I have openvpn on a remote server, it's Arch Linux. I'm able to connect to it, but there's no internet after I connect, meaning, when I open a browser and try to load a website, it gets stuck at "looking up..."

No errors on either side. The server isn't behind NAT, as far as I can see; I, the client, am.

No firewall on the server.

Something related to routing, forwarding I figure?

Jodarim255

3 Answers

I checked your logs and haven't found any problems. But you said that there is no firewall on the server. That could cause problems, because you need forwarding enabled for NAT to work. Here is an excerpt from the guide.

ufw

In order to configure your ufw settings for VPN traffic first add the following to /etc/default/ufw:

DEFAULT_FORWARD_POLICY="ACCEPT"

Now change /etc/ufw/before.rules, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in /etc/openvpn/server/server.conf. The adapter ID in the example is generically called eth0 so edit it for your system accordingly.

/etc/ufw/before.rules

# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT

Open OpenVPN port 1194:

# ufw allow 1194

Lastly, reload UFW:

# ufw reload

iptables

In order to allow VPN traffic through your server's iptables firewall, first create an iptables rule for NAT forwarding on the server, assuming the interface you want to forward to is named eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

And don't forget to enable forwarding in sysctl:

sysctl -w net.ipv4.ip_forward=1
Alexander Tolkachev
  • if there's no firewall, why on earth would there be any problem? no nat, no firewall – Jodarim255 May 19 '17 at 10:54
  • @Jodarim255 you don't have internet on your machine? Or you want to pass all your traffic through VPN? Because during connection it routes all traffic to your VPN connection – Alexander Tolkachev May 19 '17 at 11:07
  • these 2 questions are unrelated. "you didn't eat your breakfast? or you're a java programmer?" – Jodarim255 May 19 '17 at 11:59
  • I want to connect to openvpn on the server, what's not clear? of course, I have internet, of course, all traffic will be tunnelled through vpn. – Jodarim255 May 19 '17 at 12:00
  • @Jodarim255 so, you should use NAT on your OpenVPN server to have access to the Internet through VPN, as you use NAT to have access to the Internet from your home, – Alexander Tolkachev May 19 '17 at 12:03
  • I don't have home: one day I access it from one place, next day from other, some places have NAT, some don't. – Jodarim255 May 19 '17 at 12:05
  • @Jodarim255 I'll try to describe. You have a private IP address on your VPN client; to access the Internet with a private IP you should use NAT, that's why you should use a firewall. – Alexander Tolkachev May 19 '17 at 12:37
  • 1) I have a direct IP on my server, is it also called private? – Jodarim255 May 19 '17 at 13:08
  • 2) is NAT something I can create? I thought NAT was something I'm given -- I'm behind NAT or not, depends on my ISP, that's it. if my ISP wants, it can put me behind NAT, if not - I have a direct IP. How can I control that? – Jodarim255 May 19 '17 at 13:10
  • @Jodarim255 please read Tero's answer. He described your situation well. – Alexander Tolkachev May 19 '17 at 13:55
  • In my case, the problem was that the ufw firewall was off. I don't understand exactly why, but as soon as I added the `nat` and `postrouting` rules, opened the `1194` and enabled the firewall, the connection started to work from the tunnel. Cool, but.. Any ideas why? – Marino Oct 23 '17 at 21:08
  • @marino, without running `ufw` or another firewall NAT is not working. – Alexander Tolkachev Oct 24 '17 at 14:00
  • Great, I didn't know that! Thanks! – Marino Oct 24 '17 at 22:43
  • @AlexanderTolkachev, this was totally my problem. I've been stuck on it for 2 days THANKS! – answerSeeker Jun 14 '18 at 01:06
  • It's worth noting that using ufw with nftables can result in weird behavior and things not working properly... In my case, I had NAT and forwarding configured and working fine for years but after a Debian upgrade, packets would go no further than the OpenVPN server. It turns out that Buster defaults to using nftables. Going back to iptables-legacy fixes the issue. – Léo Lam Feb 12 '20 at 18:19
  • I wish I could upvote this answer 50 times, I have lost so much time trying to figure this out, before getting to your post pointing to sysctl. Thanks! – A.N. Jun 16 '20 at 00:39
  • Real heroes don't wear capes. – php_nub_qq Aug 27 '20 at 10:54
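To verify the two server-side prerequisites this answer describes (forwarding on, MASQUERADE rule present), here is an added shell check; it is not from the answer or the guide it quotes. The subnet 10.8.0.0/24 and interface eth0 are the answer's placeholders, and the sample command outputs at the bottom are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Checks that an OpenVPN server can route clients to the Internet:
# net.ipv4.ip_forward must be 1 and the nat POSTROUTING chain must hold a
# MASQUERADE rule for the VPN subnet. Functions take command output as text.
VPN_SUBNET="10.8.0.0/24"   # must match the "server" line in server.conf
WAN_IF="eth0"              # interface that reaches the Internet

# forwarding_enabled "<output of: sysctl -n net.ipv4.ip_forward>"
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# masquerade_present "<output of: iptables -t nat -S POSTROUTING>" SUBNET IFACE
masquerade_present() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# check_all SYSCTL_OUT NAT_OUT SUBNET IFACE: prints findings and returns the
# number of missing prerequisites (0 means the server can NAT clients out).
check_all() {
    missing=0
    if forwarding_enabled "$1"; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "MISSING: forwarding off; fix: sysctl -w net.ipv4.ip_forward=1"
        missing=$((missing + 1))
    fi
    if masquerade_present "$2" "$3" "$4"; then
        echo "ok: MASQUERADE rule for $3 via $4"
    else
        echo "MISSING: iptables -t nat -A POSTROUTING -s $3 -o $4 -j MASQUERADE"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# On the real server (as root): feed live output to the checks.
check_live() {
    check_all "$(sysctl -n net.ipv4.ip_forward)" \
              "$(iptables -t nat -S POSTROUTING)" "$VPN_SUBNET" "$WAN_IF"
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_NAT_EMPTY="-P POSTROUTING ACCEPT"
SAMPLE_NAT_OK="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
check_all "0" "$SAMPLE_NAT_EMPTY" "$VPN_SUBNET" "$WAN_IF" || echo "-> $? missing"
check_all "1" "$SAMPLE_NAT_OK" "$VPN_SUBNET" "$WAN_IF"      # both ok
```

Run check_live on the server itself; a persistent setup also needs the sysctl value in /etc/sysctl.d and the rule saved by your firewall tooling, which this check does not cover.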
When you create a VPN connection between your client and VPN server, a private network is formed between the two, with addresses starting with 192.168.x.x, 10.x.x.x or 172.16.x.x.

When you want to route traffic from the VPN client to the global Internet, you must use NAT on the server so that it translates the VPN client's private network address to the server's public IP address.

This is independent of the fact that your client's connection is behind NAT or not.

So, in addition to installing the VPN software, you need to add firewall rules for NAT in your server.

IsaacS
Tero Kilkanen
  • ok. 1) why particularly `192.168.x.x, 10.x.x.x or 172.16.x.x.` ? 2) by firewall rules, do you mean I have to install and turn on a firewall? 3) and create forwarding rules via iptables? – Jodarim255 May 19 '17 at 13:58
  • 1) Those are subnets specified in RFC1918 for non-routable private networks. 2,3) Yes. – Tero Kilkanen May 19 '17 at 13:59
Perhaps a permissions problem on install of the OpenVPN Linux client, as it was NOT creating a TUN device. So I made one myself (that was the actual issue):

sudo ip tuntap add name tun0 mode tun
sudo ip link show

and it connected after asking for VPN Username & Password.

FYI openvpn3 linux client auto installer may help you too: https://github.com/OpenVPN/openvpn3-linux

social