How do I configure OpenVPN for accessing the internet with one NIC?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Lekensteyn on Server Fault See other posts from Server Fault or by Lekensteyn
Published on 2011-02-14T23:30:37Z Indexed on 2011/02/15 23:27 UTC
Read the original article Hit count: 395

Filed under:

I've been trying to get OpenVPN to work for three days. After reading many questions, the HOWTO, the FAQ and even parts of a guide to Linux networking, I cannot get my an Internet connection to the Internet.

I'm trying to set up a OpenVPN server on a VPS, which will be used for:

  • secure access to the Internet
  • bypassing port restrictions (directadmin/2222 for example)
  • an IPv6 connection (my client does only have IPv4 connectivity, while the VPS has both IPv4 and native IPv6 connectivity) (if possible)

I can connect to my server and access the machine (HTTP), but Internet connectivity fails completely. I'm using ping 8.8.8.8 for testing whether my connection works or not.

Using tcpdump and iptables -t nat -A POSTROUTING -j LOG, I can confirm that the packets reach my server. If I ping to 8.8.8.8 on the VPS, I get an echo-reply from 8.8.8.8 as expected. When pinging from the client, I do not get an echo-reply.

The VPS has only one NIC: etho. It runs on Xen.

Summary: I want to have a secure connection between my laptop and the Internet using OpenVPN. If that works, I want to have IPv6 connectivity as well.

Network setup and software:

 Home laptop    (eth0: 192.168.2.10) (tap0: 10.8.0.2)
  |      |       (running Kubuntu 10.10; OpenVPN 2.1.0-3ubuntu1)
  | wifi |
router/gateway  (gateway 192.168.2.1)
      |
  INTERNET
      |
     VPS        (eth0:1.2.3.4)       (gateway, tap0: 10.8.0.1)
                  (running Debian 6; OpenVPN 2.1.3-2)

wifi and my home router should not cause problems since all traffic goes encrypted over UDP port 1194.

I've turned IP forwarding on:

# echo 1 > /proc/sys/net/ipv4/ip_forward

iptables has been configured to allow forwarding traffic as well:

iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j DROP

I've tried each of these rules separately without luck (flushing the chains before executing):

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

route -n before (server):

1.2.3.4         0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 eth0

route -n after (server):

1.2.3.4         0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
0.0.0.0         1.2.3.4         0.0.0.0         UG    0      0        0 eth0

route -n before (client):

192.168.2.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0

route -n after (client):

1.2.3.4         192.168.2.1     255.255.255.255 UGH   0      0        0 wlan0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.2.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tap0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tap0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 wlan0

SERVER config

proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
log-append openvpn-log
verb 3
mute 10

CLIENT config

dev tap
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
mute 20

traceroute 8.8.8.8 works as expected (similar output without OpenVPN activated):

 1  10.8.0.1 (10.8.0.1)  24.276 ms  26.891 ms  29.454 ms
 2  gw03.sbp.directvps.nl (178.21.112.1)  31.161 ms  31.890 ms  34.458 ms
 3  ge0-v0652.cr0.nik-ams.nl.as8312.net (195.210.57.105)  35.353 ms  36.874 ms  38.403 ms
 4  ge0-v3900.cr0.nik-ams.nl.as8312.net (195.210.57.53)  41.311 ms  41.561 ms  43.006 ms
 5  * * *
 6  209.85.248.88 (209.85.248.88)  147.061 ms  36.931 ms  28.063 ms
 7  216.239.49.36 (216.239.49.36)  31.109 ms  33.292 ms 216.239.49.28 (216.239.49.28)  64.723 ms
 8  209.85.255.130 (209.85.255.130)  49.350 ms 209.85.255.126 (209.85.255.126)  49.619 ms 209.85.255.122 (209.85.255.122)  52.416 ms
 9  google-public-dns-a.google.com (8.8.8.8)  41.266 ms  44.054 ms  44.730 ms

If you have any suggestions, please comment or answer.

Thanks in advance.

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about openvpn

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle