LinuxQuestions.org
Old 06-09-2016, 05:22 AM   #1
Darkyere
LQ Newbie
 
Registered: Jun 2016
Posts: 7

OpenVPN Can ping Clients and server but have no internet


Hi all, I'm a happy user of a RPI2 and have had fun so far.
Like making an OpenVPN so that I may connect to my LAN and access my computers.

Up until now I had managed to make a server and client that connect; I can ping 10.8.0.1 and 10.8.0.6.
I also managed to access my LAN and can ping/connect to my RPI2 on the network.

What I can't seem to get is how to make it access the internet while connected.
It randomly happened two times I think, but it eventually failed after a restart where I was trying to figure out what I did correctly so I could learn from it.

The following will be what info I have gathered, and if more is needed I will add it.


My server.conf is

Code:
    port 1194
    proto udp
    dev tun
    ca /my/path/to/ca
    cert /my/path/to/crt    # the directive is "cert", not "crt"
    key /my/path/to/key
    dh /my/path/to/dh4096.pem
    tls-auth /my/path/to/ta.key 0
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 10.8.0.1"
    client-to-client
    keepalive 10 120
    cipher DES-EDE3-CBC  # Triple-DES (64-bit block cipher; AES-256-CBC is the stronger choice)
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log         /home/pi/.OVPN/openvpn.log
    verb 4


My Client.conf

Code:
    client
    dev tun
    proto udp
    remote MyPubIP 1194
    resolv-retry infinite
    nobind
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    ca /my/path/to/ca
    cert /my/path/to/crt    # the directive is "cert", not "crt"
    key /my/path/to/key
    dh /my/path/to/dh4096.pem    # only used on the server (--tls-server) side
    ns-cert-type server
    tls-auth /home/kaeranon/.OVPN/ta.key 1
    cipher DES-EDE3-CBC
    comp-lzo
    verb 4


I have port-forwarded 1149 to my RPI2.


What I can't grasp is how to get it to connect to the internet.
I've tried, as can be seen, to add different versions of

Code:
    push "route 192.168.1.0 255.255.255.0"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 10.8.0.1"


And I have made even more versions of iptables rules etc.


Code:
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
    iptables -I FORWARD -i tun0 -o wlan0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -i wlan0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i wlan0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

    service openvpn restart


or


Code:
    # OpenVPN
    iptables -A INPUT -i wlan0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
     
    # Allow TUN interface connections to OpenVPN server
    iptables -A INPUT -i tun+ -j ACCEPT
     
    # Allow TUN interface connections to be forwarded through other interfaces
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i wlan0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
     
    # NAT the VPN client traffic to the internet
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

    service openvpn restart


I've kept it pretty simple so far and followed the premade config files from /usr/share/doc/openvpn/examples/sample-config-files
and rewrote them as needed, so it's still 10.8.0.1 port 1149.

So many factors to make up for, and I'm not sure I get it completely, like I'm usually testing it at home with
router 192.168.1.0
and at other places with
router 192.168.0.0
which are so common that most how-tos / guides on the net contain these, so it should have been simple.

But I still can't seem to get the internet running when I'm on my OpenVPN.
Anyone here who can somehow explain or tell me a way to fix it?

Btw, thank you for your time reading this.

Best regards,
Darkyere
 
Old 06-09-2016, 08:01 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,577
Blog Entries: 4

Superficially, it looks to me like every address in the 192.168.1.x network ... which is most-likely the entirety of your home network ... is being routed through the tunnel, and that a DNS-server on the other side (10.8.0.1) is going to be serving as the only accessible DNS from now on. Other directives such as "redirect-gateway" appear to be consistent with that.

But, I daresay that this is not what you intended to do.

The OpenVPN example files are just that: examples. At this point, you're just flailing in the dark. (I sympathize completely ... )

What I suggest that you should do is to grab a piece of paper and draw what you want the network topology to be, both when OpenVPN is connected and when it is not. OpenVPN can operate in two different modes: in tunnel mode, it acts as a router, while in (wire...)tap mode it acts as a switch. Tunnel-mode is the most common, and so, when drawing your network diagram, treat it exactly like a physical router box.

Traffic will appear on a subnet as specified in the server directive, and you must consider how those packets will be routed on each subnet. The OpenVPN process (client or server) is the router that leads to the subnet on the other side of the link, and replies that are being sent back to clients on 10.8.0.x must find their way back to the OpenVPN process, e.g. through fixed-routing directives set up in a physical device or appropriate route commands (in the appropriate places), in order to make their way back home. (Exactly as would be the case if the OpenVPN process were "a physical box," as in fact sometimes it is.)

To "reach the Internet" through the tunnel, several things must be correct. The machines on the far side must know to default-route traffic through the tunnel. (This is done by route directives in the client file, or that are "pushed" from the server, in which case the client must specify pull, as your client-config presently does not! That's wrong ...) But then, the server on the other side must know to "NAT" the traffic that's coming out of the pipe, and forward it to the Internet gateway router. (And then, when the replies come back, the gateway router has to know to route them back to OpenVPN.)

Last edited by sundialsvcs; 06-09-2016 at 08:06 AM.
 
Old 06-11-2016, 05:36 AM   #3
Darkyere
LQ Newbie
 
Registered: Jun 2016
Posts: 7

Original Poster
I have already edited this thread 2 times and this will be a third.

First time I thanked you because it works; next time I wrote the bottom message ---- because it suddenly didn't work.

Now again it does work. Got LAN and Internet and can ping client/servers.

So I am gonna stick with "it does work" for now and come back again to this thread if it keeps on failing, in the hope that you can help.
Thank you for your time and your really helpful explanation on the subject.
It was well written and seemed logical what I needed to do.

So after searching on the net based on what you wrote I added

Code:
    pull
    redirect-gateway autolocal
and got an internet connection.

Best regards and thank you,

Darkyere

----

# Ignore this message for now.

Thanks a lot for your time and explanation; for a while it seemed like I got it, but I am still incapable of actually making it work.
You were really good at explaining, thank you for that, and it seemed simple while reading it. But I must be too much of a newbie because I still can't make it work.

I tried to put in

pull

on the client and it didn't work.

I also tried to add
redirect-gateway autolocal

to the client side after doing some thread searching.

But I can't in any way make this work.

Is there any way you can stick around for a little while and help me fix this again?

Thanks and best regards,
Darkyere

Last edited by Darkyere; 06-11-2016 at 03:18 PM.
 
Old 06-11-2016, 01:43 PM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

First of all, what do you mean by not being able to connect to the internet? You can't browse the web or you can't even ping? Can you ping the inner LAN, which I take it to be 192.168.0.0/24?

Secondly, are you sure that pushing the dhcp-dns from your own server is correct? Do you have bind or some other DNS software configured on your Linux? And if you do, are you certain that it listens on the VPN interface? The answer to this last question is most definitely not.

My guess is that the main router offers both DHCP and DNS, so I suppose you should be pushing 192.168.0.1 as DNS, or am I wrong?

You keep saying 1149, instead of 1194, although in your quoted code the port is correct. You should keep that in mind so that you don't mix it up.

To my mind, the second rule in your FORWARD chain doesn't make sense if you're already allowing full non-stateful access from your tun interface.
 
Old 06-11-2016, 01:50 PM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

There are several issues with your iptables. But what's important to know is that the RELATED,ESTABLISHED rule should always take precedence over the specific NEW-state rules. If you place them at the end they're worthless.

Edit: ok, they're not worthless, but they're much more effective if they're at the beginning of the chain. Otherwise the kernel (I think) needs to parse all the rules until it reaches the RELATED,ESTABLISHED rule. And if you've got hundreds or thousands of rules, that's really going to take a toll on your CPU. Ok, it might not apply here, but it's good practice.

Last edited by vincix; 06-11-2016 at 01:53 PM.
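The server-side forwarding and NAT that post #2 describes, with the stateful rule ordered first as post #5 recommends, as an added example script that is not from the thread or from any poster. It assumes tun0 is the VPN interface, wlan0 the LAN/Internet interface and 10.8.0.0/24 the VPN subnet (all overridable via environment variables), and that the chain names VPN_FWD and VPN_NAT are free.

```shell
#!/bin/sh
# Added example, not from the thread. Forwarding + NAT for an OpenVPN server
# whose tunnel is tun0 and whose LAN/Internet side is wlan0 (assumptions;
# override with environment variables). Run "sh vpn-fwd.sh apply" as root;
# with no argument it only prints the commands it would run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-wlan0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

vpn_rules() {
    # Without this the kernel never forwards between tun0 and wlan0,
    # whatever the FORWARD chain says (persist it in /etc/sysctl.conf).
    $SYSCTL -w net.ipv4.ip_forward=1

    # Dedicated chains make the script re-runnable: flush, don't duplicate.
    $IPT -N VPN_FWD 2>/dev/null || $IPT -F VPN_FWD
    $IPT -t nat -N VPN_NAT 2>/dev/null || $IPT -t nat -F VPN_NAT
    $IPT -D FORWARD -j VPN_FWD 2>/dev/null
    $IPT -I FORWARD 1 -j VPN_FWD
    $IPT -t nat -D POSTROUTING -j VPN_NAT 2>/dev/null
    $IPT -t nat -A POSTROUTING -j VPN_NAT

    # Stateful shortcut goes first: replies to already-accepted flows match
    # here and never fall through to the NEW rules below.
    $IPT -A VPN_FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Only the VPN subnet may open new flows towards the LAN/Internet side;
    # this covers both 192.168.x.0/24 hosts and 8.8.8.8, since both exit wlan0.
    $IPT -A VPN_FWD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Anything else arriving from the tunnel is logged and dropped, so a
    # permissive FORWARD policy elsewhere does not silently let it through.
    $IPT -A VPN_FWD -i "$VPN_IF" -j LOG --log-prefix "vpn-fwd-drop: "
    $IPT -A VPN_FWD -i "$VPN_IF" -j DROP

    # VPN clients leave wlan0 with the server's LAN address, so the home
    # router sends replies back to the Pi and thus back into the tunnel.
    $IPT -t nat -A VPN_NAT -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    vpn_rules
else
    ( IPT=echo; SYSCTL=echo; vpn_rules )   # dry run: print, don't apply
fi
```

The OpenVPN client still needs the pushed redirect-gateway route (post #2's point about pull) for Internet traffic to enter the tunnel at all; this script only handles what happens once it arrives on the server.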
 
Old 06-11-2016, 03:00 PM   #6
Darkyere
LQ Newbie
 
Registered: Jun 2016
Posts: 7

Original Poster
Quote:
First of all, what do you mean by not being able to connect to the internet? You can't browse the web or you can't even ping? Can you ping the inner LAN, which I take it to be 192.168.0.0/24?
I mean that while connected to OpenVPN I can ping both the client from the server and the server from the client.
And I can ping/connect to devices on the LAN while connected to the OpenVPN.

But when trying to access e.g. a web page it times out. Or even like ping 8.8.8.8 (Google DNS), it times out too.

Quote:
Secondly, are you sure that pushing the dhcp-dns from your own server is correct? Do you have bind or some other DNS software configured on your Linux? And if you do, are you certain that it listens on the VPN interface? The answer to this last question is most definitely not.
Yes, I ended up adding 8.8.8.8 as DNS server (to make sure it wasn't my OpenVPN server that failed) and haven't changed that since. (Just didn't write that I added that.)

Quote:
My guess is that the main router offers both DHCP and DNS, so I suppose you should be pushing 192.168.0.1 as DNS, or am I wrong?
Interesting that I can use 192.168.0.1 as DNS; I might try that at some point while playing around.

Quote:
You keep saying 1149, instead of 1194, although in your quoted code the port is correct. You should keep that in mind so that you don't mix it up.
Yeah, I mean port 1194; I must just have hit the buttons in the wrong order while writing. The code part is copy/pasted, so that's why it's correct.

Quote:
There are several issues with your iptables. But what's important to know is that the RELATED,ESTABLISHED rule should always take precedence over the specific NEW-state rules. If you place them at the end they're worthless.

Edit: ok, they're not worthless, but they're much more effective if they're at the beginning of the chain. Otherwise the kernel (I think) needs to parse all the rules until it reaches the RELATED,ESTABLISHED rule. And if you've got hundreds or thousands of rules, that's really going to take a toll on your CPU. Ok, it might not apply here, but it's good practice.
Thanks for that info, I had no idea about that. Sounds like I still need to play around more with iptables.

To be honest I ended up making an internet connection (web page / ping Google DNS)
by opening 1194 in gufw and by adding only these two commands to iptables on boot.

Code:
    iptables -i FORWARD -j ACCEPT

    iptables -t nat -i POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
Hope those commands are acceptable or I will just have to play around with iptables again (which I am considering doing anyway).

Yet another time, thank you for spending the time and going through what I have done.
I am pretty much driving blindfolded here (and I don't even own a car license) so it's highly appreciated.

So far you have made me get internet access (web page and ping Google DNS) so I'm pretty happy with the info you have given.

Best regards,
Darkyere

Last edited by Darkyere; 06-11-2016 at 03:14 PM.
 
Old 06-11-2016, 04:30 PM   #7
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

In my opinion, after you get the gist of it, it becomes really easy to configure and it works really fast. After configuring my first openvpn, it was quite easy to configure it on other servers.

This is how my client side looks. It's quite simple:
Quote:
client
remote 1.1.1.1 1194
ca "ca.crt"
cert "client.crt"
key "client.key"
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
remote-cert-tls server
Of course, it's configured for tun, not tap (which works at OSI Layer 2) - which is what you seem to prefer.

I myself don't use any push route directives. I only do it by tinkering with iptables. So if I want to communicate with my LAN through VPN, I simply forward the traffic. And I can do it in a stateful way:
Quote:
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -i tun0 -s 10.8.0.0/24 -d 192.168.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -i eth0 -s 192.168.0.0/24 -d 10.8.0.0/24 -o tun0 -j ACCEPT
It might be a little bit more restrictive than necessary, but anyhow. This works as it is if eth0 is the only interface your server is connecting through. If you have another interface (such as wlan0 or eth1 or whatever), then you need to forward traffic to and from that interface also.
 
Old 06-11-2016, 05:14 PM   #8
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,240

By the way, this "iptables -i FORWARD -j ACCEPT" can't work. And it doesn't really mean anything. -i means input interface. -I means inserting a rule at a certain position. For instance, iptables -I INPUT 5 means inserting the rule in the 5th position.

If you want to change the chain policy, then you need to run "iptables -P FORWARD ACCEPT". This way, you're accepting all traffic if there are no matches.

Last edited by vincix; 06-11-2016 at 05:16 PM.
All times are GMT -5.