I'm trying to make my client forward all traffic through a VPS running OpenVPN. As you can see, it will allow pings to both domains and raw IP addresses, but it will not allow traffic like that made through curl and traceroute doesn't come up with anything. The traffic works correctly when not connected to the VPN.

All information is here: https://pastebin.com/tGspNefn

Thank you.

Working configs thanks to the solution below:

Server:

port <integer>
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh4096.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway autolocal"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Client:

client
dev tun
proto udp
remote x.x.x.x <port number>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vpnclient.crt
key vpnclient.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
DrDinosaur
  • `/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5` why netmask 128.0.0.0? – Antony Gibbs Dec 01 '14 at 02:27
  • Thanks DrDinosaur for pointing out http://serverfault.com/questions/312860/why-openvpn-use-network-0-0-0-0-netmask-128-0-0-0-as-default-route – Antony Gibbs Dec 01 '14 at 02:28
  • 3
    Next time extract the *relevant* information and include it in the question. Pastebin snippets have a limited lifetime. – MLu Dec 02 '14 at 22:06
  • Here is an update considering IPv4 traffic but also IPv6: https://serverfault.com/questions/408193/how-can-i-configure-openvpn-server-without-push-default-gateway/1053649#1053649 – 200313 Feb 14 '21 at 20:59

1 Answer

There are two parts to the solution:

1. Redirect all the traffic into the tunnel

The easiest solution - use OpenVPN's --redirect-gateway autolocal option (or put it in the config file as redirect-gateway autolocal).

2. Handle the traffic on the OpenVPN server

Now that the tunnel is up all the traffic goes into the tunnel and pops up at the server's end from the tun0 interface.

You need to configure two things to make it work:

a. Enable packet forwarding

By default in most distributions the packet forwarding is disabled, hence packets from the tunnel interface never make it to the public interface. You must enable forwarding with:

~ # sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Once tested make the change permanent in /etc/sysctl.conf

Also make sure that iptables are not blocking the forwarded traffic:

~ # iptables -I FORWARD -j ACCEPT

This is good enough for testing - in production you'll want to make the firewall rules a bit more specific, but that's out of scope here.

b. NAT the outgoing packets from the tunnel

With forwarding enabled the packets are by default forwarded with their source address unchanged, that is in your case 10.8.0.6 - such packets are either dropped at the ISP gateway or, even if they make it to the destination, the reply never finds its way back. These private addresses are not routable on the internet.

The solution is to NAT the egress traffic, i.e. replace the private 10.8.0.6 address with the VPN server's public IP. That will ensure that the replies reach the VPN server and there they will get forwarded back into the tunnel.

~ # iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

3. Test it

Now try ping 8.8.4.4 from your VPN client. You should see a reply. Let us know if not :)

MLu
  • This works perfectly now. Many thanks for the high quality answer. – DrDinosaur Dec 03 '14 at 05:01
  • On the client side add pull to the client.conf file, or add the --pull option to the command line, so the client would accept configuration pushed by the server. Also if the client runs under Windows Vista or newer disable UAC, otherwise the openvpn service running on the client will be unable to set routes. – Viktor Sep 23 '15 at 08:35
  • "b. NAT the outgoing packets from the tunnel" That was helpful to me. – FelikZ Nov 14 '15 at 19:51
  • Really take into account that the FORWARD -j ACCEPT rule makes the server an open router between all its interfaces. It must not be used on production systems. But for a HowTo to get it basically working quickly, a very good instruction set. – Sprinterfreak Dec 18 '17 at 17:24
  • Does the `Redirect all the traffic into the tunnel` step go in the client config? – aircraft Sep 02 '18 at 16:29
  • How about the server is Windows? – aircraft Sep 02 '18 at 16:35
  • `redirect-gateway autolocal` was exactly what I needed, thanks – Jacob Evans Sep 04 '19 at 18:45
  • It works, but in the server config it must be `push "redirect-gateway autolocal"` – PRIHLOP May 18 '20 at 12:35
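The server-side steps 2a and 2b of the answer above, as an added example script that is not from the answer or its comments. It keeps the forwarding and MASQUERADE setup but replaces the blanket `FORWARD -j ACCEPT` with a default-deny FORWARD policy that only passes VPN-to-internet traffic and its replies, addressing the "open router" caveat raised in the comments. The interface names tun0 and eth0 and the subnet 10.8.0.0/24 come from the page; the function names and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own commands): tighter forward/NAT setup
# for an OpenVPN server that redirects all client traffic. Run as root.
VPN_IF="${VPN_IF:-tun0}"          # OpenVPN tunnel interface (from the page)
WAN_IF="${WAN_IF:-eth0}"          # public interface (from the page)
VPN_NET="${VPN_NET:-10.8.0.0/24}" # OpenVPN client subnet (from the page)

# With DRY_RUN=1 the commands are printed instead of executed (assumed helper).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 2a + 2b with a restrictive FORWARD chain: the policy becomes DROP, so
# the host no longer forwards between arbitrary interfaces; only packets from
# the VPN subnet heading out the public interface, and conntrack-tracked
# replies coming back in, are allowed. Any other forwarding this host must do
# has to be allowed explicitly after this.
vpn_forwarding_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Returns 0 when kernel forwarding is enabled and the MASQUERADE rule exists,
# which is the state the answer's "ping 8.8.4.4 from the client" test needs.
check_vpn_forwarding() {
  [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ] || return 1
  iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE \
    2>/dev/null || return 1
  return 0
}
```

Run `DRY_RUN=1 sh script.sh` style invocations of `vpn_forwarding_rules` to review the rules before applying them, then `check_vpn_forwarding` to confirm the state.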