# [solved] Openvpn Server - Routing internet traffic

## Elleni

I installed the OpenVPN server and am able to connect to it from an Android system. I can also see a webpage hosted on the OpenVPN server, which also has Apache installed on it.

But I cannot reach other internet sites.

What is needed to route all traffic coming from the OpenVPN client to the internet? Can this be achieved by adding a route to the routing table of the server, or do I have to use iptables? I have no firewall installed on the server for the moment.

```
port 1234
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh4096.pem
tls-auth /etc/openvpn/certs/ta.key 0
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
persist-key
persist-tun
topology subnet
keepalive 10 120
local myipadress of the server
user openvpn
group openvpn
# client-to-client
comp-lzo
log        /var/log/openvpn.log
status     /var/log/openvpn-status.log
verb 5
mute 20
client-config-dir ccd
route 10.8.1.0 255.255.255.0
```

When I try to access a website on the internet, I see

```
bad source address from client [10.216.50.110], packet dropped
```

in the OpenVPN server's log.

*Last edited by Elleni on Sat Apr 16, 2016 2:21 pm; edited 2 times in total*

----------

## gerdesj

For OpenVPN clients to access the internet:

Routing (forwarding) must be enabled on the server (echo 1 > /proc/sys/net/ipv4/ip_forward, /etc/sysctl.d/, or similar that will set that entry)

The clients must have a default gateway route that goes via the OVPN server

The server must have a NAT rule for the OVPN clients

The firewall must permit the traffic

You are probably missing out one of those items.  You can run Wireshark (or tcpdump to file and read it via Wireshark elsewhere) and watch the traffic.  Remember you can't see network traffic, and guessing rarely works out!

Cheers

Jon

----------

## Elleni

The first 2 points are OK. But I don't have iptables installed on the server. Can a NAT rule be implemented without iptables, or do I have to install iptables on the server to create a NAT rule?

----------

## gerdesj

*Elleni wrote:*

> The first 2 points are OK. But I don't have iptables installed on the server. Can a NAT rule be implemented without iptables, or do I have to install iptables on the server to create a NAT rule?

NAT is a firewall function and hence iptables is needed if you want to do it at the OpenVPN server.  However - unless your OVPN server has an external address - you actually have to do the NAT at your router.  You will also need a static route on your router for the OVPN network which points back at your OVPN server.

Client <-> Server (OVPN network) <-> OVPN server (LAN) <-> Router (LAN) <-> Router (WAN) <-> ISP <-> Internet <-> Target

All the <-> above are routes and all devices need to "know" about the routes between all the others.  You probably have all of them defined apart from Server (OVPN network) <-> Router (LAN) on Router.  The NAT at Router (WAN) hides all your stuff behind itself which avoids you having to run BGP and of course your ISP takes care of your routes in the outside world.

----------

## Elleni

Understood. Thanks for the detailed answer. As the server is a virtual server and I have no router in between that I could configure, and I access the server by its public address, I understand now that I will have to implement iptables for NAT, and I will also add the needed route(s) in order to let my OpenVPN server secure my internet access via mobile device.

I will put [solved] as soon as I am done, but this could take a while  :Smile:

In the meantime I once more thank you for the awesome support in this forum!   :Very Happy:

----------

## gerdesj

As the OVPN server has a public IP address then you will not need much in the way of routing because it "knows" where all its interfaces are already.  

Please get a firewall installed as soon as possible.  There are several great packages, e.g. Shorewall and ufw, which will make managing rules easier, or you can simply write a script.  If you are using OpenRC you can put the rules in /etc/conf.d/net in postup() { } and postdown() { }

Good luck!

----------

## Elleni

OK, I have iptables up and running with the help of:

https://wiki.gentoo.org/wiki/Iptables

and then added:

```
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o enp0s5 -j MASQUERADE
```

Internet access on the VPN client now works, with a little exception:

When I change 

```
iptables -P INPUT DROP 
```

I have the problem that the websites hosted on the same server are not accessible. But internet access is still working.

As soon as I change the INPUT policy to ACCEPT, I have access to my website too.

Following are the iptables rules that I have set; perhaps someone sees what I should change in order to be able to access the internet, including my own website hosted on the same server, from the VPN client - with the INPUT policy set to DROP.

```
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:10024 flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:10025 flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:mysql flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn-port flags:FIN,SYN,RST,ACK/SYN ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.1.0/24          anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.1.0/24          anywhere
```

----------

## gerdesj

You are nearly there.  Could you post the output from the following:

```
# ip a
# ip r
# netstat -leepn | grep 80
```

I assume your webserver is listening on :80 (substitute apache or nginx if more appropriate.)

Cheers

Jon

----------

## Elleni

```
ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:66:08:79 brd ff:ff:ff:ff:ff:ff
    inet <ser.ver.ip.address>/24 brd <ser.ver.netw.255 scope global enp0s5
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.8.1.1/24 brd 10.8.1.255 scope global tun0
       valid_lft forever preferred_lft forever
```

```
ip b

Object "b" is unknown, try "ip help".
```

```
netstat -leepn | grep 80

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          5539       3968/apache2
unix  2      [ ACC ]     STREAM     HÖRT         5801     4172/master          private/rewrite
unix  2      [ ACC ]     STREAM     HÖRT         5804     4172/master          private/bounce
unix  2      [ ACC ]     STREAM     HÖRT         5807     4172/master          private/defer
```

Yes, and on port 443 too.

```
netstat -leepn | grep apache

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          5536       3968/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          5539       3968/apache2
unix  2      [ ACC ]     STREAM     HÖRT         54703    29865/apache2        /var/run/cgisock.3968
```

Thanks in advance  :Smile: 

----------

## Elleni

After reflecting a little bit, and after finding out that sending mails did not work either from my mobile with the VPN connection established, I found my error. I had most rules with -i enp0s5, which naturally explains why I could not see webpages that were requested via tun0. Corrected it and tataaa, everything works fine now  :Smile:

Thanks once again for incredible support in this forum! I love my gentoo  :Smile: 

----------
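Added example, written for this thread and not taken from either poster: a firewall script carrying the ruleset the thread converges on, with the web-server INPUT rules matched on both the public interface and tun0, and a dry-run mode so the per-interface rules can be checked before anything is applied. Interface names, the VPN subnet and the OpenVPN port are those from the thread; SSH on port 22 and the 80/443 service list are assumptions, and ip_forward is assumed to be enabled already as described above.

```shell
#!/bin/sh
# Added example, not from the thread: the firewall the thread converges on,
# with the INPUT rules for the web server matching both the public interface
# and tun0. Interface names, VPN subnet and OpenVPN port come from the thread;
# SSH on 22 and the 80/443 port list are assumptions.
set -eu

WAN_IF="${WAN_IF:-enp0s5}"          # public interface (from `ip a` above)
VPN_IF="${VPN_IF:-tun0}"            # OpenVPN tunnel interface
VPN_NET="${VPN_NET:-10.8.1.0/24}"   # "server 10.8.1.0 255.255.255.0"
OVPN_PORT="${OVPN_PORT:-1234}"      # "port 1234" / "proto udp"

# DRY_RUN=1 prints each rule instead of applying it, so the ruleset can be
# reviewed (and checked by rules_for below) before it touches a live server.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # OpenVPN and SSH only arrive on the public interface.
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$OVPN_PORT" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Apache must be reachable from the internet AND from VPN clients: a rule
    # carrying only "-i $WAN_IF" never matches a request coming in on tun0,
    # which is exactly why the sites vanished once INPUT was set to DROP.
    for ifc in "$WAN_IF" "$VPN_IF"; do
        for port in 80 443; do
            ipt -A INPUT -i "$ifc" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    # Forward VPN client traffic to the internet and masquerade it behind
    # the public address (ip_forward must already be enabled, as above).
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ipt -A FORWARD -j REJECT
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Number of INPUT rules admitting NEW TCP connections to port $2 on interface $1,
# counted from a dry run; a 0 for tun0 reproduces the thread's bug.
rules_for() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- "-A INPUT -i $1 -p tcp --dport $2 " || true
}
if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run with `DRY_RUN=1 sh script.sh --apply` to print the rules, and without DRY_RUN (as root) to load them.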

