I can't figure out why my openvpn connection is not working. It seems that it works fine on connection. I can connect to my server but once when I'm connected I can't use internet through vpn.
This is a VPS server running on Debian
Here is my openvpn server.conf file
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6
mute 20
And here is my client.conf file
client
dev tun
proto udp
remote server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
remote-cert-tls server
I've added firewall rules also to accept connection and route but strange thing is that some rules appear multiple times. Here is my iptables save file
# Generated by iptables-save v1.4.8 on Sun Dec 22 04:36:18 2013
*nat
:PREROUTING ACCEPT [53:9749]
:POSTROUTING ACCEPT [9:675]
:OUTPUT ACCEPT [9:675]
-A PREROUTING -d server_ip/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source server_ip
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 22 04:36:18 2013
# Generated by iptables-save v1.4.8 on Sun Dec 22 04:36:18 2013
*filter
:INPUT ACCEPT [946:112417]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [824:172939]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
COMMIT
# Completed on Sun Dec 22 04:36:18 2013
I also checked /etc/sysctl.conf to make sure that
net.ipv4.ip_forward=1
I also have
net.ipv6.conf.all.forwarding=1
So I've tried OpenVPN connection on my linux pc and on Virtualbox XP and both have connection but none of them have access to internet once connected.
Strangest thing of all this is when I do traceroute it shows connection through VPN.
For example I do traceroute google.com
1 my ip from vpn connection
2 openvpn server ip
3 ...
4 ...
5 ... few hops between server to google
6 and finally google server ip
So traceroute shows that connection goes through vpn, and also when I ping, ping is increased to 100ms in difference when I'm not connected to vpn when ping is about 20ms.
But when I try to browse the internet with any program (firefox, chrome, iexplorer) I don't get anything. Nothing will load and connection times out.
It's not that my server is slow so pages won't load, speed test shows about 70mbit connection on server, and I have 6mbit connection.
And when I try to connect to other vpn like cloudnymous everything works fine. It's just something wrong on my openvpn setup.
EDIT: After all I thought I finally made it working, after messing around a lot of settings I finally can connect to my VPN and get internet from there.
Now I have one final problem. Since I'm on linux few programs doesn't work here and I use virtualbox with windows XP installation but when connected to vpn on virtualbox I can surf the internet. But no program can connect to the internet. Also my vpn connection is loosing internet from time to time, and it's not my internet or server connection because during that time when I loose internet over vpn I can still connect with putty over ssh to the server and do various things.
Best Answer
Masquerading does not work on a VPS .. you must use
iptables
Source NAT
instead:iptables -t nat -A POSTROUTING -s 10.x.x.x/xx -j SNAT --to-source y.y.y.y
x.x.x.x/x
is the VPN subnet -y.y.y.y
is the IP address of your server output interface.