Im trying to setup OpenVPN on Ubuntu and I can’t get internet access when I connect. Only local ip of server is reachable (10.8.0.1) Please Help.<\/p>\n
My configurations:<\/p>\n
Server.conf<\/strong><\/p>\n client.conf<\/strong><\/p>\n iptables -L<\/strong><\/p>\n sysctl.conf<\/strong><\/p>\n ifconfig – with openvpn running<\/strong><\/p>\n ifconfig – without openvpn running<\/strong><\/p>\n netstat -rn – with openvpn running<\/strong><\/p>\n netstat -rn – without openvpn running<\/strong><\/p>\n if anyone can help please do…<\/p>\n Thanks in advance.<\/p>\n","protected":false},"excerpt":{"rendered":" Im trying to setup OpenVPN on Ubuntu and I can’t get internet access when I connect. Only local ip of server is reachable (10.8.0.1) Please Help. My configurations: Server.conf ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6801","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6801","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6801"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6801\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6801"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6801"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6801"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}#################################################\n# Sample OpenVPN 2.0 config file for #\n# multi-client server. #\n# #\n# This file is for the server side #\n# of a many-clients one-server #\n# OpenVPN configuration. #\n# #\n# OpenVPN also supports #\n# single-machine single-machine #\n# configurations (See the Examples page #\n# on the web site for more info). #\n# #\n# This config should work on Windows #\n# or Linux\/BSD systems. Remember on #\n# Windows to quote pathnames and use #\n# double backslashes, e.g.: #\n# \"C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key\" #\n# #\n# Comments are preceded with '#' or ';' #\n#################################################\n\n# Which local IP address should OpenVPN\n# listen on? (optional)\n;local a.b.c.d\n\n# Which TCP\/UDP port should OpenVPN listen on?\n# If you want to run multiple OpenVPN instances\n# on the same machine, use a different port\n# number for each one. You will need to\n# open up this port on your firewall.\nport 1194\n\n# TCP or UDP server?\n;proto tcp\nproto udp\n\n# \"dev tun\" will create a routed IP tunnel,\n# \"dev tap\" will create an ethernet tunnel.\n# Use \"dev tap0\" if you are ethernet bridging\n# and have precreated a tap0 virtual interface\n# and bridged it with your ethernet interface.\n# If you want to control access policies\n# over the VPN, you must create firewall\n# rules for the the TUN\/TAP interface.\n# On non-Windows systems, you can give\n# an explicit unit number, such as tun0.\n# On Windows, use \"dev-node\" for this.\n# On most systems, the VPN will not function\n# unless you partially or fully disable\n# the firewall for the TUN\/TAP interface.\n;dev tap\ndev tun\n\n# Windows needs the TAP-Win32 adapter name\n# from the Network Connections panel if you\n# have more than one. On XP SP2 or higher,\n# you may need to selectively disable the\n# Windows firewall for the TAP adapter.\n# Non-Windows systems usually don't need this.\n;dev-node MyTap\n\n# SSL\/TLS root certificate (ca), certificate\n# (cert), and private key (key). Each client\n# and the server must have their own cert and\n# key file. The server and all clients will\n# use the same ca file.\n#\n# See the \"easy-rsa\" directory for a series\n# of scripts for generating RSA certificates\n# and private keys. Remember to use\n# a unique Common Name for the server\n# and each of the client certificates.\n#\n# Any X509 key management system can be used.\n# OpenVPN can also use a PKCS #12 formatted key file\n# (see \"pkcs12\" directive in man page).\nca ca.crt\ncert server.crt\nkey server.key # This file should be kept secret\n\n# Diffie hellman parameters.\n# Generate your own with:\n# openssl dhparam -out dh1024.pem 1024\n# Substitute 2048 for 1024 if you are using\n# 2048 bit keys. \ndh dh1024.pem\n\n# Configure server mode and supply a VPN subnet\n# for OpenVPN to draw client addresses from.