iptables OpenVPN – How to Tunnel All Traffic Through an OpenVPN Server

Tags: iptables, openvpn

I'm trying to get all traffic to be routed through the VPN so that the OpenVPN Server's IP address is what shows up when I'm browsing the internet.

Not that it should matter, but we're using password based authentication via a PAM module. That PAM module makes an HTTP call to a website to validate things.

This is my OpenVPN Server Configuration:

port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret

;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120

cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3

;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional

push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"

This is my client OpenVPN configuration:

client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass

This is what iptables --list looks like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  ip-10-8-0-0.ec2.internal/24  anywhere             ctstate NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

These iptables entries were created with:

iptables -I FORWARD -i tun0 -o eth0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 \
          -s 10.8.0.0/24 -j MASQUERADE

This is what ifconfig looks like on the OpenVPN Server:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.26.12.92  netmask 255.255.240.0  broadcast 172.26.15.255
        inet6 fe80::89c:e4ff:feab:ccce  prefixlen 64  scopeid 0x20<link>
        ether 0a:9c:e4:ab:cc:ce  txqueuelen 1000  (Ethernet)
        RX packets 219194  bytes 218590052 (218.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 98397  bytes 11103942 (11.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4886  bytes 669299 (669.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4886  bytes 669299 (669.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::ef51:ccb3:ccc0:f02b  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

IP Forwarding is enabled:

ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1

This is what I see in my client log:

Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{A4956E3A-C1FC-45BF-9857-31E5725E5011}.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21 
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A4956E3A-C1FC-45BF-9857-31E5725E5011} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] {A4956E3A-C1FC-45BF-9857-31E5725E5011}
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,

This is what I see in my server's OpenVPN Log:

Wed Jun  5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun  5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan  9 2019
Wed Jun  5 11:39:35 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Wed Jun  5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Jun  5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun  5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun  5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun  5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun  5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun  5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun  5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun  5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun  5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun  5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun  5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun  5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun  5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun  5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun  5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun  5 11:39:35 2019 Initialization Sequence Completed
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun  5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan' 
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun  5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun  5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun  5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun  5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting

I have looked at and tried to adopt settings from the following articles, with no success:
https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server/

How to force all traffic through VPN?

https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn

https://openvpn.net/community-resources/how-to/#redirect

Most likely I just haven't put the right combination together, but I'm at a loss here and definitely looking for help.

It would be greatly appreciated if you are able to explain why a given setting might solve the issue, as that may help me figure this out if what you give isn't the complete solution.
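As an added check (not part of the question or the answer), the script below parses `iptables -S` style output and confirms the three server-side prerequisites the question relies on for a full tunnel: `ip_forward` set to 1, a FORWARD rule accepting new flows from the VPN subnet out of the WAN interface plus one for RELATED,ESTABLISHED return traffic, and a POSTROUTING MASQUERADE for the subnet. The sample rule text is constructed to match the three iptables commands above; note that `iptables -L` without `-v` hides the `-i tun0 -o eth0` interface matches, which is why they do not appear in the listing in the question, whereas `iptables -S` or `iptables -L -v -n` shows them.

```python
import shlex

# Constructed sample output, shaped like `iptables -S FORWARD` and
# `iptables -t nat -S POSTROUTING` print the rules from the question.
FORWARD_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
"""
NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
"""


def parse_rules(text):
    """Turn `-A` lines of `iptables -S` output into dicts of option -> value.
    Options without a value (flags) map to True; policy lines are skipped.
    Negated matches (`! -s ...`) are not handled by this simple parser."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1]}
        i = 2
        while i < len(toks):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                rule[toks[i]] = True
                i += 1
        rules.append(rule)
    return rules


def has_rule(rules, wanted):
    """True if some rule carries every option/value pair in `wanted`."""
    return any(all(r.get(k) == v for k, v in wanted.items()) for r in rules)


def check_full_tunnel(forward_text, nat_text, ip_forward,
                      vpn_net="10.8.0.0/24", tun="tun0", wan="eth0"):
    """Return the list of missing prerequisites for NATing VPN clients to the internet."""
    fwd, nat, missing = parse_rules(forward_text), parse_rules(nat_text), []
    if ip_forward.strip() != "1":
        missing.append("net.ipv4.ip_forward is not 1")
    if not has_rule(fwd, {"chain": "FORWARD", "-s": vpn_net, "-i": tun, "-o": wan, "-j": "ACCEPT"}):
        missing.append(f"FORWARD rule accepting {vpn_net} from {tun} to {wan}")
    if not has_rule(fwd, {"chain": "FORWARD", "--ctstate": "RELATED,ESTABLISHED", "-j": "ACCEPT"}):
        missing.append("FORWARD rule for RELATED,ESTABLISHED return traffic")
    if not has_rule(nat, {"chain": "POSTROUTING", "-s": vpn_net, "-o": wan, "-j": "MASQUERADE"}):
        missing.append(f"POSTROUTING MASQUERADE for {vpn_net} out {wan}")
    return missing
```

On a real server, feed it the output of `iptables -S FORWARD`, `iptables -t nat -S POSTROUTING` and `cat /proc/sys/net/ipv4/ip_forward`; an empty list means the packet path the question sets up is in place and the fault lies elsewhere (routing or pushed options).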

Best Answer

It seems that a route is missing from the server config. The server has to tell the client the new route to join it and the overall VPN subnet. Look at something like this, I guess:

push "route 10.8.0.0 255.255.255.0"