OpenVPN on ec2 bridged mode connects but no Ping, DNS or forwarding
- by michael
I am trying to use OpenVPN to access the internet over a secure connection.
I have openVPN configured and running on Amazon EC2 in bridge mode with client certs. I can successfully connect from the client, but I cannot get access to the internet or ping anything from the client
I checked the following and everything seems to shows a successful connection between the vpn client/server and UDP traffic on 1194
[server] sudo tcpdump -i eth0 udp port 1194
(shows UDP traffic after establishing connection)
[server] sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[server] sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- ip-W-X-Y-0.us-west-1.compute.internal/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[server] openvpn.log
Wed Oct 19 03:11:26 2011 localhost/a.b.c.d:61905 [localhost] Inactivity timeout (--ping-restart), restarting
Wed Oct 19 03:11:26 2011 localhost/a.b.c.d:61905 SIGUSR1[soft,ping-restart] received, client-instance restarting
Wed Oct 19 03:41:31 2011 MULTI: multi_create_instance called
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 Re-using SSL/TLS context
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 LZO compression initialized
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 Local Options hash (VER=V4): '360696c5'
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 Expected Remote Options hash (VER=V4): '13a273ba'
Wed Oct 19 03:41:31 2011 a.b.c.d:57889 TLS: Initial packet from [AF_INET]a.b.c.d:57889, sid=dd886604 ab6ebb38
Wed Oct 19 03:41:35 2011 a.b.c.d:57889 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=EXAMPLE/CN=EXAMPLE_CA/[email protected]
Wed Oct 19 03:41:35 2011 a.b.c.d:57889 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=EXAMPLE/CN=localhost/[email protected]
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 19 03:41:37 2011 a.b.c.d:57889 [localhost] Peer Connection Initiated with [AF_INET]a.b.c.d:57889
Wed Oct 19 03:41:39 2011 localhost/a.b.c.d:57889 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 19 03:41:39 2011 localhost/a.b.c.d:57889 SENT CONTROL [localhost]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway W.X.Y.Z,ping 10,ping-restart 120,ifconfig W.X.Y.Z 255.255.255.0' (status=1)
Wed Oct 19 03:41:40 2011 localhost/a.b.c.d:57889 MULTI: Learn: (IPV6) -> localhost/a.b.c.d:57889
[client] tracert google.com
Tracing route to google.com [74.125.71.104] over a maximum of 30 hops:
1 347 ms 349 ms 348 ms PC [w.X.Y.Z]
2 * * * Request timed out.
I can also successfully ping the server IP address from the client, and ping google.com from an SSH shell on the server. What am I doing wrong?
Here is my config (Note: W.X.Y.Z == amazon EC2 private ipaddress)
bridge config on br0
ifconfig eth0 0.0.0.0 promisc up
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 W.X.Y.X netmask 255.255.255.0 broadcast W.X.Y.255 up
route add default gw W.X.Y.1 br0
/etc/openvpn/server.conf (from https://help.ubuntu.com/10.04/serverguide/C/openvpn.html)
local W.X.Y.Z
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server W.X.Y.0 255.255.255.0
server-bridge W.X.Y.Z 255.255.255.0 W.X.Y.105 W.X.Y.200
;push "route W.X.Y.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
log-append openvpn.log
iptables config
sudo iptables -A INPUT -i tap0 -j ACCEPT
sudo iptables -A INPUT -i br0 -j ACCEPT
sudo iptables -A FORWARD -i br0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s W.X.Y.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Routing Tables added
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
W.X.Y.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 W.X.Y.1 0.0.0.0 UG 0 0 0 br0
C:>route print
===========================================================================
Interface List
32...00 ff ac d6 f7 04 ......TAP-Win32 Adapter V9
15...00 14 d1 e9 57 49 ......Microsoft Virtual WiFi Miniport Adapter #2
14...00 14 d1 e9 57 49 ......Realtek RTL8191SU Wireless LAN 802.11n USB 2.0 Net
work Adapter
10...00 1f d0 50 1b ca ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.201 25
10.1.2.0 255.255.255.0 On-link 10.1.2.201 281
10.1.2.201 255.255.255.255 On-link 10.1.2.201 281
10.1.2.255 255.255.255.255 On-link 10.1.2.201 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.2.201 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.2.201 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.1.2.1 Default
===========================================================================
C:>tracert google.com
Tracing route to google.com [74.125.71.147]
over a maximum of 30 hops:
1 344 ms 345 ms 343 ms PC [W.X.Y.221]
2 * * * Request timed out.
