Setup OpenVPN server

Good afternoon,

I've followed this guide in order to run my linode as a VPN server, to be able to connect to it from my desktop (Windows8):

https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7

I have opened UDP port 1194 and made all necessary configurations. However, when I try to connect to my hostname and port, the OpenVPN log at the server (using tail -f) says nothing at all.

I have:

1) Set hostname and port in server.conf

2) Opened port 1194 (UDP) in my firewall (csf)

3) Started the service.

One remark on this: I'm using a wildcard SSL certificate issued by GlobalSign, where CA in the server.conf is GlobalSign's "Trusted Root", and CERT and KEY are the wildcard certificate's respective files.

But I don't think it's a certificate-related issue, since the log says nothing when trying to connect.

Any help on this would be highly appreciated. Thanks!

38 Replies

What's your server IP? What's the output of iptables -L -n -v and netstat -lpntu ?

The netstat command gave me this interesting line: udp 0 0 0.0.0.0:1194 0.0.0.0:* 17476/openvpn

Looks like it doesn't listen to any IP address? Where in the configuration do I set this?

I've tried a few more things. In server.conf I've added local 127.0.0.1 in the setting "Which local IP address should OpenVPN listen on?"

Now netstat shows the correct address. Tried to telnet "hostname 1194" but nothing happens. At the same time, if I telnet "hostname 21" (ftp) or "hostname 587" (smtp) I get connected.

When using port 1194 I'm just getting "Connection lost", no lines in syslog, openvpn log which is strange?

No, it's listening on all IP addresses; that's what 0.0.0.0 means. What about the other information I asked for?

Sorry, here's iptables:

````
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !lo * 109.74.193.20 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- !lo * 109.74.193.20 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- !lo * 109.74.193.20 0.0.0.0/0 tcp spt:53
32 4055 ACCEPT udp -- !lo * 109.74.193.20 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- !lo * 109.74.192.20 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- !lo * 109.74.192.20 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- !lo * 109.74.192.20 0.0.0.0/0 tcp spt:53
32 4511 ACCEPT udp -- !lo * 109.74.192.20 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- !lo * 109.74.194.20 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- !lo * 109.74.194.20 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- !lo * 109.74.194.20 0.0.0.0/0 tcp spt:53
21198 3688K ACCEPT udp -- !lo * 109.74.194.20 0.0.0.0/0 udp spt:53
151K 711M LOCALINPUT all -- !lo * 0.0.0.0/0 0.0.0.0/0
82042 25M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
22118 4195K INVALID tcp -- !lo * 0.0.0.0/0 0.0.0.0/0
20960 4143K ACCEPT all -- !lo * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
3 160 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
3 164 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
1 40 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
510 30600 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10031
0 0 ACCEPT tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1194
0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
1 58 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT udp -- !lo * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmp type 3
48 2194 LOGDROPIN all -- !lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.193.20 tcp dpt:53
32 1763 ACCEPT udp -- * !lo 0.0.0.0/0 109.74.193.20 udp dpt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.193.20 tcp spt:53
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 109.74.193.20 udp spt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.192.20 tcp dpt:53
32 1767 ACCEPT udp -- * !lo 0.0.0.0/0 109.74.192.20 udp dpt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.192.20 tcp spt:53
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 109.74.192.20 udp spt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.194.20 tcp dpt:53
21198 1473K ACCEPT udp -- * !lo 0.0.0.0/0 109.74.194.20 udp dpt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 109.74.194.20 tcp spt:53
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 109.74.194.20 udp spt:53
202K 32M LOCALOUTPUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
96 7095 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 udp spt:53
82042 25M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
23659 8669K INVALID tcp -- * !lo 0.0.0.0/0 0.0.0.0/0
20250 8444K ACCEPT all -- * !lo 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
846 50760 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
11 660 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
0 0 ACCEPT tcp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:587
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
1 75 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:113
9 684 ACCEPT udp -- * !lo 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmp type 3
3196 298K DROP all -- * !lo 0.0.0.0/0 0.0.0.0/0

Chain ALLOWIN (1 references)
pkts bytes target prot opt in out source destination
4530 297K ACCEPT all -- !lo * 121.54.32.164 0.0.0.0/0
36 1779 ACCEPT all -- !lo * 64.20.227.0/24 0.0.0.0/0
0 0 ACCEPT all -- !lo * 195.74.38.28 0.0.0.0/0
62007 470M ACCEPT all -- !lo * 192.168.129.118 0.0.0.0/0
517 59504 ACCEPT all -- !lo * 192.168.133.2 0.0.0.0/0
61969 237M ACCEPT all -- !lo * 192.168.165.29 0.0.0.0/0
0 0 ACCEPT all -- !lo * 112.198.90.180 0.0.0.0/0

Chain ALLOWOUT (1 references)
pkts bytes target prot opt in out source destination
3361 935K ACCEPT all -- * !lo 0.0.0.0/0 121.54.32.164
27 1962 ACCEPT all -- * !lo 0.0.0.0/0 64.20.227.0/24
0 0 ACCEPT all -- * !lo 0.0.0.0/0 195.74.38.28
88216 11M ACCEPT all -- * !lo 0.0.0.0/0 192.168.129.118
494 45856 ACCEPT all -- * !lo 0.0.0.0/0 192.168.133.2
85707 11M ACCEPT all -- * !lo 0.0.0.0/0 192.168.165.29
0 0 ACCEPT all -- * !lo 0.0.0.0/0 112.198.90.180

Chain DENYIN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- !lo * 109.63.109.182 0.0.0.0/0
0 0 DROP all -- !lo * 58.137.72.110 0.0.0.0/0
0 0 DROP all -- !lo * 117.253.106.71 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.93 0.0.0.0/0
0 0 DROP all -- !lo * 184.168.107.159 0.0.0.0/0
0 0 DROP all -- !lo * 182.74.88.26 0.0.0.0/0
0 0 DROP all -- !lo * 109.161.237.190 0.0.0.0/0
0 0 DROP all -- !lo * 188.135.155.234 0.0.0.0/0
0 0 DROP all -- !lo * 184.168.116.249 0.0.0.0/0
0 0 DROP all -- !lo * 109.63.95.90 0.0.0.0/0
0 0 DROP all -- !lo * 203.113.130.207 0.0.0.0/0
0 0 DROP all -- !lo * 109.63.124.202 0.0.0.0/0
0 0 DROP all -- !lo * 190.60.31.107 0.0.0.0/0
0 0 DROP all -- !lo * 218.87.111.118 0.0.0.0/0
0 0 DROP all -- !lo * 109.63.85.22 0.0.0.0/0
0 0 DROP all -- !lo * 200.145.214.205 0.0.0.0/0
0 0 DROP all -- !lo * 182.74.219.250 0.0.0.0/0
0 0 DROP all -- !lo * 117.253.218.191 0.0.0.0/0
0 0 DROP all -- !lo * 200.222.97.71 0.0.0.0/0
0 0 DROP all -- !lo * 182.72.186.146 0.0.0.0/0
0 0 DROP all -- !lo * 177.200.144.10 0.0.0.0/0
0 0 DROP all -- !lo * 109.161.204.46 0.0.0.0/0
0 0 DROP all -- !lo * 189.90.36.125 0.0.0.0/0
0 0 DROP all -- !lo * 87.249.47.6 0.0.0.0/0
0 0 DROP all -- !lo * 184.168.115.157 0.0.0.0/0
0 0 DROP all -- !lo * 189.126.169.176 0.0.0.0/0
0 0 DROP all -- !lo * 109.161.193.240 0.0.0.0/0
0 0 DROP all -- !lo * 117.253.168.114 0.0.0.0/0
0 0 DROP all -- !lo * 109.161.238.77 0.0.0.0/0
0 0 DROP all -- !lo * 95.191.203.92 0.0.0.0/0
0 0 DROP all -- !lo * 109.63.68.14 0.0.0.0/0
0 0 DROP all -- !lo * 117.253.221.139 0.0.0.0/0
0 0 DROP all -- !lo * 177.154.77.148 0.0.0.0/0
0 0 DROP all -- !lo * 182.74.219.170 0.0.0.0/0
0 0 DROP all -- !lo * 71.13.204.170 0.0.0.0/0
0 0 DROP all -- !lo * 218.87.111.117 0.0.0.0/0
0 0 DROP all -- !lo * 124.234.13.254 0.0.0.0/0
0 0 DROP all -- !lo * 61.160.215.102 0.0.0.0/0
0 0 DROP all -- !lo * 203.94.243.84 0.0.0.0/0
0 0 DROP all -- !lo * 188.190.115.58 0.0.0.0/0
0 0 DROP all -- !lo * 182.100.67.102 0.0.0.0/0
0 0 DROP all -- !lo * 183.195.114.70 0.0.0.0/0
0 0 DROP all -- !lo * 43.255.191.169 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.96 0.0.0.0/0
0 0 DROP all -- !lo * 1.214.119.230 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.204.248 0.0.0.0/0
0 0 DROP all -- !lo * 61.160.213.190 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.204.245 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.201.17 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.88 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.204.241 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.97 0.0.0.0/0
9 540 DROP all -- !lo * 222.186.134.89 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.201.19 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.86 0.0.0.0/0
0 0 DROP all -- !lo * 195.154.56.56 0.0.0.0/0
0 0 DROP all -- !lo * 221.229.166.29 0.0.0.0/0
0 0 DROP all -- !lo * 221.229.166.30 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.85 0.0.0.0/0
0 0 DROP all -- !lo * 218.87.111.116 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.91 0.0.0.0/0
0 0 DROP all -- !lo * 221.229.166.27 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.92 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.98 0.0.0.0/0
0 0 DROP all -- !lo * 91.236.75.124 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.213.254 0.0.0.0/0
0 0 DROP all -- !lo * 61.115.79.20 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.199.49 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.204.226 0.0.0.0/0
0 0 DROP all -- !lo * 221.229.166.28 0.0.0.0/0
0 0 DROP all -- !lo * 218.6.168.220 0.0.0.0/0
0 0 DROP all -- !lo * 182.100.67.112 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.87 0.0.0.0/0
0 0 DROP all -- !lo * 222.161.4.147 0.0.0.0/0
0 0 DROP all -- !lo * 74.92.245.100 0.0.0.0/0
0 0 DROP all -- !lo * 123.103.243.254 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.94 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.199.195 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.90 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.58.131 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.21.209 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.99 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.21.198 0.0.0.0/0
0 0 DROP all -- !lo * 58.218.211.190 0.0.0.0/0
0 0 DROP all -- !lo * 182.100.67.115 0.0.0.0/0
0 0 DROP all -- !lo * 218.200.188.213 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.134.95 0.0.0.0/0
0 0 DROP all -- !lo * 221.229.166.98 0.0.0.0/0
0 0 DROP all -- !lo * 218.87.109.62 0.0.0.0/0
0 0 DROP all -- !lo * 222.186.51.228 0.0.0.0/0
0 0 DROP all -- !lo * 222.187.223.214 0.0.0.0/0
0 0 DROP all -- !lo * 42.117.176.195 0.0.0.0/0
0 0 DROP all -- !lo * 218.65.30.73 0.0.0.0/0
0 0 DROP all -- !lo * 61.160.215.103 0.0.0.0/0
0 0 DROP all -- !lo * 202.69.56.190 0.0.0.0/0
0 0 DROP all -- !lo * 103.243.138.30 0.0.0.0/0
0 0 DROP all -- !lo * 115.238.55.163 0.0.0.0/0
0 0 DROP all -- !lo * 125.39.116.219 0.0.0.0/0
0 0 DROP all -- !lo * 61.160.212.27 0.0.0.0/0
0 0 DROP all -- !lo * 216.70.68.137 0.0.0.0/0

Chain DENYOUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * !lo 0.0.0.0/0 109.63.109.182
0 0 DROP all -- * !lo 0.0.0.0/0 58.137.72.110
0 0 DROP all -- * !lo 0.0.0.0/0 117.253.106.71
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.93
0 0 DROP all -- * !lo 0.0.0.0/0 184.168.107.159
0 0 DROP all -- * !lo 0.0.0.0/0 182.74.88.26
0 0 DROP all -- * !lo 0.0.0.0/0 109.161.237.190
0 0 DROP all -- * !lo 0.0.0.0/0 188.135.155.234
0 0 DROP all -- * !lo 0.0.0.0/0 184.168.116.249
0 0 DROP all -- * !lo 0.0.0.0/0 109.63.95.90
0 0 DROP all -- * !lo 0.0.0.0/0 203.113.130.207
0 0 DROP all -- * !lo 0.0.0.0/0 109.63.124.202
0 0 DROP all -- * !lo 0.0.0.0/0 190.60.31.107
0 0 DROP all -- * !lo 0.0.0.0/0 218.87.111.118
0 0 DROP all -- * !lo 0.0.0.0/0 109.63.85.22
0 0 DROP all -- * !lo 0.0.0.0/0 200.145.214.205
0 0 DROP all -- * !lo 0.0.0.0/0 182.74.219.250
0 0 DROP all -- * !lo 0.0.0.0/0 117.253.218.191
0 0 DROP all -- * !lo 0.0.0.0/0 200.222.97.71
0 0 DROP all -- * !lo 0.0.0.0/0 182.72.186.146
0 0 DROP all -- * !lo 0.0.0.0/0 177.200.144.10
0 0 DROP all -- * !lo 0.0.0.0/0 109.161.204.46
0 0 DROP all -- * !lo 0.0.0.0/0 189.90.36.125
0 0 DROP all -- * !lo 0.0.0.0/0 87.249.47.6
0 0 DROP all -- * !lo 0.0.0.0/0 184.168.115.157
0 0 DROP all -- * !lo 0.0.0.0/0 189.126.169.176
0 0 DROP all -- * !lo 0.0.0.0/0 109.161.193.240
0 0 DROP all -- * !lo 0.0.0.0/0 117.253.168.114
0 0 DROP all -- * !lo 0.0.0.0/0 109.161.238.77
0 0 DROP all -- * !lo 0.0.0.0/0 95.191.203.92
0 0 DROP all -- * !lo 0.0.0.0/0 109.63.68.14
0 0 DROP all -- * !lo 0.0.0.0/0 117.253.221.139
0 0 DROP all -- * !lo 0.0.0.0/0 177.154.77.148
0 0 DROP all -- * !lo 0.0.0.0/0 182.74.219.170
0 0 DROP all -- * !lo 0.0.0.0/0 71.13.204.170
0 0 DROP all -- * !lo 0.0.0.0/0 218.87.111.117
0 0 DROP all -- * !lo 0.0.0.0/0 124.234.13.254
0 0 DROP all -- * !lo 0.0.0.0/0 61.160.215.102
0 0 DROP all -- * !lo 0.0.0.0/0 203.94.243.84
0 0 DROP all -- * !lo 0.0.0.0/0 188.190.115.58
0 0 DROP all -- * !lo 0.0.0.0/0 182.100.67.102
0 0 DROP all -- * !lo 0.0.0.0/0 183.195.114.70
0 0 DROP all -- * !lo 0.0.0.0/0 43.255.191.169
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.96
0 0 DROP all -- * !lo 0.0.0.0/0 1.214.119.230
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.204.248
0 0 DROP all -- * !lo 0.0.0.0/0 61.160.213.190
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.204.245
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.201.17
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.88
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.204.241
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.97
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.89
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.201.19
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.86
0 0 DROP all -- * !lo 0.0.0.0/0 195.154.56.56
0 0 DROP all -- * !lo 0.0.0.0/0 221.229.166.29
0 0 DROP all -- * !lo 0.0.0.0/0 221.229.166.30
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.85
0 0 DROP all -- * !lo 0.0.0.0/0 218.87.111.116
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.91
0 0 DROP all -- * !lo 0.0.0.0/0 221.229.166.27
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.92
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.98
0 0 DROP all -- * !lo 0.0.0.0/0 91.236.75.124
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.213.254
0 0 DROP all -- * !lo 0.0.0.0/0 61.115.79.20
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.199.49
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.204.226
0 0 DROP all -- * !lo 0.0.0.0/0 221.229.166.28
0 0 DROP all -- * !lo 0.0.0.0/0 218.6.168.220
0 0 DROP all -- * !lo 0.0.0.0/0 182.100.67.112
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.87
0 0 DROP all -- * !lo 0.0.0.0/0 222.161.4.147
0 0 DROP all -- * !lo 0.0.0.0/0 74.92.245.100
0 0 DROP all -- * !lo 0.0.0.0/0 123.103.243.254
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.94
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.199.195
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.90
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.58.131
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.21.209
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.99
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.21.198
0 0 DROP all -- * !lo 0.0.0.0/0 58.218.211.190
0 0 DROP all -- * !lo 0.0.0.0/0 182.100.67.115
0 0 DROP all -- * !lo 0.0.0.0/0 218.200.188.213
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.134.95
0 0 DROP all -- * !lo 0.0.0.0/0 221.229.166.98
0 0 DROP all -- * !lo 0.0.0.0/0 218.87.109.62
0 0 DROP all -- * !lo 0.0.0.0/0 222.186.51.228
0 0 DROP all -- * !lo 0.0.0.0/0 222.187.223.214
0 0 DROP all -- * !lo 0.0.0.0/0 42.117.176.195
0 0 DROP all -- * !lo 0.0.0.0/0 218.65.30.73
0 0 DROP all -- * !lo 0.0.0.0/0 61.160.215.103
0 0 DROP all -- * !lo 0.0.0.0/0 202.69.56.190
0 0 DROP all -- * !lo 0.0.0.0/0 103.243.138.30
0 0 DROP all -- * !lo 0.0.0.0/0 115.238.55.163
0 0 DROP all -- * !lo 0.0.0.0/0 125.39.116.219
0 0 DROP all -- * !lo 0.0.0.0/0 61.160.212.27
0 0 DROP all -- * !lo 0.0.0.0/0 216.70.68.137

Chain INVALID (2 references)
pkts bytes target prot opt in out source destination
570 31758 INVDROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
11 572 INVDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
pkts bytes target prot opt in out source destination
581 32330 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOCALINPUT (1 references)
pkts bytes target prot opt in out source destination
151K 711M ALLOWIN all -- !lo * 0.0.0.0/0 0.0.0.0/0
22080 4205K DENYIN all -- !lo * 0.0.0.0/0 0.0.0.0/0

Chain LOCALOUTPUT (1 references)
pkts bytes target prot opt in out source destination
202K 32M ALLOWOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0
24379 8795K DENYOUT all -- * !lo 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPIN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
2 120 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
17 816 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
16 660 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
12 558 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
28 1218 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOGDROPOUT (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *TCP_OUT Blocked* '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *UDP_OUT Blocked* '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

````

My current ip address is listed as the first row in the sections "Chain ALLOWIN" and "Chain ALLOWOUT".

I meant what's the IP of the server, we can't diagnose a connection problem without attempting to connect.

I can connect to openvpn on your server fine (I can't authenticate obviously). So if you can't connect from your machine then it's a problem on your local end, perhaps your ISP blocks the connection? Try changing the port to 443 using tcp (assuming you're not running a https webserver on that box).

Got it to work and I'm now connected to my VPN.

One more issue. I'm not getting the VPN server's gateway and DNS, therefore my public IP won't be the server's. The whole point with this setup is that my ISP provides my (and other customers') IP addresses which are blacklisted in many countries of the world. So I need to make it "look" like I'm in the same country as the Linux box.

How to achieve this? I've been searching a lot and found the push "redirect-gateway" etc. but nothing seems to work.

Thank you!

This is my config that does just that; you'll need to adjust it to use whatever settings you have and add in your keys.

````
# VPN subnet handed out to clients
server 192.168.255.0 255.255.255.0
verb 3
key-direction 0
keepalive 10 60
persist-key
persist-tun
comp-lzo

proto udp

port 1194
dev tun0
status /tmp/openvpn-status.log

client-config-dir /etc/openvpn/ccd

# Drop privileges after start-up
user nobody
group nogroup
# Each pushed option is quoted as a single argument
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
route 192.168.254.0 255.255.255.0
````

Good morning

Still no luck in this matter.

Is it really going to be like this: server 192.168.255.0 255.255.255.0 ... route 192.168.254.0 255.255.255.0

I.e. 255.0 as server and 254.0 in "route" ?

When I'm connected the network settings looks like this:

https://www.dropbox.com/s/d18d12e2o4xghcf/Screenshot_2015-04-28%2006.43.26.png?dl=0

What is strange is that gateway and DNS is 192.168.254.5. When I try to ping that, a timeout occurs. In the meantime, I can ping 192.168.254.2 which I believe is the server, and 192.168.254.6 which is the client itself.

Note that in the image above, I also enabled push "redirect-gateway" in the config (which is different from your config) but when I comment it out, the only difference is that "Default gateway" is blank when connected to the server.

Is there anything else I have to do/install at server level? I have installed dnsmasq and it's configured to listen on the IP. Are there any firewall rules etc. to add and if there are, how do I add those? In your config you're using dev tun0 but in mine it's only dev tun.

The server/route config works for me so I'd say use it ;)

Try turning off your firewall on the server and see if that helps, you'll also want to ensure IP forwarding is enabled by running cat /proc/sys/net/ipv4/ip_forward if that outputs 0 then run echo 1 > /proc/sys/net/ipv4/ip_forward; echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Thanks, it was "0" so I enabled it.

Problem is still there though.. "Gateway" is empty in my Windows Ethernet Interface, and DHCP 192.168.255.5

One more strange thing, I've put 255.255.255.0 as subnet mask, the Ethernet info says IPv4 Subnet Mask: 255.255.255.252

More ideas? Something to add to iptables?

With iptables disabled there is no difference. I'm getting 192.168.255.5 as DHCP server, which I cannot ping. 192.168.255.1 on the other hand will reply to ping. And why is Gateway still empty?

My plan with this is to be able to connect to SMTP, FTP services etc. on the server, using the local IPs.

Now I tried to copy/paste your server config exactly, but I added the values for:

dh
ca
cert
key

I'm connected, but still with gateway 192.168.255.5 and DHCP 192.168.255.5 instead of 192.168.255.1

Can't figure out what's going on, or how I can fix this. Have googled for hours reading threads from people with different issues but it doesn't matter what I try, the problem persists.

192.168.255.5 is the correct gateway, that's how openvpn works; you'll see 192.168.255.6 as your IP. You should get your server's IP if you connect to an external site.

@obs:

You should get your server's IP if you connect to an external site.
Don't you need to set up IP Masquerading for that to work?

I have setup "dnsmasq" or what it was called, and nope, sorry, still not working. Do I have to bridge the ethernet adapters or something like that? Was thinking, could it possibly be a limitation in my modem/isp? I've got a pocket Wifi (3g) LTE Modem.

I still don't understand why I cannot ping the DNS or Gateway (192.168.255.5) I'm getting, what is the reason for that?

@sweh:

@obs:

You should get your server's IP if you connect to an external site.
Don't you need to set up IP Masquerading for that to work?

Possibly, I don't on my server but it could be the OP's firewall killing it or something else specific to their server or even their ISP. I run openvpn from docker so all I have is IP forwarding enabled in the kernel, and iptables forwarding ovpn requests to the docker instance; it just works out of the box for me.

So how do I look my iptables settings for these openVPN clients traffic?

@Webkungen:

Good morning

Note that in the image above, I also enabled push "redirect-gateway" in the config (which is different from your config) but when I comment it out, the only difference is that "Default gateway" is blank when connected to the server.

I read in one of the online guides, you need to put the redirect-gateway in the client config file, as putting it in the server config file didn't work properly.

This may or may not help: http://marguspala.com/simple-way-to-route-all-traffic-via-gateway-with-openvpn/

"redirect-gateway def1" changes client routing table so that all traffic is directed via server. Without it only traffic sent to servers ip 10.66.77.1 will be sent there. Most materials in web recommend to add to server config push "redirect-gateway def1" but this is not working in some cases so better add this config directly to client

Still not getting gateway correct, have the push directive in server config, and redirect-gateway in the client config. But I can telnet the smtp server with the local IP, which is good.

#:/etc/openvpn# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.255.1  P-t-P:192.168.255.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:113781 (111.1 KiB)  TX bytes:724 (724.0 B)

My server is configured with local IP as well, is there a way to use those ip addresses for the VPN as well, i.e. so I will be able to reach the other debian boxes in the local network? eth0:0 Link encap:Ethernet HWaddr f2:3c:91:df:58:af inet addr:192.168.192.172 Bcast:192.168.255.255 Mask:255.255.128.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

The OpenVPN log for the client looks like this when connecting:

````
Fri May 01 08:45:44 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.4.4,dhcp-option DNS 8.8.8.8,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5'
Fri May 01 08:45:44 2015 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: route options modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 01 08:45:44 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri May 01 08:45:44 2015 MANAGEMENT: >STATE:1430441144,ASSIGN_IP,,192.168.255.6,
Fri May 01 08:45:44 2015 open_tun, tt->ipv6=0
Fri May 01 08:45:44 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{BB81A1BE-F61B-4431-A315-F44EA2AA0E91}.tap
Fri May 01 08:45:44 2015 TAP-Windows Driver Version 9.21
Fri May 01 08:45:44 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.255.6/255.255.255.252 on interface {BB81A1BE-F61B-4431-A315-F44EA2AA0E91} [DHCP-serv: 192.168.255.5, lease-time: 31536000]
Fri May 01 08:45:44 2015 Successful ARP Flush on interface [48] {BB81A1BE-F61B-4431-A315-F44EA2AA0E91}
Fri May 01 08:45:49 2015 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 178.79.135.11 MASK 255.255.255.255 192.168.0.1
Fri May 01 08:45:49 2015 Warning: route gateway is ambiguous: 192.168.0.1 (2 matches)
Fri May 01 08:45:49 2015 Route addition via IPAPI failed [adaptive]
Fri May 01 08:45:49 2015 Route addition fallback to route.exe
Fri May 01 08:45:49 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 MANAGEMENT: >STATE:1430441149,ADD_ROUTES,,,
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 192.168.255.1 MASK 255.255.255.255 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 Initialization Sequence Completed
Fri May 01 08:45:49 2015 MANAGEMENT: >STATE:1430441149,CONNECTED,SUCCESS,192.168.255.6,178.79.135.11
````

This looks like an error, but what does it mean?

````
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 178.79.135.11 MASK 255.255.255.255 192.168.0.1
Fri May 01 08:45:49 2015 Warning: route gateway is ambiguous: 192.168.0.1 (2 matches)
Fri May 01 08:45:49 2015 Route addition via IPAPI failed [adaptive]
Fri May 01 08:45:49 2015 Route addition fallback to route.exe
````

Could the problem have to do with my local IPs?

From my modem I'm getting 192.168.0.x in my local network, and on the vpn server there is also a local ip setup, using 192.168.192.x
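An added example, not part of any post in this thread: it decodes the options pushed in the client log above and derives the adapter settings and routes the client then installs, which is where the 255.255.255.252 mask and the 192.168.255.5 next hop come from. The function names are hypothetical; the public server address and LAN gateway are the ones shown in that log.

```python
import ipaddress

# Constructed from the pushed options shown in the client log above.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.4.4,"
              "dhcp-option DNS 8.8.8.8,route 192.168.255.1,topology net30,"
              "ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5")


def parse_push_reply(message):
    """Split a PUSH_REPLY control message into a list of option token lists."""
    head, *options = message.split(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [opt.split() for opt in options if opt.strip()]


def describe_tunnel(message, server_public_ip, lan_gateway):
    """Derive the addresses and routes a client installs from a PUSH_REPLY."""
    # net30 is assumed when no topology is pushed, as the server config
    # comment later in this thread states.
    topology, ifconfig, route_gw, redirect = "net30", None, None, None
    dns, pushed = [], []
    for name, *args in parse_push_reply(message):
        if name == "topology":
            topology = args[0]
        elif name == "ifconfig":
            ifconfig = args
        elif name == "route-gateway":
            route_gw = args[0]
        elif name == "dhcp-option" and args[:1] == ["DNS"]:
            dns.append(args[1])
        elif name == "route":
            pushed.append(args)
        elif name == "redirect-gateway":
            redirect = args
    if ifconfig is None or len(ifconfig) != 2:
        raise ValueError("PUSH_REPLY carries no usable ifconfig option")

    local = ipaddress.ip_address(ifconfig[0])
    if topology == "net30":
        # Each client gets its own /30: the second ifconfig argument is the
        # other usable host of that /30. It exists only as a routing next hop,
        # it is not an interface address on the server.
        net = ipaddress.ip_network(f"{local}/30", strict=False)
        gateway = ipaddress.ip_address(ifconfig[1])
        if gateway not in net or gateway == local:
            raise ValueError("net30 peer is not in the client's /30")
        netmask = str(net.netmask)
    else:
        # topology subnet: 'ifconfig <ip> <netmask>', gateway pushed separately
        netmask = ifconfig[1]
        if route_gw is None:
            raise ValueError("subnet topology needs a pushed route-gateway")
        gateway = ipaddress.ip_address(route_gw)

    gw = str(gateway)
    routes = []
    for args in pushed:
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        via = args[2] if len(args) > 2 else gw
        routes.append((args[0], mask, via))
    if redirect is not None:
        # Keep the encrypted tunnel itself on the physical link.
        routes.append((server_public_ip, "255.255.255.255", lan_gateway))
        if "def1" in redirect:
            # Two /1 routes override the default route without deleting it.
            routes += [("0.0.0.0", "128.0.0.0", gw), ("128.0.0.0", "128.0.0.0", gw)]
        else:
            routes.append(("0.0.0.0", "0.0.0.0", gw))
    return {"topology": topology, "local": str(local), "netmask": netmask,
            "gateway": gw, "dns": dns, "routes": routes}


if __name__ == "__main__":
    tunnel = describe_tunnel(PUSH_REPLY, "178.79.135.11", "192.168.0.1")
    for key, value in tunnel.items():
        print(f"{key}: {value}")
```

The derived routes match the `route.exe ADD` lines in the log one for one, so the client side is installing what the server pushed.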

This might be un-related. On my Linode I had Debian 7, with openvpn, and I could send traffic up the VPN and out to the world. Checking whatsmyip, my traffic was originating from my Linode.

I upgraded to Debian 8 this week, to get openvpn with IP6, but with my original configs, I can't get to the outside world anymore, and yes, I have set IP forwarding in the kernel.

So are you by chance running Debian 8. If so I don't have an answer. Also you need to have redirect-gateway without the def1 to get the default gateway to be set for the vpn. Well at least I did, and it was also mentioned at one other tutorial site. Problem is so much has changed, and most of the tutorials appear out of date, compared to how you had to do things, and how you now have to do things.

In the log above, you have: Warning: route gateway is ambiguous: 192.168.0.1 (2 matches) this could be bad, maybe.

I removed "def1" now from both server and client config.

When I connect to the VPN, I'm unable to browse any website at all. However, I can ping and telnet services on the local network (VPN server).

Trying to trace Google.com:

````
# tracert google.com

Tracing route to google.com [216.58.221.46]
over a maximum of 30 hops:

  1   464 ms   448 ms   399 ms  192.168.255.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
...
 30     *        *        *     Request timed out.
````

As you see I never come outside the network on the server. Same result with firewall (csf) disabled. My guess is that there MUST BE some kind of server config between the network interfaces (bridging or similar?) I'm missing?

Well I've got my problem sorted out - I hadn't done the iptables bit at the bottom.

Also you can have def1 in the client side, and existing connections (ssh) will be maintained when the VPN comes up.

On the Server:

````
# Set your server IP address here
local xx.xx.xx.xx
port 1194
proto udp
dev tun
# Default topology is net30 - change to use normal subnet
topology subnet
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 1800 4000
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
````

On the client:

````
client
dev tun
dev-node "Windows TAP Adapter"
proto udp
# Put your server IP address or Domain name here
remote example.com 1194
redirect-gateway def1
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\PC.crt"
key "C:\\Program Files\\OpenVPN\\config\\PC.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
comp-lzo
verb 3
````

Turn on IP forwarding on the server:

````
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
````

Now, back to that pesky IP6 part.

With the VPN up - here is the server ip addr:

````
18: tun0: up>mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.1.1/24 brd 172.16.1.255 scope global tun0
       valid_lft forever preferred_lft forever
````

and the client ipconfig /all (trimmed)

````
Ethernet adapter Windows TAP Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-C6-B6-B4-D3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.1.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, 1 May 2015 7:26:56 PM
Lease Expires . . . . . . . . . . : Saturday, 30 April 2016 7:26:56 PM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 172.16.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
````

Note there is no default gateway, but whatismyip returns my server's ip address, not my ISP's.

Removing the def1 from the client config sets this.

````
Ethernet adapter Windows TAP Adapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-C6-B6-B4-D3
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.16.1.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, 1 May 2015 8:23:03 PM
Lease Expires . . . . . . . . . . : Saturday, 30 April 2016 8:23:02 PM
Default Gateway . . . . . . . . . : 172.16.1.1
DHCP Server . . . . . . . . . . . : 172.16.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled
````

Not getting this… I tried to copy your config exactly except the ca, cert and key (and changed local as well). Still same issue. I can connect, I can ping the vpn server etc. but cannot browse internet at all. No matter what I do, I'm getting ERR_CONNECTION_TIMED_OUT.

Tried to disable both csf and my anti-virus/firewall software (ESET).

Is eth0 on a public IP address and not a private IP address?

If it's on a private 192, 172, 10 it will be dropped by your server's upstream routers.

Also if you are trying to connect other servers / computers on the private IP address subnet of the VPN, you need to look into the client-to-client server config option and associated magic with ccd files that is required to make this work. I can't help you with that as I don't use it or need it.

eth0 is the public ip but it's also configured (eth0:0) with private ip as well.

My goal is to masquerade my IP and make it look like I'm in London. This is because my ISP gives me dirty IP addresses all the time which are blacklisted, so I cannot connect to certain hosting providers, or do my job in a good way.

Well my last suggestion would be to remove the private IP address off eth0. Not even sure why you would want that. You must be doing something special.

It's possible that iptables is sending your VPN traffic (assuming my config) from 172.16.1.1 out your private IP address on eth0, instead of your public IP address on eth0, and upstream is dropping it. I have no idea how you would even test for that.

I'm assuming you have actually done the following, and the kernel you are using will actually forward traffic.

My Debian kernel does, does the Linode one? Don't know.

````
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
````

If this doesn't work, I don't know what to suggest next.
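The two server-side commands posted in this thread (`ip_forward` and the `MASQUERADE` rule) can be audited offline from `iptables-save` output. The following is an added example, not part of the original thread; the function name `check_vpn_nat`, the sample ruleset and the extra FORWARD-chain check are assumptions introduced here.

```shell
#!/usr/bin/env bash
# check_vpn_nat RULES IP_FORWARD VPN_NET WAN_IF   (hypothetical helper)
#   RULES is `iptables-save` output, IP_FORWARD the content of
#   /proc/sys/net/ipv4/ip_forward. Prints one finding per line and
#   returns 0 only when nothing is missing.
check_vpn_nat() {
    local rules=$1 fwd=$2 net=$3 wan=$4 rc=0 nat
    # 1. The kernel must route between the tunnel and the WAN interface.
    if [ "$fwd" = "1" ]; then echo "OK ip_forward"; else echo "MISSING ip_forward"; rc=1; fi
    # 2. nat/POSTROUTING must rewrite the VPN subnet's source on the WAN side.
    #    SNAT --to-source pins the address; MASQUERADE leaves the choice to the kernel.
    nat=$(printf '%s\n' "$rules" | awk -v net="$net" -v wan="$wan" '
        /^\*/ { tbl = $1 }
        tbl == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            s = o = j = t = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-o") o = $(i + 1)
                if ($i == "-j") j = $(i + 1)
                if ($i == "--to-source") t = $(i + 1)
            }
            if (s == net && o == wan && (j == "MASQUERADE" || j == "SNAT")) {
                print (t == "" ? j : j " " t); exit
            }
        }')
    if [ -n "$nat" ]; then echo "OK nat $nat"; else echo "MISSING nat"; rc=1; fi
    # 3. filter/FORWARD must let tunnel traffic through: policy ACCEPT, or a
    #    rule accepting packets sourced from the VPN subnet (heuristic only).
    if printf '%s\n' "$rules" | awk -v net="$net" '
        /^\*/ { tbl = $1 }
        tbl == "*filter" && $1 == ":FORWARD" && $2 == "ACCEPT" { ok = 1 }
        tbl == "*filter" && $1 == "-A" && $2 == "FORWARD" && $NF == "ACCEPT" {
            for (i = 3; i < NF; i++) if ($i == "-s" && $(i + 1) == net) ok = 1
        }
        END { exit !ok }'
    then echo "OK forward"; else echo "MISSING forward"; rc=1; fi
    return $rc
}

# Constructed sample: NAT rule present, but FORWARD policy is DROP with no ACCEPT rule.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'
check_vpn_nat "$SAMPLE_RULES" 1 172.16.1.0/24 eth0 || echo "forwarding path incomplete"
```

On a live server the first two arguments would be `"$(iptables-save)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"`, run as root.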

The reason why I have private LAN setup is that there are 3 other debian boxes in the same local network, two app boxes and one dedicated MySQL. The one hosting the VPN is the smtp and backup server in the cloud.

I have issued the commands above for ip_forward. Running Debian 6.

Still no progress in this matter..

Would it be possible to use my local LAN config IP's for the VPN as well? I.e. my eth0 is configured for both WAN and LAN, and can I use the same ip range (192.168.172.0) for the VPN?

Have downloaded a software (SoftEther VPN Client) for Windows and I'm able to connect to the public VPN servers in that program, and get their resp. public ips, so this MUST be a matter of debian/serverconfig and has nothing to do with my modem/pocket wifi I thought before.

Only difference is that software is using TCP instead of UDP. Have tried to change OpenVPN config to TCP but now I cannot connect at all (yes I have opened TCP 1194 in CSF).

Any advice?

Here's my LAN ip config

````
ifconfig eth0:0

eth0:0 Link encap:Ethernet HWaddr f2:3c:91:df:58:af
inet addr:192.168.192.172 Bcast:192.168.255.255 Mask:255.255.128.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
````

What should the server config for OpenVPN look like? Thanks!

This article may allude to what's going on: http://www.embedded-bits.co.uk/2008/multiple-network-gotcha/

I think this is more a Linux networking / IP forwarding thing than an OpenVPN thing. But this is just a guess, it's above my pay grade.

I would temporarily take down your private IP's, so eth0 only has the primary public IP and test if that works.

If it does, you can then try and find out why it doesn't with private IP's.

To take the local LAN down temporarily, is it just to write "ifconfig eth0:0" or is there another way, without taking down the whole interface (i.e. lose connection to the server)?

Thanks,

I would HIGHLY recommend this script to set up an OpenVPN. It's ridiculously easy.

https://github.com/Nyr/openvpn-install

There is a great tutorial on how to setup an openvpn on a linux system here.
