Openvpn connects and responds to ping but no internet access

Question

I have an openvpn server running on raspian and a tunnelblick client on osx. I can connect to the VPN just fine but I have no intenet access. The server responds to ping just fine and the port is open in the router. Does anyone know what might be wrong?

here is the client log: http://pastebin.com/zvBXPv4D

here is the server log: http://pastebin.com/bBsaRK6c

client config:

client
dev tun
proto udp
remote <server external ip> 1194 #change this
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

ca /Users/user1/vpn/ca.crt #change this
cert /Users/user1/vpn/client1.crt #change this
key /Users/user1/vpn/client1.key #change this


<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#removed for pastebin
-----END OpenVPN Static key V1-----

</tls-auth>

server config:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you kept 1024, change it to dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.2 255.255.255.0" # Enter PI LAN PI
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 10.8.0.1" 
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 5

sysctl net.ipv4.ip_forward gives:

net.ipv4.ip_forward = 1

ip route show gives:

default via 10.0.1.1 dev eth0 
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.2 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 

iptables -L -v gives:

Chain INPUT (policy ACCEPT 15492 packets, 1793K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   88  5861 ACCEPT     all  --  tun+   any     anywhere             anywhere            
    1    70 ACCEPT     udp  --  eth0   any     anywhere             anywhere             state NEW udp dpt:openvpn

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun0   eth0    10.8.0.0/24          10.0.1.0/24          ctstate NEW
   13   948 ACCEPT     all  --  tun+   any     anywhere             anywhere            
    0     0 ACCEPT     all  --  tun+   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    4   776 ACCEPT     all  --  eth0   tun+    anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 18526 packets, 3880K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   27  2584 ACCEPT     all  --  any    tun+    anywhere             anywhere         

Answer 1

OK, I solved the problem. There was a problem in the rules in iptables. I removed the first rule in the FORWARD chain and then I could ping external IP:s. I also changed the DNS server in server.conf to an external DNS-server and after that everything was working fine.

Answer 2

• Check routing on client, especially default route.
• if routing is correct, check (with tcpdump, wireshark or some other packet capture program) where packets are actually sent (check on both interfaces).
• if packets are sent/received correctly - check if DNS is working (what DNS server client is trying to use and does DNS query/responese packets pass).