Openvpn – Routing Internet Traffic through VPN tunnel

Tags: ipv4, ipv6, openvpn, routing

I am relatively new to the topic, so please do not mind if I ask simple (or stupid) questions.
I own a Raspberry Pi 3B and installed and configured an OpenVPN server on it.
For this I followed the OpenVPN community guide: https://openvpn.net/community-resources/how-to/
I am using a Windows machine to connect to this server, which works perfectly fine. I tried to configure the server so that my IPv4 internet traffic is routed through the tunnel. The problem is that while the connection to the VPN server is established, IPv4 websites are not loading at all. Furthermore, IPv6 traffic still slips through, so IPv6 websites load as usual.
Please find the server config, client config, iptables rulesets and IP routing table attached. In addition, I configured NAT according to the community guide with the command

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

So the problem in the end is the correct routing. Thank you all in advance for your help!

Cheers,
Patrick

P.S.: 192.168.2.1 is the IP of the WLAN router my Pi is connected to via Ethernet.

Server config

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0 
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
push "redirect-gateway local def1"
push "dhcp-options DNS 10.8.0.1"

Client config

client
dev tun
proto udp
remote 192.168.2.129 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
redirect-gateway local def1

IPv4 rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_INPUT_denied: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m udp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m tcp --sport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "iptables_OUTPUT_denied: "
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

IPv6 rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT

IP Routing table

Target        Router         Genmask          Flags   MSS Window  irtt Iface
0.0.0.0       192.168.2.1    0.0.0.0          UG        0 0          0 eth0
10.8.0.0      10.8.0.2       255.255.255.0    UG        0 0          0 tun0
10.8.0.2      0.0.0.0        255.255.255.255  UH        0 0          0 tun0
192.168.2.1   0.0.0.0        255.255.255.0    U         0 0          0 eth0
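Before looking at routes, the posted server-side firewall deserves a check of its own. The IPv4 ruleset above ends the FORWARD chain with a LOG and a REJECT and contains no ACCEPT at all, so packets arriving on tun0 from a client and bound for eth0 are rejected before the MASQUERADE rule ever sees them; this alone explains IPv4 sites not loading. (IPv6 is a separate matter: nothing in the server or client config pushes IPv6 into the tunnel, so the client's IPv6 traffic keeps using its normal route.) The script below is an added example and not part of the question or the answer: it audits an iptables-save style ruleset for an ACCEPT that is reached before the first terminating REJECT/DROP in FORWARD, in both directions, and checks net.ipv4.ip_forward. The POSTED_RULES and FIXED_RULES strings are constructed copies for offline use; the corrected rules are the editor's suggestion, not the community guide's.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Audits an iptables-save style IPv4 ruleset for the two server-side conditions
# a full-tunnel OpenVPN server needs besides the MASQUERADE rule:
#   1. the FORWARD chain must ACCEPT tun0 -> eth0 traffic (and replies back)
#      BEFORE any catch-all REJECT/DROP, because iptables stops at the first
#      terminating match;
#   2. net.ipv4.ip_forward must be 1, or the kernel never forwards at all.

# Constructed copy of the FORWARD chain as posted: only LOG and REJECT.
POSTED_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed corrected chain: tunnel clients out to eth0, only replies back in,
# logging catch-all kept last so unexpected forwarding attempts stay visible.
FIXED_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "iptables_FORWARD_denied: "
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# forward_accepts RULESET IN_IF OUT_IF [EXTRA_REGEX]
# Exit 0 if an ACCEPT rule for IN_IF -> OUT_IF (optionally also matching
# EXTRA_REGEX) is reached before the first REJECT/DROP in the FORWARD chain.
forward_accepts() {
    printf '%s\n' "$1" | awk -v inif="-i $2" -v outif="-o $3" -v extra="${4:-}" '
        /^-A FORWARD / {
            if (index($0, inif) && index($0, outif) && $0 ~ /-j ACCEPT/ &&
                (extra == "" || $0 ~ extra)) { ok = 1; exit }
            if ($0 ~ /-j (REJECT|DROP)/) { exit }
        }
        END { exit ok ? 0 : 1 }'
}

# ruleset_ok RULESET: client traffic out and established replies back must both pass.
ruleset_ok() {
    forward_accepts "$1" tun0 eth0 && forward_accepts "$1" eth0 tun0 ESTABLISHED
}

# ip_forward_enabled [FILE]: sysctl check; FILE defaults to the live /proc entry
# and can be pointed at a constructed file for offline testing.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

report() {
    if ruleset_ok "$2"; then
        echo "$1: FORWARD chain permits full-tunnel clients"
    else
        echo "$1: FORWARD chain blocks VPN clients (IPv4 sites will not load)"
    fi
}

report posted "$POSTED_RULES"
report fixed "$FIXED_RULES"
if ip_forward_enabled; then
    echo "kernel: net.ipv4.ip_forward=1"
else
    echo "kernel: ip_forward is 0 or unreadable here; on the server enable it with: sysctl -w net.ipv4.ip_forward=1"
fi
```

Run it as-is to see the verdict for both rulesets, or replace the POSTED_RULES string with the output of iptables-save on the Pi. The ESTABLISHED-only rule for the return direction keeps the LAN from reaching VPN clients unsolicited, which the original all-REJECT chain was (perhaps unintentionally) also guaranteeing.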

Best Answer

Is the IP routing table from your Windows machine, the client? I don't quite understand why they recommend the "def1" thing. To me, your question is fairly simple: your Windows client and your VPN server are both on 192.168.2.0/24 with gateway 192.168.2.1, and you would be better off setting the default gateway to the virtual IP of your VPN server inside the tunnel; check

ip addr

or simply add log /var/ovpn.log to your config and check what the real IP is. Secondly, set 192.168.2.1 as the gateway for the net 192.168.2.0/24. Once you have this routing table set up, your Windows machine will use 192.168.2.1 to reach your VPN server, and any other traffic outside 192.168.2.0/24 goes to the virtual IP of that server for routing.
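How the "def1" routes the answer mentions actually take effect, as an added example that is neither the asker's nor the answerer's: a small longest-prefix lookup over netstat -rn style tables. Both tables are constructed, modelled on the one in the question; the tunnel peer 10.8.0.5 and the 10.8.0.4/30 link are assumptions about the client side. It shows why def1 does not need to replace the 0.0.0.0/0 route (two /1 routes are more specific and cover everything), why the VPN server on the directly connected LAN is still reached outside the tunnel, and it doubles as a check that a given destination really goes out through tun0 while the VPN is up. The same check is worth running against the IPv6 routing table, since the question reports IPv6 traffic bypassing the tunnel.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Longest-prefix route lookup over a netstat -rn style table, to show what
# redirect-gateway "def1" actually does and to verify that a given destination
# really leaves through tun0 once the tunnel is up.

# Constructed table in the layout of the question, before any redirect:
# the only default route points at the LAN router.
BEFORE_DEF1='Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0'

# Constructed table after "redirect-gateway local def1" on a client whose
# tunnel peer is ASSUMED to be 10.8.0.5 on a 10.8.0.4/30 link: the LAN default
# route stays, and two /1 routes (0.0.0.0/1 and 128.0.0.0/1) are added that
# together cover the whole address space and so win every lookup except the
# directly connected LAN, which is where the VPN server itself lives.
AFTER_DEF1='Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
10.8.0.4 0.0.0.0 255.255.255.252 U 0 0 0 tun0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0'

# best_route DEST TABLE -> prints "GATEWAY IFACE" of the longest-prefix match.
# Pure POSIX awk: no bitwise ops, so the prefix comparison divides both
# addresses by 2^(32-prefixlen) and compares the integer parts.
best_route() {
    printf '%s\n' "$2" | awk -v dest="$1" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        function bits(n,  l) { l = 0; while (n > 0) { l += n % 2; n = int(n / 2) }; return l }
        BEGIN { best = -1 }
        NR == 1 { next }
        NF >= 8 {
            l = bits(ip2n($3)); div = 2 ^ (32 - l)
            if (int(ip2n(dest) / div) == int(ip2n($1) / div) && l > best) {
                best = l; gw = $2; dev = $8
            }
        }
        END { if (best >= 0) print gw, dev }'
}

# via_tunnel DEST TABLE: exit 0 if DEST would leave through tun0.
via_tunnel() {
    [ "$(best_route "$1" "$2" | awk '{ print $2 }')" = "tun0" ]
}

for dst in 8.8.8.8 200.1.2.3 192.168.2.129; do
    printf '%-14s before: %-22s after def1: %s\n' "$dst" \
        "$(best_route "$dst" "$BEFORE_DEF1")" "$(best_route "$dst" "$AFTER_DEF1")"
done
```

To use it on a live client, paste the output of netstat -rn into the table string and call via_tunnel with any public address; a result other than tun0 while the VPN is connected means that traffic is leaking past the tunnel.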