[Solved] OpenVPN connection not forwarding traffic?



Postby beetlejuice7 » Wed Jun 11, 2014 10:52 pm

Hi,

I've set up openvpn on my pi and am running into a small issue. I can connect to the VPN server and ping it just fine, and I can also connect to other machines on my local network. However I am unable, when connected to the VPN, to reach the outside world (either by name lookup or IP).

Here are the details:

On the server the tun0 interface:

[code]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[/code]

I can ping it just fine:

[code]
# ping -c 3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.155 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.156 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
[/code]

Routing table:

[code]
# ip route show
default via 192.168.1.1 dev eth0 metric 204
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.6 metric 204
[/code]

I also have IP traffic forwarding:

[code]
net.ipv4.ip_forward = 1
[/code]

On the client, I can connect to the VPN. Here is my tun0:

[code]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21 bytes 1527 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[/code]

And on the client I can ping it:

[code]
sudo ping -c 3 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 10.8.0.6: icmp_seq=2 ttl=64 time=0.026 ms
64 bytes from 10.8.0.6: icmp_seq=3 ttl=64 time=0.032 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.026/0.031/0.035/0.003 ms
[/code]

I can ssh from the client into another server on my LAN (192.168.1.x); however, I cannot reach anything outside my LAN.

Here are some of the server logs:

[code]
Wed Jun 11 14:37:40 2014 OpenVPN 2.3.4 armv6l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 15 2014
Wed Jun 11 14:37:40 2014 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.06
Wed Jun 11 14:37:40 2014 WARNING: --keepalive option is missing from server config
Wed Jun 11 14:37:40 2014 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Jun 11 14:37:40 2014 Diffie-Hellman initialized with 2048 bit key
Wed Jun 11 14:37:40 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Jun 11 14:37:40 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:5f:4e:1a
Wed Jun 11 14:37:40 2014 TUN/TAP device tun0 opened
Wed Jun 11 14:37:40 2014 TUN/TAP TX queue length set to 100
Wed Jun 11 14:37:40 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jun 11 14:37:40 2014 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Jun 11 14:37:40 2014 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 11 14:37:40 2014 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 11 14:37:40 2014 GID set to nobody
Wed Jun 11 14:37:40 2014 UID set to nobody
Wed Jun 11 14:37:40 2014 UDPv4 link local (bound): [undef]
Wed Jun 11 14:37:40 2014 UDPv4 link remote: [undef]
Wed Jun 11 14:37:40 2014 MULTI: multi_init called, r=256 v=256
Wed Jun 11 14:37:40 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 11 14:37:40 2014 Initialization Sequence Completed
Wed Jun 11 14:37:50 2014 24.143.52.178:51880 TLS: Initial packet from [AF_INET]24.143.52.178:51880, sid=0470250f c302cfe6
Wed Jun 11 14:37:50 2014 24.143.52.178:51880 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Jun 11 14:37:50 2014 24.143.52.178:51880 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client1, name=changeme, emailAddress=mail@host.domain
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 11 14:37:51 2014 24.143.52.178:51880 [client1] Peer Connection Initiated with [AF_INET]24.143.52.178:51880
Wed Jun 11 14:37:51 2014 client1/24.143.52.178:51880 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun 11 14:37:51 2014 client1/24.143.52.178:51880 MULTI: Learn: 10.8.0.6 -> client1/24.143.52.178:51880
Wed Jun 11 14:37:51 2014 client1/24.143.52.178:51880 MULTI: primary virtual IP for client1/24.143.52.178:51880: 10.8.0.6
Wed Jun 11 14:37:53 2014 client1/24.143.52.178:51880 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 11 14:37:53 2014 client1/24.143.52.178:51880 send_push_reply(): safe_cap=940
Wed Jun 11 14:37:53 2014 client1/24.143.52.178:51880 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Wed Jun 11 14:39:55 2014 24.143.52.178:54871 TLS: Initial packet from [AF_INET]24.143.52.178:54871, sid=e0cdbcfd 299193b5
Wed Jun 11 14:39:55 2014 24.143.52.178:54871 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Jun 11 14:39:55 2014 24.143.52.178:54871 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client1, name=changeme, emailAddress=mail@host.domain
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jun 11 14:39:56 2014 24.143.52.178:54871 [client1] Peer Connection Initiated with [AF_INET]24.143.52.178:54871
Wed Jun 11 14:39:56 2014 MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Wed Jun 11 14:39:56 2014 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
[/code]

I am frankly out of ideas! I had OpenVPN installed on the Pi before using Debian and it worked, so I don't think it's my router, but of course anything is possible.
Last edited by beetlejuice7 on Thu Jun 12, 2014 1:42 pm, edited 1 time in total.
beetlejuice7
 
Posts: 3
Joined: Wed Jun 11, 2014 10:33 pm

Re: OpenVPN connection not forwarding traffic?

Postby WarheadsSE » Thu Jun 12, 2014 12:12 am

Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: OpenVPN connection not forwarding traffic?

Postby beetlejuice7 » Thu Jun 12, 2014 1:36 pm

I did read it. Anything I can run to help diagnose the issue?
beetlejuice7
 
Posts: 3
Joined: Wed Jun 11, 2014 10:33 pm

Re: OpenVPN connection not forwarding traffic?

Postby beetlejuice7 » Thu Jun 12, 2014 1:42 pm

Solved it by adding two iptables rules:

[code]
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -j ACCEPT
[/code]
beetlejuice7
 
Posts: 3
Joined: Wed Jun 11, 2014 10:33 pm
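The fix above comes down to three things on the server: ip_forward, a MASQUERADE rule for the tunnel subnet on the WAN interface, and a FORWARD rule accepting traffic arriving on tun0. The script below is an added example (not the poster's code) that checks which of the three are missing and adds only those, so it can be rerun safely; the subnet and interface names are assumed from the post, and the iptables-save sample it checks offline is constructed.

```shell
#!/bin/sh
# Added helper, not from the thread. It checks the three things the thread
# turned on before the Pi would forward VPN clients to the internet
# (ip_forward, a MASQUERADE rule for the tunnel subnet, a FORWARD accept for
# tun0) and adds only the missing ones. Names below are taken from the post.
VPN_NET=10.8.0.0/24
TUN_IF=tun0
WAN_IF=eth0

# vpn_fwd_missing IP_FORWARD RULES
#   IP_FORWARD: contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   RULES:      iptables-save output, passed as text so it can be checked offline
# Prints one line per missing item; prints nothing when everything is in place.
vpn_fwd_missing() {
    fwd=$1
    rules=$2
    [ "$fwd" = "1" ] || echo ip_forward
    printf '%s\n' "$rules" | grep -qF -- "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE" \
        || echo nat_masquerade
    printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i $TUN_IF -j ACCEPT" \
        || echo forward_accept
}

# Read the live state (needs root) and add only what is missing, so rerunning
# never duplicates rules. If the FORWARD chain policy is DROP, return traffic
# from eth0 to tun0 also needs a RELATED,ESTABLISHED accept rule; the thread's
# poster did not need one, so it is not added here.
vpn_fwd_apply() {
    for item in $(vpn_fwd_missing "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"); do
        case $item in
            ip_forward)     sysctl -w net.ipv4.ip_forward=1 ;;
            nat_masquerade) iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE ;;
            forward_accept) iptables -A FORWARD -i "$TUN_IF" -j ACCEPT ;;
        esac
    done
}

# Constructed sample of iptables-save output: NAT present but no FORWARD rule,
# i.e. the state one step short of the fix posted in the thread.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Offline demo against the sample; run vpn_fwd_apply as root on the real host.
vpn_fwd_missing 1 "$SAMPLE_RULES"   # prints: forward_accept
```

Note that these rules are not persisted across reboots by themselves; save them with your distribution's iptables service or put the commands in an OpenVPN up script.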

Re: [Solved] OpenVPN connection not forwarding traffic?

Postby WarheadsSE » Thu Jun 12, 2014 1:48 pm

;)
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

