6

i try to setup openvpn on a vps and I'm able to establish a connection to the server, but the gateway isn't assigned to the client.

Here are my config files:

client config:

client
dev tun
proto udp
remote foo.bar 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
redirect-gateway
comp-lzo
verb 3
pull

server config:

port 1194
proto udp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key
dh easy-rsa/2.0/keys/dh2048.pem
server 172.30.90.0 255.255.255.192
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3

ifconfig client:

tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.30.90.6 --> 172.30.90.5 netmask 0xffffffff
open (pid 42823)

iptables rules on the server:

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 

I want to route the whole traffic over the VPN. I already added redirect-gateway, so it should work. I really can't see whats wrong here and I hope that you can help me to fix the issue.

Thanks!

frozenbit
  • 61
  • 1
  • 1
  • 2

2 Answers2

4

After connecting to the VPN, run the command route -n or netstat -rn on the client and see if the gateway address is assigned.

Check if you've done the following:

On the server:

push gateway to client:

Add this to file: /etc/openvpn/server.conf

push "redirect-gateway def1"

Add this to file: /etc/sysctl.conf

net.ipv4.ip_forward=1

Or issue the following command to set this variable for the current session:

echo 1 > /proc/sys/net/ipv4/ip_forward

Issue the following commands to configure iptables to properly forward traffic through the VPN:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s [vpn client subnet] -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s [vpn client subnet] -o eth0 -j MASQUERADE

Source

FoamyBeer
  • 361
  • 1
  • 5
0

Try removing:

redirect-gateway

in the client configuration.

You are already pushing the redirect-gateway configuration via the push mechanism of the server and only in that case you are sending it with the correct parameter (def1).

The behavior of redirect-gateway without parameter is openvpn-version-dependent (and you did not specify your specific version) so better be on the safe side.

If this does not help, I see different possible problems.

I suggest the following troubleshoot:

  • check that you can ping the other side of the tunnel
  • if yes, try adding manually the default gateway pointing to the remote side of the tunnel and try pinging 8.8.8.8 (to remove a possible problem in the DNS you are pushing through the tunnel)
  • if that does not work, your problem is likely in the nat configuration (you did not post the result of iptables -L -t nat) or in the forwarding configuration
  • if that works, but pinging www.google.com does not work your problem is likely in the DNS configuration
Flup
  • 7,688
  • 1
  • 31
  • 43