
I'm running an OpenVPN server on a VPS running Debian 5, and an OpenVPN client on Ubuntu 11.04 Desktop. I want all outgoing traffic from the client to be tunnelled through the VPN server.

I'm able to initiate a connection from the client to the server, and ping successfully between them, but when I try to access outside IP addresses from the client, I am not successful.

For instance, when pinging google by IP:

    ping -n 74.125.91.106
    PING 74.125.91.106 (74.125.91.106) 56(84) bytes of data.
    ^C
    --- 74.125.91.106 ping statistics ---
    7 packets transmitted, 0 received, 100% packet loss, time 6048ms

On the server side, I can see the ping requests coming through the tunnel, but no replies going back down:

    tcpdump -i tun0
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
    21:24:59.384736 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 1, length 64
    21:25:00.391970 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 2, length 64
    21:25:01.400394 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 3, length 64
    21:25:02.408914 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 4, length 64
    21:25:03.416378 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 5, length 64
    21:25:04.424289 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 6, length 64
    21:25:05.431804 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7537, seq 7, length 64

I can also see these on the venet0 interface on the server:

    tcpdump -i venet0:0 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on venet0:0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    21:39:11.397967 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 1, length 64
    21:39:12.407609 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 2, length 64
    21:39:13.415194 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 3, length 64
    21:39:14.423050 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 4, length 64
    21:39:15.431005 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 5, length 64
    21:39:16.439687 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 6, length 64
    21:39:17.446949 IP 10.8.0.6 > qy-in-f106.1e100.net: ICMP echo request, id 7588, seq 7, length 64

I can also ping google successfully from the server.

Any idea what might be causing this?

Server config file:

    dev tun
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    push "route 10.8.0.0 255.255.255.0"
    push "redirect-gateway"
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    group daemon
    daemon

Client config file:

    remote <<server IP>>
    dev tun
    comp-lzo
    ca ca.crt
    cert client1.crt
    key client1.key
    route-delay 2
    route-method exe
    redirect-gateway def1
    dhcp-option DNS 10.8.0.1
    verb 3


You need to map "incoming" traffic to be properly routed to the client. I.e. you need to set a NAT translation on the server for the IP (the VPN one) of the client.

What you see is that the server does not know how to forward the replies.

Here are instructions how to do this: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect - look at the iptables configuration on the server.


IP forwarding enabled? Source NATing the VPN clients?

Source NATing is translating the (VPN client) addresses to the external IP address. As sunny says, the receiving server wouldn't know how to route back to an internal IP, even if your ISP didn't filter it in the first place.

    # eth0 is the server's outbound interface; on this OpenVZ VPS that is venet0
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    # -A (append), not -a: iptables has no lowercase -a option
    iptables -A FORWARD -i tun0 -j ACCEPT
  • I have set net.ipv4.ip_forward=1 in /etc/sysctl.conf. What is source NATing? Commented Jul 15, 2011 at 18:20
  • I tried this but received: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE iptables: No chain/target/match by that name. Commented Jul 15, 2011 at 21:56
  • I'm running this VPS on an OpenVZ server. I found this: forums.vpslink.com/lounge/…, but I'm unable to get MASQUERADING or SNAT working. Commented Jul 15, 2011 at 21:59
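The two answers above boil down to one procedure: confirm the kernel forwards between tun0 and the outbound interface, then give the 10.8.0.0/24 clients a return path by source-NATing them to the server's public address. The script below is an added example, not code from either answer: it checks forwarding, prints (or, with DRY_RUN=0 as root, applies) the rules, and falls back from MASQUERADE to an explicit SNAT when a fixed public IP is supplied, which is the form to try on an OpenVZ container where the MASQUERADE target reported "No chain/target/match by that name". The interface name venet0, the subnet and the PUBLIC_IP placeholder are assumptions taken from the question; if neither target loads inside the container, the nat modules have to be enabled for it on the OpenVZ host, which only the provider can do.

```shell
#!/bin/sh
# Added example (not from the question or answers): enable forwarding and
# source NAT for OpenVPN clients, with a dry-run mode for review.
set -eu

VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"   # matches "server 10.8.0.0 255.255.255.0"
WAN_IF="${WAN_IF:-venet0}"               # OpenVZ outbound interface; eth0 on most hosts
PUBLIC_IP="${PUBLIC_IP:-}"               # set to the server's public IP to use SNAT
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands only, 0 = execute as root

# run_or_echo: execute a command, or just show it in dry-run mode
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forwarding_ok: return 0 when the kernel forwards packets between interfaces.
# An explicit value can be passed for testing; by default the live setting is read.
forwarding_ok() {
    val="${1:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)}"
    [ "$val" = "1" ]
}

# nat_rules: print the iptables rules that give VPN clients a return path.
# $1 = VPN subnet, $2 = outbound interface, $3 = optional fixed public IP.
# With a public IP, SNAT is used instead of MASQUERADE (OpenVZ fallback).
nat_rules() {
    subnet="$1"; iface="$2"; pubip="${3:-}"
    if [ -n "$pubip" ]; then
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $pubip"
    else
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE"
    fi
    # Forward client traffic out, and only established/related traffic back in,
    # so a later "iptables -P FORWARD DROP" does not expose the tunnel.
    echo "iptables -A FORWARD -i tun0 -o $iface -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -i $iface -o tun0 -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

main() {
    if forwarding_ok; then
        echo "# net.ipv4.ip_forward is already 1"
    else
        run_or_echo sysctl -w net.ipv4.ip_forward=1
    fi
    nat_rules "$VPN_SUBNET" "$WAN_IF" "$PUBLIC_IP" | while IFS= read -r cmd; do
        # word-splitting of $cmd is intended here: each line is one command
        # shellcheck disable=SC2086
        run_or_echo $cmd
    done
    echo "# verify: tcpdump -ni tun0 icmp should now show echo replies after the requests"
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the exact rules for your interface, then `DRY_RUN=0 PUBLIC_IP=<server IP> sh nat.sh` as root. Persist the rules (for example via iptables-save or an interface up-script) and keep net.ipv4.ip_forward=1 in /etc/sysctl.conf, otherwise the fix disappears at the next reboot.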
