No internet with OpenVPN clients

[vividou]

Hello,

My OpenVPN is running and my client can connect to it.

However, the clients cannot connect to the Internet through the vpn.

My purpose is that the clients can connect to the vpn server to surf the Internet from it only (no connection to local network).

How to configure Opnsense for this purpose?


Here is my configuration with OPNsense 18.1.2_2-amd64

VPN: OpenVPN: Servers

Code: [Select]

Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked
Firewall: Rules: WAN

Code: [Select]

pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard
Firewall: Rules: OpenVPN
nothing

Firewall: NAT: Outbound
Automatic outbound NAT rule generation

Should I assign an interface for OpenVPN?

Thanks

[bartjsmit]

However, the clients cannot connect to the Internet through the vpn.

Does that mean that clients cannot ping 8.8.8.8 or that they cannot resolve public DNS?

If you can ping 8.8.8.8, try these lines under advanced settings of your OpenVPN server page:

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

(Other public DNS services are available)

My firewall OpenVPN server provides access to the internet without an interface assigned.

Bart...

[vividou]

The pings to 8.8.8.8 fail.

[bartjsmit]

Add a rule under Firewall, Rules, OpenVPN for IPv4+IPv6, any, any, any, any, any. This should have been added by the OpenVPN wizard.

If that works, add a rule above it to deny access to your internal networks (as per your requirement).

Bart...

[vividou]

Thanks.

I have added the rule Firewall: Rules: OpenVPN
IPv4 *, *, *, *, *, *

This allows pinging the google dns servers (8.8.8..

However the nslookup still does not work.

Adding the advanced settings:
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

does not provide better result. (by the way, is it possible to use the dns already provided in opnsense configuration instead of relisting them in the openvpn configuration?)

[bartjsmit]

Do the clients pick up the new settings after restart of your VPN service? What does their nslookup show as default server?

I don't use OPNsense for DNS, but others have mentioned that you need to set it to listen on the OpenVPN interface.

Bart...

[the-mk]

which dns do you use? DNS masq or Unbound?
If Unbound you need to add your OpenVPN net to the accesslist

[vividou]

The nslookup command on my client connected to the openvpn never returns and nothing is displayed.

On my configuration Unbound DNS is enabled. Despite adding and allowing the OpenVPN network to the access list, no internet, no dns resolution.

I have read that some people changed the NAT settings, but not sure which settings to set then.

[bartjsmit]

No output from nslookup -q=soa google.com. 8.8.8.8 on a client?

It may be worth running a packet capture on the client and/or the firewall to ensure that the packets are going where you want them to go and if so, what is happening to them.

Wireshark is the de facto analysis tool.

Bart...

[vividou]

The "nslookup -q=soa google.com 8.8.8.8" command on a client connected to the vpn server provides a result:

Code: [Select]

$ nslookup -q=soa google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 187645724
refresh = 900
retry = 900
expire = 1800
minimum = 60

Authoritative answers can be found from:
It is the same result when the command is not connected to the vpn server.

I have also tried antoher command to see the gateway used when connecting to the server:

Code: [Select]

$ ip route get 8.8.8.8
8.8.8.8 via 10.0.8.1 dev tun0  src 10.0.8.2
    cache
The output is this time different when the client is not connected to the server.

Here is the result of another command whenc connected to the vpn server.

Code: [Select]

$ ip route show
0.0.0.0/1 via 10.0.8.1 dev tun0
default via 10.41.yyy.yyy dev wlp3s0  proto static  metric 600
10.0.8.0/24 dev tun0  proto kernel  scope link  src 10.0.8.2
10.41.0.0/18 dev wlp3s0  proto kernel  scope link  src 10.41.yyy.yyy  metric 600
10.255.255.254 via 10.41.0.1 dev wlp3s0  proto dhcp  metric 600
xxx.xxx.xxx.xxx via 10.41.0.1 dev wlp3s0
128.0.0.0/1 via 10.0.8.1 dev tun0
169.254.0.0/16 dev tun0  scope link  metric 1000

Just to make a point to my Opnsense config now according to the one provided at the beginning of the post, only the following has changed:
Firewall: Rules: OpenVPN

Code: [Select]

pass IPV4 *, OpenVPN net, *, *, *, *
Adding the OpenVPN network to the access list of Unbound DNS server do not change the status made here.

