
I am trying to set up OpenVPN on a VPS. I am able to establish a connection to the server, but the gateway isn't assigned to the client.

Here are my config files:

client config:

client
dev tun
proto udp
remote foo.bar 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
redirect-gateway
comp-lzo
verb 3
pull

server config:

port 1194
proto udp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key
dh easy-rsa/2.0/keys/dh2048.pem
server 172.30.90.0 255.255.255.192
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3

ifconfig client:

tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.30.90.6 --> 172.30.90.5 netmask 0xffffffff
open (pid 42823)

iptables rules on the server:

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination 

I want to route the whole traffic over the VPN. I already added redirect-gateway, so it should work. I really can't see what's wrong here and I hope that you can help me to fix the issue.

2 Answers


After connecting to the VPN, run the command route -n or netstat -rn on the client and see if the gateway address is assigned.

Check if you've done the following:

On the server:

push gateway to client:

Add this to file: /etc/openvpn/server.conf

push "redirect-gateway def1"

Add this to file: /etc/sysctl.conf

net.ipv4.ip_forward=1

Or issue the following command to set this variable for the current session:

echo 1 > /proc/sys/net/ipv4/ip_forward

Issue the following commands to configure iptables to properly forward traffic through the VPN:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s [vpn client subnet] -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s [vpn client subnet] -o eth0 -j MASQUERADE



Try removing:

redirect-gateway

in the client configuration.

You are already pushing the redirect-gateway configuration via the push mechanism of the server and only in that case you are sending it with the correct parameter (def1).

The behavior of redirect-gateway without parameter is openvpn-version-dependent (and you did not specify your specific version) so better be on the safe side.

If this does not help, I see different possible problems.

I suggest the following troubleshooting steps:

  • check that you can ping the other side of the tunnel
  • if yes, try manually adding a default gateway pointing to the remote side of the tunnel and try pinging 8.8.8.8 (to rule out a problem with the DNS you are pushing through the tunnel)
  • if that does not work, your problem is likely in the NAT configuration (you did not post the result of iptables -L -t nat) or in the forwarding configuration
  • if that works, but pinging www.google.com does not work, your problem is likely in the DNS configuration
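Both answers come down to the same three server-side checks (FORWARD chain, POSTROUTING NAT, ip_forward). The script below is an added example, not code from either answer: it parses saved `iptables -L` output (a constructed sample copied from the question's FORWARD chain, plus a constructed empty nat table) and reports which check fails. It assumes the VPN subnet is 172.30.90.0/26, as implied by the `server` line in the posted server config, and it reads the live ip_forward sysctl only if that file exists.

```shell
#!/bin/sh
# Parse saved `iptables -L` / `iptables -L -t nat` output and report whether
# the FORWARD and POSTROUTING chains would let a VPN subnet out.
# iptables matches rules top to bottom, so an ACCEPT appended after the
# existing REJECT (which is what `iptables -A FORWARD` does on a chain that
# already ends in REJECT) is never reached; the check stops at the first
# REJECT/DROP it meets for that reason.

# Constructed sample: the FORWARD chain exactly as posted in the question.
SAMPLE_FILTER='Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Constructed sample: a nat table with no MASQUERADE rule at all.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target prot opt source destination'

# forward_ok OUTPUT SUBNET: 0 if FORWARD has an unconditional ACCEPT for
# SUBNET (or for anywhere) before any REJECT/DROP, else 1.
forward_ok() {
  printf '%s\n' "$1" | awk -v net="$2" '
    /^Chain / { inchain = ($2 == "FORWARD"); next }
    inchain && $1 == "ACCEPT" && ($4 == net || $4 == "anywhere") && $0 !~ /state/ { found = 1; exit }
    inchain && ($1 == "REJECT" || $1 == "DROP") { exit }
    END { exit found ? 0 : 1 }'
}

# masq_ok NAT_OUTPUT SUBNET: 0 if POSTROUTING has MASQUERADE or SNAT for SUBNET.
masq_ok() {
  printf '%s\n' "$1" | awk -v net="$2" '
    /^Chain / { inchain = ($2 == "POSTROUTING"); next }
    inchain && ($1 == "MASQUERADE" || $1 == "SNAT") && ($4 == net || $4 == "anywhere") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# ip_forward_ok [FILE]: 0 if the sysctl file (default: the live kernel value) reads 1.
ip_forward_ok() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# diagnose FILTER_OUTPUT NAT_OUTPUT SUBNET: one line per check.
diagnose() {
  if forward_ok "$1" "$3"; then echo "FORWARD: ok"; else echo "FORWARD: no reachable ACCEPT for $3 (check rule order)"; fi
  if masq_ok "$2" "$3"; then echo "NAT: ok"; else echo "NAT: no MASQUERADE for $3 in POSTROUTING"; fi
  if ip_forward_ok; then echo "ip_forward: ok"; else echo "ip_forward: not enabled (or not readable here)"; fi
}

diagnose "$SAMPLE_FILTER" "$SAMPLE_NAT" 172.30.90.0/26
```

On a real server, feed it `iptables -L` and `iptables -L -t nat` output captured into variables; the posted chain reports both FORWARD and NAT as failing.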
