I can't figure out why my OpenVPN connection is not working. It seems to work fine on connection: I can connect to my server, but once I'm connected I can't use the internet through the VPN.

This is a VPS server running on Debian

Here is my openvpn server.conf file

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 6
    mute 20

And here is my client.conf file

    client
    dev tun
    proto udp
    remote server_ip 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    comp-lzo
    verb 3
    remote-cert-tls server

I've also added firewall rules to accept connections and route, but the strange thing is that some rules appear multiple times. Here is my iptables save file

    # Generated by iptables-save v1.4.8 on Sun Dec 22 04:36:18 2013
    *nat
    :PREROUTING ACCEPT [53:9749]
    :POSTROUTING ACCEPT [9:675]
    :OUTPUT ACCEPT [9:675]
    -A PREROUTING -d server_ip/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 1194
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source server_ip
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Sun Dec 22 04:36:18 2013
    # Generated by iptables-save v1.4.8 on Sun Dec 22 04:36:18 2013
    *filter
    :INPUT ACCEPT [946:112417]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [824:172939]
    -A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
    COMMIT
    # Completed on Sun Dec 22 04:36:18 2013

I also checked /etc/sysctl.conf to make sure that

net.ipv4.ip_forward=1

I also have

net.ipv6.conf.all.forwarding=1

So I've tried the OpenVPN connection on my Linux PC and on VirtualBox XP; both connect, but neither has access to the internet once connected.

The strangest thing of all is that when I do a traceroute, it shows the connection going through the VPN.

For example I do traceroute google.com

    1 my ip from vpn connection
    2 openvpn server ip
    3 ...
    4 ...
    5 ... few hops between server to google
    6 and finally google server ip

So traceroute shows that the connection goes through the VPN, and also when I ping, the ping increases to 100 ms, compared to about 20 ms when I'm not connected to the VPN.

But when I try to browse the internet with any program (Firefox, Chrome, Internet Explorer) I don't get anything. Nothing loads and the connection times out.

It's not that my server is slow so pages won't load, speed test shows about 70mbit connection on server, and I have 6mbit connection.

And when I try to connect to another VPN like cloudnymous, everything works fine. It's just something wrong with my OpenVPN setup.

EDIT: After all, I thought I finally got it working; after messing around with a lot of settings I can finally connect to my VPN and get internet from there.

Now I have one final problem. Since I'm on Linux, a few programs don't work here, so I use VirtualBox with a Windows XP installation. When connected to the VPN in VirtualBox I can surf the internet, but no program can connect to the internet. Also, my VPN connection is losing internet from time to time, and it's not my internet or server connection, because during the time when I lose internet over the VPN I can still connect to the server with PuTTY over SSH and do various things.

migrated from serverfault.com Dec 22 '13 at 5:33

This question came from our site for system and network administrators.

  • Wow.. Is it a bible? Just kidding.. well, did you open the ports in your firewall? – B4NZ41, Dec 22 '13 at 5:17
  • What is the REDIRECT rule good for if you have default port 1194 configured on both client and server? How's the proxy set up for your browsers? For testing you should deactivate all proxies. Can you load any of the web pages using e.g. wget? – Marcus Rickert, Dec 22 '13 at 10:51
  • I don't even have a firewall enabled on my PC, and if I turn off the redirect then I get a connection to the VPN but I get internet from my home network. Using wget I can download files from an IP, but when entering any domain address it gets stuck. – Aleksandar Đorđević, Dec 22 '13 at 12:44
  • Give me the output of: netstat -rn – Pol Hallen, Dec 22 '13 at 18:56
  • From the server or my PC? – Aleksandar Đorđević, Dec 22 '13 at 18:59
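
The iptables-save dump in the question can be audited mechanically for the repeated rules the asker noticed. The following is an added example, not code from the original post: a hypothetical `audit` helper that flags exact duplicates and rules appended after a match-all terminal rule in the same chain, run over the rules as posted.

```python
import shlex
from collections import defaultdict
# Rules copied from the question's iptables-save dump (server_ip is its placeholder).
RULESET = """\
*nat
-A PREROUTING -d server_ip/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 1194
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source server_ip
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
*filter
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
"""
# Targets that end chain traversal for the packets they match.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}

def audit(text):
    """Return (duplicates, unreachable): lists of (table, chain, position, rule)."""
    table, seen, closed, pos = None, set(), set(), defaultdict(int)
    dups, dead = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        if not line.startswith("-A "):
            continue
        _, chain, *spec = shlex.split(line)
        key = (table, chain)
        pos[key] += 1
        entry = (table, chain, pos[key], line)
        if key in closed:
            dead.append(entry)      # sits after a match-all terminal rule
        elif (key, tuple(spec)) in seen:
            dups.append(entry)      # same spec already appended to this chain
        seen.add((key, tuple(spec)))
        if spec[:1] == ["-j"] and spec[1] in TERMINAL:
            closed.add(key)         # no match options: catches every packet
    return dups, dead

if __name__ == "__main__":
    for label, found in zip(("duplicate", "unreachable"), audit(RULESET)):
        print(*(f"{label:11} {t}/{c} #{n}: {r}" for t, c, n, r in found), sep="\n")
```

On the posted ruleset this reports two duplicate MASQUERADE rules in nat/POSTROUTING and five FORWARD rules that sit after the first unconditional REJECT and are therefore never evaluated.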

Masquerading does not work on a VPS .. you must use iptables Source NAT instead:

iptables -t nat -A POSTROUTING -s 10.x.x.x/xx -j SNAT --to-source y.y.y.y

x.x.x.x/x is the VPN subnet - y.y.y.y is the IP address of your server output interface.

  • Somebody must have found this useful by now? – dotvotdot, Nov 18 '15 at 16:29

I had a similar problem where OpenVPN was working OK until I changed the router. I suspected the router firewall although I had opened the required ports. However, I looked at rc.local and saw that, when first configured, the iptables line had been set up with the actual IP address rather than the $MY_IP variable I expected like this:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.0.15

rather than:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $MY_IP

The problem was that changing the router assigned a different IP to the server, and I just made a reservation for the new IP and expected all to work.

If I had reserved the same IP for the server as before I could have saved a lot of head scratching.
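
A check for the situation this answer describes, where a hard-coded SNAT source no longer matches any address on the server. This is an added example, not the answerer's code; `local_addresses` and `stale_snat` are hypothetical helpers, and the `ip -o -4 addr show` output and the address 192.168.0.27 are constructed sample data.

```python
import ipaddress
import shlex

# Constructed sample: the two rc.local variants from the answer, plus
# `ip -o -4 addr show` output after the server received a new address.
RC_LOCAL = (
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.0.15\n"
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $MY_IP\n"
)
IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\n"
    "2: eth0    inet 192.168.0.27/24 brd 192.168.0.255 scope global eth0\n"
    "3: tun0    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0\n"
)

def local_addresses(ip_output):
    """Addresses assigned to this host, parsed from `ip -o -4 addr show` output."""
    addrs = set()
    for line in ip_output.splitlines():
        tok = line.split()
        if "inet" in tok:
            addrs.add(ipaddress.ip_address(tok[tok.index("inet") + 1].split("/")[0]))
    return addrs

def stale_snat(rules, ip_output):
    """Return (address, rule) for SNAT sources that are not assigned to this host."""
    local, stale = local_addresses(ip_output), []
    for line in rules.splitlines():
        tok = shlex.split(line, comments=True)
        if "SNAT" not in tok:
            continue
        for opt, val in zip(tok, tok[1:]):
            if opt not in ("--to", "--to-source"):
                continue
            # Value syntax is addr[-addr][:port[-port]]; check each address endpoint.
            for a in val.split(":")[0].split("-"):
                try:
                    addr = ipaddress.ip_address(a)
                except ValueError:
                    continue        # shell variable such as $MY_IP: not checkable here
                if addr not in local:
                    stale.append((a, line.strip()))
    return stale

if __name__ == "__main__":
    for addr, rule in stale_snat(RC_LOCAL, IP_ADDR):
        print(f"SNAT source {addr} is not on any local interface: {rule}")
```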
