
Background

I have an OpenVPN server on my Debian VPS box.

The purpose is to

  • bypass firewalls (my paranoid ISP blocks TCP port 25)

  • enable safe connection via untrusted networks (mainly for portable machines, but you never know)

  • allow connection between peers (for remote SSH/VNC troubleshooting)

I have authenticated and configured two clients (so far), a Debian Squeeze laptop and an Ubuntu 12.04 desktop, to connect to this VPN.

Problem

Connection to the VPN itself works OK from both clients. But the Ubuntu box cannot reach outside of the VPN (not even using an IP address).

Both clients were set up using Network Manager, and the only thing I changed from the defaults is that the tunnel uses a TCP connection to port 110.

Any tips where to look next?

Data

server.conf:

port 110
proto tcp
dev tun

ca ca.crt
cert myvpn.crt
key myvpn.key
dh dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

route after connecting the "bad" box (89.x.y.z is my VPS):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
89.x.y.z        192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

and the "good" box:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.13       0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.13       255.255.255.255 UGH   0      0        0 tun0
10.8.0.13       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
89.x.y.z        192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

(At the time of testing, both are in the same local net.)

and the VPS:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
89.x.y.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         89.x.y.1        0.0.0.0         UG    0      0        0 eth0
  • What are at addresses 10.8.0.5 and 10.8.0.13? Shouldn't your two clients both use the same gateway address? Other differences: the "bad" box has avahi enabled and a virbr0 for (I presume) kvm; you might want to try disabling these to see if that makes any difference.
    – jdthood
    Commented Feb 11, 2013 at 9:11
  • @jdthood In a normal network I'd expect them to be the same; not sure about VPN, though... I tried to disable avahi (stop the daemon), and disable virbr (stop the network via KVM Manager) and none of these helped. In the second case the route table was shorter but the behavior was the same. BTW both boxes get the same GW in any case. (Note that I will need the KVM with virbr0 for normal operation.) Commented Feb 11, 2013 at 14:13
  • You say that the Ubuntu box cannot reach outside of the VPN. Is the VPS connected to some LAN that you want to access? Or do you just want to connect to the Internet? In the latter case you can use "Use this connection only for resources on its network".
    – jdthood
    Commented Feb 11, 2013 at 15:06
  • @jdthood The VPS is connected to the Internet and I just want to access the Internet via this VPN (mostly to avoid my ISP blocking SMTP and to allow SSH/VNC between the boxes). I'll try to enable the setting, although I'm not there until circa next week or so. Thanks! Commented Feb 11, 2013 at 17:03
  • "Use this connection only for resources on its network" won't help you, then; it sets the local default route to the local network interface (e.g., eth0 or wlan0) instead of the VPN network interface (tun0 in your case). Your problem could be imperfect firewall or routing settings on the VPS, although I can't think why one client would have Internet access and the other not.
    – jdthood
    Commented Feb 11, 2013 at 17:22

1 Answer


You need to edit your VPS's routes and add a default gateway. You also have to make sure that you have enabled IP forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward.

Edit: There must be a row in the routing table saying that if no destination was found for packets, then they must be routed to the default gateway. This is mine:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

You can add a new entry for the default gateway using route add default gw 192.168.1.1. Make sure that the routing table is correct on both the VPS and the client.

  • Route tables are kind of around the border of my understanding. Could you be more specific as to what should be added? I have updated Q with my current VPS route. Commented Mar 1, 2013 at 20:16
  • Also I have verified that IP forwarding is on. (I believe that otherwise Debian box could not reach the net as well, though...) Commented Mar 1, 2013 at 20:18
  • Edited my answer ;) Commented Mar 1, 2013 at 20:24
  • I appreciate your help, but honestly the proposed route doesn't make much sense to me: 192.168.1.1 is my local NetGear router, 192.168.1.0/24 is the local network over which I create the tunnel. It's not connected to my VPS's eth0. It does not know/care about it. Any client in the world could realize the (tunnel-bearing) TCP connection via a local router called 192.168.1.1. (Anyway, I don't want to use that box as gateway to the Internet. The purpose of it all is to bypass my ISP by "proxying" all IP via the VPS.) Commented Mar 2, 2013 at 20:33
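The route tables pasted in the question and the default-gateway/ip_forward advice in the answer can be checked mechanically instead of by eye. The script below is an added example written for this thread; it is not code from the question, the answer, or the OpenVPN project. It checks a client route table for the shape "redirect-gateway def1" should produce (default route on tun0 plus a /32 route to the VPS left on the physical interface), and checks a VPS for the three things it needs before tunnel clients can reach the Internet through it: a default route, ip_forward set to 1, and a source-NAT rule (MASQUERADE or SNAT) for the tunnel subnet on the egress interface. The third check is a requirement the answer does not mention: forwarded packets from 10.8.0.x carry a private source address, so without NAT on the VPS no reply ever comes back, whichever client sent them. The subnet 10.8.0.0/24 and interface eth0 are taken from the question's server.conf and VPS route table, the nat-table samples are constructed, and 89.x.y.z is kept as the question's own placeholder.

```sh
#!/bin/sh
# Added diagnostic for the setup in this thread (not code from the original
# post). Every check takes its input as text, so it runs over the tables pasted
# in the question as well as over live command output (pass --live on the VPS).
# Assumed: tunnel subnet 10.8.0.0/24 and egress interface eth0, as in the
# question's server.conf and VPS route table.

# Client side: with "redirect-gateway def1" the default route must point at the
# tun interface, and a /32 host route to the VPS must stay on the physical
# interface so the tunnel's own TCP session is not routed into the tunnel.
client_routes_ok() {
    # $1: client `route -n` output, $2: VPS address as it appears in the table
    printf '%s\n' "$1" | awk -v vps="$2" '
        $1 == "0.0.0.0" && $8 ~ /^tun/                        { def = 1 }
        $1 == vps && $3 == "255.255.255.255" && $8 !~ /^tun/  { host = 1 }
        END { exit !(def && host) }'
}

# Server check 1: a default route ("0.0.0.0" or "default" row) must exist.
has_default_route() {
    # $1: `route -n` or `ip route` output
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" || $1 == "default" { found = 1 } END { exit !found }'
}

# Server check 2: ip_forward must be 1 (the answer's echo 1 > ... step).
ip_forward_enabled() {
    # $1: contents of /proc/sys/net/ipv4/ip_forward
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Server check 3: forwarding alone is not enough. Packets from 10.8.0.x leave
# eth0 with a private source address, so replies never return unless the VPS
# rewrites the source (MASQUERADE or SNAT in the nat POSTROUTING chain).
has_vpn_nat() {
    # $1: `iptables -t nat -S` output, $2: VPN subnet (CIDR), $3: egress interface
    printf '%s\n' "$1" | grep -qE -- "^-A POSTROUTING -s $2 -o $3 -j (MASQUERADE|SNAT)"
}

# Runs the three server checks, prints one line each, returns the failure count.
vpn_server_checks() {
    # $1 routes, $2 ip_forward value, $3 nat rules, $4 VPN subnet, $5 egress iface
    fails=0
    if has_default_route "$1"; then echo "ok    default route present"
    else echo "FAIL  no default route"; fails=$((fails + 1)); fi
    if ip_forward_enabled "$2"; then echo "ok    ip_forward=1"
    else echo "FAIL  ip_forward is not 1"; fails=$((fails + 1)); fi
    if has_vpn_nat "$3" "$4" "$5"; then echo "ok    NAT for $4 via $5"
    else echo "FAIL  no MASQUERADE/SNAT rule for $4 on $5"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples: the VPS and "bad" client tables from the question, plus
# two made-up nat tables (one with the rule the VPS needs, one without).
VPS_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
89.x.y.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         89.x.y.1        0.0.0.0         UG    0      0        0 eth0'
BAD_CLIENT_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
89.x.y.z        192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0'
NAT_WITH_RULE='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
NAT_WITHOUT_RULE='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'

if [ "${1:-}" = "--live" ]; then
    # Run on the VPS as root: feeds real routing, sysctl and nat state in.
    vpn_server_checks "$(ip route 2>/dev/null || route -n)" \
        "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)" 10.8.0.0/24 eth0
else
    # Demo mode over the constructed samples.
    if client_routes_ok "$BAD_CLIENT_ROUTES" 89.x.y.z; then
        echo "ok    client routes have the redirect-gateway shape; look at the server side"
    fi
    vpn_server_checks "$VPS_ROUTES" 1 "$NAT_WITHOUT_RULE" 10.8.0.0/24 eth0 \
        || echo "$? server check(s) failed"
fi
```

Run over the question's own data, the "bad" client table passes the client check and the VPS table passes the default-route check, so neither of those explains the symptom; on the real VPS, run the script as root with --live and look at the NAT line, since a missing POSTROUTING rule produces exactly "connects fine, reaches nothing" and is independent of which client is connected.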
