I have Ubuntu 18.04 running on a Compute Engine instance on the Google Cloud Platform. I set up a VPN on 1194/UDP using Nyr's awesome script (I also tried on 443/TCP). The VPN connects; however, I am unable to access the internet when connected.
greg@vpn:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 !10.8.0.0/24 to:104.154.-.- #removed
traceroute on the VPN
greg@vpn:~$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 209.85.241.122 (209.85.241.122) 10.729 ms 216.239.63.174 (216.239.63.174) 9.965 ms 209.85.241.122 (209.85.241.122) 10.771 ms
2 108.170.243.187 (108.170.243.187) 10.086 ms 108.170.243.196 (108.170.243.196) 10.330 ms 10.285 ms
3 141.101.73.2 (141.101.73.2) 10.867 ms 10.860 ms 11.104 ms
4 one.one.one.one (1.1.1.1) 10.753 ms 9.886 ms 9.930 ms
local traceroute when connected to VPN
greg ~ $traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
...
There is an issue on Nyr's repo which suggests it's a networking config problem. My question is, how do I troubleshoot this? And can this be a firewall / GCP config problem if the VPN server has access to the Internet?
/etc/openvpn/server.conf
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
I've ensured the iptables rules are correct:
greg@vpn:~$ iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o ens4 -j SNAT --to 104.154.x.x
Here is my ip route show:
greg@vpn:~$ ip route show
default via 10.128.0.1 dev ens4 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.128.0.1 dev ens4 proto dhcp scope link metric 100
Subnets
greg@vpn:~$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 ens4
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 ens4
I've also enabled net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf
My traceroute from local when connected to VPN
greg ~ $sudo mtr 1.1.1.1
My traceroute [vUNKNOWN]
Gregs-MacBook-Pro.local (10.8.0.2) 2019-03-14T13:57:40-0400
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 10.8.0.1 0.0% 24 35.3 36.5 34.3 48.2 3.8
2. ???
My traceroute directly from VPN server
greg@vpn:~$ mtr 1.1.1.1
My traceroute [v0.92]
vpn (10.128.0.28) 2019-03-14T18:11:28+0000
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 216.239.40.188 0.0% 177 10.1 11.3 10.0 33.7 3.8
2. 108.170.243.196 0.0% 177 10.5 10.6 10.4 13.9 0.5
3. 141.101.73.2 0.0% 177 10.8 14.2 10.7 52.4 7.1
4. one.one.one.one 0.0% 176 11.1 11.1 10.9 12.6 0.2
Best Answer
Have you enabled IP forwarding?
You can do it either on the instance details page in GCP or directly in sysctl.conf:
net.ipv4.ip_forward=1
Also, I once used this great tutorial to set up OpenVPN on Ubuntu 16 and it worked flawlessly; I'm sure it will be of great help.
For the internet access troubleshooting, it would be good to post your GCP routing table and firewall rules.
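As an added example (not part of the question, the answer, or Nyr's script), the following checks the three kernel-side prerequisites the answer points at before OpenVPN clients can reach the internet through the server: ip_forward set, a POSTROUTING SNAT/MASQUERADE rule whose source prefix covers the pool from the `server` directive, and a FORWARD chain that lets tun0 traffic through. It assumes `iptables -S` style output (one rule per line); the sample values are constructed from the question, with the redacted SNAT address replaced by a placeholder and ip_forward assumed to be 0.

```python
import ipaddress
import re
from typing import List

def parse_server_subnet(server_conf: str) -> ipaddress.IPv4Network:
    """Return the client pool from the 'server <net> <mask>' directive."""
    for line in server_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server' directive in server.conf")

def nat_covers(nat_rules: str, vpn_net: ipaddress.IPv4Network) -> bool:
    """True if a POSTROUTING SNAT/MASQUERADE rule's -s prefix contains the pool
    (so the /16 the question added still covers the /24 pool)."""
    for line in nat_rules.splitlines():
        m = re.match(r"-A POSTROUTING .*-s (\S+) .*-j (SNAT|MASQUERADE)", line)
        if m and vpn_net.subnet_of(ipaddress.IPv4Network(m.group(1))):
            return True
    return False

def forward_allows(filter_rules: str) -> bool:
    """True if FORWARD defaults to ACCEPT or has an explicit ACCEPT for tun0."""
    for line in filter_rules.splitlines():
        if line.startswith("-P FORWARD ACCEPT"):
            return True
        if line.startswith("-A FORWARD") and " -i tun0 " in line and line.endswith("-j ACCEPT"):
            return True
    return False

def diagnose(ip_forward: str, server_conf: str, nat_rules: str, filter_rules: str) -> List[str]:
    """Return findings; an empty list means the kernel side looks complete."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is 0: kernel will not route tun0 -> ens4 traffic")
    vpn_net = parse_server_subnet(server_conf)
    if not nat_covers(nat_rules, vpn_net):
        findings.append(f"no POSTROUTING SNAT/MASQUERADE rule covers {vpn_net}")
    if not forward_allows(filter_rules):
        findings.append("FORWARD chain neither defaults to ACCEPT nor accepts tun0")
    return findings

# Constructed sample (from the question; 104.154.0.0 is a placeholder for the redacted address).
SAMPLE_CONF = "port 1194\nserver 10.8.0.0 255.255.255.0\n"
SAMPLE_NAT = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 10.8.0.0/16 -o ens4 -j SNAT --to-source 104.154.0.0\n"
SAMPLE_FILTER = "-P FORWARD ACCEPT\n"

if __name__ == "__main__":
    for finding in diagnose("0", SAMPLE_CONF, SAMPLE_NAT, SAMPLE_FILTER):
        print("FINDING:", finding)
```

On the server itself, feed it live values from `cat /proc/sys/net/ipv4/ip_forward`, `iptables -S -t nat` and `iptables -S FORWARD`.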