openvpn - unable to browse internet after connect to openVPN

AZhu · Feb 22, 2011 · Viewed 37.5k times

I have set up an OpenVPN tunnel using the following server-side configuration:

port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
client-to-client
log-append /var/log/openvpn
group daemon
daemon
verb 3

and the client configuration file as follows:

client
remote ******* 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
verb 3

However, upon connection, I can ping 10.8.0.1 with no problem, but I cannot even visit Google.

I am running OpenVPN 2.1.4 on Windows 7 Ultimate with admin rights. The server is an Ubuntu 10.04 installation with TUN enabled by default.

The only suspicious part I can find in the log is like this:

Mon Feb 21 20:44:33 2011 C:\WINDOWS\system32\route.exe ADD ********* MASK 255.255.255.255 192.168.1.1
OK!
Mon Feb 21 20:44:33 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
OK!
Mon Feb 21 20:44:34 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
OK!
Mon Feb 21 20:44:34 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
OK!
Mon Feb 21 20:44:34 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
The route addition failed: The object already exists.
Mon Feb 21 20:44:34 2011 Initialization Sequence Completed

Not sure if that would help.

Please help!

Thanks!

Answer

Martin · Feb 24, 2011

You are using the flag redirect-gateway def1 and so are redirecting all your traffic through the VPN.

I can't see from your post if you have configured NAT or any other address translation on your server, but my guess is that the packets are just being routed through your VPN and then have no way to get back to your client.

If your VPN client is 10.8.0.2 and your server is 10.8.0.1 and has an internet IP that is 12.12.12.12: your call to Google will be sent from 10.8.0.2, routed through the VPN and then sent from there to Google. The problem is that the originating address will stay as 10.8.0.2 and therefore the answer packets can never find their way back to you. You must add some means of translation that takes the packets and translates the origin from 10.8.0.2 to 12.12.12.12 and back:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This is also explained in the OpenVPN manual. I hope this solves your problem, but from the description I could not be sure if you have any NAT translation enabled, so maybe this isn't helpful at all :-)
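As an added example that is not part of the original answer, the following POSIX shell script wraps the masquerade rule above in an idempotent setup together with the two checks an administrator would want next to it: that the kernel is actually forwarding (net.ipv4.ip_forward), and that the FORWARD chain only admits traffic between the tunnel and the WAN interface, so the NAT rule does not quietly turn the server into a router for everything else it can reach. The subnet 10.8.0.0/24 is taken from the question; the interface names tun0 and eth0 and the VPN_NET, VPN_IF and WAN_IF variables are assumptions made for this example. Run with no argument it only prints the iptables commands (dry run); `apply` executes them and needs root.

```sh
#!/bin/sh
# Added example, not from the original answer: idempotent NAT and forwarding
# setup for an OpenVPN server whose clients use "redirect-gateway def1".
# Assumed for this example: VPN subnet 10.8.0.0/24 (from the question),
# tunnel interface tun0, internet-facing interface eth0. Override with
# environment variables, e.g.  WAN_IF=ens3 sh vpn-nat.sh apply
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Rule set, one per line: <table> <chain> <match and target>.
#  1. The answer's rule: rewrite the clients' source address to the server's
#     WAN address so replies from the internet can find their way back.
#  2. Forward only what arrives on the tunnel, from the VPN subnet, out to
#     the WAN interface.
#  3. Let return traffic back in, but only for connections clients opened.
# With FORWARD defaulting to DROP (set in "apply"), nothing else the server
# can reach becomes routable through the tunnel.
rules() {
    cat <<EOF
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
filter FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run: print the exact iptables commands without touching the firewall.
render_rules() {
    rules | while read -r table chain match; do
        printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$match"
    done
}

# The kernel drops forwarded packets before NAT ever sees them unless
# net.ipv4.ip_forward is 1; a missing sysctl is the other classic cause of
# "I can ping the server but nothing past it". Returns 0 when enabled.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Append each rule only if it is not already present, so re-running the
# script after a reboot or a config change never stacks duplicate rules.
# iptables -C (check) needs iptables 1.4.11 or later. $match is deliberately
# unquoted so the shell splits it into separate arguments.
apply_rules() {
    rules | while read -r table chain match; do
        if iptables -t "$table" -C "$chain" $match 2>/dev/null; then
            echo "present: $chain $match"
        else
            iptables -t "$table" -A "$chain" $match
            echo "added:   $chain $match"
        fi
    done
}

case "${1:-}" in
    apply)
        if ! ip_forward_enabled; then
            echo "net.ipv4.ip_forward is not 1; fix with: sysctl -w net.ipv4.ip_forward=1" >&2
            exit 1
        fi
        apply_rules
        iptables -P FORWARD DROP
        ;;
    "") render_rules ;;
    *)  echo "usage: $0 [apply]" >&2 ;;
esac
```

The rules are appended before the FORWARD policy is switched to DROP so that an already-running VPN is not interrupted between the two steps. Rules added this way do not survive a reboot on their own; persist them with the distribution's usual mechanism (iptables-save/iptables-restore or a firewall package) once the dry run shows what you expect.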