52 pm
You have come so far on your own ....

https://community.openvpn.net/openvpn/wiki/HOWTO
Yes, I also read it, but I am not finding the error :-( Can you help me out?

Post by TinCanTech » Thu May 21, 2020 7:11 pm

Make sure you have set up NAT etc. on your server.

And then try pushing a real DNS server.

Post by pw44 » Thu May 21, 2020 9:33 pm

TinCanTech wrote:
Thu May 21, 2020 7:11 pm
Make sure you have setup NAT etc on your server.

And then try pushing a real DNS server.
Thx for the answer.

Could you post an example?

Post by TinCanTech » Thu May 21, 2020 10:04 pm

pw44 wrote:
Thu May 21, 2020 9:33 pm
Could you post an example?

--push "dhcp-option DNS 1.1.1.1"

Post by pw44 » Thu May 21, 2020 10:40 pm

TinCanTech wrote:
Thu May 21, 2020 10:04 pm
pw44 wrote:
Thu May 21, 2020 9:33 pm
Could you post an example?

--push "dhcp-option DNS 1.1.1.1"
is there:

push "dhcp-option DNS 192.168.80.4" - 192.168.80.4 is my openvpn server + dns server.


Seems that my problem is routing..... just not finding out where.

With wireguard, no problem. But I want to make openvpn work ;-)

Post by TinCanTech » Thu May 21, 2020 10:50 pm

Maybe something to do with PiVPN ?

Post by pw44 » Thu May 21, 2020 11:30 pm

TinCanTech wrote:
Thu May 21, 2020 10:50 pm
Maybe something to do with PiVPN ?
And what does PiVPN mean?

Post by TinCanTech » Thu May 21, 2020 11:34 pm

pw44 wrote:
Thu May 21, 2020 10:40 pm
With wireguard, no problem. but i want to make openvpn work
Just use wireguard

Post by pw44 » Fri May 22, 2020 10:31 am

TinCanTech wrote:
Thu May 21, 2020 11:34 pm
pw44 wrote:
Thu May 21, 2020 10:40 pm
With wireguard, no problem. but i want to make openvpn work
Just use wireguard
Yea, but now it became a challenge ;-) Are you able to help or not?

Post by TinCanTech » Fri May 22, 2020 11:29 am

Your configs look fine, your logs look fine and you use Ubuntu for your server OS.

The Howto is literally written for you .. so follow it.

300000
OpenVPN Power User
Posts: 153
Joined: Tue May 01, 2012 9:30 pm

Post by 300000 » Sat May 23, 2020 9:59 pm

There is no LAN routing, there is no NAT rule in iptables, so it stays like that. This is free software, so it is up to you to make it work or leave it like that.

Your iptables does not perform correct NAT, so it is not going to work for you. Check the firewall rules.
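
Added example, not code from any poster in this thread: a shell audit of the server-side prerequisites the last replies point at for a pushed redirect-gateway (kernel IP forwarding, a NAT rule for the tunnel subnet, a FORWARD chain that lets tunnel traffic through). The subnet 10.10.30.0/24 comes from the posted server config; the function names, the eth0 uplink and the sample rule sets are assumptions constructed for illustration.

```shell
# Added example. VPN_NET is from the posted "server 10.10.30.0 255.255.255.0"
# line; function names, eth0 and the sample rule sets below are constructed.
VPN_NET="10.10.30.0/24"

# $1 = output of `iptables -t nat -S`, $2 = subnet.
# Succeeds if a POSTROUTING rule NATs traffic sourced from the subnet
# (a rule with no -s match covers every source, so it counts too).
has_nat_rule() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if ((src == net || src == "") && (tgt == "MASQUERADE" || tgt == "SNAT")) ok = 1
        }
        END { exit !ok }'
}

# $1 = output of `iptables -S FORWARD`, $2 = subnet.
# Simplified: accepts an ACCEPT policy or an explicit ACCEPT for the subnet.
forward_allowed() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == "-P" && $3 == "ACCEPT" { ok = 1 }
        $1 == "-A" && $NF == "ACCEPT" {
            for (i = 3; i < NF; i++) if ($i == "-s" && $(i + 1) == net) ok = 1
        }
        END { exit !ok }'
}

# $1 = ip_forward value, $2 = nat rules, $3 = FORWARD rules; status = findings.
audit() {
    n=0
    [ "$1" = "1" ] || { echo "ip_forward=$1: tun0 traffic is not routed"; n=$((n + 1)); }
    has_nat_rule "$2" "$VPN_NET" || { echo "no MASQUERADE/SNAT for $VPN_NET"; n=$((n + 1)); }
    forward_allowed "$3" "$VPN_NET" || { echo "FORWARD does not accept $VPN_NET"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: no NAT rule, DROP forward policy.
BROKEN_NAT='-P POSTROUTING ACCEPT'
BROKEN_FWD='-P FORWARD DROP'
# Constructed sample: the same host with the missing rules added.
FIXED_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.30.0/24 -o eth0 -j MASQUERADE'
FIXED_FWD='-P FORWARD DROP
-A FORWARD -s 10.10.30.0/24 -j ACCEPT'
audit 0 "$BROKEN_NAT" "$BROKEN_FWD" || echo "-> $? prerequisite(s) missing"
audit 1 "$FIXED_NAT" "$FIXED_FWD" && echo "-> forwarding and NAT in place"
```

On a live server, feed it real state as root: audit "$(sysctl -n net.ipv4.ip_forward)" "$(iptables -t nat -S)" "$(iptables -S FORWARD)".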
