OpenVPN Configuration – Not Default Gateway for All Traffic

openvpn

I'm trying to make my client forward all traffic through a VPS running OpenVPN. As you can see, it will allow pings to both domains and raw IP addresses, but it will not allow traffic like that made through curl, and traceroute doesn't come up with anything. The traffic works correctly when not connected to the VPN.

All information is here: https://pastebin.com/tGspNefn

Thank you.

Working configs, thanks to the solution below:

Server:

port <integer>
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh4096.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Pushed to every client: this is what sends all client traffic into the tunnel
push "redirect-gateway autolocal"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
# comp-lzo is deprecated (OpenVPN 2.4+); compression over TLS is discouraged (VORACLE)
comp-lzo
# Drop privileges after startup; persist-key/persist-tun keep things working across restarts as nobody
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Client:

client
dev tun
proto udp
remote x.x.x.x <port number>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vpnclient.crt
key vpnclient.key
tls-auth ta.key 1
# ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5; newer clients use: remote-cert-tls server
ns-cert-type server
cipher AES-256-CBC
# must match the server's comp-lzo setting; deprecated, see the server config
comp-lzo
verb 3

Best Answer

There are two parts to the solution:

1. Redirect all the traffic into the tunnel

The easiest solution is to use OpenVPN's --redirect-gateway autolocal option (or put it in the config file as redirect-gateway autolocal).

2. Handle the traffic on the OpenVPN server

Now that the tunnel is up, all the traffic goes into the tunnel and pops up at the server's end from the tun0 interface.

You need to configure two things to make it work:

a. Enable packet forwarding

By default, in most distributions, packet forwarding is disabled, hence packets from the tunnel interface never make it to the public interface. You must enable forwarding with:

~ # sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Once tested make the change permanent in /etc/sysctl.conf

Also make sure that iptables is not blocking the forwarded traffic:

~ # iptables -I FORWARD -j ACCEPT

This is good enough for testing - in production you'll want to make the firewall rules a bit more specific, but that's out of scope here.

b. NAT the outgoing packets from the tunnel

With forwarding enabled, the packets are by default forwarded with their source address unchanged, which in your case is 10.8.0.6. Such packets are either dropped on the ISP gateway or, even if they make it to the destination, the reply never finds its way back. These private addresses are not routable on the internet.

The solution is to NAT the egress traffic, i.e. replace the private 10.8.0.6 address with the VPN server's public IP. That will ensure that the replies reach the VPN server and there they will get forwarded back into the tunnel.

~ # iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

3. Test it

Now try ping 8.8.4.4 from your VPN client. You should see a reply. Let us know if not :)
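As an added example (not part of the original answer or of the asker's configs), the following script applies steps 2a and 2b as one idempotent unit and replaces the testing-only accept-all FORWARD rule with rules limited to the tunnel subnet. The subnet, tunnel interface and WAN interface are parameters; the function, file and variable names are my own assumptions. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: server-side forwarding + firewall + NAT for an OpenVPN tunnel.
# Assumptions: the tunnel subnet, tun interface and WAN interface are given as
# arguments (e.g. 10.8.0.0/24 tun0 eth0); the WAN interface must be the one
# carrying the default route ("ip route show default"), otherwise MASQUERADE
# never matches and the symptom from the question comes back.
set -eu

# run CMD... : execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE... : append the rule only if it is not already
# present (iptables -C), so re-running the script does not pile up duplicates.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

# vpn_egress_rules SUBNET TUN_IF WAN_IF : steps 2a and 2b of the answer
vpn_egress_rules() {
    subnet=$1; tun_if=$2; wan_if=$3

    # 2a. kernel forwarding for the running system
    run sysctl -w net.ipv4.ip_forward=1

    # 2a. firewall: instead of "iptables -I FORWARD -j ACCEPT", admit only
    # tunnel -> WAN from the VPN subnet, and the matching replies back.
    # The DROP policy is what makes the two ACCEPT rules meaningful.
    run iptables -P FORWARD DROP
    ensure_rule filter FORWARD -i "$tun_if" -o "$wan_if" -s "$subnet" -j ACCEPT
    ensure_rule filter FORWARD -i "$wan_if" -o "$tun_if" -d "$subnet" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2b. NAT: rewrite 10.8.0.x source addresses to the WAN address so replies
    # come back to the server and are forwarded into the tunnel.
    ensure_rule nat POSTROUTING -s "$subnet" -o "$wan_if" -j MASQUERADE
}

# persist_forwarding [FILE] : make step 2a survive a reboot (sysctl.d drop-in)
persist_forwarding() {
    file=${1:-/etc/sysctl.d/99-openvpn-forward.conf}
    printf 'net.ipv4.ip_forward = 1\n' > "$file"
}

# check_forwarding [PATH] : succeed only if the kernel currently forwards IPv4
check_forwarding() {
    path=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$path" 2>/dev/null)" = "1" ]
}

# Usage: sh vpn-egress.sh apply SUBNET TUN_IF WAN_IF
#        DRY_RUN=1 sh vpn-egress.sh apply 10.8.0.0/24 tun0 eth0
case "${1:-}" in
    apply)
        shift
        [ $# -eq 3 ] || { echo "usage: $0 apply SUBNET TUN_IF WAN_IF" >&2; exit 2; }
        vpn_egress_rules "$@"
        [ "${DRY_RUN:-0}" = "1" ] || persist_forwarding
        check_forwarding || { echo "warning: ip_forward is still 0" >&2; exit 1; }
        ;;
esac
```

The script only covers IPv4; if clients also receive IPv6 connectivity, the same forwarding and NAT (or a routed prefix) is needed with ip6tables, or the server must push an option that keeps IPv6 off the tunnel, otherwise IPv6 traffic leaks outside the VPN.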