**Background:**
I recently set up a little headless server at home to go with our new fibre connection. I’ve got basically all the services I want set up. Can’t get Pi-hole working yet, but that is for another thread. My biggest concern right now is OpenVPN. The purpose of the VPN is to make local network resources available to everybody in the family no matter where they are in the world.
**What I did:**
I followed this guide: https://www.howtoforge.com/tutorial/how-to-install-and-configure-open-vpn-on-opensuse-leap-42.1/
I paid particular attention to the firewall settings.
**What works:**
Pretty much everything. I can connect to the VPN, from inside our home network or outside and access local resources. Perfect.
**The problem:**
The internet connection doesn’t work when I’ve VPN’ed in. Everything else works, but the client cannot use the internet. I understand this has to do with routing, but I can’t seem to figure it out. I do not want to do split-tunneling. We occasionally need to secure our internet connection.
Aiming for a Client <> Server <> Internet layout.
**What I’ve tried:**
I’ve tried turning the firewall off entirely. Did nothing. Connecting works with firewall on or off from both the internet and within the network.
**Additional information:**

VPN Off:

```text
daniel@nohostname:~> netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
daniel@nohostname:~> ip route get 8.8.8.8
8.8.8.8 via 192.168.1.1 dev wlp3s0  src 192.168.1.110
    cache
```

VPN On:

```text
daniel@nohostname:~> netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.2.5       0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp3s0
10.10.2.1       10.10.2.5       255.255.255.255 UGH       0 0          0 tun0
10.10.2.5       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0
192.168.1.100   0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0
daniel@nohostname:~> ip route get 8.8.8.8
8.8.8.8 via 10.10.2.9 dev tun0  src 10.10.2.10
    cache
```
**Server.conf**

```
# change to your port
port 2034
# udp or tcp
proto udp
# "dev tun" creates a routed IP tunnel
dev tun
# Certificate configuration
# CA certificate
ca /etc/openvpn/keys/ca.crt
# server certificate
cert /etc/openvpn/keys/server.crt
# server key; keep this secret
key /etc/openvpn/keys/server.key
# must match the size of the DH parameters generated in /etc/openvpn/keys/
dh /etc/openvpn/keys/dh2048.pem
# subnet from which connected clients get their internal IP
server 10.10.2.0 255.255.255.0
# push a default route through the tunnel to every client (full tunnel);
# the server must then forward and NAT the clients' traffic
push "redirect-gateway def1"
# DNS servers handed to clients (Google and OpenDNS here)
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.220"
# allow multiple clients to connect with the same certificate
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon
# OpenVPN status log
status /var/log/openvpn/openvpn-status.log
# enable logging
log-append /var/log/openvpn/openvpn.log
# log level
verb 3
```
**sysctl.conf**

```
net.ipv4.ip_forward = 1
```
**SuseFirewall2-custom**

```sh
fw_custom_after_chain_creation() {
    # these rules will be loaded after the various input_* and forward_* chains
    # are created.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.10.2.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    # NAT the VPN subnet out of the upstream interface. "-o eth0" must name the
    # interface that actually carries the server's default route (check with
    # "ip route"); on a Leap 42.1 system it is not necessarily called eth0.
    iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
    true
}
fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
    true
}
fw_custom_before_masq() { # could also be named "after_port_handling()"
    # these rules will be loaded after the IP protocol and TCP/UDP port
    # handling, but before any IP forwarding (routing) or masquerading
    # will be done.
    # NOTE: reverse masquerading is done directly after
    # fw_custom_before_port_handling !!!!
    # You can use this hook to ... hmmm ... I'm sure you'll find a use for
    # this ...
    true
}
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # these are the rules to be loaded after IP forwarding and masquerading
    # but before the logging and deny all section is set by SuSEfirewall2.
    # You can use this hook to prevent the logging of annoying packets.
    true
}
fw_custom_after_finished() {
    # these are the rules to be loaded after the firewall is fully configured
    true
}
```
**Where to next:**
So what exactly is the issue and how can I fix it? I’ve tried googling for this issue and everything either directs to split-tunneling or doesn’t help me much. I’ve been trying to figure this out for three days now, and have got no closer to solving it.
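An added diagnostic, not part of the original post, for the first thing to check with a full-tunnel setup like the one above: the client reaches LAN hosts because the server only has to forward those packets, but Internet traffic additionally needs the POSTROUTING MASQUERADE rule to match the interface that carries the server's default route. The firewall hook hard-codes `-o eth0`, and nothing on the page shows what the server's uplink is actually called. The script below takes the text of `ip -4 route show` and `iptables-save -t nat` from the server and reports whether the NAT rule for the VPN subnet names the default-route interface. The sample outputs are constructed for the example (assumption: an uplink called `enp3s0`); replace them with your own.

```shell
#!/bin/sh
# Check that the MASQUERADE rule for an OpenVPN subnet uses the interface that
# actually carries the server's default route. Pure text processing, so it can
# be run anywhere: feed it the output of "ip -4 route show" and
# "iptables-save -t nat" captured on the VPN server.

# Constructed sample of "ip -4 route show" on the server (assumption: the
# uplink is enp3s0, the LAN is 192.168.1.0/24, the VPN subnet is 10.10.2.0/24).
SAMPLE_ROUTES='default via 192.168.1.1 dev enp3s0
10.10.2.0/24 via 10.10.2.2 dev tun0
10.10.2.2 dev tun0 proto kernel scope link src 10.10.2.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.100'

# Constructed sample of "iptables-save -t nat" on the server, reproducing the
# rule from the SuSEfirewall2-custom hook above.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.2.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Print the interface of the default route ("default via X dev IFACE").
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Print the out-interface of every MASQUERADE rule whose source is the given
# subnet, one per line; a rule without "-o" matches any interface ("any").
masq_ifaces() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /-j MASQUERADE/ {
            src = ""; out = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (src == net) print out
        }'
}

# Result on stdout: "OK <iface>" when a MASQUERADE rule covers the
# default-route interface, "NO_DEFAULT_ROUTE" or "NO_NAT" when one side is
# missing, otherwise "MISMATCH <route iface> <nat ifaces>". Exit 0 only for OK.
check_vpn_nat() {
    routes="$1"; nat="$2"; net="$3"
    uplink=$(default_iface "$routes")
    [ -n "$uplink" ] || { echo "NO_DEFAULT_ROUTE"; return 1; }
    outs=$(masq_ifaces "$nat" "$net" | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$outs" ] || { echo "NO_NAT"; return 1; }
    for o in $outs; do
        if [ "$o" = "$uplink" ] || [ "$o" = "any" ]; then
            echo "OK $uplink"
            return 0
        fi
    done
    echo "MISMATCH $uplink $outs"
    return 1
}

# With the constructed samples this prints: MISMATCH enp3s0 eth0
check_vpn_nat "$SAMPLE_ROUTES" "$SAMPLE_NAT" 10.10.2.0/24 || :
```

On the real server, run `check_vpn_nat "$(ip -4 route show)" "$(iptables-save -t nat)" 10.10.2.0/24` as root. A MISMATCH means the `-o` in the POSTROUTING rule has to be changed to the reported uplink interface; NO_NAT after turning SuSEfirewall2 off is expected, because disabling the firewall also removes the custom MASQUERADE rule, so that experiment does not rule NAT out as the cause.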