OpenVPN problem: Can't access internet with the iOS client, but can with Tunnelblick

lpnlpn Member
edited March 2013 in General

I posted this on the OpenVPN forums, but figured out that I could get help here as I've seen several OpenVPN discussions.

I used to be able to access the internet with OpenVPN Connect for iOS, but now I can't. The client connects correctly to the server, but can't access anything. It is not a DNS issue, as it can't access things by IP address either. Tunnelblick (OS X GUI for OpenVPN) can connect to the server and access the internet just fine.

I am new to OpenVPN, so I was wondering how to troubleshoot this. The server is my own, so I have access to any logs. It is running the latest OpenVPN (from the OpenVPN repositories) on Debian 6.

My guess is that it is some kind of gateway issue, but it is really baffling as Tunnelblick and the iOS client are using exactly the same configuration files (though not at the same time). Any ideas for troubleshooting would be appreciated.

Comments

  • What kind of firewall do you use?

  • please post your server config

  • Just realize that iOS already has an official OpenVPN client.

  • lpnlpn Member

    @budingyun said: What kind of firewall you use?

    iptables on the VPS running the OpenVPN server. It turns out that the problem was iptables -P INPUT DROP; commenting it out fixed the connectivity issue, but that doesn't explain why it works with Tunnelblick and default DROP for INPUT. Also, if the default is not DROP, that renders iptables mostly useless. Any ideas what kind of iptables rules I need to add?

  • budingyun Member
    edited March 2013

    It's easier managing iptables using CSF. :D

    vi /etc/csf/csfpre.sh

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 192.168.2.0/29 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 192.168.2.0/29 -o eth0 -j MASQUERADE # KVM/XEN
    iptables -t nat -A POSTROUTING -s 192.168.2.0/29 -j SNAT --to serverIP # OpenVZ
    csf -r

  • lpnlpn Member

    @cosmicgate said: please post your server config

    It is the default, except for a different port (there was an INPUT rule allowing UDP connections to that port in iptables, even when the default rule for INPUT was set to DROP, and that allowed the client to connect to the server; see my comment about iptables above)
    and also these:
    push "redirect-gateway def1"
    push "dhcp-option DNS 10.8.0.1"

    (as suggested in the tutorial that I was using: https://library.linode.com/networking/openvpn/debian-6-squeeze)

  • lpnlpn Member
    edited March 2013

    @budingyun said: It's easier managing iptables using CSF. :D

    vi /etc/csf/csfpre.sh

    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 192.168.2.0/29 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 192.168.2.0/29 -o eth0 -j MASQUERADE # KVM/XEN
    iptables -t nat -A POSTROUTING -s 192.168.2.0/29 -j SNAT --to serverIP # OpenVZ

    csf -r

    I have these exact rules (just with a different IP range, and I'm on KVM so the KVM rule applies). But the problem is not the FORWARD or POSTROUTING rules, it is the INPUT chain. With these FORWARD and POSTROUTING rules present, when the default for INPUT is DROP (as it should be), the iOS client doesn't work, and Tunnelblick works. When the default for INPUT is ALLOW (again, with these FORWARD/POSTROUTING), they both work.
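
The question left open above is which INPUT rules let OpenVPN work while the INPUT policy stays at DROP. The following is an added example, not from anyone in the thread: a shell function that emits an iptables-restore ruleset keeping INPUT at DROP but explicitly accepting the OpenVPN UDP port, loopback, established replies, and traffic arriving from connected clients over the tunnel interface (which a bare DROP policy otherwise discards, including requests to the pushed DNS at 10.8.0.1). The tunnel interface tun0, the VPN subnet 10.8.0.0/24, the public interface eth0 and the KVM-style MASQUERADE are assumptions; the port is passed in as the first argument.

```shell
# Added example: build an iptables-restore ruleset for an OpenVPN server that
# keeps INPUT at DROP. Assumed defaults: tun0, 10.8.0.0/24, eth0 (override via $2-$4).
openvpn_ruleset() {
    port="$1"; vpn_net="${2:-10.8.0.0/24}"; wan_if="${3:-eth0}"; tun_if="${4:-tun0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the server itself opened, and local traffic
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# The OpenVPN handshake; without this no client connects at all
-A INPUT -p udp --dport ${port} -j ACCEPT
# Connected clients talking to the server itself (e.g. the pushed DNS 10.8.0.1).
# These packets hit INPUT, not FORWARD, so a DROP policy silently eats them.
-A INPUT -i ${tun_if} -s ${vpn_net} -j ACCEPT
# Log what INPUT still drops, rate-limited, so a failing client shows up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
# Clients reaching the internet through the server go through FORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${tun_if} -s ${vpn_net} -o ${wan_if} -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# KVM/XEN: masquerade client traffic leaving on the public interface
-A POSTROUTING -s ${vpn_net} -o ${wan_if} -j MASQUERADE
COMMIT
EOF
}

# On the server (as root): openvpn_ruleset 1194 > /etc/iptables.rules
#                          iptables-restore < /etc/iptables.rules
```

Loading the file with iptables-restore replaces the whole filter and nat tables, so any unrelated rules already on the VPS have to be added to it first.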

  • I have no idea what you are talking about. nvm.
