OpenVPN web traffic routing not working

openvpn

My first time trying to set up OpenVPN. I followed the HOWTO guide from OpenVPN's site and was successfully connected but when I tried to route my web traffic, it seems that nothing gets through to my server.

My server is an Amazon EC2 box and my client is MacOS Lion. I'm using Tunnelblick on the Mac. I have run/tried the following:

  • ran iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE on my server
  • disabled firewall on the mac
  • enabled UDP 1194 on EC2 firewall
  • tried both dev tun and dev tap
  • tried using Amazon's name server with push "dhcp-option DNS 172.16.0.23" as well as Google's 8.8.8.8

Here is my server config file: http://pastebin.com/izCBxk99

server ifconfig while running OpenVPN: http://pastebin.com/xM9w8kAA

server log, with one client connecting and trying to open a webpage after successful connection: http://pastebin.com/B1WAJ2XH

Client config file: http://pastebin.com/GzPeXE7E

client ifconfig while running OpenVPN: http://pastebin.com/ZQvvP9Z0

client log: http://pastebin.com/xmhEx77g

The only error I notice is in the client log, where it says:

2012-05-06 20:43:44 us=732786 /sbin/ifconfig tap0 delete
                                    ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2012-05-06 20:43:44 us=738214 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

Could that be the problem? I found some webpage that said Tunnelblick used to have problems with Lion, but the version I'm using is higher than the one mentioned as the fix.

In addition, I noticed that after running iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE (with su), my server still shows just the following if I do netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.248.138.0    0.0.0.0         255.255.254.0   U         0 0          0 eth0
0.0.0.0         10.248.138.1    0.0.0.0         UG        0 0          0 eth0

The server doesn't seem to have gotten the new routes. Is this the problem?

Please help. Thanks!

Best Answer

Have you enabled ip_forward on server?

cat /proc/sys/net/ipv4/ip_forward # 0 disabled, 1 enabled

Enable it to allow masquerading:

echo 1 > /proc/sys/net/ipv4/ip_forward

and to make the change permanent, edit /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
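A check script, added here and not part of the question or the answer, that verifies the three conditions the answer and the question's MASQUERADE command together rely on: forwarding switched on, the NAT rule actually loaded, and forwarding persisted across reboots. It assumes the 10.8.0.0/24 subnet and eth0 egress interface from the question and is meant to be run as root with --run on the server.

```shell
#!/bin/sh
# Added example, not from the question or answer: checks the three conditions
# a server needs before clients on the VPN subnet can reach the web through it.
# Assumes the subnet (10.8.0.0/24) and egress interface (eth0) from the question.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
OUT_IF="${OUT_IF:-eth0}"

# Succeeds when FILE (normally /proc/sys/net/ipv4/ip_forward) contains "1".
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Succeeds when RULES (output of `iptables -t nat -S POSTROUTING`) lists a
# MASQUERADE rule for NET leaving via IF. Exact match, so a rule that was added
# with a different subnet or interface does not count.
nat_rule_present() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Succeeds when FILE (normally /etc/sysctl.conf) has an uncommented
# net.ipv4.ip_forward=1, i.e. forwarding survives a reboot.
sysctl_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1" 2>/dev/null
}

# Runs all three checks on the live system; returns 1 if a hard check fails.
check_vpn_forwarding() {
    status=0
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ok:   ip_forward is 1"
    else
        echo "FAIL: ip_forward is 0; run: echo 1 > /proc/sys/net/ipv4/ip_forward"; status=1
    fi
    if nat_rule_present "$(iptables -t nat -S POSTROUTING 2>/dev/null)" "$VPN_NET" "$OUT_IF"; then
        echo "ok:   MASQUERADE rule for $VPN_NET via $OUT_IF present"
    else
        echo "FAIL: no MASQUERADE rule for $VPN_NET via $OUT_IF"; status=1
    fi
    if sysctl_persisted /etc/sysctl.conf; then
        echo "ok:   net.ipv4.ip_forward=1 persisted in /etc/sysctl.conf"
    else
        echo "WARN: forwarding not persisted; it will be off again after reboot"
    fi
    # A NAT rule adds no routes, so netstat -rn looks unchanged; the 10.8.0.0/24
    # route on tun0 appears only while the OpenVPN server process is running.
    return $status
}

case "${1:-}" in --run) check_vpn_forwarding ;; esac
```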