openvpn clients have no internet connection

Issues related to applications and software problems
wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

openvpn clients have no internet connection

Post by wp.rauchholz » 2018/12/18 12:41:47

Problem statement: OpenVPN client cannot surf the web.

Setup:
I run a CentOS 7 home server that also acts as modem/router and as such has an internal/external network.
Dynamic IP updated by ddclient. OpenVPN 2.4.6.
On the client side, I use the OpenVPN client on my iPhone.

Description
The client can connect to the OpenVPN server and also obtains an IP, but there is no connection to the internet.
I set verbosity to 6, but I cannot find any error message in the openvpn.log file.

Thank you in advance for your help. Wolfgang


Config firewall:
iptables -t nat -A POSTROUTING -o $EXT_DEV -s $VPN_NET -j MASQUERADE   # EXT_DEV = ppp0
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

IP forwarding set: net.ipv4.ip_forward = 1

Config DNS / resolv.conf
I run an authoritative DNS server. Initially I had only set nameserver 127.0.0.1 in /etc/resolv.conf, but later added the DNS server of my ISP (Telefónica España,
IP: 80.58.61.250). That did not help either.

dig wo-lar.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> wo-lar.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wo-lar.com. IN A

;; ANSWER SECTION:
wo-lar.com. 86400 IN A 10.5.2.1

;; AUTHORITY SECTION:
wo-lar.com. 86400 IN NS home.wo-lar.com.

;; ADDITIONAL SECTION:
home.wo-lar.com. 86400 IN A 10.5.2.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 18 13:33:26 CET 2018
;; MSG SIZE rcvd: 90


Server config:
port 1194
proto udp
dev tun
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/LHS.crt
key /etc/openvpn/ssl/LHS.key
dh /etc/openvpn/ssl/dh.pem
server $VPN_NET 255.255.255.0
ifconfig-pool-persist server-ipp.txt 0
push "route <LAN NET> 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS <LAN IP>1"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ssl/ta.key 0
auth SHA512
cipher AES-256-CBC
comp-lzo adaptive
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
explicit-exit-notify 1
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
crl-verify /etc/openvpn/ssl/crl.pem

Client config:
client
dev tun
proto udp
port 1194
remote www.*****.com 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----
</tls-auth>

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: openvpn clients have no internet connection

Post by chemal » 2018/12/18 17:48:30

I need two forwards, but you have only the second one:


-A FORWARD -i br0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o br0 -j ACCEPT
(br0 is the interface with the internet connection.)

wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

Re: openvpn clients have no internet connection

Post by wp.rauchholz » 2018/12/18 19:18:17

chemal wrote:
2018/12/18 17:48:30
I need two forwards, but you have only the second one:


-A FORWARD -i br0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o br0 -j ACCEPT
(br0 is the interface with the internet connection.)
Thank you for responding.
I don't have a br0 bridge NIC; I only have these:

enp3s0: - internal network
enp5s0: external network, attached to ppp0
lo:
ppp0:
tun0:

It is crazy. I had it running before without br0. I have to rebuild my server; I had backed up everything but the config files. Lesson learned....

Wolfgang

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: openvpn clients have no internet connection

Post by chemal » 2018/12/18 19:26:26

Of course you have to replace br0 with whatever is the internet-facing adapter in your setup.

The point is that you need to forward traffic in both directions: from tunnel to internet and vice versa.

wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

Re: openvpn clients have no internet connection

Post by wp.rauchholz » 2018/12/19 12:55:28

chemal wrote:
2018/12/18 19:26:26
Of course you have to replace br0 with whatever is the internet-facing adapter in your setup.

The point is that you need to forward traffic in both directions: from tunnel to internet and vice versa.
These are the changes I made to my firewall script. Unfortunately they did not yield the desired results.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i enp3s0 -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i ppp0 -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o ppp0 -j ACCEPT


Other suggestions? Wolfgang

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: openvpn clients have no internet connection

Post by chemal » 2018/12/19 21:48:11

... my firewall script.
Probably not a good idea. If you are using the iptables service, all rules should be in /etc/sysconfig/iptables.

If you are using firewalld, you shouldn't issue iptable commands in parallel, but use firewall-cmd: https://www.google.com/search?q=centos+ ... +firewalld

wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

Re: openvpn clients have no internet connection

Post by wp.rauchholz » 2018/12/20 08:33:16

It is working now.
This page helped me quite a bit: https://arashmilani.com/post?id=53

I also changed the configuration of the OpenVPN server, from
;push "dhcp-option DNS <internal DNS>" to ;push "dhcp-option DNS 8.8.8.8"



Wolfgang

wp.rauchholz
Posts: 133
Joined: 2016/11/20 11:58:45

Re: openvpn clients have no internet connection

Post by wp.rauchholz » 2018/12/20 08:35:44

chemal wrote:
2018/12/19 21:48:11
... my firewall script.
Probably not a good idea. If you are using the iptables service, all rules should be in /etc/sysconfig/iptables.

If you are using firewalld, you shouldn't issue iptable commands in parallel, but use firewall-cmd: https://www.google.com/search?q=centos+ ... +firewalld
I executed the script first and saved it afterwards: iptables-save > /etc/sysconfig/iptables

Wolfgang

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: openvpn clients have no internet connection

Post by chemal » 2018/12/20 18:31:49

The default /etc/sysconfig/iptables isn't empty and you should add your new rules at the right places. Something like this:

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i br0 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o br0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.17.0/24 -j SNAT --to-source 100.101.102.103
COMMIT
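
As an added example (this is not code from the thread or from either poster), here is a small Python checker that parses an iptables-save dump, such as /etc/sysconfig/iptables, and reports exactly the gaps this thread turned on: ip_forward off, udp/1194 not accepted, a FORWARD chain that only allows the tunnel-to-internet direction (the original post's single rule) with no return path before the CentOS catch-all REJECT, and no MASQUERADE/SNAT for the VPN subnet on the internet-facing device. The VPN subnet 10.8.0.0/24 and the external device ppp0 are assumptions (the thread only shows the $VPN_NET and $EXT_DEV placeholders), and both dumps in the block are constructed to mirror the rules posted above; the SNAT-on-PPP caveat reflects chemal's fixed --to-source sample applied to a dynamic ppp0 address.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    table: str
    chain: str
    opts: dict  # option -> value, e.g. {"-i": "tun+", "--state": "RELATED,ESTABLISHED", "-j": "ACCEPT"}


def parse_iptables_save(dump):
    """Parse the subset of iptables-save syntax found in /etc/sysconfig/iptables."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue  # comments, chain policy lines and table terminators carry no rule
        if line.startswith("*"):
            table = line[1:]
            continue
        tokens = line.split()
        if tokens[0] != "-A" or len(tokens) < 2:
            continue
        opts, i = {}, 2
        while i < len(tokens):
            # every option in these dumps takes one value; "-m state --state X" yields both keys
            if tokens[i].startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        rules.append(Rule(table, tokens[1], opts))
    return rules


def iface_matches(pattern, name):
    """A trailing '+' is a prefix wildcard ('tun+' matches tun0); no -i/-o option matches every interface."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def accepts(rule, in_dev, out_dev, state):
    """True if the rule ACCEPTs packets of the given conntrack state entering in_dev and leaving out_dev."""
    if rule.opts.get("-j") != "ACCEPT":
        return False
    if not (iface_matches(rule.opts.get("-i"), in_dev) and iface_matches(rule.opts.get("-o"), out_dev)):
        return False
    states = rule.opts.get("--state") or rule.opts.get("--ctstate")
    return states is None or state in states.split(",")


def catchall_deny_index(rules):
    """Index of the first rule that REJECTs/DROPs everything (the CentOS default tail), or len(rules)."""
    for idx, r in enumerate(rules):
        if r.opts.get("-j") in ("REJECT", "DROP") and not any(k in r.opts for k in ("-i", "-o", "-s", "-d", "-p")):
            return idx
    return len(rules)


def check_gateway(dump, ext_dev, vpn_net, ip_forward, tun_dev="tun0"):
    """Return a list of findings; an empty list means the dump can route VPN clients to the internet."""
    rules, findings = parse_iptables_save(dump), []
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is not 1: the kernel will not route between %s and %s" % (tun_dev, ext_dev))
    inp = [r for r in rules if r.table == "filter" and r.chain == "INPUT"]
    if not any(r.opts.get("-p") == "udp" and r.opts.get("--dport") == "1194" and r.opts.get("-j") == "ACCEPT" for r in inp):
        findings.append("INPUT does not accept udp/1194: clients cannot reach the OpenVPN daemon")
    fwd = [r for r in rules if r.table == "filter" and r.chain == "FORWARD"]
    live = fwd[:catchall_deny_index(fwd)]  # only rules above the catch-all REJECT can ever match
    if not any(accepts(r, tun_dev, ext_dev, "NEW") for r in live):
        findings.append("FORWARD has no ACCEPT for %s -> %s: client packets never leave the box" % (tun_dev, ext_dev))
    if not any(accepts(r, ext_dev, tun_dev, "ESTABLISHED") for r in live):
        findings.append("FORWARD has no ACCEPT for %s -> %s: replies are rejected on the way back" % (ext_dev, tun_dev))
    nat = [r for r in rules if r.table == "nat" and r.chain == "POSTROUTING"
           and r.opts.get("-j") in ("MASQUERADE", "SNAT") and r.opts.get("-s") == vpn_net
           and iface_matches(r.opts.get("-o"), ext_dev)]
    if not nat:
        findings.append("nat/POSTROUTING has no MASQUERADE/SNAT for %s via %s: replies go to a private address" % (vpn_net, ext_dev))
    elif ext_dev.startswith("ppp") and all(r.opts.get("-j") == "SNAT" for r in nat):
        findings.append("SNAT to a fixed --to-source on a PPP link stops working when the dynamic address changes; use MASQUERADE")
    return findings


# Constructed dump mirroring the first post: one FORWARD rule, tunnel-to-internet only.
BROKEN_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
"""
# Same dump with both directions allowed: new flows out of the tunnel, established replies back in.
FIXED_DUMP = BROKEN_DUMP.replace(
    "-A FORWARD -i tun+ -j ACCEPT",
    "-A FORWARD -i tun+ -o ppp0 -j ACCEPT\n-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT")

if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_DUMP), ("fixed", FIXED_DUMP)):
        print(name, check_gateway(dump, "ppp0", "10.8.0.0/24", 1) or "OK")
```

On a live box the dump comes from `iptables-save` and the forwarding flag from `sysctl -n net.ipv4.ip_forward`; the ESTABLISHED return rule is used here instead of a second interface-pair rule because it also covers the LAN-to-tunnel replies, but the pair of explicit rules from the replies above passes the same check.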
