I have the following OpenVPN setup:
Client(android OpenVPN client) <-> internet <-> VPN server (linux) <-> LAN
VPN server has eth0 (visible on the open internet) and eth1 (part of the local, firewalled LAN, 192.168.1.0/24). I used the "NAT hack" to make computers in the local LAN visible to the client, using the following:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
since I don't have access to the DHCP server which pushes IP configuration to the majority of the computers in the LAN.
Now I have the following situation:
- Client connects to server without problems
- Configuration gets pushed to the client
- I can see the computers in the local LAN (this seems to be the difference from the solutions I could find – all other questions dealt with the absence of the "NAT hack" – I have that sorted out!)
- But I don't have access to the internet
The configuration that is pushed from the server to the client is:
'PUSH_REPLY,redirect-gateway autolocal bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway defl,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
As you can see, a valid (Google) DNS is provided, so that cannot be an issue, AFAIK. "redirect-gateway autolocal" should take care of the internet access, but it doesn't. "redirect-gateway dfl" does not change anything.
I am pretty sure I am missing either an additional iptables line or a route… but I am lost as to what it should be.
To clarify: I am looking for a way to access the internet via the VPN, not for the traffic to bypass the VPN! And I am unable to ping 8.8.8.8 from the client, so DNS is not the issue.
Edit: Yes, I enabled IPv4 forwarding. I assume the local LAN would not be visible without it.
pi@router:~ $ sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Best Answer
Now I understand your problem. You configured NAT only for access to the LAN; to get access to the WAN you should add another rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Update: The easiest way to check that you're not flooding the WAN with private IPs is to look at the output on eth0 using tcpdump, for example
tcpdump -n -i eth0 'src net 10.8.0.0/24 or src net 192.168.1.0/24'
If there are no packets, everything is OK.
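A small offline check for the setup described in the question and answer, added here as an example and not part of either post. It parses constructed copies of `iptables-save -t nat` output, the `sysctl net.ipv4.ip_forward` line and the PUSH_REPLY quoted in the question, and reports what still needs fixing: the missing MASQUERADE rule for eth0 that the answer adds, forwarding being off, and any redirect-gateway flag that is not one of the flags documented in the OpenVPN 2.x manual (local, autolocal, def1, bypass-dhcp, bypass-dns, block-local, ipv6, !ipv4). The interface names, the 10.8.0.0/24 tunnel subnet and the sample nat table are assumptions taken from the thread; on a real server feed it the actual command output.

```python
"""Offline audit of the OpenVPN "NAT hack" setup from the thread above.

Added example, not code from the original question or answer. It works on
constructed copies of `iptables-save -t nat`, `sysctl net.ipv4.ip_forward`
and the pushed PUSH_REPLY line, so it runs without root or a live VPN.
"""
import ipaddress
import re

VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # tunnel subnet from the question (assumption)
WAN_IF, LAN_IF = "eth0", "eth1"                  # interface names from the question (assumption)

# Flags documented for --redirect-gateway in the OpenVPN 2.x manual.
REDIRECT_GATEWAY_FLAGS = {"local", "autolocal", "def1", "bypass-dhcp",
                          "bypass-dns", "block-local", "ipv6", "!ipv4"}

# Constructed sample of `iptables-save -t nat` with only the LAN-side rule from the question.
NAT_LAN_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
"""
# The same table after the rule from the answer has been appended.
NAT_LAN_AND_WAN = NAT_LAN_ONLY.replace(
    "COMMIT", "-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT")

# Copy of the PUSH_REPLY quoted in the question, used here as sample input.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway autolocal bypass-dhcp,dhcp-option DNS 8.8.8.8,"
              "dhcp-option DNS 8.8.4.4,redirect-gateway defl,route 10.8.0.1,topology net30,"
              "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5")

POSTROUTING_RE = re.compile(r"^-A POSTROUTING\s+(?P<args>.*?)\s+-j\s+(?:MASQUERADE|SNAT)\b")


def masqueraded_interfaces(nat_dump, vpn_net=VPN_NET):
    """Return the set of outbound interfaces on which traffic from vpn_net is source-NATed."""
    found = set()
    for line in nat_dump.splitlines():
        m = POSTROUTING_RE.match(line.strip())
        if not m:
            continue
        args = m.group("args").split()
        # "-s 10.8.0.0/24 -o eth1" -> {"-s": "10.8.0.0/24", "-o": "eth1"}; negated ("!") matches
        # are not handled, which is enough for the simple rules in this thread.
        opts = dict(zip(args[::2], args[1::2]))
        if "-s" not in opts or "-o" not in opts:
            continue
        try:
            rule_net = ipaddress.ip_network(opts["-s"], strict=False)
        except ValueError:
            continue
        if vpn_net.version == rule_net.version and vpn_net.subnet_of(rule_net):
            found.add(opts["-o"])
    return found


def missing_nat(nat_dump):
    """Interfaces among (WAN_IF, LAN_IF) that still lack a SNAT/MASQUERADE rule for the VPN subnet."""
    have = masqueraded_interfaces(nat_dump)
    return [iface for iface in (WAN_IF, LAN_IF) if iface not in have]


def ip_forward_enabled(sysctl_output):
    """Parse `sysctl net.ipv4.ip_forward` output; True only if the value is 1."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", sysctl_output)
    return bool(m) and m.group(1) == "1"


def redirect_gateway_flags(push_reply):
    """Collect every flag pushed with redirect-gateway, plus the subset that is not documented."""
    flags = set()
    for option in push_reply.split(","):
        parts = option.split()
        if parts and parts[0] == "redirect-gateway":
            flags.update(parts[1:])
    return flags, flags - REDIRECT_GATEWAY_FLAGS


def audit(nat_dump, sysctl_output, push_reply):
    """Return a list of human-readable findings; an empty list means nothing left to fix."""
    findings = []
    if not ip_forward_enabled(sysctl_output):
        findings.append("net.ipv4.ip_forward is not 1; the server will not forward between tun0 and eth0/eth1")
    for iface in missing_nat(nat_dump):
        findings.append(f"no MASQUERADE/SNAT for {VPN_NET} out {iface}: add "
                        f"`iptables -t nat -A POSTROUTING -s {VPN_NET} -o {iface} -j MASQUERADE`")
    _, unknown = redirect_gateway_flags(push_reply)
    if unknown:
        findings.append("redirect-gateway pushed with undocumented flag(s): " + ", ".join(sorted(unknown)))
    return findings


if __name__ == "__main__":
    for label, dump in (("before the answer's rule", NAT_LAN_ONLY), ("after it", NAT_LAN_AND_WAN)):
        print(f"--- {label} ---")
        for finding in audit(dump, "net.ipv4.ip_forward = 1", PUSH_REPLY) or ["OK"]:
            print(finding)
```

Against the nat table from the question the audit reports the missing eth0 rule; after the rule from the answer is added only the "defl" flag is left, which is worth checking on the server side since it is not one of the documented redirect-gateway flags.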