OpenVPN connection established but no Internet connection.

Post by coface »

Hi there,

I read so much the whole day and spent about 8 hours trying to figure out what is wrong. I don't know what is wrong.... :( I appreciate any hints.
My OpenVPN-Server is running on Debian 7.8. I fail to get it working.
Could it be that there is some heavy DNS issue?
So these are my settings:

server.conf

Code: Select all

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert vpn-topos.crt
key vpn-topos.key  # This file should be kept secret
dh dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

client.conf

appended extra code with no effect

Code: Select all

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Code: Select all

client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote ip.my.ser.ver
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ./ca.crt
cert ./eymes.crt
key ./eymes.key
ns-cert-type server
;tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
;mute 20
redirect-gateway
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

the start log

Code: Select all

Tue Dec 29 19:12:28 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Tue Dec 29 19:12:28 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec 29 19:12:28 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Dec 29 19:12:28 2015 UDPv4 link local: [undef]
Tue Dec 29 19:12:28 2015 UDPv4 link remote: [AF_INET]ip.my.ser.ver:1194
Tue Dec 29 19:12:28 2015 TLS: Initial packet from [AF_INET]ip.my.ser.ver:1194, sid=f45ee217 515231c1
Tue Dec 29 19:12:28 2015 VERIFY OK: depth=1, C=CH, ST=BS, L=Basel, O=Fort-Funston, OU=changeme, CN=vpn.ip.my.ser.ver, name=topos, emailAddress=mail@post.com
Tue Dec 29 19:12:28 2015 VERIFY OK: nsCertType=SERVER
Tue Dec 29 19:12:28 2015 VERIFY OK: depth=0, C=DE, ST=BS, L=Brunn, O=Fort-Funston, OU=changeme, CN=vpn-topos, name=topos, emailAddress=mail@post.com
Tue Dec 29 19:12:29 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Dec 29 19:12:29 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 29 19:12:29 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Dec 29 19:12:29 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 29 19:12:29 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Tue Dec 29 19:12:29 2015 [vpn-topos] Peer Connection Initiated with [AF_INET]ip.my.ser.ver:1194
Tue Dec 29 19:12:31 2015 SENT CONTROL [vpn-topos]: 'PUSH_REQUEST' (status=1)
Tue Dec 29 19:12:32 2015 PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.20.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 29 19:12:32 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 29 19:12:32 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 29 19:12:32 2015 OPTIONS IMPORT: route options modified
Tue Dec 29 19:12:32 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 29 19:12:32 2015 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlan0 HWADDR=60:57:18:d0:dd:42
Tue Dec 29 19:12:32 2015 TUN/TAP device tun0 opened
Tue Dec 29 19:12:32 2015 TUN/TAP TX queue length set to 100
Tue Dec 29 19:12:32 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 29 19:12:32 2015 /sbin/ip link set dev tun0 up mtu 1500
Tue Dec 29 19:12:32 2015 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Dec 29 19:12:32 2015 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.8.0.6 10.8.0.5 init
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
Tue Dec 29 19:12:33 2015 /sbin/ip route add ip.my.ser.ver/32 via 192.168.178.1
Tue Dec 29 19:12:33 2015 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 192.168.10.0/24 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 192.168.20.0/24 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Dec 29 19:12:33 2015 Initialization Sequence Completed
Tue Dec 29 19:12:35 2015 event_wait : Interrupted system call (code=4)
Tue Dec 29 19:12:35 2015 /sbin/ip route del 10.8.0.1/32
Tue Dec 29 19:12:35 2015 /sbin/ip route del 192.168.20.0/24
Tue Dec 29 19:12:35 2015 /sbin/ip route del 192.168.10.0/24
Tue Dec 29 19:12:35 2015 /sbin/ip route del ip.my.ser.ver/32
Tue Dec 29 19:12:35 2015 /sbin/ip route del 0.0.0.0/1
Tue Dec 29 19:12:35 2015 /sbin/ip route del 128.0.0.0/1
Tue Dec 29 19:12:35 2015 Closing TUN/TAP interface
Tue Dec 29 19:12:35 2015 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Dec 29 19:12:35 2015 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.8.0.6 10.8.0.5 init
Tue Dec 29 19:12:36 2015 SIGINT[hard,] received, process exiting

my route -n (client)

Code: Select all

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.137.1   0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
ip.my.ser.ver   192.168.137.1   255.255.255.255 UGH   0      0        0 wlan0
192.168.10.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.20.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.137.0   0.0.0.0         255.255.255.0   U     9      0        0 wlan0

my iptables settings on my server

Code: Select all

iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT 
iptables -A INPUT -i tun+ -j ACCEPT 
iptables -A FORWARD -i tun+ -j ACCEPT 
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I got NO idea anymore what is going wrong.
Best regards and many thanks for some hints in advance!
:?

Post by txba516 »

Hi coface,

While I'm not an expert in OpenVPN specifically, I know VPN behavior well. It looks like the gateway setting for routing your traffic over the VPN is using the wrong subnet mask.

Code: Select all

Tue Dec 29 19:12:32 2015 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.8.0.6 10.8.0.5 init
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
Tue Dec 29 19:12:33 2015 /sbin/ip route add ip.my.ser.ver/32 via 192.168.178.1
Tue Dec 29 19:12:33 2015 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Dec 29 19:12:33 2015 /sbin/ip route add 192.168.10.0/24 via 10.8.0.5

Should be using 0.0.0.0/0 instead of 0.0.0.0/1 if you want all of your Internet traffic to route through the VPN. Using the /1 mask will only send traffic starting with 10.x.x.x over the VPN. So your DNS queries to 8.8.8.8 and 8.8.4.4 will attempt to connect through 192.168.137.1 per your client route table shown.

It seems the push "redirect-gateway def1 bypass-dhcp" line on the server conf may not need the bypass-dhcp part.
Also, the client conf doesn't specify def1 on the redirect-gateway line. So it's conflicting with the push parameter from the server. Let's comment out the client conf line for redirect-gateway and let the server push the directive.
You may also want to add a line to the server conf for

Code: Select all

push "remote-gateway 10.8.0.5"

Cheers!
LM17.2 x64 Cinnamon
Help the forums get answers faster! Mark your fixed problem thread as [SOLVED]
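
An added example, not part of either post: it runs the kernel's longest-prefix-match rule over the client `route -n` table posted above to show which interface each destination leaves by once the two /1 routes from `redirect-gateway def1` are installed. The address 203.0.113.10 is a constructed stand-in for the masked `ip.my.ser.ver`; the function names are illustrative.

```python
import ipaddress

# Constructed from the client's `route -n` rows in the first post.
# 203.0.113.10 (documentation range) replaces the masked "ip.my.ser.ver"
# only so that the row can be parsed; it is an assumption.
ROUTE_N = """\
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.137.1   0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
203.0.113.10    192.168.137.1   255.255.255.255 UGH   0      0        0 wlan0
192.168.10.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.20.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.137.0   0.0.0.0         255.255.255.0   U     9      0        0 wlan0
"""

def parse_routes(text):
    """Return a list of (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue  # skip headers or malformed rows
        # Convert the dotted Genmask into a prefix length by counting 1-bits.
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
        net = ipaddress.ip_network(f"{f[0]}/{prefix}")
        routes.append((net, f[1], int(f[4]), f[7]))
    return routes

def egress(routes, dest):
    """Interface chosen for dest: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[3]

def full_tunnel(routes, tun="tun0"):
    """True when both /1 halves of the IPv4 space point at the tunnel."""
    halves = {str(r[0]) for r in routes if r[3] == tun and r[0].prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}

if __name__ == "__main__":
    table = parse_routes(ROUTE_N)
    for d in ("8.8.8.8", "8.8.4.4", "200.1.1.1", "203.0.113.10", "192.168.137.1"):
        print(f"{d:15} -> {egress(table, d)}")
    print("full tunnel:", full_tunnel(table))
```

Running the same lookups against a live table (for example with `ip route get 8.8.8.8`) is a quick way to confirm that DNS and other traffic are not leaving outside the tunnel.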