[bartjsmit]

If you can get to Google for DNS then the problem lies with the client. Can you set the client OS to always use 8.8.8.8 (or 9.9.9.9, OpenDNS, etc) to see if that will work?

It's always easier to have a working setup to start from.

Bart...

[vividou]

Hello,

a quick refresh on my current setup:

Code: [Select]

Server Mode:            Remote Access (SSL/TLS + User Auth)
Protocol:               UDP
Device Mode:            tun
Interface:              WAN
Local port:             1194
TLS Authentication:     checked
Certificate Depth:      One (Client+Server)
IPv4 Tunnel Network:    10.0.8.0/24
Redirect Gateway:       checked
Compression:            Enabled with Adaptive Compression
Disable IPv6:           checked
Dynamic IP:             checked
Address Pool:           checked
Topology:               checked
Force DNS cache update: checked
then the client file is obtained from the client export section:

Code: [Select]

Verify Server CN        Automatic-Use verify-x509-name
Use Random Local Port   checked
Exporting the others file

Firewall: Rules: WAN

Code: [Select]

pass, IPv4 UDP, *, *, WAN address 1194, *, OpenVPN wizard
Firewall: Rules: OpenVPN

Code: [Select]

pass, IPv4 *, OpenVPN net, *, *, *, *, OpenVPN wizard
With this configuration I am able to ping 8.8.8.8. With wireshark running on the client, I can see that the traffic goes to the tun0 in clear then to the internet encrypted with OpenVPN protocol.
However, it is not possible to display web pages.

I am suspected that the traffic is not reemitted by opnsense to satisfy the request.
What could be the reason?

When looking the Firewall/Log Files/Live View, I do not see any traffic to/from the openvpn interface.

How to monitor the traffic going in/out a specific interface? Is this Live View the only way?

Thanks,

[bartjsmit]

If you can ping 8.8.8.8 can you resolve hosts from it? Try:

nslookup google.com. 8.8.8.8

nslookup google.com.

If the first one works but the second one doesn't, you need to push out a DNS server to your clients.

Bart...

[vividou]

Yes, I can ping using dns names.

Code: [Select]

$ nslookup google.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.110

Code: [Select]

$ nslookup google.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.214.78
But no internet. Which opnsense settings could block the traffic despite having a passing rule on the firewall?


When increasing the verbosity on the client side to 6 and trying browsing the internet, I can see lot of traffic as follow:

Code: [Select]

Thu May 24 19:40:18 2018 us=366858 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367395 UDPv4 READ [161] from [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=160
Thu May 24 19:40:18 2018 us=367685 TUN WRITE [64]
Thu May 24 19:40:18 2018 us=367881 TUN READ [1328]
Thu May 24 19:40:18 2018 us=368478 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424
Thu May 24 19:40:18 2018 us=368823 TUN READ [1328]
Thu May 24 19:40:18 2018 us=369423 UDPv4 WRITE [1425] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=1424
In the same time, wireshark listening on the tun0 interface provides such kind of messages a lot that I do not observe when browsing the internet without openvpn:

Code: [Select]

1018 115.665848000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Retransmission] 54801→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499056 TSecr=1287031960
1023 119.121651000 10.0.8.2 34.217.184.213 TCP 1328 [TCP Out-Of-Order] 54802→443 [ACK] Seq=334 Ack=3033 Win=35584 Len=1276 TSval=499920 TSecr=1287031998
1029 122.384418000 93.184.220.29 10.0.8.2 TCP 52 [TCP Keep-Alive ACK] 80→48290 [ACK] Seq=2365 Ack=1375 Win=148480 Len=0 TSval=1070943662 TSecr=488092
1030 123.153667000 10.0.8.2 34.217.184.213 TCP 52 [TCP Keep-Alive] 54804→443 [ACK] Seq=1198 Ack=3189 Win=36608 Len=0 TSval=500928 TSecr=1287042247

[bartjsmit]

Try curl http://checkip.dyndns.com/ Make sure that the public IP address is the one you are expecting.

Bart...