OpenVPN on local network

iptables; nat; networking; openvpn; vpn

I have installed OpenVPN on a Raspberry PI (server: 192.168.0.2) and on my Ubuntu laptop (client: 192.168.0.3). Both machines are connected to the same wireless network and have their addresses assigned by DHCP from the wireless router at 192.168.0.1. However, when the VPN is started, I cannot access the Internet from the client.

When I start OpenVPN on the server (with the following options), it appears to start correctly.

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
cipher AES-256-CBC
auth SHA512
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

When I start OpenVPN on the client (with the following options), it too appears to start correctly.

ca keys/ca.crt
cert keys/client-no-pass.crt
key keys/client-no-pass.key
remote 192.168.0.2 1194
comp-lzo
client
dev tun
redirect-gateway local
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
mute 20

On the client, I can see that my IP routing table has been manipulated to use the server's VPN IP address as the default route, and that all traffic to the VPN network will be sourced with tun0's IP address of 10.8.0.4.

me@client:~$ ip route
default via 10.8.0.1 dev tun0 
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.4 
169.254.0.0/16 dev wlp4s0  scope link  metric 1000 
192.168.0.0/24 dev wlp4s0  proto kernel  scope link  src 192.168.0.3 metric 600

When the VPN is disconnected, I can ping 8.8.8.8 (a DNS server).
When the VPN is connected, I cannot.

After searching Google, I tried adding this on the server, but it doesn't help:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.0.2

What am I doing wrong? How can I fix it? Is my local WLAN VPN scenario simply unsupported? I've tried running Wireshark to capture tun0 traffic from the client but haven't been able to resolve the issue.

EDIT:
Additional information:

  1. The server's IP address was "reserved" (by MAC address) so that the router always assigns it the same address 192.168.0.2

  2. The server is configured (by way of editing /etc/sysctl.conf) to forward IPv4 packets, and this has been tested by running cat /proc/sys/net/ipv4/ip_forward (returns 1)

  3. The server routing table shows this:

me@server:~$ ip route
default via 192.168.0.1 dev wlan0  metric 303
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.2  metric 303

  4. The server's firewall looks like this:

me@server:~ $ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT

me@server:~ $ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

Best Answer

You need to confirm that both routing and Network Address Translation (NAT) are working properly on your VPN server. Try using tcpdump to inspect the network traffic on the server's VPN interface and Ethernet port to make sure packets are flowing, and what their addresses are. To answer your comment on whether this can be done with this design, it certainly can, and is a great way to learn about all of the involved concepts.

Here is a good guide on NAT with Linux, and many others are available too. A key thing to check is whether your system is even correctly configured for routing - by default it may be turned off. If

cat /proc/sys/net/ipv4/ip_forward

returns a zero, then it's switched off and no firewall rules will save you. You can run echo 1 > /proc/sys/net/ipv4/ip_forward to turn it on, but rather look at the entire guide to get all the necessary steps completed as well as instructions for making this change permanent (it will be lost every time you reboot otherwise).

Also, if you are using DHCP for the VPN server, then you probably want to use MASQUERADE instead of SNAT, since the IP address may change and your firewall rule will then be incorrect.

Note that if you don't want to use NAT, you will need to let your local router (the one plugged into your ISP) know that your VPN subnet (10.8.0.0/24) is behind your VPN server's IP address (192.168.0.2). Right now, it has no idea how to find 10.8.0.4, so will simply discard the reply packets.

Again, if the server's address is assigned by DHCP then this could change and you would need to update the routing entry, and you may not even be able to add this route if you are using your ISP's router and they do not permit you to administer their device.
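The checks the answer asks for (forwarding enabled, a NAT rule on the interface the default route actually uses, and a FORWARD chain that lets tun0 traffic out) can be scripted so they are run in a fixed order instead of by eye. The script below is an added example and is not code from the question or the answer; it parses the same `iptables -S`, `iptables -t nat -S` and `ip route` output formats the question quotes, and the sample data at the bottom is constructed to mirror them. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a read-only checklist for
# the three things the answer tells the asker to confirm on the OpenVPN server:
# IPv4 forwarding, a NAT rule covering the VPN subnet on the interface the default
# route leaves through, and a FORWARD chain that lets tun0 -> LAN traffic pass.
# Every function takes text (or a file path) so it can be fed live output
# ("sudo iptables -t nat -S", "ip route") or the constructed samples below.

VPN_NET="10.8.0.0/24"   # matches "server 10.8.0.0 255.255.255.0" in the question
VPN_IF="tun0"

# check_forwarding FILE: succeeds when the sysctl file holds "1"
# (pass /proc/sys/net/ipv4/ip_forward on a real server).
check_forwarding() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# default_iface ROUTE_TEXT: prints the device named on the "default" route,
# i.e. the interface a POSTROUTING NAT rule's "-o" must match.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# nat_rule_kind NAT_RULES LAN_IF: prints MASQUERADE, SNAT or NONE for the first
# POSTROUTING rule matching the VPN subnet on LAN_IF ("iptables -t nat -S" format).
nat_rule_kind() {
    printf '%s\n' "$1" | awk -v net="$VPN_NET" -v ifc="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; out = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i+1)
                if ($i == "-o") out = $(i+1)
                if ($i == "-j") target = $(i+1)
            }
            if (src == net && out == ifc && (target == "MASQUERADE" || target == "SNAT")) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "NONE" }'
}

# forward_allowed FILTER_RULES LAN_IF: succeeds when the filter table has policy
# ACCEPT on FORWARD or an explicit tun0 -> LAN_IF ACCEPT rule ("iptables -S" format).
forward_allowed() {
    printf '%s\n' "$1" | grep -q -E "^-P FORWARD ACCEPT\$|^-A FORWARD .*-i $VPN_IF .*-o $2 .*-j ACCEPT"
}

# vpn_egress_verdict IP_FORWARD_FILE ROUTE_TEXT NAT_RULES FILTER_RULES:
# prints one word saying why VPN clients would (or would not) reach the Internet.
vpn_egress_verdict() {
    check_forwarding "$1" || { echo "NO_FORWARDING"; return 1; }
    lan_if=$(default_iface "$2")
    [ -n "$lan_if" ] || { echo "NO_DEFAULT_ROUTE"; return 1; }
    forward_allowed "$4" "$lan_if" || { echo "FORWARD_BLOCKED"; return 1; }
    case "$(nat_rule_kind "$3" "$lan_if")" in
        MASQUERADE) echo "OK_MASQUERADE" ;;
        SNAT)       echo "OK_SNAT_FIXED_IP" ;;   # stops working if DHCP hands out a new address
        *)          echo "NO_NAT"; return 1 ;;
    esac
}

# Constructed samples mirroring the command output quoted in the question.
SAMPLE_ROUTES='default via 192.168.0.1 dev wlan0  metric 303
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.2  metric 303'
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE'
SAMPLE_NAT_WRONG_IF='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# Stand-alone demo against the samples; a real run passes
# /proc/sys/net/ipv4/ip_forward and the live command outputs instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); printf '1\n' > "$tmp"
    vpn_egress_verdict "$tmp" "$SAMPLE_ROUTES" "$SAMPLE_NAT" "$SAMPLE_FILTER"
    vpn_egress_verdict "$tmp" "$SAMPLE_ROUTES" "$SAMPLE_NAT_WRONG_IF" "$SAMPLE_FILTER" || true
    rm -f "$tmp"
fi
```

The verdict deliberately checks forwarding first, because, as the answer says, no firewall rule helps while ip_forward is 0. The NAT check also insists that the rule's `-o` interface is the one the default route uses, which catches the common mistake of masquerading on eth0 while the box actually reaches the router over wlan0. If everything reports OK and clients still cannot reach 8.8.8.8, the remaining step is the one the answer recommends: run tcpdump on tun0 and on the LAN interface (for example `sudo tcpdump -ni tun0` and `sudo tcpdump -ni wlan0`) and compare the source addresses on each side to see whether the translation to 192.168.0.2 is happening and whether replies come back.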
