Openvpn client no internet through vpn tunnel

ParanoiA

I have OpenVPN server running at my house. I recently set up OpenVPN client at my dad's house so I can connect back to my house. The VPN client connects. Now here is where my problem is. When I enable selective routing and force a client at my dad's house to use the tunnel I get no internet. If I force it to go through WAN it has internet.
I've checked settings on my server and client and cannot figure out what is going wrong. I'm thinking there is an iptables setting on the client router that is not correct? I don't know. I know how to iptables -L but I don't know enough to spot something specific missing or something that shouldn't be there. I've googled but can't find anything about this specific problem. Any hints or help would be appreciated.
Also to note, when I connect to my OpenVPN server from my phone directly or laptop directly with the same .ovpn config file it seems to work fine.
 
Did you NAT the tunnel on the OpenVPN client? Because if you didn't, then packets w/ the source IP from your dad's local network can't be routed back over the tunnel!
 
I just checked, on the OpenVPN client page the "create NAT on tunnel" option is ticked for yes. I notice that it also says right below "router must be configured manually". Does that mean it must be configured manually because I have it checked yes, or does either option need manual configuration? What do I need to set manually?
 
If you do NOT NAT the tunnel, then you need to configure the routes manually.

What you haven't made clear here is the hardware and firmware used by both the OpenVPN server and OpenVPN client.

Also, did you just configure this OpenVPN recently for these purposes, or do you normally use that same OpenVPN server, as currently configured, for remote access, both to your LAN, and as a means to the internet while roaming?
 
The OpenVPN server (most up to date from repos) is running on a bare metal pfSense (most up to date) router. I have used it without issue for a while now connecting either my phone or my laptop when away from my house. Just recently I have tried setting up an ASUS AC66U router at my dad's house to connect as a client to my server. I first tried Merlin's latest build for the AC66U but then switched to John's latest build in an attempt to rule out OpenVPN version mismatches since John's build has an updated OpenVPN.
Basically on the AC66U I imported the .ovpn that I have used with my phone and laptop and used generally the default options in the GUI to try to get it to work. Nothing really custom going on. If you need any more info, let me know.
What I'm trying to do at my dad's house is use the AC66U to VPN back to my house and just run a single Roku device over the tunnel. All other traffic at his house should use the WAN, not the VPN.
 
Then I assume your OpenVPN server defaults to redirecting the OpenVPN client over the tunnel for internet purposes. But given your described needs (accessing a Roku), there's no need for the redirection. You should configure the OpenVPN client to reject the redirect gateway of your OpenVPN server, and add a route to the OpenVPN client that tells it how to reach your home network (which is, of course, over the VPN).

So add the following to the Custom Config field of the OpenVPN client.

Code:
route-nopull
route 192.168.1.0 255.255.255.0 vpn_gateway

I used 192.168.1.x as an example. Change it to your network back home.

Now the only thing that will be routed over the tunnel will be references to 192.168.1.x (using my example). And make sure to NAT the tunnel on the OpenVPN client side.

And btw, assuming this is a routed (tun) tunnel (not bridged (tap)), this will only work if the local network on each side of the tunnel is *different*. IOW, you and your dad can't both be using 192.168.1.x. They *must* be different.
 
Yes, it is a tun and both sides are using different IP addresses. I will try your suggestions tomorrow; it's getting late here, but I'll report back. Thanks for the quick responses.
 
I added those 3 settings to the client config and the VPN will not connect. I narrowed it down to the vpn_gateway command that keeps it from connecting. I added my phone to be forced through the VPN instead of the Roku because the Roku doesn't have a terminal to help diagnose my problem. When my phone is forced through the VPN I cannot ping past 192.168.3.1 (which is the local IP address of the AC66U).
 
Not sure I've made it clear. Do NOT use any form of PBR (policy based routing) w/ the suggested config. All you're trying to do here is have the tunnel used when a reference is made to the remote network behind the OpenVPN server. IOW, if your network back home is 192.168.1.0/24, and your dad's network is 192.168.3.0/24, and the device at 192.168.3.100 references 192.168.1.200, that will go over the tunnel. Anything else, including the internet, remains local to your dad's network. None of this involves PBR, so if you have PBR enabled in any way, disable it.

With PBR disabled, those two directives I gave you a) stop the OpenVPN server from changing the default gateway to your home ISP, and b) force any references to 192.168.1.0/24 over the tunnel. Why this doesn't work (assuming you have PBR disabled) escapes me.

As a sanity check, I added those exact same directives to my own OpenVPN client (connecting to a commercial OpenVPN provider), and I can tell from the OpenVPN client log that they worked. The OpenVPN client did NOT add routes to change the local routing table to the VPN, and the 192.168.1.0/24 route (that points to the VPN gateway as the route to that network, specifically, 192.168.88.2) was added.

Code:
Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/ifconfig tun21 192.168.88.1 pointopoint 192.168.88.2 mtu 1500
Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.88.2
Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/route add -net 192.168.88.0 netmask 255.255.255.0 gw 192.168.88.2

That's where the OpenVPN logs can be VERY useful, both client and server. They tell us what's happening. Dumping the routing tables (w/ the route command) helps as well.

This is pretty basic stuff and should work. But as always, if you make a misstep and configure something incorrectly (e.g., fail to NAT the tunnel), things can quickly go wrong.
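The checks described in this reply (no default route via the tunnel, a route to the home LAN via the tunnel gateway, NAT on the tunnel, and the routes the client log shows being installed) can be scripted. The following is an added example, not code from the thread or from the Merlin/John firmware. It works on three constructed inputs that mirror the thread's values (tunnel interface tun21, tunnel gateway 192.168.88.2, home LAN 192.168.1.0/24, local LAN 192.168.3.0/24); on a real client router you would feed it the output of `ip route`, `iptables -t nat -S POSTROUTING` and the OpenVPN client log instead. The function names, the WAN interface name eth0 and the address 203.0.113.1 are assumptions made for the example. It also recognises the 0.0.0.0/1 and 128.0.0.0/1 pair that OpenVPN's redirect-gateway def1 installs, which a plain "is there a default route via tun" check would miss.

```shell
#!/bin/sh
# Added example: sanity-check a split-tunnel OpenVPN client router.
# On a live router the three inputs would come from `ip route`,
# `iptables -t nat -S POSTROUTING` and the OpenVPN client log. The samples
# below are constructed to mirror the thread (tun21, 192.168.88.2, home LAN
# 192.168.1.0/24, local LAN 192.168.3.0/24, WAN eth0); they are not captures.

SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 via 192.168.88.2 dev tun21
192.168.3.0/24 dev br0 proto kernel scope link src 192.168.3.1
192.168.88.0/24 via 192.168.88.2 dev tun21
192.168.88.2 dev tun21 proto kernel scope link src 192.168.88.1'

SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun21 -j MASQUERADE'

# Constructed "broken" state: route-nopull not honoured (redirect-gateway def1
# installed two /1 routes via the tun) and the tunnel was not NATed.
BAD_ROUTES='0.0.0.0/1 via 192.168.88.2 dev tun21
128.0.0.0/1 via 192.168.88.2 dev tun21
default via 203.0.113.1 dev eth0
192.168.3.0/24 dev br0 proto kernel scope link src 192.168.3.1'
BAD_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG='Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/ifconfig tun21 192.168.88.1 pointopoint 192.168.88.2 mtu 1500
Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.88.2
Apr 15 11:36:06 router daemon.notice openvpn[14944]: /sbin/route add -net 192.168.88.0 netmask 255.255.255.0 gw 192.168.88.2'

# route_dev ROUTES PREFIX: print the device PREFIX is routed through (empty if absent).
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# default_via_tun ROUTES TUN: succeed if the tunnel has taken over the default
# route, either outright or through the 0.0.0.0/1 + 128.0.0.0/1 pair def1 uses.
default_via_tun() {
    printf '%s\n' "$1" | awk -v t="$2" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == t) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nat_on_iface NATRULES IFACE: succeed if POSTROUTING masquerades/SNATs out of IFACE.
nat_on_iface() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o $2 .*-j (MASQUERADE|SNAT)"
}

# log_routes_added LOG: list the routes the OpenVPN client actually installed.
log_routes_added() {
    printf '%s\n' "$1" | awk '/\/sbin\/route add -net/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-net") n = $(i + 1)
            if ($i == "netmask") m = $(i + 1)
            if ($i == "gw") g = $(i + 1) }
        print n "/" m " via " g }'
}

# check_split_tunnel ROUTES NATRULES HOME_PREFIX TUN: print findings and return 0
# only if (a) the default route is not via TUN, (b) HOME_PREFIX goes via TUN,
# and (c) TUN is NATed so LAN-sourced packets get answered over the tunnel.
check_split_tunnel() {
    cst_rc=0
    if default_via_tun "$1" "$4"; then
        echo "FAIL: $4 owns the default route (route-nopull not in effect)"; cst_rc=1
    else
        echo "ok: default route is not via $4"
    fi
    cst_dev=$(route_dev "$1" "$3")
    if [ "$cst_dev" = "$4" ]; then
        echo "ok: $3 is routed via $4"
    else
        echo "FAIL: $3 not routed via $4 (found: ${cst_dev:-none})"; cst_rc=1
    fi
    if nat_on_iface "$2" "$4"; then
        echo "ok: POSTROUTING NAT on $4"
    else
        echo "FAIL: no NAT on $4; replies to LAN-sourced packets cannot come back over the tunnel"; cst_rc=1
    fi
    return $cst_rc
}

echo "== routes the client installed (from log) =="
log_routes_added "$SAMPLE_LOG"
echo "== good configuration =="
check_split_tunnel "$SAMPLE_ROUTES" "$SAMPLE_NAT" 192.168.1.0/24 tun21
echo "== misconfigured client =="
check_split_tunnel "$BAD_ROUTES" "$BAD_NAT" 192.168.1.0/24 tun21 || echo "-> fix these before testing the Roku"
```

The script is plain POSIX sh plus awk and grep, so it runs on the router's busybox shell as well as on a workstation. Substituting the real outputs for the three sample variables is enough to tell which of the three conditions the client router is missing.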
 
Thank you for the reply. I will try again. Just to rephrase what I am trying to accomplish, I have a Roku at my dad's house. I am trying to make it think it is at my house so I can use the Xfinity Stream app. If the app detects it is not on my home network, it errors out and doesn't work. I'm not sure exactly how it determines in or out of home. (I decompiled the app but I'm still sifting through it to try to determine exactly.) I don't need the Roku to talk to any other devices, just to think I am using it at home. This whole setup is really an experiment but I think it should work. Also, I want only the Roku at my dad's to use the VPN tunnel to my house, no other devices at his house, because I don't have enough bandwidth or I wouldn't care. I can't use a VPN app on the Roku itself like I can with my phone or laptop, so this is a learning experience too. Again, thank you for helping me.
 