
Client is connected but there is no Internet connection.

EC2 settings:

Change Source / destination check - Stopped

Security group:

Inbound rules: [screenshot]

Outbound rules: [screenshot]

ip a output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0a:ff:cd:eb:b7:33 brd ff:ff:ff:ff:ff:ff
    inet 172.31.19.143/20 metric 100 brd 172.31.31.255 scope global dynamic ens5
       valid_lft 1926sec preferred_lft 1926sec
    inet6 fe80::8ff:cdff:feeb:b733/64 scope link
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::24ec:9277:58c2:c0da/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

iptables-save output:

# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 21 02:08:53 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [7640:598644]
-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

sysctl net.ipv4.ip_forward gives:

net.ipv4.ip_forward = 1

server configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

Client config:

client
dev tun
proto udp
remote ec2-...amazonaws.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
key-direction 1
cipher AES-256-CBC
verb 3

sudo iptables -t nat -L -v output:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 162 packets, 18513 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    0.0.0.0/2            anywhere
    0     0 MASQUERADE  all  --  any    eth0    ip-10-8-0-0.ec2.internal/24  anywhere

tracert 8.8.8.8 gives only timeouts:

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

  1    11 ms    10 ms    14 ms  10.8.0.1
  2     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Any ideas what to check?

  • What does the network look like? Where is the EC2 (public/private subnet), what routes does it have, what security groups? Is the egress via NAT gateway or direct? Have you disabled the source/dest check on the instance? If you can add this detail to the question it will help potential answerers.
    – shearn89
    Commented Jun 20 at 8:05
  • @shearn89, thanks for the question. I added some details; other settings are default EC2 settings (at least I didn't find any documentation on what should be adjusted for the OpenVPN setup). If you don't mind, can you clarify what else to check?
    – Andrew
    Commented Jun 20 at 12:47
  • Please add the output of ip a, iptables-save and sysctl net.ipv4.ip_forward from the EC2.
    – Tom Yan
    Commented Jun 20 at 14:06
  • Also, if you actually need outbound rules for http(s), then most likely you need ones for DNS too (UDP 53 and TCP 53), unless the DNS servers you pushed to the client are some "internal hosts" (I mean like other EC2 instances in the same virtual network or so) that are covered by some "implicit rules". (But the IPs are public IPs, so. Yet I don't really know much about AWS.)
    – Tom Yan
    Commented Jun 20 at 14:12
  • Yep, security groups are stateful but if you're not allowing DNS then you won't get any name resolution.
    – shearn89
    Commented Jun 20 at 15:36

1 Answer


Thanks to all the comments! In my case the error was wrong iptables rules. I saw them many times in different docs and they are wrong; it must be:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

-- no -o parameter.
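Added example, not from the question or the answer above: a small POSIX sh diagnostic built on the outputs posted in the question. Both posted MASQUERADE rules sit at 0 packets because `-o eth0` names an interface this instance does not have (ip a shows ens5), which is why dropping `-o` makes the rule match. The script flags MASQUERADE rules in iptables-save text whose -o interface is absent from the host, and derives a rule that keeps `-o` but uses the interface carrying the default route, the tighter form, since VPN traffic that leaves through any other interface is then not NATed. The sample inputs are constructed from the question's outputs; the gateway address in SAMPLE_ROUTE and all function names are assumptions.

```sh
# Added diagnostic (not from the original question or answer): check whether the
# MASQUERADE rules in iptables-save output name an interface that actually exists,
# and build a rule scoped to the interface carrying the default route instead.
# All three inputs are constructed from the outputs shown in the question; the
# gateway address in SAMPLE_ROUTE is an assumption.

# Constructed: interface lines of `ip a` from the question (ens5, not eth0).
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 172.31.19.143/20 metric 100 brd 172.31.31.255 scope global dynamic ens5
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0'

# Constructed: the nat rules from the question's iptables-save output.
SAMPLE_NAT='-A POSTROUTING -s 0.0.0.0/2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# Constructed: what `ip route` would show on this instance (gateway is an assumption).
SAMPLE_ROUTE='default via 172.31.16.1 dev ens5 proto dhcp src 172.31.19.143 metric 100
172.31.16.0/20 dev ens5 proto kernel scope link src 172.31.19.143 metric 100'

# Interface names from `ip a` text: only the "N: name:" header lines.
list_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: \([^:@]*\)[:@].*/\1/p'
}

# Print each -o interface used by a MASQUERADE rule that is not present on the host.
# Empty output means every rule can match; rules naming a missing interface never
# match and stay at 0 packets in the counters.
check_masquerade_ifaces() {
    ifaces=$(list_ifaces "$1")
    printf '%s\n' "$2" | grep -- '-j MASQUERADE' | while IFS= read -r rule; do
        out=$(printf '%s\n' "$rule" | sed -n 's/.* -o \([^ ]*\).*/\1/p')
        [ -n "$out" ] || continue
        printf '%s\n' "$ifaces" | grep -qx -- "$out" || printf '%s\n' "$out"
    done | sort -u
}

# Interface carrying the default route, taken from `ip route` text.
default_iface() {
    printf '%s\n' "$1" | sed -n 's/^default .* dev \([^ ]*\).*/\1/p' | head -n 1
}

# A MASQUERADE rule limited to the VPN subnet and to the real uplink interface,
# so VPN traffic is only NATed when it leaves through the uplink.
suggested_rule() {
    dev=$(default_iface "$2")
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$dev"
}

# Stand-alone run on the constructed inputs; on a live host replace the samples
# with "$(ip a)", "$(iptables-save -t nat)" and "$(ip route)".
missing=$(check_masquerade_ifaces "$SAMPLE_IP_A" "$SAMPLE_NAT")
if [ -n "$missing" ]; then
    echo "MASQUERADE rules reference missing interface(s): $missing"
fi
suggested_rule 10.8.0.0/24 "$SAMPLE_ROUTE"
```

On the question's data the check reports eth0 as missing and the suggested rule becomes `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens5 -j MASQUERADE`. Whether you keep `-o` or drop it as in the answer, confirm with `iptables -t nat -L -v` that the rule's packet counter moves once a client sends traffic.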
