hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Successfully auth but not Internet connection #1210

Closed mattiarainieri closed 2 years ago

mattiarainieri commented 2 years ago

Describe the issue

Hi, after the script installation, the internet connection doesn't seem to work. In particular, the authentication step works properly, but we are not able to browse the internet (we can only ping the gateway 192.168.42.1). We've tried on different devices/OSes, but we always get the same result (also after uninstalling and reinstalling the script).

Logs

```
Aug 8 09:38:10 wolfeefree xl2tpd[9073]: Starting xl2tpd: xl2tpd.
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: xl2tpd version xl2tpd-1.3.12 started on wolfeefree PID:9079
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: Inherited by Jeff McAdams, (C) 2002
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Aug 8 09:38:10 wolfeefree xl2tpd[9079]: Listening on IP address 0.0.0.0, port 1701
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: Connection established to 5.168.175.17, 55856.  Local: 39359, Remote: 15 (ref=0/0).  LNS session is 'default'
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: start_pppd: I'm running:
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "/usr/sbin/pppd"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "/dev/pts/1"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "passive"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "nodetach"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "192.168.42.1:192.168.42.10"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "refuse-pap"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "auth"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "require-chap"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "name"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "l2tpd"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "file"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: "/etc/ppp/options.xl2tpd"
Aug 8 09:39:02 wolfeefree xl2tpd[9079]: Call established with 5.168.175.17, PID: 9124, Local: 22017, Remote: 2593, Serial: 1
```

hwdsl2 commented 2 years ago

@mattiarainieri Hello! This could be an IPTables rules issue on your VPN server. Please post the output of:

```
sudo iptables -nvL; sudo iptables -nvL -t nat
```

Another possibility (less likely) is that your server provider is blocking certain outgoing connections. You can test using e.g. wget or curl from a terminal after SSH to the VPN server.

An alternative solution to try is to install the VPN on a new cloud server instance or try a new server provider.

hwdsl2 commented 2 years ago

@mattiarainieri I'm closing this but if you have additional information, feel free to reply here for further troubleshooting.

mattiarainieri commented 2 years ago

@hwdsl2 My apologies for the delay, but I haven't been home these days; this is the content of my iptables rules.

```
Chain INPUT (policy ACCEPT 1608K packets, 178M bytes)
 pkts bytes target     prot opt in      out      source               destination
    8   560 DROP       udp  --  *       *        0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol none
    1    88 DROP       all  --  *       *        0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  951  153K ACCEPT     all  --  *       *        0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   956 ACCEPT     udp  --  *       *        0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
    1   112 ACCEPT     udp  --  *       *        0.0.0.0/0            0.0.0.0/0            udp dpt:1701 policy match dir in pol ipsec
    0     0 DROP       udp  --  *       *        0.0.0.0/0            0.0.0.0/0            udp dpt:1701

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 DROP       all  --  *       *        0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  enp0s3  ppp+     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  199 14157 ACCEPT     all  --  ppp+    enp0s3   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+    ppp+     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  enp0s3  *        0.0.0.0/0            192.168.43.0/24      ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *       enp0s3   192.168.43.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *       ppp+     192.168.43.0/24      0.0.0.0/0
  448 82661 DOCKER-USER  all  --  *     *        0.0.0.0/0            0.0.0.0/0
  448 82661 DOCKER-ISOLATION-STAGE-1  all  --  *  *  0.0.0.0/0        0.0.0.0/0
  213 36898 ACCEPT     all  --  *       docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   36 16652 DOCKER     all  --  *       docker0  0.0.0.0/0            0.0.0.0/0
  199 29111 ACCEPT     all  --  docker0 !docker0 0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *       *        0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1001K packets, 1492M bytes)
 pkts bytes target     prot opt in      out      source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in      out      source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in      out      source               destination
  199 29111 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0  0.0.0.0/0
  448 82661 RETURN     all  --  *       *        0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in      out      source               destination
    0     0 DROP       all  --  *       docker0  0.0.0.0/0            0.0.0.0/0
  199 29111 RETURN     all  --  *       *        0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in      out      source               destination
  448 82661 RETURN     all  --  *       *        0.0.0.0/0            0.0.0.0/0
```

```
Chain PREROUTING (policy ACCEPT 240K packets, 11M bytes)
 pkts bytes target     prot opt in      out      source               destination
 240K   11M DOCKER     all  --  *       *        0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 88446 packets, 4535K bytes)
 pkts bytes target     prot opt in      out      source               destination

Chain OUTPUT (policy ACCEPT 10319 packets, 859K bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 DOCKER     all  --  *       *        0.0.0.0/0            !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 10339 packets, 866K bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 MASQUERADE all  --  *       enp0s3   192.168.42.0/24      0.0.0.0/0
    0     0 MASQUERADE all  --  *       enp0s3   192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
   78  5314 MASQUERADE all  --  *       !docker0 172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in      out      source               destination
    0     0 RETURN     all  --  docker0 *        0.0.0.0/0            0.0.0.0/0
```

Thank you so much for your support 👍🏻

hwdsl2 commented 2 years ago

@mattiarainieri Thanks for the update. Your IPTables rules look fine. However, the two MASQUERADE rules in the chain POSTROUTING of table nat do not show any traffic counters (they show 0). I guess it may be because the IPTables rules added by docker interfere with the rules added for the VPN. Another possibility is that you have customized the 192.168.42.0/24 and/or 192.168.43.0/24 subnets when installing the VPN, but the IPTables rules weren't updated accordingly.

I would suggest that you install the VPN on another new server instance (without Docker).
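The diagnosis above rests on one observation: the two VPN MASQUERADE rules in the nat POSTROUTING chain show 0 packets even though clients authenticate, so their traffic is never source-NATed to the uplink. The script below is an added example written for this thread; it is not part of the setup-ipsec-vpn project nor hwdsl2's code. It reads saved `iptables -nvL -t nat` output (or a constructed sample shaped like the output posted above) and reports, for each VPN client subnet, whether the POSTROUTING MASQUERADE rule exists and whether its packet counter has ever moved. The subnet list (192.168.42.0/24 and 192.168.43.0/24, the defaults seen in this thread) is an assumption; pass your own if you customized them.

```shell
#!/bin/sh
# Added example for this issue thread (not project code): check the VPN
# MASQUERADE rules in nat POSTROUTING for presence and traffic counters.
# Usage: sh check_vpn_nat.sh saved_nat_output.txt   (e.g. from
#        sudo iptables -nvL -t nat > saved_nat_output.txt)
# With no argument it runs against the constructed sample below.

# Constructed sample, shaped like `iptables -nvL -t nat` output (not a real capture).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 10339 packets, 866K bytes)
 pkts bytes target     prot opt in      out      source               destination
    0     0 MASQUERADE all  --  *       enp0s3   192.168.42.0/24      0.0.0.0/0
    0     0 MASQUERADE all  --  *       enp0s3   192.168.43.0/24      0.0.0.0/0            policy match dir out pol none
   78  5314 MASQUERADE all  --  *       !docker0 172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in      out      source               destination
    0     0 RETURN     all  --  docker0 *        0.0.0.0/0            0.0.0.0/0'

# masq_pkts NAT_OUTPUT SUBNET
# Prints the packet counter of the POSTROUTING MASQUERADE rule whose source
# column equals SUBNET, or "missing" if no such rule exists. Only the
# POSTROUTING chain is inspected; with -nv the columns are
# pkts bytes target prot opt in out source destination, so source is $8.
masq_pkts() {
  printf '%s\n' "$1" | awk -v subnet="$2" '
    /^Chain / { in_post = ($2 == "POSTROUTING"); next }
    in_post && $3 == "MASQUERADE" && $8 == subnet { print $1; found = 1; exit }
    END { if (!found) print "missing" }'
}

# masq_status NAT_OUTPUT SUBNET -> ok | idle | missing
# "idle" is the symptom from this thread: the rule is installed but no
# packet has ever matched it, so client traffic is not being NATed.
masq_status() {
  pkts=$(masq_pkts "$1" "$2")
  case "$pkts" in
    missing) echo missing ;;
    0)       echo idle ;;
    *)       echo ok ;;
  esac
}

# check_vpn_nat NAT_OUTPUT SUBNET...
# Prints one line per subnet; returns 1 if any subnet is not "ok".
check_vpn_nat() {
  nat=$1; shift
  rc=0
  for s in "$@"; do
    st=$(masq_status "$nat" "$s")
    printf '%-18s %s\n' "$s" "$st"
    [ "$st" = ok ] || rc=1
  done
  return $rc
}

# Assumed client subnets: the installer defaults seen in this thread.
VPN_SUBNETS='192.168.42.0/24 192.168.43.0/24'
if [ $# -gt 0 ]; then
  NAT_OUTPUT=$(cat "$1")
else
  NAT_OUTPUT=$SAMPLE_NAT
fi
# shellcheck disable=SC2086  # word-splitting of VPN_SUBNETS is intended
check_vpn_nat "$NAT_OUTPUT" $VPN_SUBNETS ||
  echo 'one or more VPN subnets have no working MASQUERADE rule: check for a customized subnet or rules (e.g. Docker) that were added after the VPN installer ran'
```

On the sample this prints `idle` for both VPN subnets, which is exactly what the posted output shows. An `idle` result after a client has connected and tried to reach the internet means the packets never reached the rule, so the next thing to compare is the subnet pppd hands out (the `192.168.42.1:192.168.42.10` argument in the xl2tpd log) against the source column of the rule; a `missing` result means the rule itself was lost, for example when another tool rewrote the nat table.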

mattiarainieri commented 2 years ago

@hwdsl2 You are so kind 🙌🏻. I installed Docker after the installation of the script, as an alternative, because the VPN didn't work fine. I can also try to uninstall Docker and retry, but I fear I'll have the same result. I also didn't change anything in the configuration (like IP class or subnet). That's so strange 😳

Edit: I've restored an old iptables configuration, re-run the installation script, and now, finally, everything works fine.
I couldn't have done it without your help; thank you for your help and patience 🎉