OpenVPN not routing?

I've followed all of the directions for setting up my Debian linode for OpenVPN and connecting to it successfully (sort of) with my Debian laptop. I can ping and ssh and do whatever from my laptop to the server when the VPN is enabled, but I absolutely cannot get any forwarding to work whatsoever.

I have enabled forwarding on my server and have the default route pushed to the client. I have the proper iptables forwarding and NAT entries according to dozens of articles I've read. I've also flushed iptables and used JUST those entries with no change. I also have dnsmasq installed. I am not seeing any logged dropped packets in syslog (all dropped packets are logged), and I'm not seeing any errors in the OpenVPN log. I use the network-manager-openvpn package for the client, but if I use a simple client config it does the same thing anyway.

Please help!

server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.0.0 255.255.0.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo no
push "comp-lzo no"
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 10

iptables-save:

# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*security
:INPUT ACCEPT [30746:3391345]
:FORWARD ACCEPT [11831:952761]
:OUTPUT ACCEPT [16059:2602360]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*raw
:PREROUTING ACCEPT [42893:4407336]
:OUTPUT ACCEPT [16062:2602820]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*nat
:PREROUTING ACCEPT [12:703]
:INPUT ACCEPT [3:235]
:OUTPUT ACCEPT [91:5994]
:POSTROUTING ACCEPT [91:5994]
-A POSTROUTING -s 10.8.0.0/24 -j ACCEPT 
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*mangle
:PREROUTING ACCEPT [28303:2930721]
:INPUT ACCEPT [20954:2286300]
:FORWARD ACCEPT [7340:643881]
:OUTPUT ACCEPT [11488:1613988]
:POSTROUTING ACCEPT [18726:2218125]
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
# Generated by iptables-save v1.4.8 on Thu Jul 14 20:24:44 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:115470]
:LOGNDROP - [0:0]
:SPAMLIST - [0:0]
:SPAMLND - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-pam-generic - [0:0]
:fail2ban-postfix - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache 
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix 
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows 
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos 
-A INPUT -p tcp -j fail2ban-pam-generic 
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -j SPAMLIST 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -j LOGNDROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -o tun+ -j ACCEPT 
-A FORWARD -s 10.8.0.0/24 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-port-unreachable 
-A OUTPUT -j SPAMLIST 
-A OUTPUT -p icmp -j ACCEPT 
-A LOGNDROP -p tcp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-TCP: " --log-level 7 
-A LOGNDROP -p udp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-UDP: " --log-level 7 
-A LOGNDROP -p icmp -m limit --limit 6/min -j LOG --log-prefix "Denied IPv4-ICMP: " --log-level 7 
-A LOGNDROP -j DROP 
-A SPAMLIST -s 173.242.122.87/32 -j SPAMLND 
-A SPAMLIST -s 94.250.93.68/32 -j SPAMLND 
-A SPAMLIST -s 94.250.77.220/32 -j SPAMLND 
-A SPAMLIST -s 85.167.116.39/32 -j SPAMLND 
-A SPAMLIST -s 88.90.64.39/32 -j SPAMLND 
-A SPAMLIST -s 174.127.65.56/32 -j SPAMLND 
-A SPAMLIST -s 85.167.118.225/32 -j SPAMLND 
-A SPAMLIST -s 94.250.77.220/32 -j SPAMLND 
-A SPAMLIST -s 206.214.2.230/32 -j SPAMLND 
-A SPAMLIST -s 219.154.45.50/32 -j SPAMLND 
-A SPAMLIST -s 84.202.88.9/32 -j SPAMLND 
-A SPAMLIST -j RETURN 
-A SPAMLND -m limit --limit 6/min -j LOG --log-prefix "SPAMLIST: " --log-level 7 
-A SPAMLND -j DROP 
-A fail2ban-apache -j RETURN 
-A fail2ban-apache-noscript -j RETURN 
-A fail2ban-apache-overflows -j RETURN 
-A fail2ban-pam-generic -j RETURN 
-A fail2ban-postfix -j RETURN 
-A fail2ban-ssh -j RETURN 
-A fail2ban-ssh-ddos -j RETURN 
COMMIT
# Completed on Thu Jul 14 20:24:44 2011
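As an added diagnostic (not the poster's code), here is a Python check for the posted nat table. In the nat table ACCEPT is a terminating target, so an ACCEPT rule that matches a packet before the MASQUERADE rule does means the connection is never NATed: VPN traffic leaves eth0 with its 10.8.0.x source address and replies have no way back, even though FORWARD allows everything. The script parses an iptables-save dump and reports earlier terminating rules whose matches are a subset of a later NAT rule's; it generalises to any dump with plain (non-negated) matches, and the sample input is constructed from the nat table above.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
NAT_TARGETS = {"MASQUERADE", "SNAT"}

# Constructed sample: the nat table from the post, ACCEPT before MASQUERADE
SAMPLE_NAT = """\
*nat
:POSTROUTING ACCEPT [91:5994]
-A POSTROUTING -s 10.8.0.0/24 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_dump(dump):
    """Return {table: {chain: [(matches, target, raw_line), ...]}}; matches is a
    frozenset of (option, value) pairs. Negation ('!') is not interpreted."""
    tables, table = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":                       # table header, e.g. *nat
            table = tables.setdefault(line[1:], {})
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)             # handles quoted --log-prefix
            chain, opts, target, i = toks[1], set(), None, 2
            while i < len(toks):
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                val = toks[i + 1] if has_val else ""
                if toks[i] == "-j":
                    target = val
                else:
                    opts.add((toks[i], val))
                i += 2 if has_val else 1
            table.setdefault(chain, []).append((frozenset(opts), target, line))
    return tables

def find_shadowed_nat_rules(dump):
    """(shadowing_rule, shadowed_rule) pairs in nat/POSTROUTING: an earlier rule
    with a terminating target whose matches are a subset of a later NAT rule's."""
    rules = parse_dump(dump).get("nat", {}).get("POSTROUTING", [])
    hits = []
    for i, (m_a, t_a, raw_a) in enumerate(rules):
        if t_a in TERMINATING:
            for m_b, t_b, raw_b in rules[i + 1:]:
                # packets the NAT rule would match were already accepted earlier
                if t_b in NAT_TARGETS and m_a <= m_b:
                    hits.append((raw_a, raw_b))
    return hits
```

Running it on `iptables-save` output from the server reports the shadowing pair; moving the MASQUERADE rule above the ACCEPT (or dropping the ACCEPT) makes the report empty.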
