No connection but VPN server

n0_one
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 05, 2015 12:46 pm

Post by n0_one » Thu Nov 05, 2015 12:55 pm

Hello,

I want to use OpenVPN to connect to my home LAN and to be able to route internet traffic through it. I am running version 2.2.1.

In my home LAN there is a cable modem which is connected to a Wi-Fi router. All devices are connected to this router. One of these devices is my Raspberry Pi on which I installed an OpenVPN server. In my router I forwarded OpenVPN's port and I am able to connect to it via the client for Windows as well as 2 Android apps (OpenVPN Connect and OpenVPN for Android).

My problem is that I am able to connect to the OpenVPN server and can ping my Raspberry Pi at 10.8.0.1 and at 192.168.1.151 (my Raspberry Pi's LAN address) afterwards, but I cannot ping/connect to any other device in my LAN. I cannot connect to the internet via VPN either (even without DNS, e.g. ping 8.8.8.8).

I have net.ipv4.ip_forward=1 in my /etc/sysctl.conf and I find a route for 192.168.1.0/24, gateway 10.8.0.5, interface 10.8.0.6 on my client after connecting.

What can I do to solve my problem?

My server.conf:

Code:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 192.168.1.0 255.255.255.0"
log-append /var/log/openvpn
comp-lzo

My client.ovpn:

Code:

dev tun
client
proto udp
remote me.spdns.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

My log file (restart of Raspberry Pi and connection via Android device):

Code:

Thu Nov  5 13:07:08 2015 event_wait : Interrupted system call (code=4)
Thu Nov  5 13:07:08 2015 TCP/UDP: Closing socket
Thu Nov  5 13:07:08 2015 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
SIOCDELRT: Operation not permitted
Thu Nov  5 13:07:08 2015 ERROR: Linux route delete command failed: external program exited with error status: 7
Thu Nov  5 13:07:08 2015 Closing TUN/TAP interface
Thu Nov  5 13:07:08 2015 /sbin/ifconfig tun0 0.0.0.0
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
Thu Nov  5 13:07:08 2015 Linux ip addr del failed: external program exited with error status: 255
Thu Nov  5 13:07:08 2015 SIGTERM[hard,] received, process exiting
Thu Nov  5 13:07:38 2015 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Thu Nov  5 13:07:38 2015 WARNING: --keepalive option is missing from server config
Thu Nov  5 13:07:38 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Nov  5 13:07:38 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Nov  5 13:07:38 2015 Diffie-Hellman initialized with 1024 bit key
Thu Nov  5 13:07:38 2015 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov  5 13:07:38 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Nov  5 13:07:38 2015 ROUTE default_gateway=192.168.1.1
Thu Nov  5 13:07:38 2015 TUN/TAP device tun0 opened
Thu Nov  5 13:07:38 2015 TUN/TAP TX queue length set to 100
Thu Nov  5 13:07:38 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Nov  5 13:07:38 2015 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Nov  5 13:07:38 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Thu Nov  5 13:07:38 2015 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov  5 13:07:38 2015 GID set to nogroup
Thu Nov  5 13:07:38 2015 UID set to nobody
Thu Nov  5 13:07:38 2015 UDPv4 link local (bound): [undef]
Thu Nov  5 13:07:38 2015 UDPv4 link remote: [undef]
Thu Nov  5 13:07:38 2015 MULTI: multi_init called, r=256 v=256
Thu Nov  5 13:07:38 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Nov  5 13:07:38 2015 Initialization Sequence Completed
Thu Nov  5 13:08:52 2015 MULTI: multi_create_instance called
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 Re-using SSL/TLS context
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 LZO compression initialized
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 Local Options hash (VER=V4): '530fdded'
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 Expected Remote Options hash (VER=V4): '41690919'
Thu Nov  5 13:08:52 2015 176.4.32.150:46941 TLS: Initial packet from [AF_INET]176.4.32.150:46941, sid=36001c4f ec2e7a90
Thu Nov  5 13:08:53 2015 176.4.32.150:46941 VERIFY OK: depth=1, /C=DE/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
Thu Nov  5 13:08:53 2015 176.4.32.150:46941 VERIFY OK: depth=0, /C=DE/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=client1/name=changeme/emailAddress=mail@host.domain
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Nov  5 13:08:57 2015 176.4.32.150:46941 [client1] Peer Connection Initiated with [AF_INET]176.4.32.150:46941
Thu Nov  5 13:08:57 2015 client1/176.4.32.150:46941 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=c806:e5be:809e:587f:34cb:5d7f:1447:f380
Thu Nov  5 13:08:57 2015 client1/176.4.32.150:46941 MULTI: Learn: 10.8.0.6 -> client1/176.4.32.150:46941
Thu Nov  5 13:08:57 2015 client1/176.4.32.150:46941 MULTI: primary virtual IP for client1/176.4.32.150:46941: 10.8.0.6
Thu Nov  5 13:08:58 2015 client1/176.4.32.150:46941 PUSH: Received control message: 'PUSH_REQUEST'
Thu Nov  5 13:08:58 2015 client1/176.4.32.150:46941 send_push_reply(): safe_cap=960
Thu Nov  5 13:08:58 2015 client1/176.4.32.150:46941 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.1.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: No connection but VPN server

Post by Traffic » Fri Nov 13, 2015 5:22 pm

n0_one wrote: I find a route for 192.168.1.0/24, gateway 10.8.0.5, interface 10.8.0.6 on my client after connecting.

Add a route back to your VPN on the server LAN gateway.

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Re: No connection but VPN server

Post by flash_uk » Sun Nov 15, 2015 6:28 pm

Traffic wrote:
n0_one wrote: I find a route for 192.168.1.0/24, gateway 10.8.0.5, interface 10.8.0.6 on my client after connecting.
Add a route back to your VPN on the server LAN gateway.

@Traffic - how is that done please? I think I have the same issue!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: No connection but VPN server

Post by Traffic » Wed Nov 18, 2015 11:22 pm

@Flash_uk:

Code:

ip route add {required details}

@n0_one

n0_one wrote: My problem is that I am able to connect to the OpenVPN server and can ping my Raspberry Pi at 10.8.0.1 and at 192.168.1.151 (my Raspberry Pi's LAN address) afterwards, but I cannot ping/connect to any other device in my LAN. I cannot connect to the internet via VPN either (even without DNS, e.g. ping 8.8.8.8).

Review: Add NAT to your Pi.

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
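
Added example, not part of the original posts: a read-only shell check of what the NAT fix above depends on, namely the runtime value of ip_forward, the MASQUERADE rule for 10.8.0.0/24 on eth0, and a FORWARD policy that does not drop tunnel traffic. The function names and the two iptables-save samples are constructed for illustration; the subnet and interface names are the thread's.

```shell
# Added example, not from the thread: read-only check of the Pi's forwarding state.
# Thread values: subnet from server.conf, eth0 from the iptables line, tun0 from the log.
VPN_NET="10.8.0.0/24"; LAN_IF="eth0"; VPN_IF="tun0"

# True if the iptables-save text in $1 holds the exact MASQUERADE rule from the thread.
has_masquerade() {
    printf '%s\n' "$1" | grep -Fq -e "-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

# True if the FORWARD policy is DROP and no FORWARD rule names the tunnel as input.
forward_blocked() {
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*-i $VPN_IF( |\$)"; then return 1; fi
    return 0
}

# diagnose IP_FORWARD_VALUE IPTABLES_SAVE_TEXT -> prints "ok" or the missing pieces.
diagnose() {
    missing=""
    if [ "$1" != "1" ]; then missing="$missing forwarding"; fi
    if ! has_masquerade "$2"; then missing="$missing nat"; fi
    if forward_blocked "$2"; then missing="$missing forward-rule"; fi
    if [ -z "$missing" ]; then echo "ok"; else echo "${missing# }"; fi
}

# Live use on the Pi (as root); not called here so the file runs anywhere.
check_live() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
}

# Constructed sample: forwarding enabled, NAT rule not yet added.
SAMPLE_NO_NAT='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: state after the iptables command from the thread.
SAMPLE_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

echo "before: $(diagnose 1 "$SAMPLE_NO_NAT")"
echo "after:  $(diagnose 1 "$SAMPLE_FIXED")"
```

On the Pi, `check_live` reads /proc/sys/net/ipv4/ip_forward rather than /etc/sysctl.conf, because the file only takes effect after `sysctl -p` or a reboot.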
