2
I am trying to get an OpenVPN server working on my Raspberry Pi. The Raspberry Pi is running Arch Linux with OpenVPN version 2.3.8-2.
I'm currently able to connect to the server from the Android device but unable to access the internet (I can however access the device hosting the OpenVPN server by either pinging its eth0 address 192.168.86.3 or pinging it over tun0 at 10.8.0.1). I've tried many different configurations with both the OpenVPN server and iptables but I still haven't had any luck and would appreciate help.
Here's my server's configuration:
port 443
proto tcp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/key.crt
key /etc/openvpn/keys/key.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0
user nobody
group nobody
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
topology subnet
push "redirect-gateway def1"
push "route 192.168.86.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.86.1"
keepalive 10 120
comp-lzo
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
My client configuration:
client
dev tun
proto tcp
remote SERVER_IP 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
comp-lzo
verb 3
Output of running route on the android device:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
iptables rules on server:
# Generated by iptables-save v1.4.21 on Mon Nov 9 20:43:23 2015
*mangle
:PREROUTING ACCEPT [5137:447124]
:INPUT ACCEPT [3884:334912]
:FORWARD ACCEPT [624:36889]
:OUTPUT ACCEPT [2554:269872]
:POSTROUTING ACCEPT [3178:306761]
COMMIT
# Completed on Mon Nov 9 20:43:23 2015
# Generated by iptables-save v1.4.21 on Mon Nov 9 20:43:23 2015
*nat
:PREROUTING ACCEPT [737:37974]
:INPUT ACCEPT [413:18792]
:OUTPUT ACCEPT [7:508]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Nov 9 20:43:23 2015
# Generated by iptables-save v1.4.21 on Mon Nov 9 20:43:23 2015
*filter
:INPUT ACCEPT [3878:334408]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2564:271200]
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Mon Nov 9 20:43:23 2015
Pinging 8.8.8.8 fails. Pinging 10.8.0.1 succeeds. Pinging 192.168.86.3 also succeeds.
Edit: Added additional details
Here's the output of ifconfig on the server:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.86.3 netmask 255.255.255.0 broadcast 192.168.86.255
inet6 fe80::30a2:e462:a8e7:64b8 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:59:26:90 txqueuelen 1000 (Ethernet)
RX packets 39226 bytes 8815553 (8.4 MiB)
RX errors 0 dropped 100 overruns 0 frame 0
TX packets 14621 bytes 1395612 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 131 bytes 10414 (10.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 131 bytes 10414 (10.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 4719 bytes 369475 (360.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12 bytes 984 (984.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And the result of running "traceroute 8.8.8.8" from the client, while I'm at it.
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 10.8.0.1 (10.8.0.1) 2.718 ms 5.771 ms 2.981 ms
2 * * *
3 * * *
4 * * *
// And so on...
Edit: Additional Info
Output of sysctl -n net.ipv4.ip_forward
1
Did you remember to enable IPv4 forwarding?
echo 1 > /proc/sys/net/ipv4/ip_forward
– MariusMatutiae – 2015-11-10T07:54:50.943Yup, running cat /proc/sys/net/ipv4/ip_forward returns 1. – Steve – 2015-11-10T14:49:38.307
Are you sure your ethernet is
eth0
.. please addifconfig
details to your question – dotvotdot – 2015-11-12T12:08:02.540I'm pretty sure
eth0
is correct. I've added the results of runningifconfig
to the post. – Steve – 2015-11-13T05:17:08.620Please edit your question to show your correct meaning and add the result of
sysctl -n net.ipv4.ip_forward
as well. – dotvotdot – 2015-11-21T13:57:24.907Do you mean edit my answer? If not please explain what you're referring to. The result of
cat /proc/sys/net/ipv4/ip_forward
is included in the second comment to this post which contains equivalent information to thesysctl
command. – Steve – 2015-11-21T23:49:24.110