OpenVPN - Connects but no internet on Linux, works perfectly on Windows

2

I have set up an Amazon EC2 server with OpenVPN configured. I can connect using a Windows machine and everything works as expected: internet traffic is all routed through the VPN. With the Ubuntu client, I am able to connect to the server successfully but cannot view web pages in a browser or ping external IPs (such as 8.8.8.8). Does anybody have any idea what I need to change to get this to work? Configurations are posted below:

Ubuntu Server

port 443
proto tcp              # TCP on 443 gets through most filtering middleboxes, at the cost of TCP-over-TCP overhead
dev tun
ca ca.crt
cert singa.crt
key singa.key  # This file should be kept secret
dh dh1024.pem          # 1024-bit DH is weak by current standards; generate a 2048-bit or larger group
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"             # clients route everything via the tunnel (two /1 routes that override the default route)
push "dhcp-option DNS 208.67.222.222"    # OpenDNS resolvers; Windows applies these to the TAP adapter itself,
push "dhcp-option DNS 208.67.220.220"    # a Linux client only applies them if an up script handles them
keepalive 10 120
comp-lzo               # compression; later deprecated because of compression-oracle attacks, leave it off on new deployments
persist-key
persist-tun
status openvpn-status.log
verb 3

Ubuntu Client

client
dev tun
proto tcp
remote (delete) 443
tun-mtu 1500           # these three MTU/MSS lines are the only difference from the Windows config below
tun-mtu-extra 32
mssfix 1450
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server    # rejects a peer that presents a client cert as the server; deprecated in 2.4 and removed in later releases in favour of remote-cert-tls server
comp-lzo
verb 3
<ca>
(deleted)
</ca>
<cert>
(deleted)
</cert>
<key>
(deleted)
</key>

Windows Config

client
dev tun
proto tcp
remote (delete) 443
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
(deleted)
</ca>
<cert>
(deleted)
</cert>
<key>
(deleted)
</key>

Client routing table before connect:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0

Client routing table after connect:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
** SERVERIP **  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0

jonolumb

Posted 2014-02-03T10:48:00.960

Reputation: 316

On Ubuntu, which method do you use to initiate the connection? It can be done either via NetworkManager (the newer approach) or with /etc/init.d/openvpn? – Jan Hudec – 2014-02-03T11:04:55.880

NetworkManager defaults to setting default route to the VPN, but the init script does not. You have to do it manually in the up and down scripts. – Jan Hudec – 2014-02-03T11:11:34.523

Answers

3

I finally got to the bottom of this one.

It turns out that as I am based in China, DNS requests to visit websites such as facebook.com and twitter.com were being filtered by "The Great Firewall". It was therefore necessary to push DNS through the OpenVPN tunnel too.

This can be done in the following manner:

Append these two lines to the client config (.ovpn) file:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Ensure these two lines are included in the server config file:

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Run the client using the following command (the --script-security flag allows the up and down scripts to be run in order to modify /etc/resolv.conf, your system DNS settings):

sudo openvpn --script-security 2 --config client-settings.ovpn

I now have a fully working connection.

Thanks to everybody who tried to help with this!

jonolumb

Posted 2014-02-03T10:48:00.960

Reputation: 316
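What the answer's up/down hook actually does, as an added example that is not part of the original answer and not Ubuntu's own /etc/openvpn/update-resolv-conf: a minimal POSIX sh stand-in for that script. OpenVPN hands every pushed option to the hook as an environment variable foreign_option_1, foreign_option_2, ... (for this server, "dhcp-option DNS 208.67.222.222" and "dhcp-option DNS 208.67.220.220") and sets script_type to "up" or "down". The RESOLV_CONF override, the backup-file name and the DOMAIN handling are assumptions made for the example; the sample option values in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not the original post's code: a minimal stand-in for the
# update-resolv-conf hook referenced in the answer.
#
# OpenVPN exports each pushed option as foreign_option_N, e.g.
#   foreign_option_1="dhcp-option DNS 208.67.222.222"
# and sets script_type=up or script_type=down before running the hook.
# It only runs the hook at all when started with --script-security 2 (or higher).
#
# Assumptions (not from the original post): RESOLV_CONF is the file to rewrite
# (default /etc/resolv.conf; point it at a temp file for a dry run), and the
# pre-VPN copy is kept next to it under a .openvpn-backup suffix.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${RESOLV_CONF}.openvpn-backup"

# Print resolv.conf content built from the foreign_option_* variables:
# one "nameserver" line per pushed DNS option and a single "search" line
# if any DOMAIN options were pushed. Returns 1 if no DNS server was pushed.
build_resolv_conf() {
    i=1
    ns=""
    domains=""
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    ns="$ns ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) domains="$domains ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$ns" ] || return 1
    [ -n "$domains" ] && printf 'search%s\n' "$domains"
    for n in $ns; do
        printf 'nameserver %s\n' "$n"
    done
}

# "up": keep the original resolver config, then replace it with the pushed servers.
vpn_up() {
    content=$(build_resolv_conf) || {
        echo "no DNS pushed; leaving $RESOLV_CONF alone" >&2
        return 0
    }
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP" 2>/dev/null || :
    printf '%s\n' "$content" > "$RESOLV_CONF"
}

# "down": put the original resolver config back so DNS keeps working after disconnect.
vpn_down() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

# Dispatch on what OpenVPN tells us when invoked as an up/down hook.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Wire it in exactly as the answer does: `up` and `down` lines in the .ovpn pointing at the script, and `--script-security 2` on the command line. Two practitioner caveats. First, `--script-security 2` executes whatever script a config names, so an .ovpn file obtained from someone else is effectively code and should be read before it is run. Second, this approach rewrites /etc/resolv.conf directly; on a system where systemd-resolved or NetworkManager owns that file the hook has to talk to those instead (the update-systemd-resolved hook does this), otherwise the change is silently undone and the DNS leak the answer describes comes back.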

0

Insert this line

  redirect-gateway def1

in the Ubuntu client config file.

MariusMatutiae

Posted 2014-02-03T10:48:00.960

Reputation: 41 321

Have tried that - didn't work unfortunately. – jonolumb – 2014-02-13T05:50:44.430

@jonolumb Can you post the client's routing table? – MariusMatutiae – 2014-02-13T06:28:01.597

@jonolumb cannot be read, like this – MariusMatutiae – 2014-02-14T18:01:01.317