VPN no route to internet

Simplimus · March 7, 2017, 9:52am

NethServer Version: 7.0 final
Module: VPN

Dear Nethserver team,
I just installed nethserver (NS) 7 final the other day from a centos 7 minimal.
All went smooth, with one exception.

I have a small nuc sitting behind my router at home. The nuc is running the NS. The NS has one NIC and is connected via cable with the router. The IP address of the NS is 192.168.1.100. The router ip is 192.168.1.1.

For different reasonsI want to be able to route all my traffic through my home installation when I am abroad.
I set up a vpn service on the NS and login works like a charme. I was really impressed.
The IP net of the vpn is 10.0.0.0 255.255.255.0.
The client recieved 10.0.0.6.

The external VPN client can reach the NS at 192.168.1.100. But it can not reach (not even ping) the router @192.168.1.1. It also cannot ping google @8.8.8.8.

I have checked the “send all traffic through vpn” box.
I am not running a DNS, gateway or firewall on the NS. (no that I know of)

Here is my client config

######### NethServer OpenVPN client configuration #########
dev tun
client
remote there.be.dragons
port 1194
float
# Authentication: certificate

-----BEGIN CERTIFICATE-----
******
-----END CERTIFICATE-----


-----BEGIN PRIVATE KEY-----
******
-----END PRIVATE KEY-----


-----BEGIN CERTIFICATE-----
******
-----END CERTIFICATE-----

comp-lzo
explicit-exit-notify 1
verb 3
persist-key
persist-tun
nobind

I don’t see the server pushing some sort of routes to the client. Isn’t that required?

Help is much appreciated.

JOduMonT · March 7, 2017, 12:50pm

Welcome Simplimus;

I had a similar issue and another user proposed this :

I hope it will fix your issue.

Simplimus · March 7, 2017, 1:18pm

I also did find that, but I don’t know how to configure that. I cannot find it in the config menus.
Do I need to install a new module?
I did not know I was running a firewall.

My local network 192.168.1.* is configured as green.

Simplimus · March 7, 2017, 1:39pm

Okay, so I did install the “basic firewall” package.
Now in my Gateway menu I see the point “firewall rules”.
There in the tab “firewall” I defined a new rule to Always Accept All traffic coming from the vpn to green networks and all services.

Still no success.

Simplimus · March 7, 2017, 2:14pm

In the nethserver documentation it is stated that:

Firewall and gateway modes are enabled only if:

the nethserver-firewall-base package is installed
at least there is one network interface configured with red role

I only have a green network configured. So The rules must not apply, ergo the traffic must not be blocked. This gets me even more confused.

Simplimus · March 8, 2017, 2:53pm

Still not solved. No ideas?

filippo_carletti · March 8, 2017, 2:58pm

AFAIK, the above rule from vpn to green is not needed. See /etc/shorewall/policy:

# 20policy_openvpn
#
loc            ovpn           ACCEPT
**ovpn           loc            ACCEPT** (this is openvpn to green)
ovpn           $FW            ACCEPT
$FW            ovpn           ACCEPT
ovpn        blue           ACCEPT

I think that you need an ACCEPT rule from vpn to red.

Simplimus · March 8, 2017, 3:01pm

I already added that. No success.

Simplimus · March 8, 2017, 3:04pm

I checked /etc/shorewall/policy:

filippo_carletti · March 8, 2017, 3:07pm

I hope you can find some lines logged in /var/log/firewall.log when you are connected through vpn.
Those lines could lead us to understand the problem.

Simplimus · March 8, 2017, 3:10pm

It’s apparently empty. And I have logged in several times successfully already. Twice today.

filippo_carletti · March 8, 2017, 3:14pm

[root@nethsecurity7 ~]# systemctl status shorewall
● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/shorewall.service.d
           └─nethserver-firewall-base.conf
   Active: active (exited) since Tue 2017-03-07 19:12:29 CET; 21h ago
  Process: 3072 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3072 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/shorewall.service

Mar 07 19:12:28 nethsecurity7.nethesis.it shorewall[3072]: Setting up Proxy ARP...
Mar 07 19:12:28 nethsecurity7.nethesis.it shorewall[3072]: Setting up Traffic Control...
Mar 07 19:12:28 nethsecurity7.nethesis.it shorewall[3072]: Preparing iptables-restore input...
Mar 07 19:12:29 nethsecurity7.nethesis.it shorewall[3072]: Running /sbin/iptables-restore ...
Mar 07 19:12:29 nethsecurity7.nethesis.it shorewall[3072]: IPv4 Forwarding Enabled
Mar 07 19:12:29 nethsecurity7.nethesis.it shorewall[3072]: Processing /etc/shorewall/start ...
Mar 07 19:12:29 nethsecurity7.nethesis.it shorewall[3072]: Processing /etc/shorewall/started ...
Mar 07 19:12:29 nethsecurity7.nethesis.it logger[4851]: Shorewall started
Mar 07 19:12:29 nethsecurity7.nethesis.it shorewall[3072]: done.
Mar 07 19:12:29 nethsecurity7.nethesis.it systemd[1]: Started Shorewall IPv4 firewall.

Simplimus · March 9, 2017, 11:31am

I found that http://community.nethserver.org/t/shorewall-block-openvpn-traffic-out/6075/4 is not just similar, but exactly my problem. I will pick up your suggestion there.