[SOLVED] OpenVPN clients cannot access internet.


Postby boardbored » Wed Nov 11, 2015 11:12 pm

I've set up my Raspberry Pi running Arch Linux as an OpenVPN server. Clients are able to connect to the server; however, once connected to the server they cannot access the internet. I would like these clients to be able to do so and I'm not sure what I need to change to make this work.

My router's IP address is 192.168.86.1, the Raspberry Pi's is 192.168.86.3 on eth0 and 10.8.0.1 on tun0.
Connected clients can successfully ping both 192.168.86.3 and 10.8.0.1 but pinging anything else fails.

Server Config:
```
port 443
proto tcp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/key.crt
key /etc/openvpn/keys/key.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0

user nobody
group nobody

server 10.8.0.0 255.255.255.0

persist-key
persist-tun

ifconfig-pool-persist ipp.txt

topology subnet

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120

comp-lzo

status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
```

Client config:
```
client

dev tun
proto tcp

remote SERVER_IP 443
resolv-retry infinite

nobind
user nobody
group nobody

persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
remote-cert-tls server

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

comp-lzo

verb 3
```

Server's iptables rules:
```
# Generated by iptables-save v1.4.21 on Wed Nov 11 14:40:14 2015
*nat
:PREROUTING ACCEPT [455:26308]
:INPUT ACCEPT [193:9865]
:OUTPUT ACCEPT [4:351]
:POSTROUTING ACCEPT [4:351]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 11 14:40:14 2015
# Generated by iptables-save v1.4.21 on Wed Nov 11 14:40:14 2015
*filter
:INPUT ACCEPT [1611:153737]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1081:96386]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
COMMIT
# Completed on Wed Nov 11 14:40:14 2015
```
Result of running `route` on Android client:
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
```

IPv4 forwarding is enabled on the server.
Last edited by boardbored on Fri Nov 13, 2015 10:44 pm, edited 1 time in total.
boardbored
 
Posts: 5
Joined: Wed Nov 11, 2015 11:08 pm

Re: OpenVPN clients cannot access internet.

Postby WarheadsSE » Thu Nov 12, 2015 6:32 pm

How are you configuring your network addresses?
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: OpenVPN clients cannot access internet.

Postby boardbored » Thu Nov 12, 2015 9:04 pm

WarheadsSE wrote: How are you configuring your network addresses?

My router assigns addresses using DHCP; however, the Raspberry Pi has been reserved a static IP.

Re: OpenVPN clients cannot access internet.

Postby WarheadsSE » Fri Nov 13, 2015 1:22 pm

Okay, and what software does the DHCP request?

Re: OpenVPN clients cannot access internet.

Postby boardbored » Fri Nov 13, 2015 6:01 pm

The Raspberry Pi is using dhcpcd to get its static IP. Here's the config for that.

```
hostname

duid

persistent

option rapid_commit

option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes

option ntp_servers

require dhcp_server_identifier

slaac private

nohook lookup-hostname
noipv4ll

interface eth0
static ip_address=192.168.86.3/24
static routers=192.168.86.1
static domain_name_servers=8.8.8.8 8.8.4.4 192.168.86.1
```

Re: OpenVPN clients cannot access internet.

Postby WarheadsSE » Fri Nov 13, 2015 8:44 pm

Is systemd-networkd active in any way?

Re: OpenVPN clients cannot access internet.

Postby boardbored » Fri Nov 13, 2015 10:08 pm

I just checked and it's definitely running. Here's the output of `journalctl -eu systemd-networkd`

```
Nov 11 20:53:41 alarmpi systemd[1]: Starting Network Service...
Nov 11 20:53:42 alarmpi systemd-networkd[242]: Enumeration completed
Nov 11 20:53:42 alarmpi systemd[1]: Started Network Service.
Nov 11 20:53:42 alarmpi systemd-networkd[242]: tun0: Gained carrier
Nov 11 20:53:43 alarmpi systemd-networkd[242]: eth0: Gained carrier
Nov 11 20:53:45 alarmpi systemd-networkd[242]: eth0: DHCPv4 address 192.168.86.3/24 via 192.168.86.1
Nov 11 20:53:45 alarmpi systemd-networkd[242]: eth0: Configured
```

Re: OpenVPN clients cannot access internet.

Postby WarheadsSE » Fri Nov 13, 2015 10:37 pm

systemd-networkd should be disabled if you are not going to use it. It happens to disable IP forwarding on a per-interface basis, and is controlled by part of the systemd.network file. Please see the documentation for it.

Re: OpenVPN clients cannot access internet.

Postby boardbored » Fri Nov 13, 2015 10:43 pm

I disabled systemd-networkd, rebooted the system, and now it works! Thanks for the help.
boardbored
 
Posts: 5
Joined: Wed Nov 11, 2015 11:08 pm
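
The diagnosis in this thread turns on per-interface forwarding being off even though global IPv4 forwarding is on. The script below is an added example, not part of the original posts: it checks the global switch and the per-interface flag for each interface named, and reports whether systemd-networkd is running. The function names and the `PROC_ROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: checks the sysctls that decide whether
# packets from VPN clients (tun0) may be forwarded out through eth0.
# PROC_ROOT is a hypothetical override so the check can run on a test tree.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# Print a sysctl file's value, or "missing" when the file is not readable.
read_flag() {
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# check_forwarding IFACE...
# Reports the global switch and each interface; returns 0 only if all are 1.
check_forwarding() {
    rc=0
    global=$(read_flag "$PROC_ROOT/ip_forward")
    if [ "$global" = "1" ]; then
        echo "ok   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward=$global"
        rc=1
    fi
    for ifc in "$@"; do
        val=$(read_flag "$PROC_ROOT/conf/$ifc/forwarding")
        if [ "$val" = "1" ]; then
            echo "ok   net.ipv4.conf.$ifc.forwarding=1"
        else
            echo "FAIL net.ipv4.conf.$ifc.forwarding=$val"
            rc=1
        fi
    done
    return "$rc"
}

# Report whether systemd-networkd is running ("unknown" without systemctl).
networkd_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active systemd-networkd 2>/dev/null || true
    else
        echo unknown
    fi
}

# Run as a script: sh check_fwd.sh eth0 tun0
if [ "$#" -gt 0 ]; then
    echo "systemd-networkd: $(networkd_state)"
    check_forwarding "$@"
fi
```

A global `ip_forward=1` next to a per-interface `FAIL` is the pattern the diagnosis above describes.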

