
The clients can all connect through OpenVPN.

OpenVPN serves the following pool: server 10.8.0.0 255.255.255.0

I've configured the server's iptable with the following rule:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

and

echo 1 > /proc/sys/net/ipv4/ip_forward

This used to work back on the old VPS I used. Now I've migrated to a VPS which has IPv6 connectivity.

Is it possible that IPv6 has something to do with the fact that the clients can't reach the internet?

womble

3 Answers

I was having the same problem, it was being caused by this iptables rule:

iptables -A FORWARD -j DROP

To fix it, I added these rules before the rule above:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT

Also, make sure to do this:

echo 1 > /proc/sys/net/ipv4/ip_forward

Well, there's the redirect-gateway option for the clients: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect

Though it sounds like you've got that far already. You've got the NAT setup, but what about the firewall?

iptables -t filter -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT

...ought to do it (though you may need to restrict that a bit depending on your requirements). Either that or do it the interface way:

iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT

This blanket ACCEPTs all traffic coming in on the VPN tunnel adaptor (may not be tun0 in your case) and bound for the internet.

SmallClanger
  • Unfortunately that didn't work either :( – Carroarmato0 Nov 18 '10 at 09:05
  • I checked to see if the routes pushed to the clients were correct, and couldn't see anything wrong. – Carroarmato0 Nov 18 '10 at 09:07
  • The server clearly receives all the connection requests from the clients, but doesn't do anything with them. Iptables is configured to use NAT, with IPv4 forwarding enabled. This used to work on any other OpenVPN server I've installed. The only reason for me to suspect IPv6 is because none of the previous OpenVPN servers had a globally reachable IPv6 address. – Carroarmato0 Nov 18 '10 at 09:10
  • I noticed on the client side, by executing a tcpdump while trying to ping google over the VPN, the following output:
    10:16:14.024853 IP 10.8.0.1 > lithium-flower.local: ICMP 10.8.0.1 udp port domain unreachable, length 63
    10:16:23.076021 IP 10.8.0.1 > lithium-flower.local: ICMP 10.8.0.1 udp port domain unreachable, length 63
    10:16:32.127651 IP 10.8.0.1 > lithium-flower.local: ICMP 10.8.0.1 udp port domain unreachable, length 71
    Lithium-flower.local being the hostname of the client – Carroarmato0 Nov 18 '10 at 09:18

I believe your issue is due to a DNS problem: as most NAT setups with local DHCP (connection prior to VPN) have a local DNS forwarder on the router, you'll need to set up the server to push a new DNS server to the clients via the option:

push "dhcp-option DNS ".

This way the hosts are no longer trying to connect to the local (private IP) from the remote VPN server.

Jimsmithkka
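The two failure modes discussed on this page (a blanket FORWARD DROP ordered before the tun0 ACCEPT rules from the first two answers, and the client's DNS queries hitting the VPN gateway's closed port 53 from the last answer) can both be spotted offline. The following is an added example, not code from the thread: it parses an `iptables-save` dump and the tcpdump lines quoted in the comments above. The dump is constructed to reproduce the misordering the first answer describes; interface and subnet names are assumed to match the question (tun0, eth0, 10.8.0.0/24).

```python
import re

# Constructed iptables-save dump reproducing the first answer's problem:
# the blanket DROP is hit before the tun0 -> eth0 ACCEPT rule.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
"""

# Lines reproduced from Carroarmato0's tcpdump comment above.
TCPDUMP = """\
10:16:14.024853 IP 10.8.0.1 > lithium-flower.local: ICMP 10.8.0.1 udp port domain unreachable, length 63
10:16:23.076021 IP 10.8.0.1 > lithium-flower.local: ICMP 10.8.0.1 udp port domain unreachable, length 63
"""

def parse_iptables_save(text):
    """Return {(table, chain): [rule, ...]}, keeping rule order per chain."""
    rules, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.setdefault((table, line.split()[1]), []).append(line)
    return rules

def vpn_forwarding_ok(rules, vpn_if="tun0", wan_if="eth0", subnet="10.8.0.0/24"):
    """Return the list of problems found; an empty list means the rules match the answers."""
    problems = []
    nat = rules.get(("nat", "POSTROUTING"), [])
    if not any(f"-s {subnet}" in r and "MASQUERADE" in r for r in nat):
        problems.append("no MASQUERADE for the VPN subnet in nat POSTROUTING")
    fwd = rules.get(("filter", "FORWARD"), [])
    # Either the interface-style or the subnet-style ACCEPT counts.
    accept = next((i for i, r in enumerate(fwd) if f"-o {wan_if}" in r
                   and (f"-i {vpn_if}" in r or f"-s {subnet}" in r)
                   and r.endswith("-j ACCEPT")), None)
    drop = next((i for i, r in enumerate(fwd) if r == "-A FORWARD -j DROP"), None)
    if accept is None:
        problems.append(f"no FORWARD ACCEPT for {vpn_if} -> {wan_if}")
    elif drop is not None and drop < accept:
        problems.append("blanket FORWARD DROP precedes the VPN ACCEPT rule")
    return problems

# ICMP port-unreachable for udp/53 sent by the same host the query went to:
# the client resolves via the VPN gateway, which runs no resolver.
DNS_UNREACH = re.compile(r"IP (\S+) > \S+: ICMP \1 udp port domain unreachable")

def dns_unreachable_from(tcpdump_text):
    """Return the set of hosts that answered a DNS query with port unreachable."""
    return {m.group(1) for m in map(DNS_UNREACH.search, tcpdump_text.splitlines()) if m}
```

A non-empty result from `dns_unreachable_from` is the signature the last answer fixes with `push "dhcp-option DNS ..."`; a problem list from `vpn_forwarding_ok` points at the rule ordering the first answer fixes.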