OpenVPN Support Forum

Hi everyone,
Been pulling my hair out. I have been renting an OPENVZ container, and asked them to enable everything I'd need for openvpn. The hosting co said they have, but try as I might, I can't get NAT to work, and I'm not sure if even ipforwarding is working.

There's a TON of documentation on the OPENVZ site, but so much of it deals with configuring the host which doesn't help me at all. Been trying to get this:

iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j SNAT --to {my IP}

to work, but no go. I changed the default private network in OPENVPN btw to the 10.9.x.x subnet. Just hoping some kind soul out there has been through all of this before and would be able to point me in the right direction here. I'm no IPTables guru either.

Thank you,
-S

I can help you with this.

First read: topic7722.html

Its a guide I specifically created for circumstances such as yours. In the guide, the 2nd batch of code is specific to OpenVZ.

To break it down for you though, these lines are essential: Your code says whilst mine says Whether or not that is a fatal difference or not, I don't know, but I do recommend you change yours to --to-source, at least until you get it all working as you please.

Also in your code you have completely omitted

I would suggest you also add it to yours (unless you don't have a venet0 interface, but I would bet that you do).

Bebop, that tutorial was excellent. I just wish it resolved the problem. I turned the code into a shell script, and executed it. Below is what shows with iptables -L

___________________________________

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.9.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
___________________________________

From my openvpn client
___________________________________
Thu Mar 03 18:14:48 2011 OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
Thu Mar 03 18:14:56 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Mar 03 18:14:56 2011 LZO compression initialized
Thu Mar 03 18:14:56 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Mar 03 18:14:56 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Mar 03 18:14:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 03 18:14:56 2011 Local Options hash (VER=V4): '41690919'
Thu Mar 03 18:14:56 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Mar 03 18:14:56 2011 UDPv4 link local: [undef]
Thu Mar 03 18:14:56 2011 UDPv4 link remote: {vps ip address}:1194
Thu Mar 03 18:14:56 2011 TLS: Initial packet from {vps ip address}:1194, sid=6a82dccb 0fea6eda
Thu Mar 03 18:14:57 2011 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Thu Mar 03 18:14:57 2011 VERIFY OK: nsCertType=SERVER
Thu Mar 03 18:14:57 2011 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain
Thu Mar 03 18:14:57 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 03 18:14:57 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 18:14:57 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 03 18:14:57 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 18:14:57 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 03 18:14:57 2011 [Test-Server] Peer Connection Initiated with {vps ip address}:1194
Thu Mar 03 18:15:00 2011 SENT CONTROL [Test-Server]: 'PUSH_REQUEST' (status=1)
Thu Mar 03 18:15:00 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway local def1 bypass-dhcp,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5'
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: route options modified
Thu Mar 03 18:15:00 2011 ROUTE default_gateway=192.168.0.1
Thu Mar 03 18:15:00 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7A91B7B4-7D17-45A4-934F-8AEC114E39E4}.tap
Thu Mar 03 18:15:00 2011 TAP-Win32 Driver Version 9.7
Thu Mar 03 18:15:00 2011 TAP-Win32 MTU=1500
Thu Mar 03 18:15:00 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.9.0.6/255.255.255.252 on interface {7A91B7B4-7D17-45A4-934F-8AEC114E39E4} [DHCP-serv: 10.9.0.5, lease-time: 31536000]
Thu Mar 03 18:15:00 2011 Successful ARP Flush on interface [19] {7A91B7B4-7D17-45A4-934F-8AEC114E39E4}
Thu Mar 03 18:15:06 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 10.9.0.1 MASK 255.255.255.255 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 Initialization Sequence Completed
____________________________________

So to me it looks like openvpn is behaving both on the server end, and on the client end. Any further ideas you can contribute I'd very much appreciate.

-S

BTW, to be clear, the way I'm testing whether it works is I pinged a popular website, and made note of it's IP, then tried to open the IP on a web browser. This is with a machine that is not VPNned into anything and to make sure it opens the site. Then I copied that IP into the web browser of the machine that is VPNed in so that the address field of the browser looks like this: http://{ipaddress}, and tried opening while connected. No-go. Also, pings to live IP's (that respond on when not connected to the vpn) do not respond.

-S

More help on its way.

schnibitz wrote:I pinged a popular website, and made note of it's IP, then tried to open the IP on a web browser. This is with a machine that is not VPNned into anything and to make sure it opens the site. Then I copied that IP into the web browser of the machine that is VPNed in so that the address field of the browser looks like this: http://{ipaddress}, and tried opening while connected

Just be clear: Do you want a NAT'd tunnel that you can use for things such as web-browsing, email, everything else -- through the VPN? (so the client Internet is routed through VPN).

If yes, that's what I've been trying to help you achieve, based on your 1st post. Do let me know if I am trying to help you achieve the wrong goal.

Your testing method might not be reliable (although if you put an IP address in browser and nothing loads, then you're right -- the VPN is not working properly). Visit: http://87.230.55.47 or http://www.whatismyip.org

and see if your VPN server IP is displayed on screen. If yes, everything is working.

Your log looks fine to me. Next step would be to post server.conf

Also, did you make the suggested changes by adding "--to-source" and "-o venet0"?

Your original take was correct. I want a NATed tunnel that will allow me to access the internet using the VPN. The reason I mentioned my testing procedure was because I think I kept saying "it isn't working" or something to that effect which was vague. I tend to be vague sometimes (-:

Browser loading of "http://87.230.55.47" when connected to the VPN is not working BTW.

Oh, I also made sure that the "--to-source" and "-o venet0" items were in the script I executed. I basically copied it verbatim as you posted, then modified stuff the subnet and the external IP. That kind of thing.

Here comes the server.conf:
-------------------------------------------------
local {VPS ip address}
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3
--script-security 2
auth-user-pass-verify ./auth-pam.pl via-file
client-cert-not-required
username-as-common-name
-----------------------------------------

Two points of note:
1. The certs I'm using are sample certs that come with the install. I don't intend to use them in production, but just to test for now. I have a virtual machine at home that I did this with, and it worked.
2. I have it ask for my username and password. I set up an account on the VPS for this. That seems to be working fine.

Thank you again for your continued help.

-S

I have to be elsewhere now, so I do hope a VPN expert will be here to assist you.

I can only say that you have done everything as I would have done myself. My working setup seems to be exactly as you have described yours to be.

Were there any errors when you ran the iptables script?

It still seems to me that its a forwarding problem.

I can only suggest delving into the log files. Also setup a tcpdump: to see if you can turn up any interesting clues.

Best of luck! (you will get it)

I understand, God bless you for your help!

-S

Update. I restarted openvpn, and it's now working. I'm very thankful for all of your help.

-S