I have an Ubuntu machine running as an OpenVPN server in another city. I'm able to access it via ssh. I'm trying to use the VPN from a Mac using Tunnelblick.

The server's local subnet is 192.168.80.x. The client's is 192.168.0.x. When the client connects, its IP address is 10.8.0.5.

Tunnelblick connects, but I'm not able to ping 8.8.8.8, load a webpage, or access any of the remote LAN's devices, except the VPN server using the address 10.8.0.1.

The client's config file:

client
dev tun
proto udp
remote [my server's external IP address] 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
redirect-gateway local def1

The server's:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.80.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

What do I need to change?

Edit: On the server:

$ cat /proc/sys/net/ipv4/ip_forward
1

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

$ ip route
default via 192.168.80.1 dev enp2s0  proto static  metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
169.254.0.0/16 dev tun0  scope link  metric 1000
192.168.80.0/24 dev enp2s0  proto kernel  scope link  src 192.168.80.5  metric 100

Edit 2:

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.0.0/8           anywhere

/etc/default/ufw includes DEFAULT_FORWARD_POLICY="ACCEPT".

/etc/ufw/before.rules includes:

*nat
:POSTROUTING ACCEPT [0:0] 
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
  • Is the remote machine configured to perform routing between the tunnel interface and its physical interface? Output of sysctl net.ipv4.ip_forward on the server? ip route?
    Commented Aug 11, 2016 at 16:03
  • Edited the question with those answers. Thanks for asking.
    – aswine
    Commented Aug 11, 2016 at 16:08
  • iptables -t nat -L (req sudo, sorry I didn't ask this in the first comment).
    Commented Aug 11, 2016 at 16:10
  • Edited again. I don't know much about iptables, but I use ufw, so I included some info about my ufw configuration.
    – aswine
    Commented Aug 11, 2016 at 16:15
  • I have a feeling the POSTROUTING line should have a -o enp2s0 instead of eth0
    – madeddie
    Commented Aug 11, 2016 at 18:22

1 Answer

My problem was that I had the wrong interface specified in /etc/ufw/before.rules. I should have had -A POSTROUTING -s 10.8.0.0/8 -o enp2s0 -j MASQUERADE instead of -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE. I copy-pasted from a guide without being discerning.
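The mismatch described in this answer is easy to catch mechanically: the interface named by `-o` in the MASQUERADE rule must be the interface that carries the server's default route. The following POSIX shell check is an added example, not code from the question or the answer; the `ip route` and NAT rule text it inspects are constructed here from the question's own output, and the function names are my own.

```sh
#!/bin/sh
# Added example: verify that the MASQUERADE rule's outgoing interface (-o)
# is the interface holding the default route, which is the bug in the question.

# Print the device of the default route from "ip route" output.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the -o interface of the first MASQUERADE rule in iptables-save style text.
masquerade_out_dev() {
    printf '%s\n' "$1" | awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") { print $(i+1); exit } }'
}

# Return 0 when the two interfaces agree, 1 when they differ or cannot be found.
check_masquerade_iface() {
    route_dev=$(default_route_dev "$1")
    nat_dev=$(masquerade_out_dev "$2")
    if [ -z "$route_dev" ] || [ -z "$nat_dev" ]; then
        echo "could not determine interfaces (route='$route_dev', nat='$nat_dev')" >&2
        return 1
    fi
    if [ "$route_dev" != "$nat_dev" ]; then
        echo "MISMATCH: default route leaves via $route_dev but MASQUERADE uses -o $nat_dev" >&2
        return 1
    fi
    echo "OK: MASQUERADE on $nat_dev matches the default route"
}

# Constructed sample input mirroring the question: the default route is on enp2s0.
ROUTES='default via 192.168.80.1 dev enp2s0  proto static  metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
192.168.80.0/24 dev enp2s0  proto kernel  scope link  src 192.168.80.5  metric 100'

# The rule as copied from the guide (wrong interface) and the corrected rule.
NAT_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT'
NAT_GOOD='-A POSTROUTING -s 10.8.0.0/8 -o enp2s0 -j MASQUERADE'

check_masquerade_iface "$ROUTES" "$NAT_BAD" || echo "-> fix the -o interface in /etc/ufw/before.rules"
check_masquerade_iface "$ROUTES" "$NAT_GOOD"
```

On a live server, pass `"$(ip route)"` and `"$(sudo iptables-save -t nat)"` instead of the constructed strings.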