\n# The server will take 10.8.0.1 for itself,\n# the rest will be made available to clients.\n# Each client will be able to reach the server\n# on 10.8.0.1. Comment this line out if you are\n# ethernet bridging. See the man page for more info.\nserver 10.8.0.0 255.255.255.0\n\n# Maintain a record of client virtual IP address\n# associations in this file. If OpenVPN goes down or\n# is restarted, reconnecting clients can be assigned\n# the same virtual IP address from the pool that was\n# previously assigned.\nifconfig-pool-persist ipp.txt\n\n# Configure server mode for ethernet bridging.\n# You must first use your OS's bridging capability\n# to bridge the TAP interface with the ethernet\n# NIC interface. Then you must manually set the\n# IP\/netmask on the bridge interface, here we\n# assume 10.8.0.4\/255.255.255.0. Finally we\n# must set aside an IP range in this subnet\n# (start=10.8.0.50 end=10.8.0.100) to allocate\n# to connecting clients. Leave this line commented\n# out unless you are ethernet bridging.\n;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100\n\n# Configure server mode for ethernet bridging\n# using a DHCP-proxy, where clients talk\n# to the OpenVPN server-side DHCP server\n# to receive their IP address allocation\n# and DNS server addresses. You must first use\n# your OS's bridging capability to bridge the TAP\n# interface with the ethernet NIC interface.\n# Note: this mode only works on clients (such as\n# Windows), where the client-side TAP adapter is\n# bound to a DHCP client.\n;server-bridge\n\n# Push routes to the client to allow it\n# to reach other private subnets behind\n# the server. Remember that these\n# private subnets will also need\n# to know to route the OpenVPN client\n# address pool (10.8.0.0\/255.255.255.0)\n# back to the OpenVPN server.\n;push \"route 192.168.10.0 255.255.255.0\"\n;push \"route 192.168.20.0 255.255.255.0\"\n\n# To assign specific IP addresses to specific\n# clients or if a connecting client has a private\n# subnet behind it that should also have VPN access,\n# use the subdirectory \"ccd\" for client-specific\n# configuration files (see man page for more info).\n\n# EXAMPLE: Suppose the client\n# having the certificate common name \"Thelonious\"\n# also has a small subnet behind his connecting\n# machine, such as 192.168.40.128\/255.255.255.248.\n# First, uncomment out these lines:\n;client-config-dir ccd\n;route 192.168.40.128 255.255.255.248\n# Then create a file ccd\/Thelonious with this line:\n# iroute 192.168.40.128 255.255.255.248\n# This will allow Thelonious' private subnet to\n# access the VPN. This example will only work\n# if you are routing, not bridging, i.e. you are\n# using \"dev tun\" and \"server\" directives.\n\n# EXAMPLE: Suppose you want to give\n# Thelonious a fixed VPN IP address of 10.9.0.1.\n# First uncomment out these lines:\n;client-config-dir ccd\n;route 10.9.0.0 255.255.255.252\n# Then add this line to ccd\/Thelonious:\n# ifconfig-push 10.9.0.1 10.9.0.2\n\n# Suppose that you want to enable different\n# firewall access policies for different groups\n# of clients. There are two methods:\n# (1) Run multiple OpenVPN daemons, one for each\n# group, and firewall the TUN\/TAP interface\n# for each group\/daemon appropriately.\n# (2) (Advanced) Create a script to dynamically\n# modify the firewall in response to access\n# from different clients. See man\n# page for more info on learn-address script.\n;learn-address .\/script\n\n# If enabled, this directive will configure\n# all clients to redirect their default\n# network gateway through the VPN, causing\n# all IP traffic such as web browsing and\n# and DNS lookups to go through the VPN\n# (The OpenVPN server machine may need to NAT\n# or bridge the TUN\/TAP interface to the internet\n# in order for this to work properly).