Cannot set up routing to go out of the OpenVPN subnet

manuel_russello
OpenVpn Newbie
Posts: 4
Joined: Wed Apr 05, 2023 5:06 pm

Cannot set up routing to go out of the OpenVPN subnet

Post by manuel_russello » Wed Apr 05, 2023 5:38 pm

Hi all,
I'm setting up an OpenVPN server and its related client, to use as a networking bridge from my client to the internet (precisely to a specific IP but that's a future step).
I'm using TUN mode as it seemed easier and I did not need BRIDGE specificities.
I read carefully the complete How To (https://openvpn.net/community-resources/how-to/).

My issue is that I cannot manage to make my incoming VPN traffic, on my server, go outside of the private subnet of the VPN.
I tried routing a specific IP through the VPN as that's my final goal, but first I'm trying to follow the documentation and route all internet traffic, following the "Routing all client traffic (including web-traffic) through the VPN" section of the How-To.

When connected to the VPN, I cannot ping a single address that is not in the 10.8.0.0/24 subnet.
I'm using Ubuntu 22.04 LTS, fresh install, and I disabled ufw to try not to interfere with my setup.

Here are my configuration files:

Code:

# OPENVPN SERVER CONFIG
port 38330
proto udp
dev tun
ca OBFUSCATED.DOMAIN.NAME_ca.crt
cert OBFUSCATED.DOMAIN.NAME_openvpnserver.crt
key OBFUSCATED.DOMAIN.NAME_openvpnserver.key
dh OBFUSCATED.DOMAIN.NAME_openvpnserver_dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
;push "route OBFUSCATED.REMOTE.SERVER.IP" # Commented this one out until I fix routing
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth OBFUSCATED.DOMAIN.NAME_openvpnserver_ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1

Code:

# OPENVPN CLIENT CONFIG
client
dev tun
proto udp
remote OBFUSCATED.OPENVPN.SERVER.IP 38330
resolv-retry infinite
nobind
persist-key
persist-tun
ca OBFUSCATED.DOMAIN.NAME_ca.crt
cert OBFUSCATED.DOMAIN.NAME_openvpnclient.crt
key OBFUSCATED.DOMAIN.NAME_openvpnclient.key
tls-auth OBFUSCATED.DOMAIN.NAME_openvpnserver_ta.key 1
cipher AES-256-CBC
verb 3
mute 20
I ran this iptables command, following the recommendations in the How To, to try routing traffic from my OpenVPN subnet (10.8.0.0/24) to the internet through my local network interface (enp1s0f0):

Code:

# iptables command I ran
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0f0 -j MASQUERADE

Code:

# "iptables -L -t nat" result
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.8.0.0/24          anywhere

Code:

# "ip addr" result
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether ob:fu:sc:at:ed:ma brd ff:ff:ff:ff:ff:ff
    inet OBFUSCATED.OPENVPN.SERVER.IP/24 metric 100 brd OBFUSCATED.SERVER.SUBNET.IP scope global dynamic enp1s0f0
       valid_lft 49136sec preferred_lft 49136sec
    inet6 2001:41d0:403:5e25::/56 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::d250:99ff:fedb:ee43/64 scope link 
       valid_lft forever preferred_lft forever
3: enp1s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ob:fu:sc:at:ed:ma brd ff:ff:ff:ff:ff:ff
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4d29:3ebf:c41b:2ebf/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
I also added a LOG rule to watch my traffic, and I cannot even see traffic from 10.8.0.0/24 trying to get anywhere other than 10.8.0.0/24.

Code:

# "iptables -L" global result
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            
LOG        all  --  10.8.0.0/24          anywhere             LOG level warning
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (0 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination


Thank you for your help; I'm available for any suggestions or if more info is needed.
Manuel.

never-stop-learning
OpenVPN User
Posts: 43
Joined: Sat Oct 02, 2021 3:57 pm

Re: Cannot set up routing to go out of the OpenVPN subnet

Post by never-stop-learning » Thu Apr 06, 2023 4:23 am

Hey man, when your client is connected, what is the routing table of the machine?
What is the traceroute result? You can share it here.

manuel_russello
OpenVpn Newbie
Posts: 4
Joined: Wed Apr 05, 2023 5:06 pm

Re: Cannot set up routing to go out of the OpenVPN subnet

Post by manuel_russello » Thu Apr 06, 2023 3:55 pm

Hi,
Here is my routing table and traceroute when NOT connected:

Code:

➜ ~ ip route
default via 192.168.1.254 dev enx00e04cb6fee2 proto dhcp metric 100 
default via 192.168.1.254 dev wlp0s20f3 proto dhcp metric 600 
OBFUSCATED.COMPANY.VPN.IP via 192.168.1.254 dev enx00e04cb6fee2 
169.254.0.0/16 dev enx00e04cb6fee2 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-8f2369d1184f proto kernel scope link src 172.18.0.1 linkdown 
172.20.0.0/16 dev br-628c5e466e29 proto kernel scope link src 172.20.0.1 linkdown 
172.21.0.0/16 dev br-36778850064a proto kernel scope link src 172.21.0.1 linkdown 
172.24.0.0/16 dev br-a9c0b7620879 proto kernel scope link src 172.24.0.1 linkdown 
172.26.0.0/16 dev br-078ff3424509 proto kernel scope link src 172.26.0.1 linkdown 
172.27.0.0/16 dev br-efe5ebcd891d proto kernel scope link src 172.27.0.1 linkdown 
172.29.0.0/16 dev br-3cb3102974a0 proto kernel scope link src 172.29.0.1 linkdown 
192.168.1.0/24 dev enx00e04cb6fee2 proto kernel scope link src 192.168.1.12 metric 100 
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.5 metric 600 
➜ ~ traceroute openvpn.net
traceroute to openvpn.net (104.18.110.96), 30 hops max, 60 byte packets
 1  bbox.lan (192.168.1.254)  3.039 ms  3.830 ms  3.793 ms
 2  OBFUSCATED.ISP.REVERSE.DNS.bbox.fr (OBFUSCTATED.ISP.BOX.IP)  11.371 ms  11.337 ms  11.305 ms
 3  * * *
 4  * * *
 5  62.34.2.101 (62.34.2.101)  23.187 ms  23.992 ms  23.959 ms
 6  be5.cbr01-cro.net.bbox.fr (212.194.171.141)  23.091 ms  17.435 ms  15.895 ms
 7  62.34.2.250 (62.34.2.250)  15.844 ms  15.823 ms  20.264 ms
 8  * * *
 9  cloudflare.par.franceix.net (37.49.237.49)  21.046 ms  21.030 ms  21.014 ms
10  172.71.132.2 (172.71.132.2)  19.673 ms 141.101.67.52 (141.101.67.52)  14.749 ms 172.71.132.2 (172.71.132.2)  19.591 ms
11  104.18.110.96 (104.18.110.96)  15.205 ms  17.835 ms  17.746 ms
➜ ~ 
Here it is with my new VPN active:

Code:

➜ ~ ip route
0.0.0.0/1 via 10.8.0.5 dev tun0 
default via 192.168.1.254 dev enx00e04cb6fee2 proto dhcp metric 100 
default via 192.168.1.254 dev wlp0s20f3 proto dhcp metric 600 
10.8.0.1 via 10.8.0.5 dev tun0 
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 
OBFUSCTATED.NEW.VPN.IP via 192.168.1.254 dev enx00e04cb6fee2 
OBFUSCTATED.COMPANY.VPN.IP via 192.168.1.254 dev enx00e04cb6fee2 
128.0.0.0/1 via 10.8.0.5 dev tun0 
169.254.0.0/16 dev enx00e04cb6fee2 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-8f2369d1184f proto kernel scope link src 172.18.0.1 linkdown 
172.20.0.0/16 dev br-628c5e466e29 proto kernel scope link src 172.20.0.1 linkdown 
172.21.0.0/16 dev br-36778850064a proto kernel scope link src 172.21.0.1 linkdown 
172.24.0.0/16 dev br-a9c0b7620879 proto kernel scope link src 172.24.0.1 linkdown 
172.26.0.0/16 dev br-078ff3424509 proto kernel scope link src 172.26.0.1 linkdown 
172.27.0.0/16 dev br-efe5ebcd891d proto kernel scope link src 172.27.0.1 linkdown 
172.29.0.0/16 dev br-3cb3102974a0 proto kernel scope link src 172.29.0.1 linkdown 
192.168.1.0/24 dev enx00e04cb6fee2 proto kernel scope link src 192.168.1.12 metric 100 
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.5 metric 600 
➜ ~ traceroute openvpn.net
traceroute to openvpn.net (104.18.110.96), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
➜ ~ 
Could it be that my company VPN (that ISN'T active right now) causes issues?

Manuel.

manuel_russello
OpenVpn Newbie
Posts: 4
Joined: Wed Apr 05, 2023 5:06 pm

Re: Cannot set up routing to go out of the OpenVPN subnet

Post by manuel_russello » Thu Apr 06, 2023 5:09 pm

OK, I'm starting to see logs.
I added these LOG rules to start watching everything:

Code:

iptables -A PREROUTING -j LOG 
iptables -A PREROUTING -j LOG
iptables -t nat -I POSTROUTING 1 -j LOG
iptables -t nat -I PREROUTING 1 -j LOG
iptables -I INPUT 1 -j LOG
And now I see these in my server's kern.log when doing a "ping OBFUSCATED.OTHER.SERVER.IP" on my client:

Code:

root@OBFUSCATED_SERVER:/# tail -f /var/log/kern.log | grep IN=tun
Apr  6 17:07:09 OBFUSCATED_SERVER kernel: [295248.545156] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=OBFUSCATED.OTHER.SERVER.IP LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32738 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=4 
Apr  6 17:07:10 OBFUSCATED_SERVER kernel: [295249.569121] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=OBFUSCATED.OTHER.SERVER.IP LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32807 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=5 
Apr  6 17:07:11 OBFUSCATED_SERVER kernel: [295250.593136] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=OBFUSCATED.OTHER.SERVER.IP LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32899 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=6
The traffic still gets lost somewhere in my server and the ping never answers.

-- EDIT --
More info from the logs.
I tried removing the iptables rule and I get no logs.
I added it back again and I get logs.
I therefore assume my rule works and traffic is indeed handled by my POSTROUTING; however, the "ping" reply never gets back. Do I need another route to redirect the reply to my "tun0" network?

Code:

root@OBFUSCATED_SERVER:/home/manuel# iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o enp1s0f0 -j MASQUERADE
root@OBFUSCATED_SERVER:/home/manuel# tail -f /var/log/kern.log | grep IN=tun
# Nothing here happens
^C
root@OBFUSCATED_SERVER:/home/manuel# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0f0 -j MASQUERADE
root@OBFUSCATED_SERVER:/home/manuel# tail -f /var/log/kern.log | grep IN=tun
Apr  6 17:16:07 OB kernel: [295786.522676] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=OBFUSCATED.OTHER.SERVER.IP LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40900 DF PROTO=ICMP TYPE=8 CODE=0 ID=13 SEQ=116 
Apr  6 17:16:08 OBFUSCATED_SERVER kernel: [295787.546715] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=OBFUSCATED.OTHER.SERVER.IP LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=40952 DF PROTO=ICMP TYPE=8 CODE=0 ID=13 SEQ=117

Manuel.

manuel_russello
OpenVpn Newbie
Posts: 4
Joined: Wed Apr 05, 2023 5:06 pm

Re: Cannot set up routing to go out of the OpenVPN subnet

Post by manuel_russello » Fri Apr 14, 2023 12:19 pm

Found it.
I was missing IP forwarding.

Edited the /etc/sysctl.conf file and uncommented this line:
net.ipv4.ip_forward=1

Restarted the networking and all traffic between networks went smoothly.
The official How To may need to specify that IP forwarding is mandatory to route traffic outside the VPN network.
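Added example, not code from the thread, the poster or the OpenVPN How To: a POSIX sh pre-flight check for an OpenVPN server that is meant to NAT client traffic to the internet. It checks the ip_forward sysctl the thread turned out to be missing, the MASQUERADE rule, and whether the FORWARD chain is wide open (policy ACCEPT, as in the listing above) rather than limited to tun0-to-egress plus established replies, and it classifies kernel LOG lines of the format pasted above. Interface names, subnet and sample lines are constructed to mirror the thread's setup.

```shell
# Added example, not code from the thread: pre-flight checks for an OpenVPN
# server meant to forward client traffic to the internet through MASQUERADE.
# Each check takes command output as an argument, so it runs equally on live
# output, e.g. "$(iptables -t nat -S POSTROUTING)", or on a saved copy.

# Arg: contents of /proc/sys/net/ipv4/ip_forward. 0 is the state the thread
# was stuck in: packets arrive on tun0 but are never forwarded.
check_ip_forward() {
    [ "$1" = "1" ]
}

# Args: `iptables -t nat -S POSTROUTING` output, VPN subnet, egress interface.
check_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Args: `iptables -S FORWARD` output, tun interface, egress interface.
# 0: forwarding limited to tun->egress plus established replies.
# 1: chain wide open (policy ACCEPT as in the thread's listing; once
#    ip_forward is on, that forwards between every interface on the host).
# 2: VPN traffic would be blocked.
check_forward_chain() {
    rules="$1"; tun="$2"; egr="$3"
    printf '%s\n' "$rules" | grep -q '^-P FORWARD ACCEPT' && return 1
    printf '%s\n' "$rules" | grep -Eq -- "^-A FORWARD -i $tun -o $egr .*-j ACCEPT" || return 2
    printf '%s\n' "$rules" | grep -Eq -- "^-A FORWARD -i $egr -o $tun .*(ESTABLISHED|RELATED).*-j ACCEPT"
}

# Arg: one kernel LOG line in the format the thread pasted. "local" means the
# packet was only seen entering tun0 (OUT= empty) and never took the FORWARD
# path; "forwarded" means it was logged leaving another interface.
classify_log_line() {
    case "$1" in
        *" IN=tun"*" OUT= "*) echo local ;;
        *" IN=tun"*" OUT="[a-z]*) echo forwarded ;;
        *) echo other ;;
    esac
}

# Constructed sample inputs mirroring the thread's setup (not captured output).
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0f0 -j MASQUERADE'
OPEN_FORWARD='-P FORWARD ACCEPT'
STRICT_FORWARD='-P FORWARD DROP
-A FORWARD -i tun0 -o enp1s0f0 -j ACCEPT
-A FORWARD -i enp1s0f0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
LOCAL_LINE='Apr  6 17:07:09 srv kernel: [1.0] IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=203.0.113.10 PROTO=ICMP'
FWD_LINE='Apr  6 17:07:09 srv kernel: [1.0] IN=tun0 OUT=enp1s0f0 MAC= SRC=10.8.0.6 DST=203.0.113.10 PROTO=ICMP'

check_forward_chain "$OPEN_FORWARD" tun0 enp1s0f0 || echo "FORWARD chain check rc=$?"
```

On a live server, feed the functions `"$(cat /proc/sys/net/ipv4/ip_forward)"`, `"$(iptables -t nat -S POSTROUTING)"` and `"$(iptables -S FORWARD)"`; a LOG line with `OUT=` empty while nothing ever shows `OUT=enp1s0f0` is the same symptom the thread chased for a week.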
