Linux – OpenVPN client breaks remote access to web server

linuxnginxopenvpn

I have an issue where whenever I use OpenVPN client to connect to the remote server to (obviously) set up a VPN tunnel, I can no longer see my nginx server. I can connect on the local network but it seems like it's dropping any remote access to the nginx web server. The VPN tunnel works perfectly. The nginx works fine as long as OpenVPN client isn't running but it stops immediately if I set up the VPN session. Is this something that can be fixed via iptables or routing settings? The system is x86_64 Fedora 19; eth0 is the network card, and tun0 is the vpn interface. Thanks in advance!

Best Answer

The OpenVPN server is likely sending the push "redirect-gateway <if_name>" option to your clients.

In this situation, the client's default gateway is pointing through the VPN tunnel. If the network on the VPN server side of things is not configured to NAT traffic from the VPN clients back out to the internet, then the only hosts they'll be able to access are those directly accessible on the VPN server network.

Related Solutions

Openvpn server not forwarding ping traffic from tun0 to eth0 for rest of the hosts in the subnet

Ok, I figured this out after a few hours of investigation.

The problem is with the forwarding setup. The packets forwarded to eth0 port does not have correct source ip address of the host within the network. The ip addressis from VPN.

05:07:43.991961 IP 10.8.0.6 > 10.10.146.8: ICMP echo request, id 3497, seq 499, length 64

You can switch that by enabling equivalent of NAT (on routers) in linux OS:

iptables -t nat -A POSTROUTING -o <eth0 or whatever else> -j MASQUERADE

This fixed the issue for me.

SSH and OpenVPN – Allowing SSH on a Server with an Active OpenVPN Client

I'm having a similar issue to this and have been attempting the fix described in this forum post.

The idea is that currently when you connect to your public IP address, the return packets are being routed over the VPN. You need to force these packets to be routed over your public interface.

These route commands will hopefully do the trick:

ip rule add from x.x.x.x table 128

ip route add table 128 to y.y.y.y/y dev ethX

ip route add table 128 default via z.z.z.z

Where x.x.x.x is your public IP, y.y.y.y/y should be the subnet of your public IP address, ethX should be your public Ethernet interface, and z.z.z.z should be the default gateway.

Note that this hasn't worked for me (using Debian and PrivateInternetAccess) but may help you out.

Best Answer

Related Solutions

Openvpn server not forwarding ping traffic from tun0 to eth0 for rest of the hosts in the subnet

SSH and OpenVPN – Allowing SSH on a Server with an Active OpenVPN Client

Related Topic