OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

nat openvpn

https://forums.openvpn.net/viewtopic.php?t=35951

Page 1 of 1

nat openvpn

Posted: Fri Jul 14, 2023 1:13 pm
by fafar
hi,
My openvpn server was on an ubuntu 18.04, and it worked well.
I just upgrade to 20.04 but i have a problem :
my android or linux clients can easily connect to the openvpn server, i can access to the other server's services (web page...).
My server has 10.8.0.1 ip and 192.168.1.21 in my personal network.
I can ping 10.8.0.1 and 192.168.1.21 but i can't access to other pcs in my network.
What can I do ?
Thanks for advance
Emmanuel

here is my server.conf :

root@odroid:~# cat /etc/openvpn/server.conf
# OpenVPN serveur
# local 192.168.3.20 --> Voir Trouble shooting
# Tunnel mode
dev tun
# Protocole udp ou tcp
proto tcp
# Port 1194 ou 443
port 993
# La CA
ca /etc/openvpn/easy-rsa/keys/ca.crt
# Le certificat serveur
cert /etc/openvpn/easy-rsa/keys/openvpn.crt
# La clé du certificat serveur
key /etc/openvpn/easy-rsa/keys/openvpn.key
# clé Diffie-Hellman generé, si 4096, modifier la
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# Le serveur dhcp, on definit la plage, par defaut 10.8.0.0/24
server 10.8.0.0 255.255.255.0
# serveur et client distant.
ifconfig 10.8.0.1 10.8.0.2
# Ajout de la route pour le client OpenVPN Server.
push "route 10.8.0.1 255.255.255.255"

# Ajout de la route pour les clients du sous-reseau.
push "route 10.8.0.0 255.255.255.0"
#push "client-nat dnat 192.168.1.0 255.255.255.0 10.8.0.1"
# le réseau local du serveur Openvpn.
push "route 192.168.1.0 255.255.255.0"

# Adresse du serveur DNS, si pas de domaine, utilisez dns public.
push "dhcp-option DNS 208.67.222.222"
# Le serveur sera la passerelle par défaut et tout le trafic sera router par lui.
push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp"
client-to-client
# Pour dupliquer le meme certificat
# duplicate-cn
keepalive 10 120
# la clé partagée
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
#user openvpn
#group openvpn



persist-key
persist-tun
# Des logs
status /var/logvpn/openvpn-status.log 20
log /var/logvpn/openvpn.log
#status /var/log/openvpn-status.log 20
#log /var/log/openvpn.log


verb 1

Re: nat openvpn

Posted: Fri Jul 14, 2023 2:27 pm
by fafar
my log (I put verb 3) :

Fri Jul 14 16:24:15 2023 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Fri Jul 14 16:24:15 2023 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Fri Jul 14 16:24:15 2023 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Fri Jul 14 16:24:15 2023 Diffie-Hellman initialized with 2048 bit key
Fri Jul 14 16:24:15 2023 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 14 16:24:15 2023 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 14 16:24:15 2023 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:1e:06:36:56:3b
Fri Jul 14 16:24:15 2023 TUN/TAP device tun0 opened
Fri Jul 14 16:24:15 2023 TUN/TAP TX queue length set to 100
Fri Jul 14 16:24:15 2023 /sbin/ip link set dev tun0 up mtu 1500
Fri Jul 14 16:24:16 2023 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Jul 14 16:24:16 2023 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri Jul 14 16:24:16 2023 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Jul 14 16:24:16 2023 Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri Jul 14 16:24:16 2023 Listening for incoming TCP connection on [AF_INET][undef]:993
Fri Jul 14 16:24:16 2023 TCPv4_SERVER link local (bound): [AF_INET][undef]:993
Fri Jul 14 16:24:16 2023 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Jul 14 16:24:16 2023 GID set to nogroup
Fri Jul 14 16:24:16 2023 UID set to nobody
Fri Jul 14 16:24:16 2023 MULTI: multi_init called, r=256 v=256
Fri Jul 14 16:24:16 2023 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Jul 14 16:24:16 2023 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Jul 14 16:24:16 2023 Initialization Sequence Completed
Fri Jul 14 16:24:27 2023 TCP connection established with [AF_INET]109.208.39.187:55732
Fri Jul 14 16:24:27 2023 109.208.39.187:55732 TLS: Initial packet from [AF_INET]109.208.39.187:55732, sid=55b237dd 7ef75480
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 VERIFY OK: depth=1, C=FR, ST=France, L=Paris, O=., OU=., CN=openvpn, name=EasyRSA, emailAddress=
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 VERIFY OK: depth=0, C=FR, ST=France, L=Paris, O=., OU=., CN=fafar, name=EasyRSA, emailAddress=
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_VER=2.5.5
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_PLAT=linux
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_PROTO=6
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_NCP=2
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZ4=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZ4v2=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_LZO=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_COMP_STUB=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_COMP_STUBv2=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 peer info: IV_TCPNL=1
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Fri Jul 14 16:24:28 2023 109.208.39.187:55732 [fafar] Peer Connection Initiated with [AF_INET]109.208.39.187:55732
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI: Learn: 10.8.0.6 -> fafar/109.208.39.187:55732
Fri Jul 14 16:24:28 2023 fafar/109.208.39.187:55732 MULTI: primary virtual IP for fafar/109.208.39.187:55732: 10.8.0.6
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 SENT CONTROL [fafar]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,route 192.168.1.0 255.255.255.0,dhcp-option DNS 208.67.222.222,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul 14 16:24:29 2023 fafar/109.208.39.187:55732 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul 14 16:25:03 2023 fafar/109.208.39.187:55732 Connection reset, restarting [0]
Fri Jul 14 16:25:03 2023 fafar/109.208.39.187:55732 SIGUSR1[soft,connection-reset] received, client-instance restarting
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/