Connected to VPN but not reaching internal network
by cotarelo from LinuxQuestions.org on (#5S5VT)
Hi!
I am not sure what I did but my OpenVPN in Debian 10 stopped routing traffic. I believe it happened in some recent update. I tried uninstalling and reinstalling the openvpn package but I had no luck. The VPN gateway is responding and OpenVPN connects correctly, but once connected I can't access internal servers or browse the web.
The connection from my mobile (on 4G) to the VPN is good, it connects. But I can't seem to reach the internal network. I think it's something related to iptables, as forwarding is enabled.
Code:
root@DietPi:/home/dietpi# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(failed reverse-i-search)`echo': iptabl^C --list
root@DietPi:/home/dietpi# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@DietPi:/home/dietpi# /sbin/iptables-save > /etc/iptables/rules.v4
root@DietPi:/home/dietpi# route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.31.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.31.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@DietPi:/home/dietpi# /sbin/ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.31.254 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::2247:47ff:feed:9fea prefixlen 64 scopeid 0x20<link>
ether 20:47:47:ed:9f:ea txqueuelen 1000 (Ethernet)
RX packets 23571 bytes 3043694 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26598 bytes 3539766 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7200000-f7220000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1782 bytes 374097 (365.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1782 bytes 374097 (365.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::b28d:fecd:24dc:b079 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 450 (450.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions
From the OpenVPN logs I can see only status.log, which is blank.
If I start OpenVPN via the command line and connect from mobile, this happens:
Code:
root@DietPi:/etc/openvpn# /usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Sun Nov 21 00:54:43 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Sun Nov 21 00:54:43 2021 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Sun Nov 21 00:54:43 2021 Diffie-Hellman initialized with 2048 bit key
Sun Nov 21 00:54:43 2021 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=eth0 HWADDR=20:47:47:ed:9f:ea
Sun Nov 21 00:54:43 2021 TUN/TAP device tun0 opened
Sun Nov 21 00:54:43 2021 TUN/TAP TX queue length set to 100
Sun Nov 21 00:54:43 2021 /sbin/ip link set dev tun0 up mtu 1500
Sun Nov 21 00:54:43 2021 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Nov 21 00:54:43 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Nov 21 00:54:43 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Nov 21 00:54:43 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Nov 21 00:54:43 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Nov 21 00:54:43 2021 UDPv4 link remote: [AF_UNSPEC]
Sun Nov 21 00:54:43 2021 GID set to nogroup
Sun Nov 21 00:54:43 2021 UID set to nobody
Sun Nov 21 00:54:43 2021 MULTI: multi_init called, r=256 v=256
Sun Nov 21 00:54:43 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Nov 21 00:54:43 2021 Initialization Sequence Completed
Sun Nov 21 00:54:52 2021 176.80.133.166:51866 TLS: Initial packet from [AF_INET]176.80.133.166:51866, sid=f846d120 d9f17d44
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 VERIFY OK: depth=1, CN=ChangeMe
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 VERIFY OK: depth=0, CN=DietPi_OpenVPN_Client
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_VER=3.git::662eae9a:Release
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_PLAT=android
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_NCP=2
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_TCPNL=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_PROTO=2
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_LZO_STUB=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_COMP_STUB=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_COMP_STUBv2=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_AUTO_SESS=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_SSO=openurl
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_BS64DL=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 [DietPi_OpenVPN_Client] Peer Connection Initiated with [AF_INET]176.80.133.166:51866
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI: Learn: 10.8.0.6 -> DietPi_OpenVPN_Client/176.80.133.166:51866
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI: primary virtual IP for DietPi_OpenVPN_Client/176.80.133.166:51866: 10.8.0.6
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 PUSH: Received control message: 'PUSH_REQUEST'
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 SENT CONTROL [DietPi_OpenVPN_Client]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Anybody able to help? Not sure what I am missing.
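
Added example, not part of the original post: a small check that reads the `PUSH_REPLY` line from the server log above and reports which networks the client was told to route through the tunnel. The function names are hypothetical, and the LAN prefix `192.168.31.0/24` is an assumption derived from the `eth0` address and netmask in the `ifconfig` output.

```python
import ipaddress
import re

# Line copied from the server log in the post above.
LOG_LINE = (
    "Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 "
    "SENT CONTROL [DietPi_OpenVPN_Client]: 'PUSH_REPLY,route 10.8.0.0 "
    "255.255.255.0,topology net30,ping 10,ping-restart 60,"
    "ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)"
)


def parse_push_reply(line):
    """Return the pushed options as token lists, or [] if no PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", line)
    if not m:
        return []
    return [opt.split() for opt in m.group(1).split(",") if opt.strip()]


def pushed_routes(options):
    """Networks the client was told to send into the tunnel."""
    nets = []
    for opt in options:
        if opt[0] != "route" or len(opt) < 2:
            continue
        # OpenVPN treats a route without a netmask as a host route.
        mask = opt[2] if len(opt) >= 3 else "255.255.255.255"
        try:
            nets.append(ipaddress.ip_network(f"{opt[1]}/{mask}", strict=False))
        except ValueError:
            continue  # keyword or hostname target, not a literal network
    return nets


def check_reachability(line, lan_cidr):
    """Report whether the push covers lan_cidr or redirects the default route."""
    options = parse_push_reply(line)
    lan = ipaddress.ip_network(lan_cidr)
    routes = pushed_routes(options)
    return {
        "routes": [str(n) for n in routes],
        "lan_routed": any(lan.subnet_of(n) for n in routes),
        "default_redirected": any(o[0] == "redirect-gateway" for o in options),
    }


if __name__ == "__main__":
    print(check_reachability(LOG_LINE, "192.168.31.0/24"))
```

For the log line in the post, the only pushed route is `10.8.0.0/24`: neither the `192.168.31.0/24` LAN nor a default-route redirect is sent to the client. Separately, `iptables --list` prints only the filter table, so any NAT rules would appear under `iptables -t nat --list` instead.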