I set up an OpenVPN server on a CentOS box and I can get the client (OS X) to connect, but I can't access the internet or even the local network. I thought maybe DNS, but I couldn't access any sites via IP. Any help would be appreciated. I will list my config files below.
server.conf:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
client.conf:
client
dev tun
proto udp
remote My server IP 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
auth-user-pass
comp-lzo
verb 3
ifconfig (client):
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 10:40:f3:88:27:6c
inet6 fe80::1240:f3ff:fe88:276c%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 02:40:f3:88:27:6c
media: autoselect
status: inactive
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 7494)
ifconfig (server):
eth0 Link encap:Ethernet HWaddr 00:23:54:03:F2:BB
inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::223:54ff:fe03:f2bb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:113530 errors:0 dropped:0 overruns:0 frame:0
TX packets:13376 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25518343 (24.3 MiB) TX bytes:1310138 (1.2 MiB)
Interrupt:26 Base address:0xe000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:828 (828.0 b) TX bytes:828 (828.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:397 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
On the client box, do these tests:
1. Ping 10.8.0.1. If that is not OK, check that the client/server firewalls let ICMP pass through; then we can debug more deeply.
2. Ping 192.168.0.10. If that is not OK, check:
A. The client routing table: where does the traffic go when the destination network is 192.168.0.0/24? It should go to 10.8.0.5/tun0.
B. The server's sysctl net.ipv4.ip_forward; it should be 1.
C. The server's NAT/MASQUERADE with iptables.
3. Traceroute 8.8.8.8. If that is not OK, check which hop stopped the traffic.
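As an added example (not part of the answer above), here is a small POSIX shell audit of the two server-side settings named in steps 2B and 2C. It uses the VPN subnet from the question's server.conf and assumes eth0 is the server's internet-facing interface; it expects the contents of /proc/sys/net/ipv4/ip_forward and the output of `iptables-save -t nat`, and embeds a constructed sample of both so it runs offline.

```sh
# Added example: audit the server-side settings from steps 2B and 2C.
# Assumptions: VPN subnet taken from the question's server.conf; eth0 as the
# internet-facing interface (change WAN_IF if yours is ppp0, atm0, etc.).
VPN_NET="10.8.0.0/24"
WAN_IF="eth0"

# check_forwarding VALUE: succeeds when VALUE (the content of
# /proc/sys/net/ipv4/ip_forward) is 1.
check_forwarding() {
    [ "$1" = "1" ]
}

# check_masquerade TEXT: succeeds when TEXT (output of `iptables-save -t nat`)
# contains a POSTROUTING MASQUERADE rule for VPN_NET leaving via WAN_IF.
check_masquerade() {
    printf '%s\n' "$1" \
        | grep -E -- '^-A POSTROUTING ' \
        | grep -F -- "-s ${VPN_NET} " \
        | grep -F -- "-o ${WAN_IF} " \
        | grep -q -- '-j MASQUERADE'
}

# audit FORWARD_VALUE NAT_TEXT: prints the fix for each missing setting and
# returns the number of missing settings (0 means both are in place).
audit() {
    missing=0
    if ! check_forwarding "$1"; then
        echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1 (persist it in /etc/sysctl.conf)"
        missing=$((missing + 1))
    fi
    if ! check_masquerade "$2"; then
        echo "no NAT for ${VPN_NET}: iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${WAN_IF} -j MASQUERADE"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample input: a server with forwarding off and an empty nat table.
SAMPLE_FORWARD="0"
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Stand-alone run against the sample; on the real server use instead:
#   audit "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)"
if audit "$SAMPLE_FORWARD" "$SAMPLE_NAT"; then
    echo "forwarding and NAT are in place"
fi
```

With the sample input the audit prints both fix commands and returns 2; once both settings are applied on the server it returns 0.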
First check that you can ping the OpenVPN server's VPN-range IP, 10.8.0.1. Assuming that is successful:
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
Follow the instructions under Using Routing. It assumes your internet connection is eth0; if it isn't, change the value to your internet connection's adapter identifier (ppp0, atm0, etc.). It also assumes that your OpenVPN server is your main router for the internet connection.
After configuring your OpenVPN server and client, there's one more thing that needs to be done: add a route on each computer (or in your network's router) in the local network which is supposed to communicate with computers in the VPN network.
Example:
My home network is: 10.13.0.0/24
OpenVPN network is: 10.14.0.0/24
The OpenVPN server physical NIC is configured as: 10.13.0.1/24
The OpenVPN server vpn NIC is configured as: 10.14.0.1/24
When my client connects to the VPN it gets IP: 10.14.0.6/24
In order for the other computers on the 10.13.0.0/24 network (home computers) to be able to communicate with machines which are connected through VPN, I had to add a specific route:
route add -net 10.14.0.0/24 gw 10.13.0.1 metric 1
This enables computers on the home network to communicate with computers on the OpenVPN network and vice versa.
In your case it will enable your network computers to communicate with the VPN computers.
I wrote a very detailed article on how to install and configure an OpenVPN server, and the above steps are described there. Feel free to check it out; it may help you: How To: OpenVPN on CentOS
On Windows, the client has to run as "Administrator", otherwise the routing will not work. I wonder if there is something similar on Mac? What OpenVPN client (if any) do you use on the Mac? Have you tried running it with elevated permissions?
User contributions licensed under CC BY-SA 3.0