After reading many questions, the HOWTO, the FAQ and even parts of a guide to Linux networking, I cannot get my an Internet connection to the Internet.
I'm trying to set up a OpenVPN server on a VPS, which will be used for:
- secure access to the Internet
- bypassing port restrictions (directadmin/2222 for example)
- an IPv6 connection (my client does only have IPv4 connectivity, while the VPS has both IPv4 and native IPv6 connectivity) (if possible)
I can connect to my server and access the machine (HTTP), but Internet connectivity fails completely. I'm using ping 8.8.8.8
for testing whether my connection works or not.
Using tcpdump
and iptables -t nat -A POSTROUTING -j LOG
, I can confirm that the packets reach my server. If I ping to 8.8.8.8 on the VPS, I get an echo-reply
from 8.8.8.8 as expected. When pinging from the client, I do not get an echo-reply
.
The VPS has only one NIC: etho
. It runs on Xen. I would like to avoid network bridging (br0).
Summary: I want to have a secure connection between my laptop and the Internet using OpenVPN. If that works, I want to have IPv6 connectivity as well.
Network setup and software:
Home laptop (eth0: 192.168.2.10) (tap0: 10.8.0.2)
| | (running Kubuntu 10.10; OpenVPN 2.1.0-3ubuntu1)
| wifi |
router/gateway (gateway 192.168.2.1)
|
INTERNET
|
VPS (eth0:1.2.3.4) (gateway, tap0: 10.8.0.1)
(running Debian 6; OpenVPN 2.1.3-2)
wifi and my home router should not cause problems since all traffic goes encrypted over UDP port 1194.
I've turned IP forwarding on:
# echo 1 > /proc/sys/net/ipv4/ip_forward
iptables
has been configured to allow forwarding traffic as well:
iptables -F FORWARD
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j DROP
I've tried each of these rules separately without luck (flushing the chains before executing):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
route -n
before (server):
1.2.3.4 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 1.2.3.4 0.0.0.0 UG 0 0 0 eth0
route -n
after (server):
1.2.3.4 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
0.0.0.0 1.2.3.4 0.0.0.0 UG 0 0 0 eth0
route -n
before (client):
192.168.2.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 wlan0
route -n
after (client):
1.2.3.4 192.168.2.1 255.255.255.255 UGH 0 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.2.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 wlan0
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tap0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 wlan0
SERVER config
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log-append openvpn-log
verb 3
mute 10
CLIENT config
dev tap
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
user nobody
group nogroup
verb 3
mute 20
traceroute 8.8.8.8
works as expected (similar output without OpenVPN activated):
1 10.8.0.1 (10.8.0.1) 24.276 ms 26.891 ms 29.454 ms
2 gw03.sbp.directvps.nl (178.21.112.1) 31.161 ms 31.890 ms 34.458 ms
3 ge0-v0652.cr0.nik-ams.nl.as8312.net (195.210.57.105) 35.353 ms 36.874 ms 38.403 ms
4 ge0-v3900.cr0.nik-ams.nl.as8312.net (195.210.57.53) 41.311 ms 41.561 ms 43.006 ms
5 * * *
6 209.85.248.88 (209.85.248.88) 147.061 ms 36.931 ms 28.063 ms
7 216.239.49.36 (216.239.49.36) 31.109 ms 33.292 ms 216.239.49.28 (216.239.49.28) 64.723 ms
8 209.85.255.130 (209.85.255.130) 49.350 ms 209.85.255.126 (209.85.255.126) 49.619 ms 209.85.255.122 (209.85.255.122) 52.416 ms
9 google-public-dns-a.google.com (8.8.8.8) 41.266 ms 44.054 ms 44.730 ms
If you have any suggestions, please comment or answer.
Thanks in advance.