\n;push \"redirect-gateway def1 bypass-dhcp\"\n\n# Certain Windows-specific network settings\n# can be pushed to clients, such as DNS\n# or WINS server addresses. CAVEAT:\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats\n# The addresses below refer to the public\n# DNS servers provided by opendns.com.\n;push \"dhcp-option DNS 208.67.222.222\"\n;push \"dhcp-option DNS 208.67.220.220\"\n\n# Uncomment this directive to allow different\n# clients to be able to \"see\" each other.\n# By default, clients will only see the server.\n# To force clients to only see the server, you\n# will also need to appropriately firewall the\n# server's TUN\/TAP interface.\n;client-to-client\n\n# Uncomment this directive if multiple clients\n# might connect with the same certificate\/key\n# files or common names. This is recommended\n# only for testing purposes. For production use,\n# each client should have its own certificate\/key\n# pair.\n#\n# IF YOU HAVE NOT GENERATED INDIVIDUAL\n# CERTIFICATE\/KEY PAIRS FOR EACH CLIENT,\n# EACH HAVING ITS OWN UNIQUE \"COMMON NAME\",\n# UNCOMMENT THIS LINE OUT.\n;duplicate-cn\n\n# The keepalive directive causes ping-like\n# messages to be sent back and forth over\n# the link so that each side knows when\n# the other side has gone down.\n# Ping every 10 seconds, assume that remote\n# peer is down if no ping received during\n# a 120 second time period.\nkeepalive 10 120\n\n# For extra security beyond that provided\n# by SSL\/TLS, create an \"HMAC firewall\"\n# to help block DoS attacks and UDP port flooding.\n#\n# Generate with:\n# openvpn --genkey --secret ta.key\n#\n# The server and each client must have\n# a copy of this key.\n# The second parameter should be '0'\n# on the server and '1' on the clients.\n;tls-auth ta.key 0 # This file is secret\n\n# Select a cryptographic cipher.\n# This config item must be copied to\n# the client config file as well.\n;cipher BF-CBC # Blowfish (default)\n;cipher AES-128-CBC # AES\n;cipher DES-EDE3-CBC # Triple-DES\n\n# Enable compression on the VPN link.\n# If you enable it here, you must also\n# enable it in the client config file.\ncomp-lzo\n\n# The maximum number of concurrently connected\n# clients we want to allow.\n;max-clients 100\n\n# It's a good idea to reduce the OpenVPN\n# daemon's privileges after initialization.\n#\n# You can uncomment this out on\n# non-Windows systems.\n;user nobody\n;group nogroup\n\n# The persist options will try to avoid\n# accessing certain resources on restart\n# that may no longer be accessible because\n# of the privilege downgrade.\npersist-key\npersist-tun\n\n# Output a short status file showing\n# current connections, truncated\n# and rewritten every minute.\nstatus openvpn-status.log\n\n# By default, log messages will go to the syslog (or\n# on Windows, if running as a service, they will go to\n# the \"\\Program Files\\OpenVPN\\log\" directory).\n# Use log or log-append to override this default.\n# \"log\" will truncate the log file on OpenVPN startup,\n# while \"log-append\" will append to it. Use one\n# or the other (but not both).\n;log openvpn.log\n;log-append openvpn.log\n\n# Set the appropriate level of log\n# file verbosity.\n#\n# 0 is silent, except for fatal errors\n# 4 is reasonable for general usage\n# 5 and 6 can help to debug connection problems\n# 9 is extremely verbose\nverb 3\n\n# Silence repeating messages. At most 20\n# sequential messages of the same message\n# category will be output to the log.\n;mute 20\n\npush \"redirect-gateway def1\"\n<\/code><\/pre>\n##############################################\n# Sample client-side OpenVPN 2.0 config file #\n# for connecting to multi-client server. #\n# #\n# This configuration can be used by multiple #\n# clients, however each client should have #\n# its own cert and key files. #\n# #\n# On Windows, you might want to rename this #\n# file so it has a .ovpn extension #\n##############################################\n\n# Specify that we are a client and that we\n# will be pulling certain config file directives\n# from the server.\nclient\n\n# Use the same setting as you are using on\n# the server.\n# On most systems, the VPN will not function\n# unless you partially or fully disable\n# the firewall for the TUN\/TAP interface.