OpenVPN: connection successful, can ping internal IPs, can't access internet

Cerulean ([H]F Junkie)
My current DD-WRT firewall commands:
Code:
# OpenVPN: accept the tunnel on UDP/1194 and forward between the LAN bridge (br0) and tun2
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
# Redirect every LAN DNS query to the router itself (the DD-WRT nvram variable is lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

The first four lines are for OpenVPN. OpenVPN clients receive an address in 10.8.0.0/24 (e.g. 10.8.0.153).

The last two lines are to restrict DNS to OpenDNS 208.67.222.222 and 208.67.220.220 + 10.0.255.3 (the Windows Server 2008 R2 domain controller, DHCP, DNS, file server, FTP server, and ERP database server).

When I connect to VPN as a client from my laptop running through my cellular data plan, these are the results I get:
Code:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Joshua>ping echo
^C
C:\Users\Joshua>ping echo.orderdis.net
Ping request could not find host echo.orderdis.net. Please check the name and try again.

C:\Users\Joshua>ping echo
^C
C:\Users\Joshua>ping dis-wap
^C
C:\Users\Joshua>ping google.com

Pinging google.com [74.125.225.96] with 32 bytes of data:
Request timed out.

Ping statistics for 74.125.225.96:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\Joshua>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SIERRA
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mshome.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-F6-20-DE-65
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2d1f:c2c5:ce34:6ebc%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, March 1, 2014 7:30:40 PM
   Lease Expires . . . . . . . . . . : Sunday, March 1, 2015 7:30:40 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 167837686
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-87-51-F0-00-1E-37-1E-CA-8F

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : mshome.net
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1D-E0-34-48-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4db7:8b6a:2c7f:ccb3%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.137.141(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, March 1, 2014 6:12:26 PM
   Lease Expires . . . . . . . . . . : Saturday, March 8, 2014 7:27:45 PM
   Default Gateway . . . . . . . . . : 192.168.137.1
   DHCP Server . . . . . . . . . . . : 192.168.137.1
   DHCPv6 IAID . . . . . . . . . . . : 318774752
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-87-51-F0-00-1E-37-1E-CA-8F

   DNS Servers . . . . . . . . . . . : 192.168.137.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ORDERDIS.NET
   Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1E-37-1E-CA-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.mshome.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mshome.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{F620DE65-AB06-4817-BFAC-1B1842670BB4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Joshua>
echo = 10.0.255.3 (the Windows Server 2008 box)

I am unable to ping any hostnames on the network including the router's and DC's hostnames, even when appending the FQDN .orderdis.net (the AD domain). If I ping google.com it resolves the IP but does not give any ping responses, so it looks like the only communication I have is to internal LAN IPs and nothing more.

This is the /tmp/openvpn/openvpn.conf from my router (got to it through SSH over FTP):
Code:
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
# Blowfish-CBC is a 64-bit block cipher; both ends must agree on it (see the client config)
cipher bf-cbc
auth sha512
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
# Sends all client traffic through the tunnel; nothing in this file pushes a DNS
# server or search domain (no "dhcp-option DNS" / "dhcp-option DOMAIN")
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
tun-ipv6

This is the config file I'm using on the OpenVPN GUI Client on my laptop:
Code:
client
dev tun0
proto udp
remote vpn.orderdis.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
float
route-delay 30
ca ca.crt
cert jszanto.crt
key jszanto.key
# Checks the server certificate's nsCertType extension; newer OpenVPN releases prefer "remote-cert-tls server"
ns-cert-type server
cipher bf-cbc
auth sha512
comp-lzo
verb 3

In DD-WRT VPN --> OpenVPN Server/Daemon I do not have anything in "Additional Config".

When I am connected to the internal LAN by wire + wireless nic is turned off, these are my ipconfig /all results:
Code:
C:\Users\Joshua>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SIERRA
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ORDERDIS.NET

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-F6-20-DE-65
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mshome.net
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1D-E0-34-48-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : ORDERDIS.NET
   Description . . . . . . . . . . . : Intel(R) 82566MM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1E-37-1E-CA-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8c46:f856:a673:6117%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.255.122(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Saturday, March 1, 2014 7:24:37 PM
   Lease Expires . . . . . . . . . . : Sunday, March 2, 2014 7:35:31 PM
   Default Gateway . . . . . . . . . : 10.0.255.1
   DHCP Server . . . . . . . . . . . : 10.0.255.1
   DHCPv6 IAID . . . . . . . . . . . : 251665975
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-87-51-F0-00-1E-37-1E-CA-8F

   DNS Servers . . . . . . . . . . . : 10.0.255.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.ORDERDIS.NET:

   Connection-specific DNS Suffix  . : ORDERDIS.NET
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:10.0.255.122%25(Preferred)
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 419430400
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-87-51-F0-00-1E-37-1E-CA-8F

   DNS Servers . . . . . . . . . . . : 10.0.255.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Users\Joshua>
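An added example, not code from the post above: a small script that checks a saved nat table for a source-NAT rule covering the VPN client pool and then prints a tightened version of the Firewall Commands. It assumes the values the post gives (client pool 10.8.0.0/24, tunnel tun2, LAN bridge br0) and assumes the WAN interface is vlan2, which has to be confirmed on the router (`nvram get wan_iface` or `ip route`). The iptables-save dumps inside it are constructed for the example, not taken from the router.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks an `iptables-save -t nat`
# dump for a source-NAT rule covering the OpenVPN client pool and emits a
# tightened set of DD-WRT Firewall Commands. Runs offline on constructed dumps.

VPN_NET="10.8.0.0/24"      # client pool from the post
VPN_IF="tun2"              # server's "dev" from the post
LAN_IF="br0"               # DD-WRT LAN bridge
WAN_IF="${WAN_IF:-vlan2}"  # ASSUMPTION: confirm with `nvram get wan_iface` on your build

# Constructed "before" dump: only the LAN (10.0.254.0/23) is masqueraded, so a
# packet from 10.8.0.2 leaves the WAN with a private source and no reply returns.
NAT_BEFORE='*nat
-A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination 10.0.255.1
-A POSTROUTING -s 10.0.254.0/23 -o vlan2 -j MASQUERADE
COMMIT'

# Constructed dump with the pool masqueraded toward br0: every VPN client is
# rewritten to the router's LAN address, so the DC never logs a per-client IP.
NAT_LAN_MASQ='*nat
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT'

# Constructed dump with the rule scoped to the WAN, which is what internet
# access actually needs.
NAT_FIXED='*nat
-A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j MASQUERADE
COMMIT'

# Print the first POSTROUTING SNAT/MASQUERADE line for the VPN pool read from stdin.
vpn_snat_rule() {
    grep -- '^-A POSTROUTING ' | grep -F -- "-s $VPN_NET" |
        grep -E -- '-j (MASQUERADE|SNAT)' | head -n 1
}

# Classify where the VPN pool is NATed: none | wan | lan | other | any.
# "wan" is the target; "lan" or "any" also rewrites clients toward the LAN
# and loses their identity in internal logs.
vpn_snat_scope() {
    rule=$(vpn_snat_rule)
    [ -n "$rule" ] || { echo none; return 0; }
    case " $rule " in
        *" -o $WAN_IF "*) echo wan ;;
        *" -o $LAN_IF "*) echo lan ;;
        *" -o "*)         echo other ;;
        *)                echo any ;;
    esac
}

# Tightened Firewall Commands: interface-scoped forwarding instead of a blanket
# "--source 10.8.0.0/24 ACCEPT", and the masquerade limited to the WAN.
firewall_commands() {
    cat <<EOF
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -i $VPN_IF -o $LAN_IF -j ACCEPT
iptables -I FORWARD 1 -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -I FORWARD 1 -i $VPN_IF -o $WAN_IF -j ACCEPT
iptables -I FORWARD 1 -i $WAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

for dump in "$NAT_BEFORE" "$NAT_LAN_MASQ" "$NAT_FIXED"; do
    printf 'VPN pool NAT scope: %s\n' "$(printf '%s\n' "$dump" | vpn_snat_scope)"
done
echo "== tightened Firewall Commands =="
firewall_commands
```

On the router, `iptables-save -t nat | sh -c '. ./check.sh; vpn_snat_scope'` (or just pasting the functions into an SSH session) answers the question before any rule is added. Scoping the masquerade with `-o` to the WAN matters beyond correctness: VPN users then reach the file server and DC with their own 10.8.0.x address, so Windows security logs still show who connected.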
 
Adding
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
to Firewall Commands allowed me to ping google.com successfully. I'm posting this through VPN. Thanks to squidmata at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=749746

My Firewall Commands looks like this now:
Code:
# OpenVPN: accept the tunnel on UDP/1194 and forward between the LAN bridge (br0) and tun2
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun2 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -j ACCEPT
# Source-NAT VPN clients so replies from the internet come back to the router
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# Redirect every LAN DNS query to the router itself (the DD-WRT nvram variable is lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

However, I am still unable to resolve internal LAN hostnames such as 'echo' or 'echo.orderdis.net' like I normally am when connected via wire. :(

Adding
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
did not make a difference. Not sure what it even changed or if it did anything.
 
That's because your VPN DHCP pool does not have a default gateway.
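An added example for the name-resolution failure in the follow-up post; it is not code from either poster. In the first ipconfig the TAP adapter lists only fec0:0:0:ffff::1-3 (the placeholder site-local resolvers Windows shows when an adapter has no DNS server) and no IPv4 DNS server, which is consistent with the server config pushing redirect-gateway but no "dhcp-option DNS". The script below lints the posted server config for that and two related settings and prints the lines to paste into DD-WRT's OpenVPN "Additional Config". The resolver (the DC at 10.0.255.3) and the search domain (orderdis.net) are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Lints an OpenVPN server
# config for the settings behind "internal IPs work, names don't" and prints
# the DD-WRT "Additional Config" lines that fix it.

LAN_DNS="10.0.255.3"       # ASSUMPTION: the DC from the post, which runs DNS
AD_DOMAIN="orderdis.net"   # ASSUMPTION: the AD domain from the post

# The server config from the post, verbatim.
SERVER_CONF='dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
cipher bf-cbc
auth sha512
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
tun-ipv6'

# True when the config text ($1) has a line matching the extended regex ($2).
conf_has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# Print one WARN: line per finding; exit 0 either way.
lint_server_conf() {
    conf=$1
    if conf_has "$conf" '^push "redirect-gateway' && ! conf_has "$conf" '^push "dhcp-option DNS '; then
        echo 'WARN: redirect-gateway is pushed but no DNS server is, so clients keep their local resolver (or none on the TAP adapter) and LAN names never resolve'
    fi
    if ! conf_has "$conf" '^push "dhcp-option DOMAIN '; then
        echo 'WARN: no search domain is pushed, so short names such as "echo" get no AD suffix'
    fi
    if conf_has "$conf" '^cipher bf-cbc'; then
        echo 'WARN: cipher bf-cbc is a 64-bit block cipher; prefer AES, and change it on the client at the same time'
    fi
    if conf_has "$conf" '^client-to-client'; then
        echo 'WARN: client-to-client switches traffic between VPN clients inside openvpn, so it never reaches the iptables FORWARD chain'
    fi
    return 0
}

# Lines for DD-WRT -> VPN -> OpenVPN Server/Daemon -> Additional Config.
# block-outside-dns is a Windows-only option that needs OpenVPN 2.3.9 or newer
# on the client; it stops queries leaking to the hotspot's resolver.
additional_config() {
    cat <<EOF
push "dhcp-option DNS $LAN_DNS"
push "dhcp-option DOMAIN $AD_DOMAIN"
push "block-outside-dns"
EOF
}

# The posted config with the pushed options added and the cipher swapped.
fixed_server_conf() {
    printf '%s\n' "$SERVER_CONF" | sed 's/^cipher bf-cbc$/cipher AES-256-CBC/'
    additional_config
}

echo "== findings for the posted config =="
lint_server_conf "$SERVER_CONF"
echo "== Additional Config to add in DD-WRT =="
additional_config
echo "== findings after the fix =="
lint_server_conf "$(fixed_server_conf)"
```

After the change, the TAP adapter in `ipconfig /all` should list 10.0.255.3 as its DNS server and ORDERDIS.NET as its connection-specific suffix, and `ping echo` should resolve. Changing the cipher is optional for the symptom but, if done, the client's `cipher bf-cbc` line must be changed to match or the tunnel will not come up.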
 