I'm trying to set up an OpenVPN server on an Amazon EC2 instance. Unfortunately, after reading a lot of tutorials and Stack Overflow threads, I still can't figure out why I'm not able to route all traffic through the VPN.
First of all, I'm able to connect to the VPN server from my iPhone using the OpenVPN app and a client certificate, so I assume nothing is wrong on the keys/certificates side.
Here is the server configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-crypt ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
On the client side:
client
dev tun
proto udp
remote <amazon ec2 public ip> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
push "redirect-gateway def1"
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
The OpenVPN tun0 interface is properly created and the routes seem OK:
ubuntu@ip-172-31-22-XX:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.31.22.XX netmask 255.255.240.0 broadcast 172.31.31.255
inet6 fe80::8dd:1bff:fe44:4dc0 prefixlen 64 scopeid 0x20<link>
ether 0a:dd:1b:44:4d:c0 txqueuelen 1000 (Ethernet)
RX packets 53974 bytes 46601742 (46.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25000 bytes 5878276 (5.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::ef80:3549:3556:914f prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 382 bytes 68030 (68.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 507 bytes 394677 (394.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ubuntu@ip-172-31-22-XX:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ip-172-31-16-1. 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 ip-10-8-0-2.eu- 255.255.255.0 UG 0 0 0 tun0
ip-10-8-0-2.eu- 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.31.16.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
ip-172-31-16-1. 0.0.0.0 255.255.255.255 UH 100 0 0 eth0
ubuntu@ip-172-31-22-XX:~$
I enabled IP forwarding in sysctl and also configured iptables, but I guess the issue is on the firewall side:
ubuntu@ip-172-31-22-XX:~$ sudo sysctl -p
net.ipv4.ip_forward = 1
ubuntu@ip-172-31-22-XX:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ubuntu@ip-172-31-22-XX:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- ip-10-8-0-0.eu-west-3.compute.internal/24 anywhere
ubuntu@ip-172-31-22-XX:~$
Likewise, in the AWS management console, I configured the security group to allow incoming TCP 22 and UDP 1194, and all outgoing traffic.
As soon as I turn off the push "redirect-gateway def1 bypass-dhcp" directive, I no longer have any issue reaching the internet, but the traffic is going through the internet.
I also tried to access a website using an IP address instead of a domain name, but it didn't help, so it doesn't seem to be a DNS issue. From the EC2 server, I'm able to reach the internet without any issue.
I don't know how to diagnose more precisely what's going on.
Thanks for any help.
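The question lists three kernel-side prerequisites for a redirect-gateway setup (ip_forward, a NAT rule for the VPN subnet, and a FORWARD chain that lets tun0 and the egress NIC talk) but checks them by eye from `iptables -L`, whose reverse-DNS output hides the actual rule specs. The script below is an added example, not code from the question or from OpenVPN: it parses the `-S` (rule-spec) form of the same commands, so each check can be run against captured output, and reports which prerequisite is missing. It assumes the egress interface is `eth0` and the VPN subnet is `10.8.0.0/24` (from `server 10.8.0.0 255.255.255.0`); the sample command outputs embedded in it are constructed to mirror the state shown in the question plus a DROP-policy host that forgot the reply-direction rule.

```shell
#!/bin/sh
# Added example (not from the question): audit the kernel-side prerequisites that
# an OpenVPN server pushing "redirect-gateway" needs to forward client traffic to
# the internet. Each check parses command output passed in as text, so the logic
# can be exercised against captured output; "--live" feeds the real commands.

VPN_SUBNET="10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0" in the question
EGRESS_IF="eth0"           # assumed name of the instance's internet-facing NIC
TUN_IF="tun0"              # from "dev tun"

# check_ip_forward TEXT  -- TEXT is `sysctl net.ipv4.ip_forward` output.
check_ip_forward() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# check_masquerade TEXT  -- TEXT is `iptables -t nat -S POSTROUTING` output.
# -S prints rule specs (no reverse-DNS of 10.8.0.0 into a hostname as -L does).
# Succeeds if the VPN subnet is source-NATed by a MASQUERADE or SNAT rule.
check_masquerade() {
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-s $VPN_SUBNET .*-j (MASQUERADE|SNAT)"
}

# masquerade_scoped TEXT -- same input; succeeds only if that NAT rule is
# restricted to the egress interface, so VPN-to-VPN traffic is not rewritten.
masquerade_scoped() {
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-s $VPN_SUBNET .*-o $EGRESS_IF .*-j (MASQUERADE|SNAT)"
}

# check_forward TEXT -- TEXT is `iptables -S FORWARD` output. Succeeds if the
# chain policy is ACCEPT, or (with a DROP policy) both directions are allowed:
# tun -> egress for new flows and egress -> tun for the replies.
check_forward() {
    fwd=$1
    if printf '%s\n' "$fwd" | grep -q '^-P FORWARD ACCEPT$'; then
        return 0
    fi
    printf '%s\n' "$fwd" | grep -Eq "^-A FORWARD -i $TUN_IF -o $EGRESS_IF .*-j ACCEPT" &&
    printf '%s\n' "$fwd" | grep -Eq "^-A FORWARD -i $EGRESS_IF -o $TUN_IF .*-j ACCEPT"
}

# audit SYSCTL_TEXT NAT_TEXT FORWARD_TEXT -- prints one line per check and
# returns the number of failed checks (0 means the gateway can forward and NAT).
audit() {
    fails=0
    if check_ip_forward "$1"; then echo "ok       net.ipv4.ip_forward = 1"
    else echo "MISSING  net.ipv4.ip_forward = 1 (sysctl -w net.ipv4.ip_forward=1)"; fails=$((fails + 1)); fi
    if check_masquerade "$2"; then
        echo "ok       nat POSTROUTING masquerades $VPN_SUBNET"
        masquerade_scoped "$2" || echo "note     NAT rule is not limited to -o $EGRESS_IF"
    else echo "MISSING  iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $EGRESS_IF -j MASQUERADE"; fails=$((fails + 1)); fi
    if check_forward "$3"; then echo "ok       FORWARD chain allows $TUN_IF <-> $EGRESS_IF"
    else echo "MISSING  FORWARD rules for $TUN_IF -> $EGRESS_IF and the reverse (RELATED,ESTABLISHED)"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample output mirroring the state shown in the question.
SAMPLE_SYSCTL="net.ipv4.ip_forward = 1"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE"
SAMPLE_FORWARD_OPEN="-P FORWARD ACCEPT"
# Constructed sample of a hardened host that forgot the reply-direction rule.
SAMPLE_FORWARD_DROP="-P FORWARD DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT"

if [ "${1:-}" = "--live" ]; then
    # Run against the real host (needs root for iptables).
    audit "$(sysctl net.ipv4.ip_forward)" "$(iptables -t nat -S POSTROUTING)" "$(iptables -S FORWARD)"
else
    echo "== state from the question =="
    audit "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_FORWARD_OPEN" || true
    echo "== DROP policy missing the reply rule =="
    audit "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_FORWARD_DROP" || true
fi
```

Run with `sudo sh audit.sh --live` on the gateway to check the real tables; without arguments it walks the constructed samples. For the question's captured state all three checks pass (with a note that the MASQUERADE rule is not scoped to `-o eth0`), which narrows the search to what the script cannot see from the host: the client's own config (the `push` line is a server-mode directive), MTU, and the cloud-side network settings.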