How Can I Give My VPN Clients Internet Access


I have been successful in setting up two OpenVPN servers as follows:

  1. Ubuntu1 (LAN IP: 172.23.6.148 WAN IP: 60.242.175.132)
  2. Ubuntu2 (LAN IP: 172.23.6.149 WAN IP: 60.242.175.133)

Clients connecting to both servers can access my two LAN subnets (172.23.6.0/24 and 172.23.7.0/24). However, those connecting to Ubuntu2 cannot access the internet. Below are the routing tables from both servers:

KERNEL ROUTING TABLE FROM UBUNTU1 (172.23.6.148)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.23.6.120    0.0.0.0         UG    0      0        0 br0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tinc0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.23.7.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
207.187.53.0    0.0.0.0         255.255.255.0   U     0      0        0 br0

KERNEL ROUTING TABLE FROM UBUNTU2 (172.23.6.149)

root@ubuntu2:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.242.184.134  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tinc0
50.242.184.128  0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.23.7.0      172.23.6.1      255.255.255.0   UG    0      0        0 br0
207.187.53.0    172.23.6.1      255.255.255.0   UG    0      0        0 br0

Please note that I have full control of the gateway for Ubuntu2 but not for Ubuntu1 (3rd party managed). What do I need to do to get internet traffic for clients connecting to Ubuntu2? I’m ready and willing to provide any additional information as requested, thanks.

EDIT #1:

Below is what I’ve added to my firewall rules (in /etc/ufw/before.rules just before the *filter line):

# START OPENVPN RULES

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from OpenVPN client to br0
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT

# END OPENVPN RULES

Solution:

Based on the accepted answer to this question, I changed my firewall rule to SNAT instead of MASQUERADE and it worked:

-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 60.242.175.133

I added this rule to the /etc/ufw/before.rules file. I did note, however, that if I included “iptables” in the line, UFW failed to reload. Anyway, my clients connecting to Ubuntu2 now can get internet access. Thanks to all who offered suggestions, I really appreciate the help.

You are masquerading / NATing 10.8.0.0/24; however, the requests are most likely coming from the 172.23 subnet. It's impossible to say for certain without more details.

You should try NATing 172.23.0.0/16 and see if that solves your problem.
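The routing table quoted for Ubuntu2 is enough to see why the first rule in EDIT #1 could not help internet-bound traffic: the default route (0.0.0.0/0) leaves via eth0, while the MASQUERADE rule was restricted to `-o br0`, so it only ever matched packets heading into the LAN. The SNAT rule that worked has no `-o` qualifier and therefore matches regardless of egress interface. The script below is an added example (not code from the question or from any answer): it parses `route -n` output, performs the longest-prefix match the kernel does, and checks whether a simplified POSTROUTING rule (`-s` plus optional `-o`) would fire for a given packet. The sample table is the one posted for Ubuntu2; the rule dictionaries and function names are my own constructions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the `route -n` output of Ubuntu2 exactly as quoted in the question.
UBUNTU2_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.242.184.134  0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tinc0
50.242.184.128  0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.23.7.0      172.23.6.1      255.255.255.0   UG    0      0        0 br0
207.187.53.0    172.23.6.1      255.255.255.0   UG    0      0        0 br0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str


def parse_route_n(text):
    """Turn `route -n` output into Route objects; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, _flags, _metric, _ref, _use, iface = parts
        # (address, netmask) tuples are accepted by ipaddress; strict=False tolerates host bits.
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gw, iface))
    return routes


def egress(routes, dst):
    """Longest-prefix match: the kernel forwards via the most specific matching route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


# Hypothetical rule models (my own representation, not iptables syntax):
# the EDIT #1 rule with `-o br0`, and the working SNAT rule with no interface restriction.
ORIGINAL_RULE = {"src": "10.8.0.0/24", "out_iface": "br0", "target": "MASQUERADE"}
WORKING_RULE = {"src": "10.8.0.0/24", "out_iface": None, "target": "SNAT"}


def nat_rule_matches(rule, src, out_iface):
    """Minimal model of a POSTROUTING rule: `-s SRC` and, if set, `-o IFACE` must both match."""
    if ipaddress.IPv4Address(src) not in ipaddress.IPv4Network(rule["src"]):
        return False
    if rule["out_iface"] is not None and rule["out_iface"] != out_iface:
        return False
    return True


def explain(routes, src, dst, rule):
    """Return (egress interface, whether the rule would NAT this packet)."""
    r = egress(routes, dst)
    return r.iface, nat_rule_matches(rule, src, r.iface)


if __name__ == "__main__":
    routes = parse_route_n(UBUNTU2_ROUTES)
    client = "10.8.0.6"  # constructed VPN client address inside 10.8.0.0/24
    for dst in ("8.8.8.8", "172.23.7.5"):
        for rule in (ORIGINAL_RULE, WORKING_RULE):
            iface, hit = explain(routes, client, dst, rule)
            print(f"{client} -> {dst}: egress {iface}, {rule['target']} rule matches: {hit}")
```

Running it shows a VPN client reaching 8.8.8.8 leaves via eth0, where the `-o br0` rule does not apply but the unrestricted SNAT rule does, while LAN destinations behind br0 were NATed by both. Two practical notes: SNAT needs the static public address it is told to use (here the question's 60.242.175.133), whereas MASQUERADE picks up the interface address automatically and is the usual choice on dynamic links; and a rule without `-o` also rewrites the source of client traffic into the LAN, so anything on 172.23.x.x that needs to see the real 10.8.0.x client address will no longer do so.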
