Need Help with OpenVPN

Hey, I tried to install OpenVPN with @Nyr's script. I fixed the "OVZ" problems and then I have a connection, but only internal, not external. For example, Google.de is not reachable.

Comments

  • Did you check your DNS settings? Caused me headache last time...

    Thanked by (1)Xenic
  • @Bochi yes, Google's DNS servers 8.8.8.8 and 8.8.4.4 are set there

  • So when I connect, it says this.
    Looks like an internal connection

  • Solaire OG
    edited November 2019

    Xenic said: Looks like an internal connection

    That's the purpose of a VPN - getting a private IP. Add this to your /etc/openvpn/server.conf and then restart openvpn server:

    push "dhcp-option DNS 8.8.8.8"
    
  • Are you able to ping a public IP? If yes: looks like a problem with your DNS configuration.
    Does your server or client OpenVPN log show any errors or warnings?

  • add an iptables-save record to allow outside connection

  • Xenic said: Looks like an internal connection

    That is normal. Please provide the full installation log, where I can see which IP addresses you are configuring.

    Most likely, one of these happened:

    • Your server is behind NAT and you selected the wrong IP addresses
    • You have a client or server side firewall which is messing with the needed routing

    Solaire said: Add this to your /etc/openvpn/server.conf

    Not needed because that is configured by the script and anyway not the right place to do it (would be /etc/openvpn/server/server.conf).

    xammy said: add an iptables-save record to allow outside connection

    In the case he's using iptables, the script would take care of that stuff for him automatically, so not needed.

    Thanked by (3)Amitz Xenic WSS
  • Hello @Nyr, do you mean the client-common.txt or the openvpn-status file? Or do you mean another file?
    Greetings Xenic

  • And I used 172.16.70.146 for the internal IP, and then the system says it's behind NAT (I know), then I use the port-forwarded shared public IP as "not NAT" with my forwarded port.

  • WSS OG Retired

    @Nyr said:
    That is normal.

    How much disdain do you have for the moniker angristan? I swear half of the LES tickets I saw in the last couple years are due to your dated script, and the rest of it are that fork.

    My pronouns are like/subscribe.

  • @Xenic sorry for the late response, I've been sick:

    • Can you try connecting from a different client device like your smartphone?
    • Can you please provide the output of iptables -t nat -L in the server?
    • What distribution are you using? If installed from a template, what provider?
    Thanked by (1)Amitz
  • Nyr OG
    edited November 2019

    WSS said: How much disdain do you have for the moniker angristan?

    I have some disdain indeed, because the fork was created based on uninformed fears (the length of your keys and DH are insecure!! the transport algorithm is not secure enough!!) and other uninformed assumptions like that. I always refused to implement those "security improvements" because I'm not a commercial VPN provider with a marketing department which needs to lie to its users to get sales. I've also refused to implement "disable logs" commits and similar bullshit.

    It looks like there was a market for that, and the "secure" fork was created, by a person with a social following stronger than me, a Patreon and some other bullshit. Yeah, I'm not happy about that. He even removed the GitHub header notifying the visitor that his is a fork of my original project and that information is now only buried in a very long readme, so a lot of people don't know that an original project exists which is cleaner and well maintained.

    WSS said: your dated script

    I don't see how my script is dated. In fact I think that it is very future proof, but I'm open to suggestions.

    I'm not a native speaker so sorry if I'm wrong, but "dated" usually has negative connotations.

    Thanked by (3)Amitz mikho WSS
  • WSS OG Retired

    @Nyr said:
    I don't see how my script is dated. In fact I think that it is very future proof, but I'm open to suggestions.

    I'm not a native speaker so sorry if I'm wrong, but "dated" usually has negative connotations.

    I was implying that you haven't done a lot with it recently, which causes the idea in some minds that it's older and no longer supported. I had no idea he removed the information that he forked your project. What a jerk.

    My pronouns are like/subscribe.

  • WSS said: I was implying that you haven't done a lot with it recently

    Well, there was a pretty significant commit in September. I agree that not a lot of new stuff is pushed, but I like to keep it simple, reliable and easy to maintain. My only guarantee is to always keep it up to date in compatibility and security, not a lot of new stuff should be expected now or ever, to be honest.

    But a very cool IPv6 implementation is coming soon™, I can say that :smile:

    Thanked by (4)WSS Amitz TigersWay skorous
  • Hey @Nyr
    Here is my "iptables -t nat -L" Answer:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    SNAT all -- 10.8.0.0/24 !10.8.0.0/24 to:172.16.70.146

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    I tried the 172.16.70.146 subnet and the 10.8.0.0 subnet.
    But on the 10.8.0.0 network the server says: Options error: --local addresses must be distinct from --ifconfig addresses
    And on the 172.16.70.146 network I got an internal connection but google.com is not reachable. I will try to connect from my mobile device. Thanks @Nyr

  • The iptables configuration looks right. If you don't have a firewall or other kind of conflicting stuff on the server, it must be something in your client.

    Xenic said: I tried the 172.16.70.146 Subnet and the 10.8.0.0 Subnet.

    Not sure what you are talking about but you don't need to change anything from the default configuration. Try installing in a clean template if needed, nothing needs to be modified other than enabling TUN.
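
The NAT rule check discussed in the replies above, as an added example that is not part of the original thread or of the install script: on a server behind NAT, the SNAT target has to be an address actually configured on the server (here the internal 172.16.70.146), not the forwarded public IP. The function names and the 203.0.113.10 address are assumptions made for illustration; the sample output is the one posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify the NAT rule for the VPN subnet.

# `iptables -t nat -L` output as posted in the thread.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:172.16.70.146'

# snat_target SUBNET  (hypothetical helper; reads iptables output on stdin)
# Prints the "to:" address of the SNAT rule whose source is SUBNET, or
# MASQUERADE if the subnet is masqueraded. Returns 1 if no rule covers it.
snat_target() {
    awk -v net="$1" '
        $1 == "SNAT" && $4 == net {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^to:/) { print substr($i, 4); found = 1; exit }
        }
        $1 == "MASQUERADE" && $4 == net { print "MASQUERADE"; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# check_snat SUBNET "ADDR ADDR ..."  (hypothetical helper; stdin as above)
# ADDRs are the IPv4 addresses configured on the server, e.g. taken from
#   ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
# Prints a verdict and returns 0 only when the rule can work.
check_snat() {
    if ! target=$(snat_target "$1"); then
        echo "no NAT rule for $1"
        return 1
    fi
    if [ "$target" = "MASQUERADE" ]; then
        echo "ok: masqueraded"
        return 0
    fi
    for addr in $2; do
        if [ "$addr" = "$target" ]; then
            echo "ok: SNAT to local address $target"
            return 0
        fi
    done
    echo "bad: SNAT to $target, which is not an address on this server"
    return 1
}

# Demo on the thread's output: passes when 172.16.70.146 is on an interface,
# fails when the server only has the constructed address 203.0.113.10.
printf '%s\n' "$SAMPLE_NAT" | check_snat 10.8.0.0/24 "127.0.0.1 172.16.70.146"
printf '%s\n' "$SAMPLE_NAT" | check_snat 10.8.0.0/24 "127.0.0.1 203.0.113.10" || true
```

On a live server, pipe `iptables -t nat -L -n` into `check_snat` instead of the embedded sample.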

  • After 1 hour of fixing, it works! I can access Google.com with my Australian VPN. Thanks for the help @Nyr :)

  • One more question, will IPv6 support be added soon? Because IPv6 would be useful :D

  • @Xenic said:
    One more question, will IPv6 support be added soon? Because IPv6 would be useful :D

    Yes. No promises of a timeline but IPv6 support will be a thing, sooner than later I hope.

    Thanked by (1)InceptionHosting
  • InceptionHosting Hosting Provider OG

    Nyr said: Yes. No promises of a timeline but IPv6 support will be a thing, sooner than later I hope.

    Looking forward to that!

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @Nyr said:
    Yes. No promises of a timeline but IPv6 support will be a thing, sooner than later I hope.

    Expecting it too!!
