# [solved] openvpn no internet connection

## Prof. Frink

Hey, 

I don't get openvpn working. Here is my server.conf

```
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.178.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.178.1"
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
push "explicit-exit-notify 3"
```

Here is my client.conf

```
client
dev tun
proto udp
remote xxx.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert falke.crt
key falke.key
remote-cert-tls server
comp-lzo
verb 3
```

Here is server.log, after connecting 

```
Sun Aug 13 17:48:11 2017 event_wait : Interrupted system call (code=4)
Sun Aug 13 17:48:11 2017 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Sun Aug 13 17:48:11 2017 ERROR: Linux route delete command failed: external program exited with error status: 2
Sun Aug 13 17:48:11 2017 Closing TUN/TAP interface
Sun Aug 13 17:48:11 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Sun Aug 13 17:48:11 2017 Linux ip addr del failed: external program exited with error status: 2
Sun Aug 13 17:48:11 2017 SIGTERM[hard,] received, process exiting
Sun Aug 13 17:48:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Sun Aug 13 17:48:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Aug 13 17:48:11 2017 Diffie-Hellman initialized with 2048 bit key
Sun Aug 13 17:48:11 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sun Aug 13 17:48:11 2017 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:1f:08:23
Sun Aug 13 17:48:11 2017 TUN/TAP device tun0 opened
Sun Aug 13 17:48:11 2017 TUN/TAP TX queue length set to 100
Sun Aug 13 17:48:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Aug 13 17:48:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Aug 13 17:48:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Aug 13 17:48:11 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Aug 13 17:48:11 2017 GID set to openvpn
Sun Aug 13 17:48:11 2017 UID set to openvpn
Sun Aug 13 17:48:11 2017 UDPv4 link local (bound): [undef]
Sun Aug 13 17:48:11 2017 UDPv4 link remote: [undef]
Sun Aug 13 17:48:11 2017 MULTI: multi_init called, r=256 v=256
Sun Aug 13 17:48:11 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Aug 13 17:48:11 2017 ifconfig_pool_read(), in='falke,10.8.0.4', TODO: IPv6
Sun Aug 13 17:48:11 2017 succeeded -> ifconfig_pool_set()
Sun Aug 13 17:48:11 2017 IFCONFIG POOL LIST
Sun Aug 13 17:48:11 2017 falke,10.8.0.4
Sun Aug 13 17:48:11 2017 Initialization Sequence Completed
Sun Aug 13 17:48:27 2017 92.195.103.53:35463 TLS: Initial packet from [AF_INET]92.195.103.53:35463, sid=3ee2128c 55b85d59
Sun Aug 13 17:48:28 2017 92.195.103.53:35463 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Frink inc., OU=Frink, CN=Frink inc. CA, name=EasyRSA, emailAddress=xxx
Sun Aug 13 17:48:28 2017 92.195.103.53:35463 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Frink inc., OU=Frink, CN=falke, name=EasyRSA, emailAddress=xxx
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 [falke] Peer Connection Initiated with [AF_INET]92.195.103.53:35463
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI: Learn: 10.8.0.6 -> falke/92.195.103.53:35463
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI: primary virtual IP for falke/92.195.103.53:35463: 10.8.0.6
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 PUSH: Received control message: 'PUSH_REQUEST'
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 send_push_reply(): safe_cap=940
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 SENT CONTROL [falke]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.178.1,explicit-exit-notify 3,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
```

ping google.de on client fails: "unknown host google.de"

Any ideas about this?

Thank you.

*Last edited by Prof. Frink on Tue Aug 15, 2017 10:55 am; edited 1 time in total*

----------

## fpemud

1. what is the result of "ping 8.8.8.8"?

2. what is the result of "cat /etc/resolv.conf"?

----------

## Prof. Frink

*fpemud wrote:*

> 1. what is the result of "ping 8.8.8.8"?

```
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
213 packets transmitted, 0 received, 100% packet loss, time 217125ms
```

*Quote:*

> 2. what is the result of "cat /etc/resolv.conf"?

```
# cat /etc/resolv.conf
# Generated by openvpn for interface tun0
nameserver 192.168.178.1
```

----------

## bbgermany

Hi,

Please add "pull" to your client config and afterwards post the output of "ifconfig -a", "netstat -rn" and maybe a traceroute to 8.8.8.8.

greets, bb

EDIT: Oh and btw, does your router know the way to your openvpn network? I guess not, looks like a Fritz!Box IP address ;) In this case, a bridged configuration could be an option for you. Let me know if you want to try it.

----------

## Prof. Frink

```
#ifconfig -a
enp0s25: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 8c:73:6e:db:6e:b9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xf2400000-f2420000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Lokale Schleife)
        RX packets 192  bytes 15552 (15.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 192  bytes 15552 (15.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 1  (IPv6-nach-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::f6ee:debc:7f57:50ee  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 6323 (6.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp16s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.104  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::bf1c:2d45:eb5e:30ff  prefixlen 64  scopeid 0x20<link>
        ether 18:3d:a2:0d:bb:b0  txqueuelen 1000  (Ethernet)
        RX packets 362229  bytes 494397580 (471.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 172105  bytes 17042500 (16.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

```
 # netstat -rn
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 wlp16s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
92.195.17.137   192.168.2.1     255.255.255.255 UGH       0 0          0 wlp16s0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp16s0
192.168.178.0   10.8.0.5        255.255.255.0   UG        0 0          0 tun0
```

```
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  24.414 ms  24.417 ms  24.418 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
```

Yes, I use a FritzBox.  What do you mean by "bridged configuration"?

Thank you.

----------

## bbgermany

The problem is, your FritzBox doesn't know the way to your OpenVPN network. That's why you cannot access anything via the VPN. A bridged configuration means that your local DHCP server can provide IPs from your network to the VPN client. So you could get a 192.168.178.x IP address from your FritzBox. You can also try to run an iptables rule instead. But you would mask all VPN traffic on your OpenVPN server then.

Please replace eth0 with your server interface!

iptables rule:

```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Don't forget to enable IP forwarding.

Do you use openvpn for your wireless lan, or to access your lan via the internet? If you use it via the internet, this config could be one for you:

/etc/conf/net (server):

```
config_eth0="null"
tuntap_tap0="tap"
config_tap0="null"
config_br0="192.168.178.X/24" # enter your openvpn server ip address
routes_br0="default via 192.168.178.1"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=1
bridge_br0="eth0"

depend_tap0() {
        need net.br0
}

depend_br0() {
        need net.eth0
}

depend_openvpn() {
        need net.tap0
}

postup() {
        brctl addif br0 tap0
}
```

openvpn server config:

```
port 1194
proto udp
dev tap0
dev-type tap
mode server
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key
dh ./easy-rsa2/keys/dh2048.pem
comp-lzo
verb 2
status-version 2
status /etc/openvpn/openvpn-status.log
client-config-dir /etc/openvpn/ccd
persist-key
persist-tun
reneg-sec 1200
keepalive 10 120
client-to-client
duplicate-cn
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
remote-cert-tls client
```

client config:

```
client
dev tap
proto tcp-client
remote your-server.org 1194 # dont forget to replace!!!
nobind
persist-key
persist-tun
ca ca.crt
cert falke.crt
key falke.key
key-direction 1
comp-lzo
verb 2
pull
tls-client
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server
tls-version-min 1.2
```

You should create a TLS key as well and add it to your server and client config as well. If you have issues with the bridged configuration, let me know about it. You should just increase the verbosity then to at least 3, better 4.

greets bb
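The iptables route suggested above, as an added example that is not bbgermany's or Prof. Frink's own script: it enables forwarding, adds a MASQUERADE rule limited to the VPN pool (so the server does not NAT unrelated traffic), adds the matching FORWARD rules, and includes a check for the two things the "one hop, then * * *" traceroute depends on. It assumes the LAN uplink is eth0, the tunnel is tun0 with the 10.8.0.0/24 pool from the server.conf above, and that iptables is installed; adjust the three variables at the top otherwise.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread itself.
# Assumptions: LAN uplink eth0, tunnel tun0, pool 10.8.0.0/24 (from server.conf).
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# With DRY_RUN=1 the commands are printed instead of executed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# The FritzBox has no route back to 10.8.0.0/24, so the server must NAT the
# tunnel traffic. The rule is limited to the pool (-s) so the server does not
# masquerade unrelated traffic, and FORWARD rules are added so a DROP policy
# on the FORWARD chain cannot silently discard the tunnelled packets.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$VPN_NET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Without forwarding the server accepts the client's packets on tun0 and drops
# them, which is the "one hop, then * * *" traceroute shown in the thread.
enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

# Pure check: given the ip_forward value and the output of
# "iptables -t nat -S POSTROUTING", return 0 only if both pieces are in place.
nat_ok() {
    fwd="$1"; rules="$2"
    [ "$fwd" = 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -e "-s $VPN_NET .*-o $WAN_IF .*-j MASQUERADE"
}

# Live wrapper around nat_ok for use on the server (needs root for iptables).
check_nat() {
    nat_ok "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING)"
}

case "${1:-}" in
    apply) enable_forwarding && nat_rules ;;
    check) check_nat && echo "forwarding and NAT for $VPN_NET via $WAN_IF are in place" ;;
esac
```

Run it as root with `apply` once and `check` afterwards; the `RTNETLINK answers: Operation not permitted` lines in the server log above appear only at shutdown, after `user openvpn` dropped root, and are unrelated to this problem.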

----------

## Prof. Frink

Hey,

with the iptables rule enabled everything works fine, so I will leave everything as it is and won't switch to the bridged configuration. Thank you very much.

Greets

Frink

----------

