I have installed OpenVPN on a Raspberry PI (server: 192.168.0.2) and on my Ubuntu laptop (client: 192.168.0.3). Both machines are connected to the same wireless network and have their addresses assigned by DHCP from the wireless router at 192.168.0.1. However, when the VPN is started, I cannot access the Internet from the client.

When I start OpenVPN on the server (with the following options), it appears to start correctly.

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
    dh /etc/openvpn/keys/dh2048.pem
    cipher AES-256-CBC
    auth SHA512
    topology subnet
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 8.8.8.8"
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

When I start OpenVPN on the client (with the following options), it too appears to start correctly.

    ca keys/ca.crt
    cert keys/client-no-pass.crt
    key keys/client-no-pass.key
    remote 192.168.0.2 1194
    comp-lzo
    client
    dev tun
    redirect-gateway local
    remote-cert-tls server
    cipher AES-256-CBC
    auth SHA512
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3
    mute 20

On the client, I can see that my IP routing table has been manipulated to use the server's VPN IP address as the default route, and that all traffic to the VPN network will be sourced with tun0's IP address of 10.8.0.4.

    me@client:~$ ip route
    default via 10.8.0.1 dev tun0
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4
    169.254.0.0/16 dev wlp4s0 scope link metric 1000
    192.168.0.0/24 dev wlp4s0 proto kernel scope link src 192.168.0.3 metric 600

When the VPN is disconnected, I can ping 8.8.8.8 (a DNS server). When the VPN is connected, I cannot.

After searching Google, I tried adding this on the server, but it doesn't help:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.0.2

What am I doing wrong? How can I fix it? Is my local WLAN VPN scenario simply unsupported? I've tried running Wireshark to capture tun0 traffic from the client but haven't been able to resolve the issue.

EDIT: Additional information:

  1. The server's IP address was "reserved" (by MAC address) so that the router always assigns it the same address 192.168.0.2

  2. The server is configured (by way of editing /etc/sysctl.conf) to forward IPv4 packets, and this has been tested by running cat /proc/sys/net/ipv4/ip_forward (returns 1)

  3. The server routing table shows this:

    me@server:~$ ip route
    default via 192.168.0.1 dev wlan0 metric 303
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
    192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.2 metric 303

  4. The server's firewall looks like this:

    me@server:~ $ sudo iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
    me@server:~ $ sudo iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

  • Apart from the valid technical questions you asked, what is your end goal here? Obviously, if both machines are connected to the same network there is no need for a VPN tunnel between them. Is this just for testing? – Appleoddity, Jul 21 '17 at 15:35
  • Yes, I am just trying to test OpenVPN on my LAN. I understand that there is no need for a VPN in this scenario, but I am also beginning to think that it might not be possible to run a VPN when both the server and client are already on the same network. – Jono, Jul 22 '17 at 6:10
  • I am not sure whether that's the reason, but usually NAT setups with iptables use -j MASQUERADE in the POSTROUTING rule. – Nathan.Eilisha Shiraini, Jul 27 '17 at 8:23
  • Nathan, on Liam's suggestion I modified iptables to use MASQUERADE (as shown in my latest edit of the question) but it still hasn't resolved the issue. – Jono, Jul 28 '17 at 9:20

You need to confirm that both routing and Network Address Translation (NAT) are working properly on your VPN server. Try using tcpdump to inspect the network traffic on the server's VPN interface and Ethernet port to make sure packets are flowing, and what their addresses are. To answer your comment on whether this can be done with this design, it certainly can, and is a great way to learn about all of the involved concepts.

Here is a good guide on NAT with Linux, and many others are available too. A key thing to check is whether your system is even correctly configured for routing - by default it may be turned off. If

cat /proc/sys/net/ipv4/ip_forward

returns a zero, then it's switched off and no firewall rules will save you. You can run echo 1 > /proc/sys/net/ipv4/ip_forward to turn it on, but rather look at the entire guide to get all the necessary steps completed as well as instructions for making this change permanent (it will be lost every time you reboot otherwise).

Also, if you are using DHCP for the VPN server, then you probably want to use MASQUERADE instead of SNAT, since the IP address may change and your firewall rule will then be incorrect.

Note that if you don't want to use NAT, you will need to let your local router (the one plugged into your ISP) know that your VPN subnet (10.8.0.0/24) is behind your VPN server's IP address (192.168.0.2). Right now, it has no idea how to find 10.8.0.4, so will simply discard the reply packets.

Again, if the server's address is assigned by DHCP then this could change and you would need to update the routing entry, and you may not even be able to add this route if you are using your ISP's router and they do not permit you to administer their device.

  • Thanks for letting me know it can be done. I've made an edit to the question to clarify that IPv4 forwarding is enabled, DHCP won't change the server's address, and shown the server's routing table. The one thing I don't grasp is how the router should ever need to know about the VPN addresses... I had expected OpenVPN server to handle the NAT on receiving packets from the public network and forwarding them to the clients on the private network. Perhaps your link will explain it - I'll start reading now. – Jono, Jul 26 '17 at 16:44
  • I found this link very helpful community.openvpn.net/openvpn/wiki/BridgingAndRouting as it instructed me on the correct FORWARD entries to be added to the VPN server – Jono, Jul 28 '17 at 16:09
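As an added diagnostic example (not part of the question or the answer above), a small Python checker that applies the answer's three checks to text captured on the server: ip_forward enabled, a NAT rule for the VPN subnet on the WAN interface (MASQUERADE rather than a fixed SNAT when the address comes from DHCP), and FORWARD rules for both directions when the chain policy is not ACCEPT. The sample input is constructed from the outputs quoted in the question, with the SNAT rule from the first attempt; `check_vpn_gateway` and its parameters are this example's own names.

```python
# Constructed sample input modelled on the outputs quoted in the question: the
# server's ip_forward value, `iptables -S` and `iptables -t nat -S` (with the
# SNAT rule from the questioner's first attempt).
IP_FORWARD = "1\n"
FILTER_RULES = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -m conntrack --ctstate NEW -j ACCEPT
"""
NAT_RULES = """-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j SNAT --to-source 192.168.0.2
"""

def check_vpn_gateway(ip_forward, filter_rules, nat_rules, vpn_net="10.8.0.0/24",
                      vpn_if="tun0", wan_if="wlan0", wan_is_dhcp=True):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    # 1. Kernel routing must be enabled, or no firewall rule will help.
    if ip_forward.strip() != "1":
        problems.append("ip_forward is 0: enable net.ipv4.ip_forward")
    # 2. FORWARD chain: when the policy is not ACCEPT, explicit rules are needed
    #    both for new VPN->WAN connections and for the return traffic.
    lines = filter_rules.splitlines()
    fwd = [r for r in lines if r.startswith("-A FORWARD ") and r.endswith("-j ACCEPT")]
    if "-P FORWARD ACCEPT" not in lines:
        if not any("RELATED,ESTABLISHED" in r for r in fwd):
            problems.append("FORWARD: no rule accepting RELATED,ESTABLISHED return traffic")
        if not any(f"-s {vpn_net}" in r and f"-i {vpn_if}" in r and f"-o {wan_if}" in r
                   for r in fwd):
            problems.append(f"FORWARD: no rule accepting {vpn_net} from {vpn_if} to {wan_if}")
    # 3. NAT: the VPN subnet must be translated on the way out of the WAN
    #    interface, otherwise the LAN router cannot route replies to 10.8.0.x.
    post = [r for r in nat_rules.splitlines() if r.startswith("-A POSTROUTING ")
            and f"-s {vpn_net}" in r and f"-o {wan_if}" in r]
    if not any("-j MASQUERADE" in r or "-j SNAT" in r for r in post):
        problems.append(f"nat POSTROUTING: no MASQUERADE/SNAT rule for {vpn_net} on {wan_if}")
    elif wan_is_dhcp and any("-j SNAT" in r for r in post):
        # A fixed --to-source breaks silently once DHCP hands out a new address.
        problems.append("nat POSTROUTING: SNAT with a fixed --to-source on a DHCP "
                        "interface; use -j MASQUERADE instead")
    return problems

if __name__ == "__main__":
    for p in check_vpn_gateway(IP_FORWARD, FILTER_RULES, NAT_RULES) or ["all checks passed"]:
        print(p)
```

On a real server, feed it the output of `cat /proc/sys/net/ipv4/ip_forward`, `sudo iptables -S` and `sudo iptables -t nat -S`; it only inspects rule text, so it cannot see whether packets actually flow, which is what the tcpdump check in the answer is for.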
