
OpenVPN LAN connected - but no internet on client


I have been trying to get it working for a while. I have an OpenVPN server (installed using Angristan's script, https://github.com/angristan/openvpn-install ) on an OpenVZ 7 VPS running Debian 10, so most of the configuration was handled by it. It created a client config file (myClient.ovpn) which I downloaded on the client. On the client (which is Linux Mint 20.3), I am testing the connection using:

openvpn --client --config myClient.ovpn

It connects fine, and I can now ping the VPN gateway, i.e. (from the client):

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=87.9 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=86.6 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=86.6 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 86.551/87.041/87.946/0.640 ms

But I can't ping Google or anything else; apparently it's a routing/NAT issue, and I can't find the fault with my limited knowledge:

ping 8.8.8.8 is failing.

DNS is working properly: if I use ping yahoo.com then it resolves to Yahoo's IP, but again I can't ping it.

$ ping yahoo.com
PING yahoo.com (74.6.143.25) 56(84) bytes of data.

--- yahoo.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3154ms

Server Details :

OpenVPN version:

~# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan

~# uname -a
Linux mySerer.domainHost.com 4.19.0 #1 SMP Tue Aug 25 11:59:26 MSK 2020 x86_64 GNU/Linux

Note: It's an OpenVZ 7 based VPS.

Server config:

~# cat /etc/openvpn/server.conf
port 2220
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_JCJHDggypybdTuKJ.crt
key server_JCJHDggypybdTuKJ.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 4 

Networking details after starting openvpn server:

~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/void
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet Y.Y.Y.Y/32 brd Y.Y.Y.Y scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2402:x:x:x:x::dc37/80 scope global
       valid_lft forever preferred_lft forever
    inet6 ::2/128 scope global
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::505f:b97:1101:5f33/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

On server (iptables rules)

~# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them 

On server, ip route:

 $ ip route
default dev venet0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1

Forwarding status (on server)

sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.venet0.forwarding = 1
net.ipv4.conf.venet0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0
net.ipv6.conf.venet0.forwarding = 0
net.ipv6.conf.venet0.mc_forwarding = 0

The client is able to connect to VPN, I can ping the vpn gateway (10.8.0.1) as already mentioned on top.

route on client after connecting to VPN:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         CLIENT-HOSTNAME  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
SERVER-HOSTNAME  CLIENT-HOSTNAME 255.255.255.255 UGH   0      0        0 eth0
192.168.224.0   0.0.0.0         255.255.240.0   U     0      0        0 eth0

I am currently out of ideas; although the NAT rules seem alright on the server, and the client route also shows the right configuration. Since I am not into networking, I can't figure this out. Setting up a simple VPN turned out to be a costly time affair. Does it have something to do with the OpenVZ 7 based server?

CSF is working properly, so I suppose the required modules for iptables are available on the server.

perl csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

I have been trying it on a Debian 10 client as well as Linux Mint 20.x, same behaviour: the client can connect and can use the VPN LAN, but can't browse the internet.

If anything else is needed, please let me know.

tcpdump the interfaces to make sure the packets come in on the VPN interface on the server, then check that they go out the default-route interface from the server, and whether they come back in or not, etc.
mangohost
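Turning the checks on this page (IPv4 forwarding, the POSTROUTING MASQUERADE counters, the iptables-legacy warning, and the tcpdump steps from the comment) into a small shell helper, as an added example that is not code from the original post, the comment, or the Angristan script. The iptables and sysctl output it parses is constructed to mirror the question; `venet0`, `tun0` and `10.8.0.0/24` are the interface and subnet names from the post, and the order in which it ranks the checks is an assumption about what is most likely, not a diagnosis of this server.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post or the comment.
# It reads the text of `iptables -t nat -L -n -v -x` and of `sysctl` and
# turns the checks suggested on this page into a first-step recommendation.
# All sample output below is constructed to mirror the question.

# Constructed sample: the NAT table as shown in the question. The MASQUERADE
# rule has counted 0 packets and iptables warns that iptables-legacy also
# holds rules.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them'

# Constructed sample of a working server: the same rule after clients have
# reached the internet through it, and no second backend in play.
SAMPLE_NAT_OK='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 MASQUERADE  all  --  *      venet0  10.8.0.0/24          0.0.0.0/0'

# Packets counted by the MASQUERADE rule whose out-interface is $2 and whose
# source is $3. Prints 0 when no such rule exists. Use -x on iptables so the
# counters are not abbreviated to 12K/3M, which this parser does not handle.
masquerade_hits() {
    printf '%s\n' "$1" | awk -v oif="$2" -v src="$3" '
        $3 == "MASQUERADE" && $7 == oif && $8 == src { n = $1 }
        END { print n + 0 }'
}

# Exit 0 if iptables reported rules in the legacy backend as well. On Debian
# 10 `iptables` is the nf_tables wrapper; the kernel enforces rules from both
# backends, but each `-L` listing only shows one of them.
split_backend() {
    printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'
}

# Exit 0 if IPv4 forwarding is on, given `sysctl net.ipv4.ip_forward` or
# `sysctl -a | grep forwarding` output.
ipv4_forwarding_on() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.(ip_forward|conf\.all\.forwarding) = 1$'
}

# next_step NAT_OUTPUT SYSCTL_OUTPUT UPLINK_IF VPN_SUBNET
# Prints the single most useful next check, ranked by assumed likelihood.
next_step() {
    nat_out=$1; sysctl_out=$2; oif=$3; vpn_net=$4
    if ! ipv4_forwarding_on "$sysctl_out"; then
        echo "forwarding: IPv4 forwarding is off, set net.ipv4.ip_forward=1"
    elif split_backend "$nat_out"; then
        echo "backend: rule sets are split; also run iptables-legacy -L -n -v and iptables-legacy -t nat -L -n -v, and look for a FORWARD drop"
    elif [ "$(masquerade_hits "$nat_out" "$oif" "$vpn_net")" -eq 0 ]; then
        echo "nat: MASQUERADE never matched; tcpdump -ni tun0 icmp, then tcpdump -ni $oif icmp, and check the filter FORWARD chain"
    else
        echo "reply: NAT is matching; tcpdump -ni $oif icmp for return packets and check the client route"
    fi
}

# Run against the sample from the question.
next_step "$SAMPLE_NAT" "net.ipv4.conf.all.forwarding = 1" venet0 10.8.0.0/24
```

Two details in the question are worth reading together. The MASQUERADE counter is expected to stay at 0 while the client only pings 10.8.0.1, because that traffic terminates on the server and never traverses POSTROUTING towards venet0; it should increase once the client sends packets to 8.8.8.8, so a counter that stays at 0 after such a test means the forwarded packets are dropped or lost before NAT. And the `iptables-legacy tables present` warning means a second rule set is enforced by the kernel that the listing above does not show, so a drop in a FORWARD chain written through iptables-legacy would be invisible here; compare both backends before trusting either listing. Run the suggested commands as root on the server, adding `-x` to iptables so counters are not abbreviated.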
