OpenVPN: Client cannot ping 4.2.2.2 when connected

on

brad asked:

My client cannot surf the internet when connected to the vpn. I have

push "redirect-gateway def1"

and

[email protected]:/home# cat /proc/sys/net/ipv4/ip_forward
1

set.

Sserver and client connect just fine and error free and can ping each other across the VPN, but that’s as far as it goes.

[email protected]:/home# cat /etc/openvpn/server.conf

mode server
tls-server
port 1194
proto udp
dev tun

#ca      /usr/share/easy-rsa/keys/ca.crt    # generated keys
#cert    /usr/share/easy-rsa/keys/server.crt
#key     /usr/share/easy-rsa/keys/server.key  # keep secret
#dh      /usr/share/easy-rsa/keys/dh2048.pem

ca      /pki/ca.crt
cert    /pki/issued/vortex.trade.com.crt
key     /pki/private/vortex.trade.com.key
dh      /pki/dh.pem

server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo         # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 1  # verbose mode
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd
client-to-client
push "redirect-gateway def1"
push "redirect-gateway bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
#push "dhcp-option DNS 188.120.247.2"
#push "dhcp-option DNS 188.120.247.8"
#push "dhcp-option DNS 82.146.59.250"
push "dhcp-option DNS 4.2.2.2"

log /var/log/openvpn/openvpn.log

[email protected]:/home# cat /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 695 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 3128 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 6667 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9001 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 9030 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.9.8.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 2222 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 695 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9001 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 9030 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*nat
:PREROUTING ACCEPT [58:7571]
:INPUT ACCEPT [8:2109]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:120]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020
# Generated by iptables-save v1.6.0 on Mon Jul 20 07:13:41 2020
*mangle
:PREROUTING ACCEPT [254:43256]
:INPUT ACCEPT [216:40502]
:FORWARD ACCEPT [7:420]
:OUTPUT ACCEPT [93:16424]
:POSTROUTING ACCEPT [100:16844]
COMMIT
# Completed on Mon Jul 20 07:13:41 2020

The issue does seem to have appeared following a knockd installation, but not sure.

[email protected]:/home# cat /etc/knockd.conf

[options]
        UseSyslog
    Interface = IFACE
[SSH]
        sequence = 90,90,90
        seq_timeout = 15
        tcpflags = syn
        start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
        stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 2222 -j ACCEPT
        cmd_timeout = 20

client:

[email protected]:/home/# cat /etc/openvpn/client.conf 
client
remote 188.120.224.182
dev tun
#ifconfig 10.9.8.2 10.9.8.1
nobind
#persist-key
#persist-tun
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/dell.trade.com.crt
key /etc/openvpn/dell.trade.com.key
comp-lzo
verb 3
redirect-gateway def1
ping-restart 60
log /var/log/openvpn/openvpn.log

The tunnel interface comes up fine

[email protected]:/home/# ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1044649  bytes 565199288 (565.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1044649  bytes 565199288 (565.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.9.8.10  netmask 255.255.255.255  destination 10.9.8.9
        inet6 fe80::82a9:e454:8136:6d9f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 4077 (4.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.160  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 fe80::3fdf:a130:31c3:32eb  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:ef84:249c:a98d:f078  prefixlen 64  scopeid 0x0<global>
        inet6 2600:100a:b128:d429:9cdb:5dbf:2415:6022  prefixlen 64  scopeid 0x0<global>
        ether dc:53:60:6d:f3:62  txqueuelen 1000  (Ethernet)
        RX packets 7446346  bytes 5129002739 (5.1 GB)
        RX errors 0  dropped 212149  overruns 0  frame 0
        TX packets 4900063  bytes 859603059 (859.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlx1cbfcebf5fba: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.43.25  netmask 255.255.255.0  broadcast 192.168.43.255
        inet6 2600:100a:b128:d429:fc6e:cdca:d721:6d6c  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fde3:a1d3:3dc5:56ec  prefixlen 64  scopeid 0x20<link>
        inet6 2600:100a:b128:d429:c93:106a:f84a:4f78  prefixlen 64  scopeid 0x0<global>
        ether 1c:bf:ce:bf:5f:ba  txqueuelen 1000  (Ethernet)
        RX packets 526561  bytes 480490738 (480.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 456675  bytes 94595265 (94.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I can ping the WAN interface of the VPN from the tunnel from the client when connected.

[email protected]:/home/# ping 188.120.224.182
PING 188.120.224.182 (188.120.224.182) 56(84) bytes of data.
64 bytes from 188.120.224.182: icmp_seq=1 ttl=46 time=212 ms
64 bytes from 188.120.224.182: icmp_seq=2 ttl=46 time=310 ms
64 bytes from 188.120.224.182: icmp_seq=3 ttl=46 time=329 ms
64 bytes from 188.120.224.182: icmp_seq=4 ttl=46 time=180 ms
^C
--- 188.120.224.182 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 180.428/257.780/328.903/63.126 ms

But no farther

[email protected]:/home/# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
^C
--- 4.2.2.2 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5098ms

I suspect firewall but I can’t find the issue.

My answer:

You’re missing a NAT rule on the VPN server to translate IPv4 traffic. Maybe it was deleted, maybe you never had one. It’s not possible for me to say. But you should start getting IPv4 traffic as soon as you add such a rule to the nat table. Something like:

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

should get you started.

WARNING: Your VPN server isn’t providing IPv6 connectivity. This means your IPv6 traffic will not go through the VPN but will continue to flow through your existing local connection. This is called a leak, and it is generally a serious problem. You need to reconfigure your VPN server to provide IPv6 connectivity to your clients.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Related Post

Yum repo server as archive cache

Ruby app onetimesecret failing to start from systemd unit

Centos7 can't boot with shim-x64-15-7.el7_9.x86_64

Why du -sh * tells me sys has 0 size?

MYSQL – Use longblob with 4GB despite max_allowed_packet of 1GB

My yum repository able to search packages, but not able to install it in RHEL?