I have installed OpenVPN on a Raspberry PI (server: 192.168.0.2) and on my Ubuntu laptop (client: 192.168.0.3). Both machines are connected to the same wireless network and have their addresses assigned by DHCP from the wireless router at 192.168.0.1. However, when the VPN is started, I cannot access the Internet from the client.
When I start OpenVPN on the server (with the following options), it appears to start correctly.
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh2048.pem
    cipher AES-256-CBC
    auth SHA512
    topology subnet
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 18.104.22.168"
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
When I start OpenVPN on the client (with the following options), it too appears to start correctly.
    ca keys/ca.crt
    cert keys/client-no-pass.crt
    key keys/client-no-pass.key
    remote 192.168.0.2 1194
    comp-lzo
    client
    dev tun
    redirect-gateway local
    remote-cert-tls server
    cipher AES-256-CBC
    auth SHA512
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    mute 20
On the client, I can see that my IP routing table has been manipulated to use the server's VPN IP address as the default route, and that all traffic to the VPN network will be sourced with tun0's IP address of 10.8.0.4.
    me@client:~$ ip route
    default via 10.8.0.1 dev tun0
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4
    169.254.0.0/16 dev wlp4s0 scope link metric 1000
    192.168.0.0/24 dev wlp4s0 proto kernel scope link src 192.168.0.3 metric 600
When the VPN is disconnected, I can ping 22.214.171.124 (a DNS server). When the VPN is connected, I cannot.
After searching Google, I tried adding this on the server, but it doesn't help:
    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.0.2
What am I doing wrong? How can I fix it? Is my local WLAN VPN scenario simply unsupported? I've tried running Wireshark to capture tun0 traffic from the client but haven't been able to resolve the issue.
- The server's IP address was "reserved" (by MAC address) so that the router always assigns it the same address.
- The server is configured (by way of editing /etc/sysctl.conf) to forward IPV4 packets, and this has been tested by running:

      cat /proc/sys/net/ipv4/ip_forward

  (returns 1)
- The server routing table shows this:

      me@server:~$ ip route
      default via 192.168.0.1 dev wlan0 metric 303
      10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
      192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.2 metric 303

- The server's firewall looks like this:

      me@server:~ $ sudo iptables -S
      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
      me@server:~ $ sudo iptables -t nat -S
      -P PREROUTING ACCEPT
      -P INPUT ACCEPT
      -P OUTPUT ACCEPT
      -P POSTROUTING ACCEPT
      -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
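As an added example (my own code, not part of the question above), a small Python check that parses the server and client option files quoted in the question together with the output of `iptables -t nat -S`: it flags options that must agree on both ends (cipher, auth, proto, dev, comp-lzo and the remote port) and confirms that a POSTROUTING rule rewrites the tunnel subnet's source address on the LAN-side interface. The embedded configs and NAT listing are trimmed copies of the ones in the question, not live output.

```python
import re

# Constructed inputs, copied from the question above (not live output).
SERVER_CONF = """port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA512
comp-lzo
"""
CLIENT_CONF = """client
dev tun
remote 192.168.0.2 1194
redirect-gateway local
cipher AES-256-CBC
auth SHA512
proto udp
comp-lzo
"""
NAT_RULES = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE"


def parse_conf(text):
    """Map each option name to the list of argument lists it appears with."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def mismatches(server, client):
    """Options that must agree on both ends; a mismatch drops data-channel packets silently."""
    found = []
    for name in ("cipher", "auth", "proto", "dev"):
        s, c = (d.get(name, [["(unset)"]])[0] for d in (server, client))
        if s != c:
            found.append(f"{name}: server {' '.join(s)} vs client {' '.join(c)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        found.append("comp-lzo is enabled on only one side")
    port = server.get("port", [["1194"]])[0][0]  # OpenVPN default port
    if client.get("remote", [[]])[0][1:2] != [port]:
        found.append(f"client 'remote' port does not match server port {port}")
    return found


def nat_rule_present(rules, subnet, iface):
    """True if a POSTROUTING rule rewrites the tunnel subnet's source address on iface."""
    pat = re.compile(rf"^-A POSTROUTING .*-s {re.escape(subnet)}\s.*-o {iface}\s.*-j (MASQUERADE|SNAT)")
    return any(pat.match(rule.strip()) for rule in rules.splitlines())
```

For the configs in the question the option check comes back empty and the NAT rule is found, so the remaining suspects are forwarding and routing on the server rather than the OpenVPN options themselves.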