
I'm learning to use OpenVPN and I bought a VPS with OpenVPN (a default installation offered by the hosting provider).

When I configure my client to connect to the server, I notice that the connection is established but I can't browse.

It is supposed that the installation is ready to go. Maybe some network configuration is wrong, but I can't find the mistake.

1. Server Settings

1.1 Basic configuration

[screenshot of the basic configuration page; image not preserved]

1.2 VPN Settings

[two screenshots of the VPN Settings page; images not preserved]

1.3 Network

as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.129  P-t-P:10.0.0.129  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:51.xx.xx.xxx  Bcast:51.xx.xx.xxx  Mask:255.255.255.255
          inet6 addr: xxxx::xxxx:xxxx:xxxx:xxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84251 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8108403 (7.7 MiB)  TX bytes:11762035 (11.2 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:61294 (59.8 KiB)  TX bytes:61294 (59.8 KiB)

1.4 iptables

The following rule was added:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE 

Return of iptables -L:

Chain INPUT (policy ACCEPT)
target         prot opt source               destination
AS0_ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT     all  --  anywhere             anywhere
AS0_IN_PRE     all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT     udp  --  anywhere             xxx.ip-xx-xx-xx.eu   state NEW udp dpt:openvpn
AS0_ACCEPT     tcp  --  anywhere             xxx.ip-xx-xx-xx.eu   state NEW tcp dpt:https
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             xxx.ip-xx-xx-xx.eu   state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target         prot opt source               destination
AS0_ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE     all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target         prot opt source               destination
AS0_OUT_LOCAL  all  --  anywhere             anywhere

Chain AS0_ACCEPT (5 references)
target         prot opt source               destination
ACCEPT         all  --  anywhere             anywhere

Chain AS0_IN (4 references)
target         prot opt source               destination
ACCEPT         all  --  anywhere             10.0.0.1
               all  --  default              anywhere
AS0_IN_POST    all  --  anywhere             anywhere

Chain AS0_IN_NAT (1 references)
target         prot opt source               destination
MARK           all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT         all  --  anywhere             anywhere

Chain AS0_IN_POST (2 references)
target         prot opt source               destination
ACCEPT         all  --  anywhere             10.0.0.0/24
AS0_OUT        all  --  anywhere             anywhere
DROP           all  --  anywhere             anywhere

Chain AS0_IN_PRE (2 references)
target         prot opt source               destination
AS0_IN         all  --  anywhere             link-local/16
AS0_IN         all  --  anywhere             192.168.0.0/16
AS0_IN         all  --  anywhere             172.16.0.0/12
AS0_IN         all  --  anywhere             10.0.0.0/8
ACCEPT         all  --  anywhere             anywhere

Chain AS0_IN_ROUTE (0 references)
target         prot opt source               destination
MARK           all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT         all  --  anywhere             anywhere

Chain AS0_OUT (2 references)
target         prot opt source               destination
AS0_OUT_POST   all  --  anywhere             anywhere

Chain AS0_OUT_LOCAL (1 references)
target         prot opt source               destination
DROP           icmp --  anywhere             anywhere             icmp redirect
ACCEPT         all  --  anywhere             anywhere

Chain AS0_OUT_POST (1 references)
target         prot opt source               destination
DROP           all  --  anywhere             anywhere

Chain AS0_OUT_S2C (1 references)
target         prot opt source               destination
AS0_OUT        all  --  anywhere             anywhere

Chain AS0_U_OPENVPN_IN (0 references)
target         prot opt source               destination
AS0_IN_NAT     all  --  anywhere             172.27.224.0/20
AS0_IN_POST    all  --  anywhere             anywhere

Chain AS0_WEBACCEPT (2 references)
target         prot opt source               destination
ACCEPT         all  --  anywhere             anywhere

Return of iptables -t nat -nL:

Chain PREROUTING (policy ACCEPT)
target                prot opt source               destination
AS0_NAT_PRE_REL_EST   all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain INPUT (policy ACCEPT)
target                prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target                prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target                prot opt source               destination
AS0_NAT_POST_REL_EST  all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
AS0_NAT_PRE           all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x2000000/0x2000000
MASQUERADE            all  --  10.0.0.0/24          0.0.0.0/0

Chain AS0_NAT (3 references)
target                prot opt source               destination
SNAT                  all  --  0.0.0.0/0            0.0.0.0/0            to:51.xx.xx.xxx
ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_POST_REL_EST (1 references)
target                prot opt source               destination
ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_PRE (1 references)
target                prot opt source               destination
AS0_NAT               all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x8000000/0x8000000
AS0_NAT_TEST          all  --  0.0.0.0/0            169.254.0.0/16
AS0_NAT_TEST          all  --  0.0.0.0/0            192.168.0.0/16
AS0_NAT_TEST          all  --  0.0.0.0/0            172.16.0.0/12
AS0_NAT_TEST          all  --  0.0.0.0/0            10.0.0.0/8
AS0_NAT               all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_PRE_REL_EST (1 references)
target                prot opt source               destination
ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0

Chain AS0_NAT_TEST (4 references)
target                prot opt source               destination
ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT                all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x4000000/0x4000000
ACCEPT                all  --  0.0.0.0/0            10.0.0.0/24
AS0_NAT               all  --  0.0.0.0/0            0.0.0.0/0

1.5 Additional configuration

The /etc/sysctl.conf file was edited, uncommenting the following line:

net.ipv4.ip_forward=1 

Return of sysctl net.ipv4.ip_forward:

net.ipv4.ip_forward = 1 

2. Client Settings

When I connect to the VPN, the client has the following configuration:

IPv6: fe80::159:2b87:b731:8337%6
IPv4: 10.0.0.130
Mask: 255.255.255.128
Gateway: 10.0.0.129

1 Answer

1

Looking at your VPN settings, we can see the network address is set to 172.27.224.0/20.

Looking at your Group Default IP Address Network setting, you would use 172.27.240.0/20.

You did add an iptables rule that would NAT egress traffic from 172.27.240.0/20.

Yet your client is connected as 172.27.232.1/21. As such, its traffic is not subject to your NAT rule.

Either change your NAT rule, including both 172.27.240/20 and 172.27.224/20, or remove the Group Default IP Address Network setting/only NAT 172.27.224/20.
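The mismatch the answer describes (a NAT rule for 172.27.240.0/20 while the client is inside 172.27.224.0/20) is a plain "is this address covered by any source range" check. The following is an added example, not code from the original post: it pulls the direct MASQUERADE/SNAT source ranges out of a `iptables -t nat -nL` POSTROUTING listing (a constructed sample reflowed from the question), tests whether a client's tunnel address is NATed, and lists the MASQUERADE rules still missing for a set of VPN pools. Jumps into the AS0_* helper chains are deliberately not followed, so a "not covered" result is conservative.

```python
import ipaddress

# Constructed sample, reflowed from the question's `iptables -t nat -nL`
# listing: only the POSTROUTING chain, one rule per line.
SAMPLE_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
AS0_NAT_POST_REL_EST  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
AS0_NAT_PRE  all  --  0.0.0.0/0  0.0.0.0/0  mark match 0x2000000/0x2000000
MASQUERADE  all  --  10.0.0.0/24  0.0.0.0/0
"""

# Only these targets rewrite the source address; jumps to AS0_* chains
# are not followed here, so the check is deliberately conservative.
NAT_TARGETS = {"MASQUERADE", "SNAT"}


def nat_sources(listing):
    """Source networks of the direct MASQUERADE/SNAT rules in a chain listing."""
    nets = []
    for line in listing.splitlines():
        parts = line.split()
        # Columns: target prot opt source destination [extra...]
        if len(parts) >= 5 and parts[0] in NAT_TARGETS:
            nets.append(ipaddress.ip_network(parts[3], strict=False))
    return nets


def is_natted(client_ip, nets):
    """True if the client's tunnel address falls inside any NAT source range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)


def missing_masquerade_rules(pools, nets, iface="eth0"):
    """MASQUERADE rules still needed so every VPN pool is NATed out of iface."""
    return [
        f"iptables -t nat -A POSTROUTING -s {pool} -o {iface} -j MASQUERADE"
        for pool in map(ipaddress.ip_network, pools)
        if not any(pool.subnet_of(n) for n in nets)
    ]


if __name__ == "__main__":
    # The original mismatch: NAT only for 172.27.240.0/20, client at 172.27.232.1
    first_try = [ipaddress.ip_network("172.27.240.0/20")]
    print(is_natted("172.27.232.1", first_try))
    print(missing_masquerade_rules(["172.27.224.0/20", "172.27.240.0/20"], first_try))
    # The updated configuration from the question: a 10.0.0.0/24 pool
    print(is_natted("10.0.0.130", nat_sources(SAMPLE_POSTROUTING)))
```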

4
  • I tried the configuration you said, but still can't access the Internet. Afterwards, I changed all the VPN settings using a new IP and mask, and the result is the same. I updated the post with the new configuration and I added the complete iptables settings. Commented Nov 16, 2019 at 17:08
  • Okay, now this is weird... You're quoting your sysctl.conf, but are you sure that setting was applied (run sysctl net.ipv4.ip_forward to be sure)? Can we check the nat tables as well (iptables -t nat -nL)? When in doubt, you could use tcpdump on your VPN interface, then eth0, making sure traffic goes through. Or figuring out why it doesn't. Commented Nov 16, 2019 at 17:50
  • sysctl net.ipv4.ip_forward checked: it returns 1. The result of iptables -t nat -nL was added to the post. Not sure how to use tcpdump. I will take a look. Commented Nov 16, 2019 at 21:36
  • 1 Sounds good. AFAIU, you didn't need to add your own NAT rule, you already had one. Looks good anyway. You can use tcpdump -vvni as0t1 for communications within your VPN tunnel, tcpdump -vvni eth0 port not 22 and port not 443 matching what leaves your server, tcpdump -vvni eth0 \( tcp and port 443 \) or \( udp and port 1194 \) to see VPN communications. Commented Nov 17, 2019 at 12:45
