Cannot access internet with current OpenVPN configuration

2

I am trying to get an OpenVPN server working on my Raspberry Pi. The Raspberry Pi is running Arch Linux with OpenVPN version 2.3.8-2.

I'm currently able to connect to the server from the Android device but unable to access the internet (I can however access the device hosting the OpenVPN server by either pinging its eth0 address 192.168.86.3 or pinging it over tun0 at 10.8.0.1). I've tried many different configurations with both the OpenVPN server and iptables but I still haven't had any luck and would appreciate help.

Here's my server's configuration:

port 443
proto tcp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/key.crt
key /etc/openvpn/keys/key.key 
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0

user nobody
group nobody

server 10.8.0.0 255.255.255.0

persist-key
persist-tun

ifconfig-pool-persist ipp.txt

topology subnet 

push "redirect-gateway def1"
push "route 192.168.86.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.86.1"

keepalive 10 120

comp-lzo


status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

My client configuration:

client
dev tun
proto tcp
remote SERVER_IP 443

resolv-retry infinite
nobind

user nobody
group nobody

persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

comp-lzo

verb 3

Output of running route on the android device:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0

iptables rules on server:

# Generated by iptables-save v1.4.21 on Mon Nov  9 20:43:23 2015
*mangle
:PREROUTING ACCEPT [5137:447124]
:INPUT ACCEPT [3884:334912]
:FORWARD ACCEPT [624:36889]
:OUTPUT ACCEPT [2554:269872]
:POSTROUTING ACCEPT [3178:306761]
COMMIT
# Completed on Mon Nov  9 20:43:23 2015
# Generated by iptables-save v1.4.21 on Mon Nov  9 20:43:23 2015
*nat
:PREROUTING ACCEPT [737:37974]
:INPUT ACCEPT [413:18792]
:OUTPUT ACCEPT [7:508]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Nov  9 20:43:23 2015
# Generated by iptables-save v1.4.21 on Mon Nov  9 20:43:23 2015
*filter
:INPUT ACCEPT [3878:334408]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2564:271200]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Mon Nov  9 20:43:23 2015

Pinging 8.8.8.8 fails. Pinging 10.8.0.1 succeeds. Pinging 192.168.86.3 also succeeds.

Edit: Added additional details

Here's the output of ifconfig on the server:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.86.3  netmask 255.255.255.0  broadcast 192.168.86.255
        inet6 fe80::30a2:e462:a8e7:64b8  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:59:26:90  txqueuelen 1000  (Ethernet)
        RX packets 39226  bytes 8815553 (8.4 MiB)
        RX errors 0  dropped 100  overruns 0  frame 0
        TX packets 14621  bytes 1395612 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 131  bytes 10414 (10.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 131  bytes 10414 (10.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 4719  bytes 369475 (360.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 984 (984.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And the result of running "traceroute 8.8.8.8" from the client, while I'm at it.

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  10.8.0.1 (10.8.0.1)  2.718 ms  5.771 ms  2.981 ms
 2  * * *
 3  * * *
 4  * * *

 // And so on...

Edit: Additional Info

Output of sysctl -n net.ipv4.ip_forward

1

Steve

Posted 2015-11-10T05:15:49.183

Reputation: 121

Did you remember to enable IPv4 forwarding? echo 1 > /proc/sys/net/ipv4/ip_forward – MariusMatutiae – 2015-11-10T07:54:50.943

Yup, running cat /proc/sys/net/ipv4/ip_forward returns 1. – Steve – 2015-11-10T14:49:38.307

Are you sure your ethernet is eth0 .. please add ifconfig details to your question – dotvotdot – 2015-11-12T12:08:02.540

I'm pretty sure eth0 is correct. I've added the results of running ifconfig to the post. – Steve – 2015-11-13T05:17:08.620

Please edit your question to show your correct meaning and add the result of sysctl -n net.ipv4.ip_forward as well. – dotvotdot – 2015-11-21T13:57:24.907

Do you mean edit my answer? If not please explain what you're referring to. The result of cat /proc/sys/net/ipv4/ip_forward is included in the second comment to this post which contains equivalent information to the sysctl command. – Steve – 2015-11-21T23:49:24.110

Answers

-1

I disabled "systemd-networkd" which disables IP Forwarding for interfaces by default, rebooted, and now it works!

Edit: To clarify, I disabled "systemd-netword" because "systemd-networkd" was preventing IP Forwarding in its default configuration and I wasn't using it for anything. I did not disable the service in order to disable IP Forwarding.

Steve

Posted 2015-11-10T05:15:49.183

Reputation: 121

If you disabled IP_Forward then you are not connecting to the internet via you VPN. You have done something very wrong. – dotvotdot – 2015-11-21T02:47:51.360

I am certain that IP forwarding is taking place seeing as my IP is changing. Perhaps I should have been more clear though, I meant that systemd_networkd disables IP Forwarding by default, not that by disabling it I was disabling IP Forwarding. – Steve – 2015-11-21T04:53:30.663

Add details of sysclt -n net.ipv4.ip_forward to you question. – dotvotdot – 2015-11-21T23:58:49.507

Okay, I've edited the question with the result of sysclt -n net.ipv4.ip_forward – Steve – 2015-11-23T04:43:50.157

Try this simple test: From your Android Device Ping 10.8.0.1, then 192.168.86.3 and then 192.168.86.1 (or what ever the default gateway/router IP address is for your server LAN) – dotvotdot – 2015-11-24T12:50:45.983

Asked: 2015-11-10T05:15:49.183

Viewed: 173 times

Active: 2015-11-22T00:18:23.677