\n;dev tap\ndev tun\n\n# Windows needs the TAP-Win32 adapter name\n# from the Network Connections panel\n# if you have more than one. On XP SP2,\n# you may need to disable the firewall\n# for the TAP adapter.\n;dev-node MyTap\n\n# Are we connecting to a TCP or\n# UDP server? Use the same setting as\n# on the server.\n;proto tcp\nproto udp\n\n# The hostname\/IP and port of the server.\n# You can have multiple remote entries\n# to load balance between the servers.\nremote XXX.XXX.XXX.XXX 1194\n;remote my-server-2 1194\n\n# Choose a random host from the remote\n# list for load-balancing. Otherwise\n# try hosts in the order specified.\n;remote-random\n\n# Keep trying indefinitely to resolve the\n# host name of the OpenVPN server. Very useful\n# on machines which are not permanently connected\n# to the internet such as laptops.\nresolv-retry infinite\n\n# Most clients don't need to bind to\n# a specific local port number.\nnobind\n\n# Downgrade privileges after initialization (non-Windows only)\n;user nobody\n;group nogroup\n\n# Try to preserve some state across restarts.\npersist-key\npersist-tun\n\n# If you are connecting through an\n# HTTP proxy to reach the actual OpenVPN\n# server, put the proxy server\/IP and\n# port number here. See the man page\n# if your proxy server requires\n# authentication.\n;http-proxy-retry # retry on connection failures\n;http-proxy [proxy server] [proxy port #]\n\n# Wireless networks often produce a lot\n# of duplicate packets. Set this flag\n# to silence duplicate packet warnings.\n;mute-replay-warnings\n\n# SSL\/TLS parms.\n# See the server config file for more\n# description. It's best to use\n# a separate .crt\/.key file pair\n# for each client. A single ca\n# file can be used for all clients.\nca ca.crt\ncert client.crt\nkey client.key\n\n# Verify server certificate by checking\n# that the certicate has the nsCertType\n# field set to \"server\". This is an\n# important precaution to protect against\n# a potential attack discussed here:\n# http:\/\/openvpn.net\/howto.html#mitm\n#\n# To use this feature, you will need to generate\n# your server certificates with the nsCertType\n# field set to \"server\". The build-key-server\n# script in the easy-rsa folder will do this.\nns-cert-type server\n\n# If a tls-auth key is used on the server\n# then every client must also have the key.\n;tls-auth ta.key 1\n\n# Select a cryptographic cipher.\n# If the cipher option is used on the server\n# then you must also specify it here.\n;cipher x\n\n# Enable compression on the VPN link.\n# Don't enable this unless it is also\n# enabled in the server config file.\ncomp-lzo\n\n# Set log file verbosity.\nverb 3\n\n# Silence repeating messages\n;mute 20\n<\/code><\/pre>\nroot@server:~# iptables -L\nChain INPUT (policy ACCEPT)\ntarget prot opt source destination \nAS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\nAS0_ACCEPT all -- anywhere anywhere \nAS0_IN_PRE all -- anywhere anywhere mark match 0x2000000\/0x2000000\nAS0_ACCEPT udp -- anywhere server state NEW udp dpt:openvpn\nAS0_ACCEPT tcp -- anywhere server state NEW tcp dpt:https\nAS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\nAS0_WEBACCEPT tcp -- anywhere server state NEW tcp dpt:943\n\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination \nAS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\nAS0_IN_PRE all -- anywhere anywhere mark match 0x2000000\/0x2000000\nAS0_OUT_S2C all -- anywhere anywhere \nACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED\nACCEPT all -- 10.8.0.0\/24 anywhere \nREJECT all -- anywhere anywhere reject-with icmp-port-unreachable\n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination \nAS0_OUT_LOCAL all -- anywhere anywhere \n\nChain AS0_ACCEPT (5 references)\ntarget prot opt source destination \nACCEPT all -- anywhere anywhere \n\nChain AS0_IN (4 references)\ntarget prot opt source destination \nACCEPT all -- anywhere 5.5.0.1 \nACCEPT all -- anywhere localnet\/24 \nAS0_IN_POST all -- anywhere anywhere \n\nChain AS0_IN_POST (1 references)\ntarget prot opt source destination \nAS0_OUT all -- anywhere anywhere \nDROP all -- anywhere anywhere \n\nChain AS0_IN_PRE (2 references)\ntarget prot opt source destination \nAS0_IN all -- anywhere 5.5.0.0\/20 \nAS0_IN all -- anywhere 192.168.0.0\/16 \nAS0_IN all -- anywhere 172.16.0.0\/12 \nAS0_IN all -- anywhere 10.0.0.0\/8 \nACCEPT all -- anywhere anywhere \n\nChain AS0_OUT (2 references)\ntarget prot opt source destination \nDROP all -- anywhere anywhere \n\nChain AS0_OUT_LOCAL (1 references)\ntarget prot opt source destination \nDROP icmp -- anywhere anywhere icmp redirect\nACCEPT all -- anywhere anywhere \n\nChain AS0_OUT_S2C (1 references)\ntarget prot opt source destination \nAS0_OUT all -- anywhere anywhere \n\nChain AS0_WEBACCEPT (2 references)\ntarget prot opt source destination \nACCEPT all -- anywhere anywhere\n<\/code><\/pre>\n# Uncomment the next line to enable packet forwarding for IPv4\nnet.ipv4.ip_forward=1\n<\/code><\/pre>\nroot@server:~# ifconfig \nas0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 \n inet addr:5.5.0.1 P-t-P:5.5.0.1 Mask:255.255.248.0\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:200 \n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\n\neth0 Link encap:Ethernet HWaddr 00:01:6c:2d:be:00 \n inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0\n inet6 addr: fe80::201:6cff:fe2d:be00\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:28831661 errors:0 dropped:65539 overruns:0 frame:0\n TX packets:25344300 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:27763144851 (27.7 GB) TX bytes:19771050493 (19.7 GB)\n\nlo Link encap:Local Loopback \n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1\/128 Scope:Host\n UP LOOPBACK RUNNING MTU:65536 Metric:1\n RX packets:744868 errors:0 dropped:0 overruns:0 frame:0\n TX packets:744868 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0 \n RX bytes:208557442 (208.5 MB) TX bytes:208557442 (208.5 MB)\n\ntun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 \n inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1\n RX packets:5608 errors:0 dropped:0 overruns:0 frame:0\n TX packets:5892 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:100 \n RX bytes:1018432 (1.0 MB) TX bytes:4512967 (4.5 MB)\n<\/code><\/pre>\nroot@server:~# ifconfig \nas0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 \n inet addr:5.5.0.1 P-t-P:5.5.0.1 Mask:255.255.248.0\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:200 \n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\n\neth0 Link encap:Ethernet HWaddr 00:01:6c:2d:be:00 \n inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0\n inet6 addr: fe80::201:6cff:fe2d:be00\/64 Scope:Link\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\n RX packets:28833221 errors:0 dropped:65539 overruns:0 frame:0\n TX packets:25345463 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:1000 \n RX bytes:27763517926 (27.7 GB) TX bytes:19771192727 (19.7 GB)\n\nlo Link encap:Local Loopback \n inet addr:127.0.0.1 Mask:255.0.0.0\n inet6 addr: ::1\/128 Scope:Host\n UP LOOPBACK RUNNING MTU:65536 Metric:1\n RX packets:744948 errors:0 dropped:0 overruns:0 frame:0\n TX packets:744948 errors:0 dropped:0 overruns:0 carrier:0\n collisions:0 txqueuelen:0 \n RX bytes:208569802 (208.5 MB) TX bytes:208569802 (208.5 MB)\n<\/code><\/pre>\nroot@server:~# netstat -rn\nKernel IP routing table\nDestination Gateway Genmask Flags MSS Window irtt Iface\n0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0\n5.5.0.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t0\n10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0\n10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0\n192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0\n<\/code><\/pre>\nroot@server:~# netstat -rn\nKernel IP routing table\nDestination Gateway Genmask Flags MSS Window irtt Iface\n0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0\n5.5.0.0 0.0.0.0 255.255.248.0 U 0 0 0 as0t0\n192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0\n<\/code><\/pre>\n