OPENVPN - Routing all client traffic (including web-traffic) through the VPN

Hi,

I have a KVM and I'm running a VPN server.

I'm running an OpenVPN server on a real IP (example IP, not real) 81.64.82.217; however, when a client connects, it can't surf the web and doesn't get this real IP 81.64.82.217.

The server can ping the client and vice versa.

Here are server.conf and client.conf:

server.conf

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
log openvpn.log
dh dh1024.pem
server 100.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
```

client.conf

```
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
log openvpnlog.log
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
```

What should I modify so that the client can surf the web with the real IP from the server side?

Many thanks


Comments

  • @plopes said:
    What should I modify so that the client can surf the web with the real IP from the server side?

    On server.conf put push "redirect-gateway def1". You also don't specify DNS; use push "dhcp-option DNS 8.8.8.8" and push "dhcp-option DNS 8.8.4.4".

  • Also, the private network you are assigning to the server looks incorrect. 100.0.0.0/8 subnet is public. Try 10.0.0.0.

  • tomle (Member, LIR)

    You will need to NAT the traffic as well, for example with iptables. Try Nyr's script if it's too complicated for you to set up yourself.

  • @souvarine said:
    Also, the private network you are assigning to the server looks incorrect. 100.0.0.0/8 subnet is public. Try 10.0.0.0.

    Also be sure /etc/sysctl.conf (nano /etc/sysctl.conf) is set to ipv4-forward = 1

  • Many thanks @SandwichVPN @tomle @souvarine

    I have done that in /etc/sysctl.conf:
    uncommented ipv4-forward = 1

    "you will need to nat the traffic as well, for example with iptables. Try Nyr's script if it's too complicated for you to setup yourself."

    How can I do that?

  • If you run the OpenVPN client on Windows, don't forget to run it as administrator.

  • plopes (Member)
    edited November 2015

    Can anyone give me a link to Nyr's script?

    I think on iptables it's more or less like this?

    Allow traffic from OpenVPN client to eth0

    -A POSTROUTING -s 100.0.0/8 -o eth0 -j MASQUERADE

    Is it correct? Or do I need more changes on the iptables side?

  • The client on Windoze 8?

  • plopes (Member)
    edited November 2015

    no,
    2 clients - iOS iMAC
    3 clients - iOS iPhone
    1 client - windows 7
    1 client - windows XP

    Server can ping clients and clients can ping server.
    Clients receive IP from server.
    All of them still can't surf the web with the IP from the VPN server.

    I have done all the changes as required in this post:

    server.conf
    ```
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    log openvpn.log
    dh dh1024.pem
    server 10.0.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    verb 3
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    ```

    /etc/sysctl.conf
    net.ipv4.ip_forward=1

    I'm still missing the iptables side :(
    Can anyone help me with that? iptables?

  • @plopes said:
    can anyone give me a link of Nyr's script?

    Here you are https://github.com/Nyr/openvpn-install

  • Thanks for that, but I have everything set up; I'm only missing something on the iptables side so that the VPN server's clients can surf the net with that IP from the OpenVPN server.

  • plopes (Member)
    edited November 2015

    ```
    root@myplopes:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 04:01:5a::9b:01
              inet addr:XXX.226.XXX.91  Bcast:XXX.226.XXX.255  Mask:255.255.255.0
              inet6 addr: XXXX:5afXXXX9b01/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9957294 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10878010 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1233941163 (1.1 GiB)  TX bytes:1563201156 (1.4 GiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:5578575 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5328779 errors:0 dropped:35 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:345159939 (329.1 MiB)  TX bytes:336518747 (320.9 MiB)
    ```

    what command under iptables should I use in order to Route all client traffic (including web-traffic) through the VPN?

  • your iptables command should (most likely) be

    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

    note "-t nat" is missing in your post above and you need to fix the IP to be 10.0.0.0 again.

    The push commands in openvpn server config direct the client to change its gateway and DNS. The iptables and sysctl commands allow your server to act as a gateway. Remember to restart openvpn on both ends and run sysctl -p on your server to make sure that change is picked up.

    That should be all you need - just check you've fixed all the 100.0.0... addresses. Also make sure your local network isn't offering IPv6 as well, because otherwise you'll leak a lot of stuff via your local connection.

    If it's still not working, please paste the output of 'iptables -t nat -L'

  • plopes (Member)
    edited November 2015

    @tehdan said:
    just check you've fixed all the 100.0.0... addresses.

    on server.conf I have

    server 10.0.0.0 255.255.255.0

    is this ok?

    @tehdan said:
    Also make sure your local network isn't offering IPv6 as well, because otherwise you'll leak a lot of stuff via your local connection.

    how can I check?

  • Zeast (Member)
    edited November 2015

    push "redirect-gateway def1 bypass-dhcp"

    on VPN Server (nat boyz)

    ```
    iptables -t nat -A PREROUTING -p tcp -d SERVER_IP --dport 1:65000 -j DNAT --to-destination 192.168.168.2
    iptables -A FORWARD -p udp -d CLIENT_VPN --dport 1:65000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ```

  • @Zeast said:
    on VPN Server (nat boyz)

    ```
    iptables -t nat -A PREROUTING -p tcp -d SERVER_IP --dport 1:65000 -j DNAT --to-destination 192.168.168.2
    iptables -A FORWARD -p udp -d CLIENT_VPN --dport 1:65000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ```

    :o I'm confused... what is all this?

  • tehdan (Member)
    edited November 2015

    Your ifconfig doesn't show any IPv6 addresses, so you should be fine.

    You don't need the extra iptables rules from @Zeast if:
    a - you have no other firewalling on the server, and
    b - you just want your clients to browse from behind a NAT (i.e. act as clients).

    If you want your VPN client to provide services (like a web server) from behind the NAT you need extra iptables rules - but I'd get the basics going first.

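The IPv6 leak tehdan warns about is easy to check for on the client, and the thread never shows how. This is an added example (editor's code, not from any poster): `push "redirect-gateway def1"` only replaces the IPv4 default route, so a client whose LAN advertises a global IPv6 prefix plus a v6 default route keeps reaching dual-stack sites outside the tunnel. It assumes a Linux client with iproute2 (`ip -6 ...`); the sample output embedded below is constructed for the offline demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): a client-side check for the IPv6 leak
# tehdan warns about. push "redirect-gateway def1" only replaces the IPv4 default route, so a
# client whose LAN advertises a global IPv6 prefix and a v6 default route keeps reaching
# dual-stack sites outside the tunnel. Assumes iproute2 ("ip -6 ...") on a Linux client;
# the sample output below is constructed for the offline demo, not captured from a real host.
set -eu

# ipv6_leak_routes TEXT: from "ip -6 route show default" output, print every default route
# whose device is not a tun/tap interface; succeeds (0) if at least one was found.
ipv6_leak_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev !~ /^(tun|tap)/) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# ipv6_global_addrs TEXT: from "ip -6 addr" output, print global-scope addresses; link-local
# fe80::/10 ("scope link", as on the eth0 in the ifconfig above) is skipped: it is never
# routed off the LAN, so it cannot leak anything.
ipv6_global_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" && $3 == "scope" && $4 == "global" { print $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ipv6_leak: run on the live client after the tunnel is up; returns 1 on a leak path
check_ipv6_leak() {
    leak=0
    ipv6_leak_routes "$(ip -6 route show default 2>/dev/null || true)" && leak=1
    ipv6_global_addrs "$(ip -6 addr 2>/dev/null || true)" && leak=1
    if [ "$leak" -eq 0 ]; then
        echo "no IPv6 leak path found"
    else
        echo "IPv6 leak path present: disable IPv6 on the uplink or route ::/0 into the tunnel" >&2
    fi
    return "$leak"
}

# Constructed sample (not a real capture): a Wi-Fi LAN that hands out a global prefix by RA.
SAMPLE_ROUTES='default via fe80::1 dev wlan0 proto ra metric 600 pref medium
default dev tun0 metric 50'
SAMPLE_ADDRS='2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1::1234/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 fe80::1234:5678:9abc:def0/64 scope link
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::abcd/64 scope link'

# "sh v6check.sh --live" inspects the real host; anything else walks the constructed sample
if [ "${1:-}" = "--live" ]; then
    check_ipv6_leak
else
    echo "leaking v6 default routes:"; ipv6_leak_routes "$SAMPLE_ROUTES" || true
    echo "global v6 addresses:";       ipv6_global_addrs "$SAMPLE_ADDRS" || true
fi
```

On the sample the wlan0 default route and the 2001:db8: address are flagged, while the tun0 route and the fe80:: addresses are not. The same logic applies to the server: the ifconfig posted above shows only a Scope:Link inet6 address on eth0, which is why tehdan's "you should be fine" holds there.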
  • @tehdan said:
    You don't need the extra iptables rules from Zeast if you have no other firewalling on the server and you just want your clients to browse from behind a NAT. If you want your VPN client to provide services from behind the NAT you need extra iptables rules - but I'd get the basics going first.

    ufff, that's what I was feeling...

    on the command line I will do

    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

    that's all, right? on iptables...

  • Yes - you should probably make it 10.0.0.0/24 but either will work.

    Once it works, stick it in /etc/rc.local (lazy) or look up your distro's means of saving iptables rules for restoring at startup (the 'proper' way).

  • Did you turn on tun/tap on the server? Check ifconfig to see if the interface is there.

  • Also, did you turn on tun/tap on the server? Check ifconfig (on the server) to see that the interface is there too. And it should probably be venet0 rather than eth0.

  • tehdan (Member)
    edited November 2015

    Ah yes, if your server is OpenVZ you'll need

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j SNAT --to-source server-public-IP

    Edit - I see you have KVM - this will work there too with fractionally less overhead

  • @tehdan said:
    Ah yes, if your server is OpenVZ you'll need

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j SNAT --to-source server-public-IP

    Edit - I see you have KVM - this will work there too with fractionally less overhead

    Yes, it's KVM ;)

    off-topic

    Why can't I use the IP range 100.0.0.X?

    Because since I've had the VPN running, I've used the 100.0.0.X range. Only now do I need the VPN's clients to access the internet.

  • netomx (Moderator, Veteran)
    edited November 2015

    @plopes said: why cannot use range ip of 100.0.0.X?

    @souvarine said: Also, the private network you are assigning to the server looks incorrect. 100.0.0.0/8 subnet is public. Try 10.0.0.0.

  • You can use it, you just shouldn't. 100.0.0.0/8 is public IP space - if you use it, you won't be able to access anything on the Internet that uses those addresses.

    10.0.0.0/8 (and a few others) are specifically reserved by RFC1918 as private address space - i.e. for VPNs, and home/office networks where public IPs are not required by every machine.

  • Thanks for your kind explanation ;)

    I have set up 10.0.0.X, and on the other 2 networks that I have, 11.0.0.X and 22.0.0.X

  • Do you mean you have VPNs giving clients addresses like 11.0.0.X and 22.0.0.X?

  • Yes, I have 3 VPNs, each one on a different VPS.

  • @plopes said:
    I have set up 10.0.0.X, and on the other 2 networks that I have, 11.0.0.X and 22.0.0.X

    Do you know the difference between a private and a public IP address?

  • Right, don't use those addresses. They are also public!

    The reserved ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

    Your simplest bet is probably to set up your 3 servers as different chunks of the 10.0.0.0 range.

    On each server, change the server line in your openvpn config to
    server 10.0.X.0 255.255.255.0
    (change X to 1/2/3, or any number you like, for each server)

    and make sure your iptables command is also changed to use the same 10.0.X.0/24 range, i.e.
    -s 10.0.X.0/24

    You can use any range you like from the ones above, but don't use the same range you have on your home LAN (most often this is 192.168.X.Y...)

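The thread arrives at the server-side recipe in pieces (tehdan's summary of push directives, sysctl and the MASQUERADE rule, and the final post on picking a 10.0.X.0/24 per server). The script below is an added example, editor's code rather than anything a poster ran, that puts both together: it refuses the public ranges that tripped the thread up (100.0.0.X, 11.0.0.X, 22.0.0.X), checks the chosen range does not collide with the home LAN, and applies forwarding plus NAT idempotently. Hypothetical assumptions: tun subnet 10.0.1.0/24, WAN interface eth0 (venet0 on OpenVZ), home LAN 192.168.1.0/24, a KVM host with iptables installed. It uses only POSIX sh arithmetic, so it runs on a minimal VPS.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): the server-side gateway setup the
# replies converge on (net.ipv4.ip_forward=1 plus a POSTROUTING MASQUERADE rule), with
# the subnet sanity check the thread's 100.0.0.X / 11.0.0.X / 22.0.0.X detour calls for.
# Hypothetical assumptions: tun subnet 10.0.1.0/24, WAN interface eth0 (venet0 on OpenVZ),
# home LAN 192.168.1.0/24, iptables present. Pure POSIX sh arithmetic, no extra tools.
set -eu

VPN_NET="${VPN_NET:-10.0.1.0/24}"        # must match "server 10.0.1.0 255.255.255.0"
WAN_IF="${WAN_IF:-eth0}"                 # interface that holds the public IP
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"   # assumed client-side LAN; a clash here breaks routing

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_bounds A.B.C.D/LEN -> sets FIRST and LAST (integers) for the block; fails on a bad LEN
cidr_bounds() {
    addr=${1%/*}; len=${1#*/}
    [ "$len" -ge 0 ] && [ "$len" -le 32 ] || return 1
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    FIRST=$(( $(ip2int "$addr") & mask ))
    LAST=$(( FIRST | (~mask & 4294967295) ))
}

# is_rfc1918 CIDR: succeeds only if the whole block lies inside 10/8, 172.16/12 or 192.168/16.
# 100.0.0.0/8, 11.0.0.0/8 and 22.0.0.0/8 all fail here: they are routable public space.
is_rfc1918() {
    cidr_bounds "$1" || return 1
    f=$FIRST; l=$LAST
    for r in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        cidr_bounds "$r"
        [ "$f" -ge "$FIRST" ] && [ "$l" -le "$LAST" ] && return 0
    done
    return 1
}

# overlaps CIDR1 CIDR2: succeeds if the two blocks share at least one address
overlaps() {
    cidr_bounds "$1"; f1=$FIRST; l1=$LAST
    cidr_bounds "$2"
    [ "$f1" -le "$LAST" ] && [ "$l1" -ge "$FIRST" ]
}

# plan_server X: the per-server pair tehdan suggests (server 10.0.X.0/24 and the matching
# -s in the NAT rule), refusing public or LAN-colliding ranges instead of emitting them.
plan_server() {
    net="10.0.$1.0/24"
    is_rfc1918 "$net" || { echo "refusing $net: not RFC1918 private space" >&2; return 1; }
    if overlaps "$net" "$HOME_LAN"; then
        echo "refusing $net: overlaps home LAN $HOME_LAN" >&2; return 1
    fi
    printf 'server 10.0.%s.0 255.255.255.0\n' "$1"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$WAN_IF"
}

# apply_gateway: make this host the clients' NAT gateway, idempotently; needs root.
apply_gateway() {
    is_rfc1918 "$VPN_NET" || { echo "refusing $VPN_NET: not RFC1918 private space" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    # -C tests for the rule first, so re-running the script does not add a duplicate
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    iptables -t nat -S POSTROUTING
}

# "sh vpn-gateway.sh --apply" as root applies the change; anything else only prints the plan
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_gateway
else
    plan_server 1; plan_server 2; plan_server 3
fi
```

Two practical notes. First, `iptables -t nat -C` (rule check) needs iptables 1.4.11 or newer; on an nftables-only host use `iptables-nft` or write the equivalent `nft add rule ip nat postrouting ... masquerade`. Persist the result with your distro's mechanism (`iptables-save` into the file `netfilter-persistent` or `iptables-restore` reads at boot) rather than `rc.local`. Second, the configs posted earlier in the thread use `dh dh1024.pem` and `cipher bf-cbc`; both are weak by current standards and a server built today should use at least a 2048-bit DH group (or ECDH) and an AES-GCM cipher, which is independent of the routing problem this thread is about.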