linux
hostadmin, 2015-12-27 16:49:00

What rules to prescribe on the OpenVPN server so that the Internet goes through it to the client?

There is a VPS (KVM-based) from the German hosting provider Contabo. I'm trying to set up OpenVPN there so that I can get on the Internet from all sorts of "dumb" places.
The OpenVPN connection itself works fine. Pings to VPN addresses (10.8.0.0) go back and forth, and the client can also ping the server's external IP. But the client cannot ping any IP on the Internet (8.8.8.8), although the server itself, of course, can.
The trace from the client is quite expected:

C:\Windows\System32>tracert ya.ru

Трассировка маршрута к ya.ru [213.180.193.3]
с максимальным числом прыжков 30:

  1    44 ms    44 ms    44 ms  10.8.0.1
  2     *        *        *     Превышен интервал ожидания для запроса.
  3     *        *        *     Превышен интервал ожидания для запроса.

I tried all sorts of combinations of iptables commands from manuals on the Internet, but the result is the same: there is no Internet on the client.
Configs.
Server:
port 1194
proto udp
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
ifconfig-pool-persist ipp.txt
cipher BF-CBC
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 20
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "route-gateway 10.8.0.1"
push "route-method exe"
push "route-delay 2"

route 192.168.1.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
+ccd: iroute 192.168.1.0 255.255.255.0
Client:
client
dev tap
proto udp
remote server_ip 1194
resolv-retry infinite
ca "c:/PROGRAM files/openvpn/ca.crt"
cert "c:/PROGRAM files/openvpn/client.crt"
key "c:/PROGRAM files/openvpn/client.key"
cipher BF-CBC
remote-cert-tls server
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log "c:/PROGRAM files/openvpn/openvpn.log"
verb 3
mute 20
nobind

ip_forward:
/etc/openvpn/ccd# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

iptables-save:
*nat
:PREROUTING ACCEPT [222:12657]
:INPUT ACCEPT [220:12460]
:OUTPUT ACCEPT [72:4320]
:POSTROUTING ACCEPT [72:4320]
:NAT_POSTROUTING_CHAIN - [0:0]
:NAT_PREROUTING_CHAIN - [0:0]
:POST_NAT_POSTROUTING_CHAIN - [0:0]
:POST_NAT_PREROUTING_CHAIN - [0:0]
-A PREROUTING -j NAT_PREROUTING_CHAIN
-A PREROUTING -j POST_NAT_PREROUTING_CHAIN
-A POSTROUTING -j NAT_POSTROUTING_CHAIN
-A POSTROUTING -j POST_NAT_POSTROUTING_CHAIN
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source SERVER_IP
COMMIT
...
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j BASE_INPUT_CHAIN
-A INPUT -j INPUT_CHAIN
-A INPUT -j HOST_BLOCK_SRC
-A INPUT -j SPOOF_CHK
-A INPUT -i eth0 -j VALID_CHK
-A INPUT -i eth0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i eth0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i eth0:0 -j VALID_CHK
-A INPUT -i eth0:0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i eth0:0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i eth0:0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i tun0 -j VALID_CHK
-A INPUT -i tun0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i tun0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i tun0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -i tap0 -j VALID_CHK
-A INPUT -i tap0 ! -p icmp -m state --state NEW -j EXT_INPUT_CHAIN
-A INPUT -i tap0 -p icmp -m state --state NEW -m limit --limit 60/sec --limit-burst 100 -j EXT_INPUT_CHAIN
-A INPUT -i tap0 -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN
-A INPUT -j POST_INPUT_CHAIN
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
-A INPUT -j DROP
-A FORWARD -j BASE_FORWARD_CHAIN
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0:0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tap0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j FORWARD_CHAIN
-A FORWARD -j HOST_BLOCK_SRC
-A FORWARD -j HOST_BLOCK_DST
-A FORWARD -i eth0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o eth0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i eth0:0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o eth0:0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i tun0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o tun0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -i tap0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -o tap0 -j EXT_FORWARD_OUT_CHAIN
-A FORWARD -j SPOOF_CHK
-A FORWARD -j POST_FORWARD_CHAIN
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
-A FORWARD -j DROP
-A OUTPUT -j BASE_OUTPUT_CHAIN
-A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -o eth0:0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -o tap0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j OUTPUT_CHAIN
-A OUTPUT -j HOST_BLOCK_DST
-A OUTPUT -f -m limit --limit 3/min -j LOG --log-prefix "AIF:Fragment packet: " --log-level 6
-A OUTPUT -f -j DROP
-A OUTPUT -o eth0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o eth0:0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o tun0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -o tap0 -j EXT_OUTPUT_CHAIN
-A OUTPUT -j POST_OUTPUT_CHAIN
-A OUTPUT -j ACCEPT
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_FORWARD_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT
-A BASE_INPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_INPUT_CHAIN -p tcp -m state --state RELATED -m tcp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p udp -m state --state RELATED -m udp --dport 1024:65535 -j ACCEPT
-A BASE_INPUT_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_INPUT_CHAIN -i lo -j ACCEPT
-A BASE_OUTPUT_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_OUTPUT_CHAIN -o lo -j ACCEPT
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV TCP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 0:1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV UDP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p tcp -m tcp --dport 1024:65535 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV TCP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV UDP broadcast: " --log-level 6
-A EXT_BROADCAST_CHAIN -j DROP
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-unreachable flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 3 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-time-exceeded fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 11 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-param-problem fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 12 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-request(ping) fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 8 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-reply(pong) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 0 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP-source-quench fld: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m icmp --icmp-type 4 -j POST_INPUT_DROP_CHAIN
-A EXT_ICMP_FLOOD_CHAIN -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "AIF:ICMP(other) flood: " --log-level 6
-A EXT_ICMP_FLOOD_CHAIN -p icmp -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Port 0 OS fingerprint: " --log-level 6
-A EXT_INPUT_CHAIN -p tcp -m tcp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p udp -m udp --dport 0 -j POST_INPUT_DROP_CHAIN
-A EXT_INPUT_CHAIN -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:TCP source port 0: " --log-level 6
-A EXT_INPUT_CHAIN -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "AIF:UDP source port 0: " --log-level 6
...

3 answers
hostadmin, 2015-12-31
@hostadmin

In the end, I found the reason by looking at dmesg. It was arno-iptables-firewall. I set its internal interface to "tun+" and the internal network to 10.8.0.0/24, and it all worked.

Maksim, 2015-12-27
@chumayu

Turn off the monitor, get dressed and go for a walk... then, with a fresh head, go through:
1. The server's OpenVPN configuration
2. The client's OpenVPN configuration
3. The iptables configuration on the server, including the packet forwarding settings.
In short, most likely NAT is not enabled and packet forwarding is not allowed.

Hatifnatt, 2015-12-28
@Hatifnatt

Your iptables rules are certainly elaborate. For comparison, here is an almost minimal OpenVPN config; try this variant first, and then add what you need:

local 11.22.33.44
port 1194
proto udp
dev tun
ca ca-keys/ca.crt
cert ca-keys/ovpnserver.crt
key ca-keys/ovpnserver.key
dh ca-keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 60
tls-auth ca-keys/ta.key 0
comp-lzo
max-clients 10
script-security 2
up ./addmasq.sh
down ./delmasq.sh
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20

Client:
client
remote 11.22.33.44
resolv-retry infinite
dev tun
proto udp
# Use pkcs12 which contains CA cert, client cert and key
pkcs12 client.p12
# Or provide them separately 
#ca ca.crt
#cert hatifnatt-sip-pc.crt
#key hatifnatt-sip-pc.key
tls-auth hatifnatt-sip-ta.key 1
ns-cert-type server
persist-tun
persist-key
comp-lzo
verb 3

NAT: in the OpenVPN config folder there are a couple of scripts responsible for the "masquerade":
addmasq.sh
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s '10.8.0.0/24' -o eth0 -j MASQUERADE

delmasq.sh
#!/bin/bash
iptables -t nat -D POSTROUTING -s '10.8.0.0/24' -o eth0 -j MASQUERADE

And, naturally:
chmod +x addmasq.sh delmasq.sh
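The accepted answer found the cause in dmesg (arno-iptables-firewall dropping forwarded packets from the VPN interface) and Hatifnatt's answer shows the NAT side of the same problem. As an added example that is not part of any post on this page, the Python script below reads iptables-save, sysctl and kernel-log text and reports which of the three requirements is missing: ip_forward on, a MASQUERADE/SNAT rule for the VPN subnet in nat/POSTROUTING, and an ACCEPT for new client traffic somewhere on the filter/FORWARD path. The sample dump (modelled on the question's rules, with the unrelated chains left out), the sysctl line and the log lines are constructed; the `tap+` ACCEPT rule in `FIXED_IPTABLES`, the address 198.51.100.10 and all function names are my assumptions, not anything from the page or from arno-iptables-firewall.

```python
"""Static check of an OpenVPN server's forwarding path (added example, not from the page).

A client gets Internet through the server only if (1) net.ipv4.ip_forward is on,
(2) nat/POSTROUTING rewrites the VPN subnet's source address, and (3) a rule on the
filter/FORWARD path ACCEPTs the client's first packets. Everything here works on
text, so it can be run against saved output without touching a live firewall.
"""
import ipaddress
import re
from collections import defaultdict

VPN_NET = "10.8.0.0/24"  # the subnet from the `server` line of the OpenVPN config

# Constructed sample modelled on the question's dump: SNAT is present, but FORWARD
# only jumps into chains that never ACCEPT traffic arriving on tap0, then DROPs.
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:NAT_POSTROUTING_CHAIN - [0:0]
-A POSTROUTING -j NAT_POSTROUTING_CHAIN
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 198.51.100.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BASE_FORWARD_CHAIN - [0:0]
:EXT_FORWARD_IN_CHAIN - [0:0]
:VALID_CHK - [0:0]
-A FORWARD -j BASE_FORWARD_CHAIN
-A FORWARD -i eth0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -i tap0 -j EXT_FORWARD_IN_CHAIN
-A FORWARD -m limit --limit 1/min --limit-burst 3 -j LOG --log-prefix "AIF:Dropped FORWARD packet: " --log-level 6
-A FORWARD -j DROP
-A BASE_FORWARD_CHAIN -m state --state ESTABLISHED -j ACCEPT
-A BASE_FORWARD_CHAIN -p icmp -m state --state RELATED -j ACCEPT
-A BASE_FORWARD_CHAIN -i lo -j ACCEPT
-A EXT_FORWARD_IN_CHAIN -j VALID_CHK
COMMIT
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"

# Constructed kernel-log lines in netfilter's LOG format, using the prefix that the
# question's dump shows on the final FORWARD drop rule. The INPUT line is noise.
SAMPLE_DMESG = """\
[ 1234.567890] AIF:Dropped FORWARD packet: IN=tap0 OUT=eth0 MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=10.8.0.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 1235.123456] AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=23 SYN URGP=0
"""

# Hypothetical fixed dump: one rule admits new traffic from VPN clients only
# (source restricted to the VPN subnet, so the box forwards nothing else).
FIXED_IPTABLES = SAMPLE_IPTABLES.replace(
    "-A FORWARD -j BASE_FORWARD_CHAIN\n",
    "-A FORWARD -j BASE_FORWARD_CHAIN\n"
    "-A FORWARD -i tap+ -s 10.8.0.0/24 -o eth0 -j ACCEPT\n")


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables.setdefault(table, defaultdict(list))
        elif line.startswith(":") and table:          # chain declaration
            tables[table][line[1:].split()[0]]
        elif line.startswith("-A ") and table:        # rule appended to a chain
            tables[table][line.split()[1]].append(line)
    return tables


def walk_chain(table, chain, seen=None):
    """Yield the rules of `chain` and, depth-first, of every user chain it jumps to."""
    seen = set() if seen is None else seen
    if chain in seen:
        return
    seen.add(chain)
    for rule in table.get(chain, []):
        yield rule
        m = re.search(r"-j (\S+)", rule)
        if m and m.group(1) in table:                 # a user chain, not a target
            yield from walk_chain(table, m.group(1), seen)


def ip_forward_enabled(sysctl_text):
    """True if `sysctl net.ipv4.ip_forward` output says 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return bool(m) and m.group(1) == "1"


def has_masquerade(tables, vpn_net=VPN_NET):
    """True if nat/POSTROUTING (or a chain it jumps to) SNATs/MASQUERADEs the VPN subnet."""
    for rule in walk_chain(tables.get("nat", {}), "POSTROUTING"):
        if f"-s {vpn_net}" in rule and ("-j MASQUERADE" in rule or "-j SNAT" in rule):
            return True
    return False


def forward_accepts_vpn(tables, vpn_net=VPN_NET):
    """True if a rule reachable from filter/FORWARD ACCEPTs *new* traffic from the VPN."""
    for rule in walk_chain(tables.get("filter", {}), "FORWARD"):
        if "-j ACCEPT" not in rule or "--state ESTABLISHED" in rule or "--state RELATED" in rule:
            continue                                  # conntrack replies only; first packet still needs a rule
        if f"-s {vpn_net}" in rule or re.search(r"-i (tun|tap)", rule):
            return True
        if not re.search(r" -[sidopm] ", rule):       # unconditional ACCEPT also counts
            return True
    return False


def dropped_vpn_forwards(log_text, vpn_net=VPN_NET):
    """Return (in_if, out_if, src, dst) for logged FORWARD drops whose source is a VPN client."""
    net, hits = ipaddress.ip_network(vpn_net), []
    for line in log_text.splitlines():
        if "Dropped FORWARD packet" not in line:
            continue
        m = re.search(r"IN=(\S+) OUT=(\S*).*?SRC=(\S+) DST=(\S+)", line)
        if m and ipaddress.ip_address(m.group(3)) in net:
            hits.append(m.groups())
    return hits


def diagnose(iptables_text, sysctl_text, log_text=""):
    """Return a list of findings; an empty list means all three requirements are met."""
    tables, findings = parse_iptables_save(iptables_text), []
    if not ip_forward_enabled(sysctl_text):
        findings.append("net.ipv4.ip_forward is not 1: the kernel will not route client packets at all")
    if not has_masquerade(tables):
        findings.append(f"nat/POSTROUTING has no MASQUERADE/SNAT for {VPN_NET}: replies cannot come back")
    if not forward_accepts_vpn(tables):
        findings.append(f"filter/FORWARD never ACCEPTs new traffic from {VPN_NET}: the firewall drops it")
    drops = dropped_vpn_forwards(log_text)
    if drops:
        in_if, out_if, src, dst = drops[0]
        findings.append(f"kernel log confirms {len(drops)} dropped forward(s), e.g. {src} -> {dst} ({in_if} -> {out_if})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_IPTABLES, SAMPLE_SYSCTL, SAMPLE_DMESG):
        print(" -", finding)
```

On the sample this reports exactly what the accepted answer found: NAT and ip_forward are fine, but nothing on the FORWARD path accepts new traffic from tap0, and the kernel log shows the drops. Against a real box, feed it `iptables-save`, `sysctl net.ipv4.ip_forward` and `dmesg` output instead of the samples. The check is a presence heuristic (it walks jumped-to chains but does not simulate that a matching rule ends evaluation), so a clean result means the rules exist, not that every packet path is right. Note that the fix rule restricts the source to the VPN subnet: with `ip_forward` on and a permissive FORWARD chain, the server would otherwise forward for anything that reaches it, not just for VPN clients.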
