OpenVPN Connection Established but No Internet Access: Troubleshooting Routing and Forwarding Issues on Arch Linux Server


When your OpenVPN client connects successfully to the Arch Linux server but fails to route internet traffic, you're typically facing one of these core issues:

  • Incorrect network interface configuration
  • Missing IP forwarding rules
  • Improper NAT/masquerading setup
  • DNS resolution failures

First verify these critical settings on your OpenVPN server:

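# Check IP forwarding status (should return 1)
sysctl net.ipv4.ip_forward

# If it returns 0, enable it for the running system:
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make it persistent by adding this line to a file under /etc/sysctl.d/
# (for example /etc/sysctl.d/99-sysctl.conf; systemd on Arch does not apply /etc/sysctl.conf at boot):
#   net.ipv4.ip_forward = 1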

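For NAT functionality (assuming your server's public interface is eth0). Note that the first rule masquerades everything leaving eth0; adding -s with the VPN subnet, as in the rule set further down this page, limits NAT to VPN clients: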

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Persist the rules (on Arch Linux using iptables-save):

iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables

Your client configuration should include these directives:

client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
redirect-gateway def1

If the browser hangs at "looking up...", try pushing DNS servers to the clients:

# Add to server.conf
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Troubleshoot with these commands on client and server:

# Check routing table
ip route show

# Test basic connectivity
ping 8.8.8.8
ping google.com

# Verify DNS
nslookup example.com
dig example.com

# Check interface
ip addr show tun0

For Arch Linux systems using systemd-networkd:

# /etc/systemd/network/80-vpn.network
[Match]
Name=tun0

[Network]
IPForward=yes

When your OpenVPN client successfully connects to an Arch Linux server but fails to access the internet (browser stuck at "looking up..."), this typically indicates a routing or forwarding configuration issue. Let's break down the key components:

First, verify your OpenVPN server configuration. The critical parameters in /etc/openvpn/server.conf should include:


push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
dev tun
proto udp
server 10.8.0.0 255.255.255.0

On your Arch Linux server, check if IP forwarding is enabled:


# Check current setting
sysctl net.ipv4.ip_forward

# Enable if not active (persistent), then reload every sysctl.d file
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-sysctl.conf
sysctl --system

Proper NAT masquerading is essential. Add these iptables rules (or nftables equivalent):


iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
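
To check the forwarding and NAT prerequisites above in one pass, this added example (not part of the original page) audits a sysctl value and iptables-save text. The function names are hypothetical, and the 10.8.0.0/24, eth0 and tun0 defaults are taken from the page's commands.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# the subnet and interface defaults are the ones used in the page's commands.
VPN_NET="${VPN_NET:-10.8.0.0/24}"; WAN_IF="${WAN_IF:-eth0}"; TUN_IF="${TUN_IF:-tun0}"

# has_rule RULES REGEX: succeeds if any line of RULES matches the extended regex.
has_rule() { printf '%s\n' "$1" | grep -Eq -e "$2"; }
fail() { echo "FAIL: $*"; audit_rc=2; }
warn() { echo "WARN: $*"; if [ "$audit_rc" -lt 1 ]; then audit_rc=1; fi; }

# audit IP_FORWARD RULES: IP_FORWARD is the sysctl value, RULES is iptables-save text.
# Returns 0 = ok, 1 = works but broader than needed, 2 = clients get no internet.
audit() {
    audit_rc=0
    [ "$1" = 1 ] || fail "net.ipv4.ip_forward is '$1', expected 1"
    if ! has_rule "$2" "^-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE"; then
        fail "no MASQUERADE rule leaving $WAN_IF"
    elif ! has_rule "$2" "^-A POSTROUTING -s $VPN_NET .*-o $WAN_IF .*-j MASQUERADE"; then
        warn "MASQUERADE on $WAN_IF is not limited to source $VPN_NET"
    fi
    has_rule "$2" "^-A FORWARD .*-i $TUN_IF .*-o $WAN_IF .*-j ACCEPT" ||
        fail "no FORWARD rule accepting $TUN_IF -> $WAN_IF"
    # Return path: collect WAN -> tunnel ACCEPT rules, then look for one with no state match.
    ret=$(printf '%s\n' "$2" | grep -E -e "^-A FORWARD .*-i $WAN_IF .*-o $TUN_IF .*-j ACCEPT" || true)
    if [ -z "$ret" ]; then
        fail "no FORWARD rule for replies $WAN_IF -> $TUN_IF"
    elif printf '%s\n' "$ret" | grep -Evq -e 'state [A-Z,]*ESTABLISHED'; then
        warn "a $WAN_IF -> $TUN_IF rule accepts traffic that is not RELATED,ESTABLISHED"
    fi
    return "$audit_rc"
}

# Constructed samples in iptables-save format, mirroring the two rule sets on the page.
SAMPLE_BROAD='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_SCOPED=$(printf '%s\n' "$SAMPLE_BROAD" | sed 's|POSTROUTING -o|POSTROUTING -s 10.8.0.0/24 -o|')

audit 1 "$SAMPLE_BROAD" || true    # constructed input: reports the unscoped MASQUERADE rule
```

On a live server, run it as root with `audit "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)"`.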

The "looking up..." issue suggests DNS problems. Try these client-side fixes:


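# Linux client using systemd-resolved
sudo resolvectl dns tun0 8.8.8.8 8.8.4.4
sudo resolvectl domain tun0 '~.'

# Linux client using resolvconf: add these lines to your client.ovpn.
# update-resolv-conf is a Linux helper script, so this does not apply to Windows clients.
# script-security 2 is what allows OpenVPN to run the up/down scripts.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf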

When basic fixes don't work, try these diagnostic commands:


# Check routes
ip route show table all

# Verify DNS
dig example.com @8.8.8.8
nslookup example.com

# Packet tracing
tcpdump -i tun0 -n
tcpdump -i eth0 -n port 53

To isolate the issue, temporarily configure a full tunnel:


# Server config addition
push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 0.0.0.0"

# Client verification
curl ifconfig.me
traceroute 8.8.8.8