No Internet through VPN, LAN works
-
here we go! 8)
dev ovpns3
dev-type tun
tun-ipv6
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 173.31.29.136
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server3.php via-env
tls-verify /var/etc/openvpn/server3.tls-verify.php
lport 1194
management /var/etc/openvpn/server3.sock unix
max-clients 10
push "dhcp-option DOMAIN rykhoek.home"
push "dhcp-option DNS 10.0.0.30"
push "redirect-gateway def1"
duplicate-cn
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server3.crl-verify
tls-auth /var/etc/openvpn/server3.tls-auth 0
comp-lzo
persist-remote-ip
float
-
One thing I see is that you are missing is a route to your LAN, which I'm assuming is 10.0.0.0/24. My guess is that since you specified a DNS of 10.0.0.30, your DNS queries are getting dropped.
-
Go to your config, uncheck "Force all client generated traffic through the tunnel"
-
Add your LAN subnet to "IPv4 Local Network/s"
-
Re-check "Force all client generated traffic through the tunnel"
-
Save
Re-connect your client. Verify 10.0.0.30 is answering DNS queries. You should be good to go.
-
-
Well that kind of works. I do get internet but all my traffic isn't going through to my VPN. I still have the public IP as if i wasn't connected to the VPN server.
-
Two things:
1. Firewall rules need to be set to allow traffic out of the VPN to the WAN, and from the network on the VPN interface
2. NAT needs to be set up so that traffic is directed to the VPN
If you need help with these, please ask
-
Well, it used to work, so I'm not sure what changed. How do I need to set it up on the NAT page?
Attached has my firewall ovpn and wan rules
-
May I get some assistance to make sure that I am getting my firewall and NAT rules correct to allow internet through the VPN? I am still having this issue where only the internet does not work when I connect to the VPN.
-
Me too, please.
Best regards
Kostas
-
I've also had trouble with the "Force all client generated traffic through the tunnel" checkbox in 2.1.x combined with Windows clients.
However, push route works perfectly.
So you may try entering 0.0.0.0/0 in the "IPv4 Local Network/s" field to set the default route to the VPN gateway.
-
Tried entering push "route 0.0.0.0 255.255.255.0" in the server's advanced config and that didn't work. I didn't see an IPv4 Local Networks field anywhere, so I assumed you meant where I put it?
-
Tried entering push "route 0.0.0.0 255.255.255.0" in the server's advanced config and that didn't work. I didn't see an IPv4 Local Networks field anywhere, so I assumed you meant where I put it?
That will just push a route for the IP range 0.0.0.0 to 0.0.0.255!
Beyond that, I've read here that the push command in the advanced settings is deprecated and shouldn't be used anymore.
The "IPv4 Local Network/s" field in server config > tunnel settings is now intended for pushing routes to clients. You have entered your LAN network there currently. Replace it with 0.0.0.0/24.
-
When I do that it wont connect.
Tue Feb 10 15:26:53 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 10 15:26:53 2015 TLS Error: TLS handshake failed
Tue Feb 10 15:26:53 2015 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 10 15:26:55 2015 UDPv4 link local (bound): [undef]
Tue Feb 10 15:26:55 2015 UDPv4 link remote: [AF_INET]MYIPADDRESS:1194
If I just change it back to my network of 10.0.8.0 instead of 0.0.0.0 it connects no problem like it did before.
-
I've just tested this on my system. The connection is established anyway and the route is set on the client, however with a higher metric than the default route. So the default route is not overridden and this is no solution for you.
Then I've tried the "Force all client generated traffic through the tunnel." option and that worked.
What about outbound NAT? If you have set it to manual rule generation you have to add a rule for the VPN tunnel network as well.
-
For outbound NAT i have the following:
WAN 10.0.0.0/24 * * * WAN address * NO WAN bound
I had "Force all client generated traffic through the tunnel" checked as well.
-
You have to add an additional rule for VPN outbound!
WAN 10.0.8.0/24 * * * WAN address * NO Description
-
Yes! That works! Thank you! :) I'm not sure if that entry got deleted somehow or what happened, because I know at some point or another it did work just fine!
Sweet!
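The thread's three findings (the pushed DNS server must be routable through the tunnel, a pushed "route 0.0.0.0 255.255.255.0" is a /24 rather than a default route, and the tunnel network needs its own outbound NAT rule on WAN) can be checked mechanically against the posted server config. The script below is an added example, not code from the thread or from pfSense/OpenVPN. It parses a trimmed copy of the server config posted at the top and a constructed list of outbound NAT rows modelled on the two rules quoted above; the tuple column order (interface, source, translation address, description) and the function names are assumptions made here, not pfSense's own representation.

```python
"""Sanity checks for the "no Internet through VPN" symptom discussed above.

Added example, not code from the thread or from pfSense/OpenVPN. Parses a trimmed
copy of the posted OpenVPN server config plus a constructed outbound NAT table and
answers: which tunnel network clients get, whether the pushed DNS server is reachable
through the tunnel, and whether an outbound NAT rule on WAN covers the tunnel network.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Trimmed from the server config posted at the top of the thread.
SERVER_CONF = """\
server 10.0.8.0 255.255.255.0
push "dhcp-option DOMAIN rykhoek.home"
push "dhcp-option DNS 10.0.0.30"
push "redirect-gateway def1"
"""

# Constructed: outbound NAT rows as (interface, source, translation, description),
# mirroring the rows quoted in the thread. The column layout is an assumption.
NatRule = Tuple[str, str, str, str]
NAT_RULES_BEFORE: List[NatRule] = [("WAN", "10.0.0.0/24", "WAN address", "WAN bound")]
NAT_RULES_AFTER: List[NatRule] = NAT_RULES_BEFORE + [
    ("WAN", "10.0.8.0/24", "WAN address", "VPN clients"),
]


def _directives(conf: str) -> Iterable[List[str]]:
    """Yield each non-comment config line as tokens, with quoted strings kept whole."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', line)]


def route_network(net: str, mask: str) -> ipaddress.IPv4Network:
    """Turn OpenVPN's 'network netmask' pair into an ip_network object."""
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def tunnel_network(conf: str) -> ipaddress.IPv4Network:
    """The client address pool from the 'server' directive."""
    for tok in _directives(conf):
        if tok[0] == "server" and len(tok) >= 3:
            return route_network(tok[1], tok[2])
    raise ValueError("no 'server' directive in config")


def pushed_options(conf: str) -> List[List[str]]:
    """Every push "..." directive, split into its own tokens."""
    return [tok[1].split() for tok in _directives(conf) if tok[0] == "push" and len(tok) > 1]


def client_routes(conf: str) -> List[ipaddress.IPv4Network]:
    """Networks the server pushes to clients; redirect-gateway counts as 0.0.0.0/0."""
    routes = []
    for opt in pushed_options(conf):
        if opt[0] == "route" and len(opt) >= 3:
            routes.append(route_network(opt[1], opt[2]))
        elif opt[0] == "redirect-gateway":
            routes.append(ipaddress.ip_network("0.0.0.0/0"))
    return routes


def pushed_dns(conf: str) -> List[ipaddress.IPv4Address]:
    return [ipaddress.ip_address(opt[2]) for opt in pushed_options(conf)
            if opt[:2] == ["dhcp-option", "DNS"] and len(opt) >= 3]


def dns_reachable(conf: str) -> bool:
    """True if every pushed DNS server lies in the tunnel or in a pushed route."""
    routes = client_routes(conf) + [tunnel_network(conf)]
    return all(any(ip in r for r in routes) for ip in pushed_dns(conf))


def is_default_route(net: ipaddress.IPv4Network) -> bool:
    """Only a /0 replaces the client's default route; 0.0.0.0/24 does not."""
    return net.prefixlen == 0


def nat_covers_tunnel(rules: List[NatRule], conf: str, wan: str = "WAN") -> bool:
    """True if some outbound NAT rule on the WAN interface masquerades the tunnel network."""
    tun = tunnel_network(conf)
    return any(iface == wan and tun.subnet_of(ipaddress.ip_network(src))
               for iface, src, _, _ in rules)


def diagnose(conf: str, rules: List[NatRule]) -> List[str]:
    """Human-readable list of the misconfigurations this script can detect."""
    problems = []
    if not dns_reachable(conf):
        problems.append("pushed DNS server is not routed through the tunnel")
    if not nat_covers_tunnel(rules, conf):
        problems.append(f"no outbound NAT rule on WAN for tunnel network {tunnel_network(conf)}")
    return problems


if __name__ == "__main__":
    print("before:", diagnose(SERVER_CONF, NAT_RULES_BEFORE) or "ok")
    print("after: ", diagnose(SERVER_CONF, NAT_RULES_AFTER) or "ok")
    print("route 0.0.0.0 255.255.255.0 is default route:",
          is_default_route(route_network("0.0.0.0", "255.255.255.0")))
```

Running it against the rules as first posted reports only the missing NAT entry for 10.0.8.0/24, which matches the fix that ended the thread; with the second rule added the report is empty. Since this config pushes redirect-gateway, the DNS check passes; drop that line and the 10.0.0.30 resolver becomes unreachable unless a route for the LAN is pushed, which is the first answer's point.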