No internet with OpenVPN clients

Started by vividou, March 02, 2018, 07:31:13 PM

March 02, 2018, 07:31:13 PM Last Edit: March 03, 2018, 07:43:48 PM by vividou
Hello,

My OpenVPN is running and my client can connect to it.

However, the clients cannot connect to the Internet through the vpn.

My purpose is that the clients can connect to the vpn server to surf the Internet from it only (no connection to local network).

How do I configure OPNsense for this purpose?


Here is my configuration with OPNsense 18.1.2_2-amd64

VPN: OpenVPN: Servers
Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked


Firewall: Rules: WAN
pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard

Firewall: Rules: OpenVPN
nothing

Firewall: NAT: Outbound
Automatic outbound NAT rule generation

Should I assign an interface for OpenVPN?

Thanks

Quote from: vividou on March 02, 2018, 07:31:13 PM
However, the clients cannot connect to the Internet through the vpn.

Does that mean that clients cannot ping 8.8.8.8 or that they cannot resolve public DNS?

If you can ping 8.8.8.8, try these lines under advanced settings of your OpenVPN server page:

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

(Other public DNS services are available)

My firewall OpenVPN server provides access to the internet without an interface assigned.

Bart...


Add a rule under Firewall, Rules, OpenVPN for IPv4+IPv6, any, any, any, any, any. This should have been added by the OpenVPN wizard.

If that works, add a rule above it to deny access to your internal networks (as per your requirement).

Bart...

March 03, 2018, 11:08:41 AM #4 Last Edit: March 03, 2018, 11:12:38 AM by vividou
Thanks.

I have added the rule Firewall: Rules: OpenVPN
IPv4 *, *, *, *, *, *

This allows pinging the Google DNS servers (8.8.8.8).

However, nslookup still does not work.

Adding the advanced settings:
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

does not give a better result. (By the way, is it possible to use the DNS servers already configured in OPNsense instead of listing them again in the OpenVPN configuration?)


Do the clients pick up the new settings after restart of your VPN service? What does their nslookup show as default server?

I don't use OPNsense for DNS, but others have mentioned that you need to set it to listen on the OpenVPN interface.

Bart...

Which DNS do you use? Dnsmasq or Unbound?
If Unbound, you need to add your OpenVPN net to the access list.

The nslookup command on my client connected to the OpenVPN server never returns and nothing is displayed.

In my configuration Unbound DNS is enabled. Despite adding the OpenVPN network to the access list and allowing it, there is no internet and no DNS resolution.

I have read that some people changed the NAT settings, but not sure which settings to set then.

No output from nslookup -q=soa google.com. 8.8.8.8 on a client?

It may be worth running a packet capture on the client and/or the firewall to ensure that the packets are going where you want them to go and if so, what is happening to them.

Wireshark is the de facto analysis tool.

Bart...

The "nslookup -q=soa google.com 8.8.8.8" command on a client connected to the vpn server provides a result:
$ nslookup -q=soa google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 187645724
refresh = 900
retry = 900
expire = 1800
minimum = 60

Authoritative answers can be found from:


It is the same result when the command is run while not connected to the VPN server.

I have also tried another command to see the gateway used when connecting to the server:
$ ip route get 8.8.8.8
8.8.8.8 via 10.0.8.1 dev tun0  src 10.0.8.2
    cache


This time the output is different when the client is not connected to the server.

Here is the result of another command when connected to the VPN server.

$ ip route show
0.0.0.0/1 via 10.0.8.1 dev tun0
default via 10.41.yyy.yyy dev wlp3s0  proto static  metric 600
10.0.8.0/24 dev tun0  proto kernel  scope link  src 10.0.8.2
10.41.0.0/18 dev wlp3s0  proto kernel  scope link  src 10.41.yyy.yyy  metric 600
10.255.255.254 via 10.41.0.1 dev wlp3s0  proto dhcp  metric 600
xxx.xxx.xxx.xxx via 10.41.0.1 dev wlp3s0
128.0.0.0/1 via 10.0.8.1 dev tun0
169.254.0.0/16 dev tun0  scope link  metric 1000



Just to note, compared to the OPNsense config given at the beginning of the post, only the following has changed:
Firewall: Rules: OpenVPN
pass IPV4 *, OpenVPN net, *, *, *, *

Adding the OpenVPN network to the access list of the Unbound DNS server does not change the situation described here.
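The routing table quoted above is the client-side effect of the "Redirect Gateway" option: OpenVPN installs two /1 routes via the tunnel (which beat the existing default route on prefix length) plus a host route to the VPN server via the physical interface. The following is an added example, not from the thread, that parses `ip route show` output, reproduces the `ip route get` longest-prefix lookup, and checks that this redirect-gateway layout is in place. The sample table is constructed from the post; the poster's masked server address (xxx.xxx.xxx.xxx) and WLAN address (10.41.yyy.yyy) are replaced with 203.0.113.10 and 10.41.7.7.

```python
import ipaddress
import re

# Constructed sample modelled on the `ip route show` output quoted above; the
# poster's masked VPN-server address (xxx.xxx.xxx.xxx) and WLAN address
# (10.41.yyy.yyy) are replaced with 203.0.113.10 and 10.41.7.7 here.
ROUTES = """\
0.0.0.0/1 via 10.0.8.1 dev tun0
default via 10.41.0.1 dev wlp3s0  proto static  metric 600
10.0.8.0/24 dev tun0  proto kernel  scope link  src 10.0.8.2
10.41.0.0/18 dev wlp3s0  proto kernel  scope link  src 10.41.7.7  metric 600
10.255.255.254 via 10.41.0.1 dev wlp3s0  proto dhcp  metric 600
203.0.113.10 via 10.41.0.1 dev wlp3s0
128.0.0.0/1 via 10.0.8.1 dev tun0
169.254.0.0/16 dev tun0  scope link  metric 1000
"""

ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)")

def parse_routes(text):
    """Return [(network, via-or-None, dev)] from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dst, via, dev = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
            routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for one destination, like `ip route get` (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check_redirect_gateway(text, server_ip):
    """Verify the two /1 routes of redirect-gateway def1 and the server bypass route."""
    routes = parse_routes(text)
    halves = {str(n): (via, dev) for n, via, dev in routes if n.prefixlen == 1}
    lo, hi = halves.get("0.0.0.0/1"), halves.get("128.0.0.0/1")
    srv = lookup(routes, server_ip)
    return {
        # both halves present, same next hop, on a tun device: all traffic enters the VPN
        "split_default": bool(lo and hi and lo == hi and lo[1].startswith("tun")),
        # host route to the server via the physical NIC avoids a routing loop
        "server_bypasses_tunnel": bool(srv and not srv[2].startswith("tun")),
        "tunnel_gateway": lo[0] if lo else None,
    }
```

Call `check_redirect_gateway(ROUTES, "203.0.113.10")` on a real table (with the real server address) to confirm the client side is routing everything into the tunnel before looking at the firewall.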

If you can get to Google for DNS then the problem lies with the client. Can you set the client OS to always use 8.8.8.8 (or 9.9.9.9, OpenDNS, etc) to see if that will work?

It's always easier to have a working setup to start from.

Bart...

Hello,

a quick refresh on my current setup:
Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked


then the client file is obtained from the client export section:
Verify Server CN        Automatic-Use verify-x509-name
Use Random Local Port   checked


Exporting the other files:

Firewall: Rules: WAN
pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard

Firewall: Rules: OpenVPN
pass, IPv4 *, OpenVPN net, *, *, *, *, OpenVPN wizard

With this configuration I am able to ping 8.8.8.8. With wireshark running on the client, I can see that the traffic goes to the tun0 in clear then to the internet encrypted with OpenVPN protocol.
However, it is not possible to display web pages.

I suspect that the traffic is not re-emitted by OPNsense to satisfy the request.
What could be the reason?

When looking at Firewall/Log Files/Live View, I do not see any traffic to/from the OpenVPN interface.

How can I monitor the traffic going in/out of a specific interface? Is this Live View the only way?

Thanks,

If you can ping 8.8.8.8 can you resolve hosts from it? Try:

nslookup google.com. 8.8.8.8

nslookup google.com.

If the first one works but the second one doesn't, you need to push out a DNS server to your clients.

Bart...

May 24, 2018, 06:40:37 PM #13 Last Edit: May 24, 2018, 07:53:43 PM by vividou
Yes, I can ping using DNS names.

$ nslookup google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.110


$ nslookup google.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.78


But no internet. Which opnsense settings could block the traffic despite having a passing rule on the firewall?


When increasing the verbosity on the client side to 6 and trying to browse the internet, I can see a lot of traffic as follows:

Thu May 24 19:40:18 2018 us=366858 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367395 UDPv4 READ [161] from [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=160
Thu May 24 19:40:18 2018 us=367685 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367881 TUN READ [1328]
Thu May 24 19:40:18 2018 us=368478 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424
Thu May 24 19:40:18 2018 us=368823 TUN READ [1328]
Thu May 24 19:40:18 2018 us=369423 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424


At the same time, Wireshark listening on the tun0 interface shows a lot of messages of this kind that I do not observe when browsing the internet without OpenVPN:
1018 115.665848000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Retransmission] 54801→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499056 TSecr=1287031960
1023 119.121651000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Out-Of-Order] 54802→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499920 TSecr=1287031998
1029 122.384418000 93.184.220.29 10.0.8.2 TCP 52 [TCP Keep-Alive ACK] 80→48290 [ACK] Seq=2365 Ack=1375 Win=148480 Len=0 TSval=1070943662 TSecr=488092
1030 123.153667000 10.0.8.2 34.217.184.213 TCP 52 [TCP Keep-Alive] 54804→443 [ACK] Seq=1198 Ack=3189 Win=36608 Len=0 TSval=500928 TSecr=1287042247

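When ping works but page loads stall, the two outputs above carry numbers worth extracting: the verbose log pairs each plaintext TUN READ with the encrypted UDPv4 WRITE that follows it (the difference is the per-packet encapsulation overhead), and the tun0 capture carries Wireshark's TCP analysis flags and payload sizes. The following is an added example, not from the thread, that parses both; the sample lines are constructed from the post, with the masked server address (xxx.xxx.xxx.xxx) replaced by 203.0.113.10.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the client log and tun0 capture quoted
# above; the masked server address (xxx.xxx.xxx.xxx) is replaced with 203.0.113.10.
OPENVPN_LOG = """\
Thu May 24 19:40:18 2018 us=366858 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367395 UDPv4 READ [161] from [AF_INET]203.0.113.10:1194: P_DATA_V1 kid=0 DATA len=160
Thu May 24 19:40:18 2018 us=367685 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367881 TUN READ [1328]
Thu May 24 19:40:18 2018 us=368478 UDPv4 WRITE [1425] to [AF_INET]203.0.113.10:1194: P_DATA_V1 kid=0 DATA len=1424
Thu May 24 19:40:18 2018 us=368823 TUN READ [1328]
Thu May 24 19:40:18 2018 us=369423 UDPv4 WRITE [1425] to [AF_INET]203.0.113.10:1194: P_DATA_V1 kid=0 DATA len=1424
"""
CAPTURE = """\
1018 115.665848000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Retransmission] 54801→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499056 TSecr=1287031960
1023 119.121651000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Out-Of-Order] 54802→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499920 TSecr=1287031998
1029 122.384418000 93.184.220.29 10.0.8.2 TCP 52 [TCP Keep-Alive ACK] 80→48290 [ACK] Seq=2365 Ack=1375 Win=148480 Len=0 TSval=1070943662 TSecr=488092
1030 123.153667000 10.0.8.2 34.217.184.213 TCP 52 [TCP Keep-Alive] 54804→443 [ACK] Seq=1198 Ack=3189 Win=36608 Len=0 TSval=500928 TSecr=1287042247
"""

LOG_RE = re.compile(r"(TUN|UDPv4) (READ|WRITE) \[(\d+)\]")

def parse_openvpn_log(text):
    """Return [(channel, direction, bytes)] for each TUN/UDP read or write."""
    return [(c, d, int(n)) for c, d, n in LOG_RE.findall(text)]

def tunnel_overhead(events):
    """Pair each TUN READ (plaintext packet from the client stack) with the
    UDPv4 WRITE that follows it (the encrypted datagram), returning
    (inner, outer, overhead) so the per-packet encapsulation cost is visible."""
    pairs, pending = [], None
    for channel, direction, size in events:
        if (channel, direction) == ("TUN", "READ"):
            pending = size
        elif (channel, direction) == ("UDPv4", "WRITE") and pending is not None:
            pairs.append((pending, size, size - pending))
            pending = None
    return pairs

def capture_summary(text):
    """Count Wireshark's TCP analysis flags and find the largest TCP payload on tun0."""
    flags = Counter(re.findall(r"\[(TCP [^\]]+)\]", text))
    lens = [int(n) for n in re.findall(r"Len=(\d+)", text)]
    return {"flags": flags, "max_payload": max(lens, default=0),
            "frames": len(text.splitlines())}
```

Note that the 1328-byte TUN reads in the log are the same 1328-byte frames Wireshark sees on tun0, and each leaves the client as a 1425-byte UDP datagram; comparing that outer size with the path MTU is the next thing to check when only large packets misbehave.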
Try curl http://checkip.dyndns.com/ and make sure that the public IP address is the one you are expecting.

Bart...