Client can connect to OpenVPN server but with no internet access

rev3rse Member
edited August 2014 in Help

Hello everyone!

I'm trying to set up OpenVPN with static key authentication (instead of TLS) on TCP port 443, but the client cannot access the internet over the VPN after connecting to the server.

The logs for the client/server show nothing useful.

Here's my current setup:

Server

It's a Debian VPS running on OpenVZ with TUN/TAP enabled.
Here's the configuration file:

dev tun
proto tcp-server
port 443
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

And here's the iptables script that I applied too. It's the one provided by OpenVPN (firewall.sh) with minor modifications, as I'm running on OpenVZ (venet0 instead of eth0, SNAT). I also changed the protocol to TCP and the port to 443 to match my configuration.

#!/bin/bash

# A Sample OpenVPN-aware firewall.

# vetnet0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet.  Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i vetnet0 -s $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -s $LOOP -j DROP
iptables -A INPUT -i vetnet0 -d $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i vetnet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet).  This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o vetnet0 -j DROP

# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface.  Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#SNAT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source SERVER_IP
# Masquerade local subnet
#iptables -t nat -A POSTROUTING -s $PRIVATE -o vetnet0 -j MASQUERADE

Output of iptables -L -v -n

Chain INPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
  486 1016K ACCEPT     all  --  *       *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *       *       0.0.0.0/0            127.0.0.1
    4   240 ACCEPT     icmp --  *       *       0.0.0.0/0            0.0.0.0/0            icmp type 8
  691 78432 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 1705  152K ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *       *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
  102  8054 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    9   756 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
   40  5988 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 DROP       all  --  eth1    *      !10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 3046 packets, 2269K bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW

Output of ifconfig

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21446320 (20.4 MiB)  TX bytes:21446320 (20.4 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:25189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2689401 (2.5 MiB)  TX bytes:18616342 (17.7 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P: Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Output of netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 venet0

Client

The client is a Windows 8.1 machine running OpenVPN 2.3
Here's the configuration file:

remote  443
dev tun
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files\\OpenVPN\\config\\static.key"
verb 6

Upon connecting the client, a connection is created on Windows for OpenVPN, but it doesn't have access to the internet (I also made sure it was on top of the connections list).

Comments

  • sc754 Member
    edited August 2014

    @rev3rse said:
    Hello everyone!

    iptables -I INPUT 1 -p udp --dport 443 -j ACCEPT
    iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to YOURIP
    

    I use these iptables commands to get mine working when it has no net access. You can use the Masquerade for when you are using a VPS, or SNAT if the OpenVPN server is on a dedicated server. Also, if it's a VPS your adapter might not be eth0 as in my example, and make sure you have IPv4 forwarding set to 1.

    Edit: for yours use venet0 instead of eth0 in the above commands

  • Just noticed your firewall script is using adapter vetnet0 ??? Shouldn't that be venet0?

  • You can't push with static key

  • @sc754
    I applied the iptables commands (I also substituted eth0 with vetent0). Still didn't work.

  • @agentsmith said:
    You can't push with static key

    Do I have to replace the static key authentication method to get this to work?

  • Yes, that's the easiest way. Otherwise set one /32 and two /1 routes manually.

  • rev3rse Member
    edited August 2014

    @agentsmith said:
    set one /32 and two /1 routes manually.

    Explain please?

  • @rev3rse said:
    sc754
    I applied the iptables commands (I also substituted eth0 with vetent0). Still didn't work.

    Do iptables -F first to flush out your old rules, then do it. Remember to change eth0 to venet0 in my example. Also make sure you have sysctl ipv4 forwarding set to one and then do sysctl -p to set it.

  • One route to the OpenVPN Server, 0.0.0.0/1 and 128.0.0.0/1 to the tunnel device and a route for "bypass-dhcp" to the client's local gateway if it has something like DHCP relay. You would need a script to do that ... or simply create certificates.

  • sc754 Member
    edited August 2014

    @rev3rse said:
    sc754
    I applied the iptables commands (I also substituted eth0 with vetent0). Still didn't work.

    You could make it a lot easier for yourself by installing Nyr's script on a fresh copy of debian 6.

    Run the below after reinstalling fresh debian:

    wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh; ./openvpn-install.sh

    Found at: https://github.com/Nyr/openvpn-install

  • @sc754 said:
    Just noticed your firewall script is using adapter vetnet0 ??? Shouldn't that be venet0?

    Changed it, sadly that didn't fix the issue anyway.

  • @agentsmith said:
    One route to the OpenVPN Server, 0.0.0.0/1 and 128.0.0.0/1 to the tunnel device and a route for "bypass-dhcp" to the client's local gateway if it has something like DHCP relay. You would need a script to do that ... or simply create certificates.

    I can't use SSL as the organization the client connects from uses DPI and interrupts the connection, it seems like static keys are the only way.

    Can you please provide more insight or a resource to route internet traffic on static key authentication?

  • agentsmith Member
    edited August 2014

    Does DPI also interrupt if you use:
    1) tls-auth
    2) https://github.com/clayface/openvpn_xorpatch
    3) obfsproxy
    ?

    Or you can manually set the routes as described in previous post. Type "route help" if you want to see how to do it in windows.

    You can see which 3 routes I mean if you connect an OpenVPN client. See the routes before and after connecting.

  • You can check if tun and tap are open.
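The three routes agentsmith describes (a /32 to the VPN server via the local gateway, then 0.0.0.0/1 and 128.0.0.0/1 via the tunnel) are exactly what `redirect-gateway def1` would have installed had the static-key client been able to receive a pushed option. The following Python simulation is an added example, not code from the thread: it models longest-prefix-match lookup to show why the two /1 routes take over from the default route without deleting it, and why the /32 host route is needed to keep the tunnel's own encapsulated TCP/443 traffic off the tunnel. The server address 203.0.113.10 and local gateway 192.168.1.1 are constructed; 10.8.0.1 is the tunnel peer from the server's ifconfig line.

```python
import ipaddress

# Constructed sample values (not from the thread): the VPN server's public
# address and the client's LAN gateway. 10.8.0.1 is the tunnel peer that the
# thread's "ifconfig 10.8.0.1 10.8.0.2" assigns to the server side.
SERVER_IP = "203.0.113.10"
LOCAL_GW = ("192.168.1.1", "eth0")
TUN_GW = ("10.8.0.1", "tun0")

# Client routing table before connecting: a LAN route and a default route.
BEFORE = [
    ("192.168.1.0/24", ("0.0.0.0", "eth0")),
    ("0.0.0.0/0", LOCAL_GW),
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: the most specific
    matching prefix wins, regardless of insertion order."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def def1_routes(server_ip, local_gw, tun_gw):
    """The routes 'redirect-gateway def1' installs, spelled out for a
    static-key client that cannot receive a pushed option."""
    return [
        # Host route: the tunnel's outer packets must keep using the physical
        # gateway, otherwise they would be routed back into the tunnel.
        (f"{server_ip}/32", local_gw),
        # Two /1 routes cover all of IPv4 and, being more specific than
        # 0.0.0.0/0, override the default route without deleting it.
        ("0.0.0.0/1", tun_gw),
        ("128.0.0.0/1", tun_gw),
    ]


def after_connect(server_ip=SERVER_IP, local_gw=LOCAL_GW, tun_gw=TUN_GW):
    """Routing table with the three manual routes added."""
    return BEFORE + def1_routes(server_ip, local_gw, tun_gw)


def missing_host_route(server_ip=SERVER_IP, tun_gw=TUN_GW):
    """Only the two /1 routes added: traffic to the server itself now
    matches 128.0.0.0/1, so the tunnel would try to carry itself."""
    return BEFORE + def1_routes(server_ip, LOCAL_GW, tun_gw)[1:]


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", after_connect()),
                        ("no /32", missing_host_route())):
        print(f"{name:7} 8.8.8.8 -> {lookup(table, '8.8.8.8')}"
              f" | server -> {lookup(table, SERVER_IP)}")
```

Note that the LAN route (192.168.1.0/24) still wins over the /1 routes, which is why local printers and a DHCP server stay reachable; `bypass-dhcp` only matters when the DHCP server sits outside that subnet.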
