brad asked:
My client cannot surf the internet when connected to the VPN. I have
push "redirect-gateway def1"
and
[email protected]:/home# cat /proc/sys/net/ipv4/ip_forward
1
set.
Server and client connect just fine and error-free, and can ping each other across the VPN, but that’s as far as it goes.
[email protected]:/home# cat /etc/openvpn/server.conf
mode server
tls-server
port 1194
proto udp
dev tun
#ca /usr/share/easy-rsa/keys/ca.crt # generated keys
#cert /usr/share/easy-rsa/keys/server.crt
#key /usr/share/easy-rsa/keys/server.key # keep secret
#dh /usr/share/easy-rsa/keys/dh2048.pem
ca /pki/ca.crt
cert /pki/issued/vortex.trade.com.crt
key /pki/private/vortex.trade.com.key
dh /pki/dh.pem
# Tunnel subnet handed out to clients. Any forward or NAT rule on the
# server that is meant for VPN traffic has to match this range.
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# NOTE(review): newer OpenVPN releases discourage compression on the
# tunnel; confirm it is still wanted, and keep it identical on both ends.
comp-lzo # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1 # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
# Lets connected clients reach each other directly through the server.
client-to-client
# Clients send all IPv4 through the tunnel. Nothing here pushes an IPv6
# route, so a client's IPv6 traffic keeps using its local uplink.
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
push "dhcp-option DNS 4.2.2.2"
log /var/log/openvpn/openvpn.log
[email protected]:/home# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Standing block for the SSH port. knockd (/etc/knockd.conf) opens it per
# source address by inserting an ACCEPT at the head of INPUT, ahead of
# this DROP, and removes it again after its cmd_timeout.
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
# OpenVPN listener (port 1194/udp, see server.conf).
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Everything arriving from the tunnel is forwarded, so the narrower
# tun0 -> eth0 rule right below it can never match.
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New inbound TCP/80 to one VPN client. Presumably meant to be reached
# from eth0, which would also need a DNAT entry in the nat table below.
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
# No POSTROUTING rule: forwarded VPN traffic leaves eth0 with a 10.9.8.x
# source address that the internet cannot answer. A MASQUERADE (or SNAT)
# rule for the tunnel subnet belongs here, in this table.
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
The issue does seem to have appeared following a knockd installation, but I’m not sure.
[email protected]:/home# cat /etc/knockd.conf
[options]
UseSyslog
# NOTE(review): "IFACE" looks like an unreplaced placeholder rather than a
# real interface name; the commands below assume eth0 — confirm knockd is
# actually listening on the WAN interface.
Interface = IFACE
[SSH]
# Three SYNs to port 90 within 15 s from one source open TCP/2222 for
# that source only. The rule is inserted at the head of INPUT, ahead of
# the standing "--dport 2222 -j DROP" in rules.v4, and is removed again
# after cmd_timeout seconds; sessions already established stay up via
# the RELATED,ESTABLISHED rule.
sequence = 90,90,90
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
cmd_timeout = 20
client:
[email protected]:/home/# cat /etc/openvpn/client.conf
client
# Public address of the VPN server; the ping test from the connected
# client reaches this host, so the tunnel itself is up.
remote 188.120.224.182
dev tun
#ifconfig 10.9.8.2 10.9.8.1
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
# Must match the server's comp-lzo setting.
comp-lzo
verb 3
# Also pushed by the server: the IPv4 default route goes into the tunnel.
# This client holds global IPv6 addresses on both WLAN interfaces and no
# IPv6 route is set here or pushed, so IPv6 traffic bypasses the VPN.
redirect-gateway def1
ping-restart 60
log /var/log/openvpn/openvpn.log
The tunnel interface comes up fine
[email protected]:/home/# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1044649 bytes 565199288 (565.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1044649 bytes 565199288 (565.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.9.8.10 netmask 255.255.255.255 destination 10.9.8.9
inet6 fe80::82a9:e454:8136:6d9f prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29 bytes 4077 (4.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.43.160 netmask 255.255.255.0 broadcast 192.168.43.255
inet6 fe80::3fdf:a130:31c3:32eb prefixlen 64 scopeid 0x20<link>
inet6 2600:100a:b128:d429:ef84:249c:a98d:f078 prefixlen 64 scopeid 0x0<global>
inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022 prefixlen 64 scopeid 0x0<global>
ether dc:53:60:6d:f3:62 txqueuelen 1000 (Ethernet)
RX packets 7446346 bytes 5129002739 (5.1 GB)
RX errors 0 dropped 212149 overruns 0 frame 0
TX packets 4900063 bytes 859603059 (859.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.43.25 netmask 255.255.255.0 broadcast 192.168.43.255
inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c prefixlen 64 scopeid 0x0<global>
inet6 fe80::fde3:a1d3:3dc5:56ec prefixlen 64 scopeid 0x20<link>
inet6 2600:100a:b128:d429:c93:106a:f84a:4f78 prefixlen 64 scopeid 0x0<global>
ether 1c:bf:ce:bf:5f:ba txqueuelen 1000 (Ethernet)
RX packets 526561 bytes 480490738 (480.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 456675 bytes 94595265 (94.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
When connected, I can ping the VPN server’s WAN interface from the client through the tunnel.
[email protected]:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms
But no farther
[email protected]:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms
I suspect the firewall, but I can’t find the issue.
My answer:
You’re missing a NAT rule on the VPN server to translate IPv4 traffic. Maybe it was deleted, maybe you never had one. It’s not possible for me to say. But you should start getting IPv4 traffic as soon as you add such a rule to the nat table. Something like:
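# Source-NAT only the tunnel subnet (10.9.8.0/24, the "server" range in
# server.conf) as it leaves the WAN interface, so replies come back to a
# routable address; limiting it by source keeps other forwarded traffic
# out of the NAT. This is a live-only change: add the same rule to the
# *nat section of /etc/iptables/rules.v4 or it is gone after a reboot.
iptables -t nat -I POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE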
should get you started.
WARNING: Your VPN server isn’t providing IPv6 connectivity. This means your IPv6 traffic will not go through the VPN but will continue to flow through your existing local connection. This is called a leak, and it is generally a serious problem. You need to reconfigure your VPN server to provide IPv6 connectivity to your clients.