I have an Ubuntu machine running as an OpenVPN server in another city. I'm able to access it via ssh. I'm trying use the VPN from a Mac using Tunnelblick.
The server's local subnet is 192.168.80.x. The client's is 192.168.0.x. When the client connects, its IP address is 10.8.0.5.
Tunnelblick connects, but I'm not able to ping 8.8.8.8
, load a webpage, or access any of the remote LAN's devices, except the VPN server using the address 10.8.0.1.
The client's config file:
client
dev tun
proto udp
remote [my server's external IP address] 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
redirect-gateway local def1
The server's:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.80.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
What do I need to change?
Edit: On the server:
$ cat /proc/sys/net/ipv4/ip_forward
1
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ ip route
default via 192.168.80.1 dev enp2s0 proto static metric 100
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev tun0 scope link metric 1000
192.168.80.0/24 dev enp2s0 proto kernel scope link src 192.168.80.5 metric 100
Edit 2:
$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/8 anywhere
/etc/default/ufw includes DEFAULT_FORWARD_POLICY="ACCEPT"
.
/etc/ufw/before.rules includes:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
sysctl net.ipv4.ip_foward
on the server?ip route
?iptables -t nat -L
(req sudo, sorry I didn't ask this the first comment).-o enp2s0
instead of eth0