kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

I can connect to OpenVPN but there is no internet connection #220

Open tapir opened 7 years ago

tapir commented 7 years ago

I've followed the instructions here. I can successfully connect to OpenVPN but there is no internet connection afterwards.

Any ideas?

tapir commented 7 years ago

Here are some logs from the container:

Fri Feb 17 13:38:47 2017 OpenVPN 2.3.14 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 18 2016
Fri Feb 17 13:38:47 2017 library versions: LibreSSL 2.4.4, LZO 2.09
Fri Feb 17 13:38:47 2017 Diffie-Hellman initialized with 2048 bit key
Fri Feb 17 13:38:47 2017 Control Channel Authentication: using '/etc/openvpn/pki/ta.key' as a OpenVPN static key file
Fri Feb 17 13:38:47 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 17 13:38:47 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 17 13:38:47 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 17 13:38:47 2017 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Fri Feb 17 13:38:47 2017 TUN/TAP device tun0 opened
Fri Feb 17 13:38:47 2017 TUN/TAP TX queue length set to 100
Fri Feb 17 13:38:47 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Feb 17 13:38:47 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Feb 17 13:38:47 2017 /sbin/ip addr add dev tun0 local 192.168.255.1 peer 192.168.255.2
Fri Feb 17 13:38:47 2017 /sbin/ip route add 192.168.255.0/24 via 192.168.255.2
Fri Feb 17 13:38:47 2017 GID set to nogroup
Fri Feb 17 13:38:47 2017 UID set to nobody
Fri Feb 17 13:38:47 2017 UDPv4 link local (bound): [undef]
Fri Feb 17 13:38:47 2017 UDPv4 link remote: [undef]
Fri Feb 17 13:38:47 2017 MULTI: multi_init called, r=256 v=256
Fri Feb 17 13:38:47 2017 IFCONFIG POOL: base=192.168.255.4 size=62, ipv6=0
Fri Feb 17 13:38:47 2017 Initialization Sequence Completed
Fri Feb 17 13:39:15 2017 195.46.137.11:44317 TLS: Initial packet from [AF_INET]195.46.137.11:44317, sid=156bc728 e0bea982
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 VERIFY OK: depth=1, CN=cosku
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 VERIFY OK: depth=0, CN=coskuclient
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 [coskuclient] Peer Connection Initiated with [AF_INET]195.46.137.11:44317
Fri Feb 17 13:39:16 2017 coskuclient/195.46.137.11:44317 MULTI_sva: pool returned IPv4=192.168.255.6, IPv6=(Not enabled)
Fri Feb 17 13:39:16 2017 coskuclient/195.46.137.11:44317 MULTI: Learn: 192.168.255.6 -> coskuclient/195.46.137.11:44317
Fri Feb 17 13:39:16 2017 coskuclient/195.46.137.11:44317 MULTI: primary virtual IP for coskuclient/195.46.137.11:44317: 192.168.255.6
Fri Feb 17 13:39:18 2017 coskuclient/195.46.137.11:44317 PUSH: Received control message: 'PUSH_REQUEST'
Fri Feb 17 13:39:18 2017 coskuclient/195.46.137.11:44317 send_push_reply(): safe_cap=940
Fri Feb 17 13:39:18 2017 coskuclient/195.46.137.11:44317 SENT CONTROL [coskuclient]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5' (status=1)

and here are some logs from the host:

$ docker ps
2902dd926e28        kylemanna/openvpn     "ovpn_run"          3 seconds ago       Up 2 seconds        178.63.128.3:1194->1194/udp   confident_wright
$ ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:a3:04:bc:7c
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:a3ff:fe04:bc7c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5961 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6149189 (6.1 MB)  TX bytes:832911 (832.9 KB)

eth0      Link encap:Ethernet  HWaddr 00:1e:67:c4:74:7e
          inet addr:178.63.128.3  Bcast:178.63.101.63  Mask:255.255.255.192
          inet6 addr: fe80::21e:67ff:fec4:747e/64 Scope:Link
          inet6 addr: 2a01:4f8:121:50a4::2/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:55659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37002 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50036458 (50.0 MB)  TX bytes:10117283 (10.1 MB)
          Memory:b1100000-b117ffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:107 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:9294 (9.2 KB)  TX bytes:9294 (9.2 KB)

veth49812b6 Link encap:Ethernet  HWaddr 62:17:58:3d:30:1c
          inet6 addr: fe80::6017:58ff:fe3d:301c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:418 (418.0 B)  TX bytes:360 (360.0 B)
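Two things in the container log above are worth checking before touching anything else: the PUSH_REPLY sent to the client contains DNS servers and a route for 192.168.255.1 but no `redirect-gateway` entry, and the data channel negotiated BF-CBC, which triggers OpenVPN's own SWEET32 warning. The script below is an added triage helper, not part of docker-openvpn and not from anyone in this thread. Each check reads command output on stdin, so it runs on the pasted log as well as on live output from `docker logs`, `iptables -t nat -S POSTROUTING` and `sysctl net.ipv4.ip_forward`. The PUSH_REPLY and cipher lines in the sample are copied from the log above; the iptables and sysctl snippets, the VPN subnet 192.168.255.0/24 (taken from the `ip route add` line in the log) and the container name `ovpn` are assumptions.

```shell
#!/bin/sh
# Added triage helpers (not part of docker-openvpn). Every check reads command
# output on stdin, so it works on a pasted log as well as on live output.

# Print the options from the last PUSH_REPLY line of an OpenVPN server log,
# one per line.
push_options() {
    grep 'PUSH_REPLY' | tail -n 1 \
        | sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" \
        | tr ',' '\n'
}

# 0 if the server pushes a default route (redirect-gateway) to clients.
# Without it the client keeps its original default route and only traffic for
# the VPN subnet enters the tunnel, so "no Internet through the VPN" is the
# expected split-tunnel behaviour rather than a fault.
pushes_default_route() {
    push_options | grep -q '^redirect-gateway'
}

# 0 if the server pushes at least one DNS server (dhcp-option DNS ...).
pushes_dns() {
    push_options | grep -q '^dhcp-option DNS '
}

# 0 if the data channel negotiated a 64-bit block cipher (the SWEET32 warning
# seen in the log); the warning text itself suggests an AES cipher instead.
weak_data_cipher() {
    grep -q 'INSECURE cipher with block size less than 128 bit'
}

# 0 if "iptables -t nat -S POSTROUTING" output has a MASQUERADE or SNAT rule
# for the VPN subnet given as $1. Without it, replies to forwarded client
# packets have no way back into the tunnel.
nat_covers_subnet() {
    grep -F -e "-s $1" | grep -Eq -e '-j (MASQUERADE|SNAT)'
}

# 0 if "sysctl net.ipv4.ip_forward" output shows forwarding enabled in the
# network namespace that routes between tun0 and eth0.
forwarding_enabled() {
    grep -q 'net.ipv4.ip_forward *= *1'
}

# Sample inputs: the two log lines are copied from the container log in this
# thread; the nat and sysctl snippets are constructed to show both outcomes.
sample_log() {
    cat <<'EOF'
Fri Feb 17 13:39:16 2017 195.46.137.11:44317 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Fri Feb 17 13:39:18 2017 coskuclient/195.46.137.11:44317 SENT CONTROL [coskuclient]: 'PUSH_REPLY,block-outside-dns,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5' (status=1)
EOF
}
nat_with_masquerade() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
EOF
}
nat_without_masquerade() { echo '-P POSTROUTING ACCEPT'; }
forwarding_on()  { echo 'net.ipv4.ip_forward = 1'; }
forwarding_off() { echo 'net.ipv4.ip_forward = 0'; }

# Verdicts over the samples. For a live container (name "ovpn" is an
# assumption) feed the real commands instead, e.g.:
#   docker logs ovpn | pushes_default_route
#   docker exec ovpn iptables -t nat -S POSTROUTING | nat_covers_subnet 192.168.255.0/24
#   docker exec ovpn sysctl net.ipv4.ip_forward | forwarding_enabled
sample_log | pushes_default_route && echo 'default route: pushed' \
    || echo 'default route: NOT pushed (split tunnel, Internet stays on the original interface)'
sample_log | pushes_dns && echo 'DNS: pushed' || echo 'DNS: not pushed'
sample_log | weak_data_cipher && echo 'cipher: 64-bit block cipher in use, switch to AES' \
    || echo 'cipher: ok'
nat_with_masquerade | nat_covers_subnet 192.168.255.0/24 && echo 'NAT: ok' || echo 'NAT: missing'
forwarding_on | forwarding_enabled && echo 'forwarding: on' || echo 'forwarding: off'
```

Run the checks in this order: if no default route is pushed, the client was never meant to send Internet traffic through the tunnel and the NAT and forwarding checks are moot; if it is pushed but NAT or forwarding is missing, packets enter the tunnel and are dropped on the way out. Test with an IP address (`ping 8.8.8.8`) before testing by name, so that a DNS problem is not mistaken for a routing one.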

smurfster commented 7 years ago

I had this problem until I changed one of the docker commands: look for udp://VPN.SERVERNAME.COM and change it to your own IP/host, udp://

That fixed it for me.

pwl commented 7 years ago

I have the same problem. I already changed the server name in udp://VPN.SERVERNAME.COM to my public IP address, but I still can't ping 8.8.8.8. I did everything according to the instructions in README.md (without any additional configuration options); I'm using an Arch Linux-based system on an ovh.com VPS. The strange thing is that it worked the first time I tested it, then it stopped working, so I reinstalled the VPS and pulled the docker image on a clean system, but without any effect.

EDIT: you can find the logs here

EDIT: I added the options -Nd to the openvpn config according to this note, regenerated the ovpn config files for clients and now it's working.

dannywillems commented 7 years ago

Is it fixed for someone except @pwl? Same issue for me, but @pwl's solution doesn't work.

pwl commented 7 years ago

@dannywillems Since I wrote the above I actually managed to set up a few different docker images using the -Ndcu options and they are all working fine. The only issue with this setup is that I'm actually connecting to the Internet through the original interface instead of through the VPN (my goal was to connect two computers which are both behind a NAT), so that won't work if you are trying to set up a VPN as an encrypted tunnel to the outside world.
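What pwl describes is a split tunnel: in this image's `ovpn_genconfig`, `-d` disables the pushed default route (and `-N` adds NAT for the VPN subnet), so the client reaches the server's VPN subnet through tun0 while everything else keeps using the original interface. The quickest way to tell the two cases apart on a Linux client is to look at the routing table after connecting: `redirect-gateway def1` installs `0.0.0.0/1` and `128.0.0.0/1` via the tunnel, which beat the original `0.0.0.0/0` by prefix length without removing it. The script below is an added client-side check, not part of docker-openvpn or of any comment here. It reads `ip route show` output on stdin; the two route snapshots are constructed, with tunnel addresses taken from the PUSH_REPLY in this thread (`ifconfig 192.168.255.6 192.168.255.5`) and the server address 178.63.128.3 from the `docker ps` output, while the client LAN 10.0.0.0/24 is made up.

```shell
#!/bin/sh
# Added client-side check (not part of docker-openvpn): reads "ip route show"
# output on stdin and reports which interface Internet-bound traffic will use.

# Print the interface that carries Internet-bound traffic: the /1 routes that
# redirect-gateway def1 installs if present, otherwise the ordinary default.
default_route_iface() {
    awk '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev") half = $(i + 1)
        }
        $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") def = $(i + 1)
        }
        END { if (half != "") print half; else if (def != "") print def }
    '
}

# 0 when Internet traffic goes through a tun device, 1 when it still leaves
# via the original interface (the split-tunnel situation pwl describes).
internet_via_tunnel() {
    case "$(default_route_iface)" in
        tun*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed "ip route show" snapshots for a Linux client. The host route for
# 178.63.128.3 via the original gateway is what OpenVPN adds so the tunnel's
# own packets do not loop back into the tunnel.
routes_full_tunnel() {
    cat <<'EOF'
0.0.0.0/1 via 192.168.255.5 dev tun0
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
128.0.0.0/1 via 192.168.255.5 dev tun0
178.63.128.3 via 10.0.0.1 dev eth0
192.168.255.1 via 192.168.255.5 dev tun0
192.168.255.5 dev tun0 proto kernel scope link src 192.168.255.6
EOF
}
# Same client without a pushed default route: the two /1 routes are absent.
routes_split_tunnel() {
    routes_full_tunnel | grep -v '/1 '
}

# Usage on a real client after connecting:  ip route show | internet_via_tunnel
echo "full tunnel  -> $(routes_full_tunnel  | default_route_iface)"
echo "split tunnel -> $(routes_split_tunnel | default_route_iface)"
```

If the check reports the original interface while you expected a full tunnel, regenerate the server config without `-d` (so that the default route is pushed) and reissue the client configs; if a split tunnel is what you want, as in pwl's two-machines-behind-NAT case, the output is simply confirming that only VPN-subnet traffic is encrypted.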