Not able to connect Internet through OpenVPN



  • Hi all!
    I have an OpenVPN server set up and working fine connecting to my LAN remotely, but I would like to route all traffic of the client through the VPN. The corresponding tick is on in the server settings. I have an outbound NAT setting from the tunnel network to the WAN network (as what the wizard does). I have also tried to make an interface out of the server instance and applied the "allow all" fw rules to this also. Again, connecting to the LAN is ok, but no internet.

    On my client (Tunnelblick on Mac) there are routes made to the LAN network from the tunnel network, but not to the default gateway. Does it need to be pushed manually to the config to allow internet traffic for the clients? If I add it to the config, my Tunnelblick states the config is wrong. Where should I troubleshoot next?



  • I found this description in the book for the redirect option that might give you a clue.

    "When the Redirect Gateway option is selected the server will push a message to clients instructing them to forward all traffic, including Internet traffic, over the VPN tunnel. This only works in SSL/TLS modes with a tunnel network larger than a /30 subnet."


  • Netgate

    @raffi_ said in Not able to connect Internet through OpenVPN:

    I found this description in the book for the redirect option that might give you a clue.

    "When the Redirect Gateway option is selected the server will push a message to clients instructing them to forward all traffic, including Internet traffic, over the VPN tunnel. This only works in SSL/TLS modes with a tunnel network larger than a /30 subnet."

    Right. It will work with a point-to-point OpenVPN tunnel (shared-key or a /30 tunnel network) but the setting cannot be pushed from the server to the client. It must be controlled with the same setting on the client.



  • Take a look at the firewall rules on the OpenVPN "interface"; something happened with the wizard, and the rules created by the wizard are wrong.



  • @derelict I do have a /24 tunnel network. It is also introduced on the client settings, so I think it cannot be the matter.



  • @musote I have redone the rules, for the OpenVPN "interface" as well as the assigned interface OVPN1, and both have an IPv4 all all allow rule applied.


  • Netgate

    And?



  • Well, it is not solved. I have done all that prior to posting here. My VPN traffic is not routed to the internet. Currently, I have the "route all traffic to tunnel" option off, because I cannot get it to work. I just have to realize that whenever I am connected to that VPN, my internet traffic is not encrypted.


  • Netgate

    I don't use Tunnelblick personally. The general recommendation for a quality Mac OpenVPN client is Viscosity.

    If you have redirect gateway checked in the server and you do not end up with two routes on the client (0.0.0.0/1 and 128.0.0.0/1) then it is likely a setting on the client telling it not to honor the routes being pushed. There is not much else to it.

    Did you use the configuration export package?
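
The check described in the post above (whether the client ended up with both 0.0.0.0/1 and 128.0.0.0/1 routes on the tunnel) can be scripted so that a client silently falling back to split tunnelling is noticed. This is an added example, not code from the thread or from pfSense/OpenVPN; the function names are hypothetical, the sample tables and addresses are constructed, and it assumes the macOS `netstat -rn -f inet` layout with tunnel interfaces named `utun*` or `tun*`.

```python
import ipaddress

# The two routes that together cover all of IPv4 (named in the post above).
HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def expand_destination(dest):
    """Expand a netstat destination ('0/1', '128.0/1') to a network, else None."""
    addr, slash, plen = dest.partition("/")
    octets = addr.split(".")
    if not slash or len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))  # assumption: macOS drops trailing zero octets
    try:
        return ipaddress.ip_network(".".join(octets) + "/" + plen)
    except ValueError:
        return None

def redirect_status(route_table, tunnel_prefixes=("utun", "tun")):
    """Return (ok, missing): ok is True when both halves go via a tunnel interface."""
    seen = set()
    for line in route_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        net = expand_destination(fields[0])
        via_tunnel = any(f.startswith(tunnel_prefixes) for f in fields[3:])
        if net in HALVES and via_tunnel:
            seen.add(net)
    missing = sorted(str(n) for n in HALVES - seen)
    return (not missing, missing)

# Constructed samples (not from the thread), in `netstat -rn -f inet` layout.
FULL_TUNNEL = """\
Destination        Gateway            Flags        Netif Expire
0/1                10.8.0.1           UGSc         utun1
default            192.168.1.1        UGSc           en0
10.8.0/24          10.8.0.2           UGSc         utun1
128.0/1            10.8.0.1           UGSc         utun1
"""
SPLIT_TUNNEL = """\
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
10.8.0/24          10.8.0.2           UGSc         utun1
192.168.10/24      10.8.0.1           UGSc         utun1
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, redirect_status(table))
```

On a live client, pass the captured output of `netstat -rn -f inet` to `redirect_status`; a non-empty `missing` list means Internet traffic is still leaving through the local default gateway.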



  • OK,
    I have to give Viscosity a try. I have been using Tunnelblick for quite a while now, and with the recent WatchGuard Firebox firewall I experienced zero problems using it.
    And yes, I exported the settings using the latest version of the "openvpn-client-export".



  • Hi, I had the same problem and I solved it with an additional command.
    push "redirect-gateway def1";push "dhcp-option DNS 192.168.254.1";verb 1;mute-replay-warnings

    192.168.254.1 is my VPN network



  • @claudio69 OK,
    Have to try this!
    Are you able to clarify what the options do? I know that the "redirect-gateway def1" introduces the default gateway of the router to the VPN client, but what about the "dhcp-option DNS xxx.yyy"? Do you have a DNS option on the VPN server settings or is it blank?



  • I have no DNS set up on the VPN server.
    I searched the internet for a long time and found this series of commands that solved the problem. I hope it works for you too.
    Greetings