Home / server / Questions / 756010
In Process
megloff
Asked: 2016-02-14 07:06:08 +0800 CST

Cent OS - OpenVPN client connects but can't access internet

  • 772

I set up openVPN 2.3 on a centOS 6.5 system I could connect with my windows client to the server. client gets IP address and DNS entries but when I like to access the internet with my client it does not work.

I have set the "net.ipv4.ip_forward = 1" in "/etc/sysctl.conf". And added the firewall rule "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE".

A "tracert 8.8.8.8" ony my client ends into a timeout.

Any hints or suggestions I can try? Thanks

Please find below my IPTable onfiguration

# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*mangle
:PREROUTING ACCEPT [2300:167838]
:INPUT ACCEPT [2300:167838]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1911:1150640]
:POSTROUTING ACCEPT [1911:1150640]
COMMIT
# Completed on Sat Feb 13 16:18:46 2016
# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15:1699]
:fail2ban-SSH - [0:0]
:fail2ban-sasl - [0:0]
:fail2ban-submission - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 587 -j fail2ban-submission
-A INPUT -p tcp -m tcp --dport 2022 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-sasl
-A INPUT -p tcp -m tcp --dport 587 -j fail2ban-submission
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state     NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fail2ban-SSH -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-submission -j RETURN
COMMIT
# Completed on Sat Feb 13 16:18:46 2016
# Generated by iptables-save v1.4.7 on Sat Feb 13 16:18:46 2016
*nat
:PREROUTING ACCEPT [88:5707]
:POSTROUTING ACCEPT [29:2145]
:OUTPUT ACCEPT [29:2145]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Completed on Sat Feb 13 16:18:46 2016

domain-name-system

1 Answers

  1. I could get it running. I had to add additional Forwarding rules

    iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i p4p1 -o tun0 -j ACCEPT
iptables -I FORWARD -o p4p1 -i tun0 -j ACCEPT

    where "p4p1" is my ethernet interface. Please get the correct name of your interface from th "ifconfg" command.

    • 0