-1

I can ping the server but not google.com or 8.8.8.8; traceroute also fails.

Server:

$ iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
$ openvpn --dev tun1 --server 10.9.8.0 255.255.255.0 --dh /etc/openvpn/easy-rsa/keys/dh2048.pem --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/Hal.crt --key /etc/openvpn/easy-rsa/keys/Hal.key --reneg-sec 60 --verb 5 --duplicate-cn --mode server --client-to-client --push "redirect-gateway def1"

Client:

$ openvpn --remote 10.0.0.102 --dev tun1 --client --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/client1.crt --key /etc/openvpn/easy-rsa/keys/client1.key --reneg-sec 60 --verb 5

Routes table on client after above commands are run:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.9.8.5        128.0.0.0       UG    0      0        0 tun1
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 eth0
routbuntu-2.loc 10.0.0.1        255.255.255.255 UGH   0      0        0 eth0
10.9.8.0        10.9.8.5        255.255.255.0   UG    0      0        0 tun1
10.9.8.5        *               255.255.255.255 UH    0      0        0 tun1
128.0.0.0       10.9.8.5        128.0.0.0       UG    0      0        0 tun1

1 Answer

0

---- in general:

you should use the openvpn's sample .conf files. you can improve on them, because they explain important options.

use the command ifconfig to see if a virtual tunnel device, e.g. tun0, is configured (up/online) on the server and on the client after starting the vpn.

@verbosity: maybe you should try the default value verb 3, because verb 5 can be overwhelming. read the output, and if there are problems, post that output. openvpn is giving you verbose output for you to analyze.

---- addressing the problem:

you can ping your "server"... by its lan-ipaddress or by its vpn-virtual-ip-address 10.9.8.1. i guess you ping its LAN/WAN-ipaddress, because i assume that your vpn-connection will not be established with these settings. and pinging its LAN/WAN-ip would not tell you anything about whether your vpn is working or not.

your question is very vague and a lot of information is missing. but i assume that you want to route all internet traffic from the vpn-client's computer through the vpn server.

in that case:

-- if you want to set up the openvpn-server as a software-router, i think this one iptables rule is not enough.

usually an iptables configuration for routing looks something like this:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -s 10.9.8.0/24 -o eth0 -j ACCEPT

the openvpn manpages only mention the option --push "redirect-gateway def1" and the iptables nat line that you have used. but you should try whether these iptables rules help.

-- and i think ip-forwarding has to be activated on the openvpn-server's computer:

sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.default.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1

@ your openvpn server configuration:

-- you can choose between dev tun and dev tap, there is no option tun0 or tun1.

-- mode server is incorrect, and you already set the mode with server 10.9.8.0 255.255.255.0

@ your openvpn client configuration:

-- also use dev tun here

-- remote YourServersIpAddress: make sure that this is really the ip address of your openvpn-server in the LAN or internet. 10.0.0.102 seems unusual to me.

coffeekid
  • 124
  • 2
  • 8
  • Sorry for lack of clarity. I have been able to establish a connection using the command line arguments I provided. – Spitfire19 Oct 03 '15 at 00:09
  • The additional iptables commands and sysctl commands helped. I only ran the first one as I am running on an IPv4 network. I saw similar commands in other tutorials but did not use them as the official manpage did not note it necessary. – Spitfire19 Oct 03 '15 at 00:45
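
The three server-side pieces discussed in this thread (IP forwarding, the MASQUERADE rule, and FORWARD acceptance) can be checked together from `sysctl` and `iptables -S` output. This is an added example, not code from the question or the answer: the function name `check_gateway`, its messages and the sample rule dumps are constructed, and it assumes a FORWARD chain with policy ACCEPT contains no explicit DROP/REJECT rules.

```bash
#!/bin/sh
# Added example: audit an OpenVPN server's routing state (sample data is constructed).
# check_gateway FWD NAT FILTER SUBNET WAN TUN
#   FWD     output of: sysctl -n net.ipv4.ip_forward
#   NAT     output of: iptables -t nat -S POSTROUTING
#   FILTER  output of: iptables -S FORWARD
# Prints one line per problem found; prints nothing when the state looks complete.
check_gateway() {
    [ "$1" = 1 ] || echo "ip_forward=$1: kernel will not route tunnel traffic"
    # NAT: need MASQUERADE on the WAN side, unrestricted or for the VPN subnet.
    printf '%s\n' "$2" | awk -v net="$4" -v wan="$5" '
        /-j MASQUERADE/ && index($0, "-o " wan " ") &&
            (!/ -s / || index($0, "-s " net " ")) { ok = 1 }
        END { if (!ok) print "no MASQUERADE rule for " net " leaving " wan }'
    # FORWARD: with a DROP policy, both directions need an ACCEPT rule.
    printf '%s\n' "$3" | awk -v net="$4" -v wan="$5" -v tun="$6" '
        /^-P FORWARD ACCEPT/ { permissive = 1 }
        /-j ACCEPT/ && /--ctstate RELATED,ESTABLISHED/ { back = 1 }
        /-j ACCEPT/ && index($0, "-s " net " ") && index($0, "-o " wan " ") {
            # A rule pinned to another tunnel device never matches this VPN.
            if (!/ -i / || index($0, "-i " tun " ")) out = 1; else wrong = 1 }
        END {
            if (permissive) exit   # assumption: no explicit DROP/REJECT rules
            if (!out && wrong) print "FORWARD rule names a device other than " tun
            else if (!out) print "FORWARD drops " net " -> " wan
            if (!back) print "FORWARD drops replies (no RELATED,ESTABLISHED rule)"
        }'
}

# Constructed rule dumps: the NAT rule from the question, a bare DROP policy,
# and the FORWARD rules from the answer (which name tun0).
NAT_Q='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE'
FWD_DROP='-P FORWARD DROP'
FWD_TUN0='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.9.8.0/24 -i tun0 -o eth0 -j ACCEPT'

# Forwarding off and only the NAT rule present: three findings are printed.
check_gateway 0 "$NAT_Q" "$FWD_DROP" 10.9.8.0/24 eth0 tun1
```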