OpenVPN Connection Established but No Internet Access: Troubleshooting Routing and Forwarding Issues on Arch Linux Server



When your OpenVPN client connects successfully to the Arch Linux server but fails to route internet traffic, you're typically facing one of these core issues:

  • Incorrect network interface configuration
  • Missing IP forwarding rules
  • Improper NAT/masquerading setup
  • DNS resolution failures

First verify these critical settings on your OpenVPN server:

# Check IP forwarding status
sysctl net.ipv4.ip_forward

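# If not enabled (should return 1), activate it for the running system:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make it persistent by putting this line in a file under /etc/sysctl.d/
# (systemd-sysctl on Arch does not read /etc/sysctl.conf):
#   net.ipv4.ip_forward = 1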

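For NAT functionality (assuming your server's public interface is eth0). As written, the first rule masquerades every forwarded source leaving eth0; add an -s match on the VPN subnet to limit NAT to VPN clients: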

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Persist the rules (on Arch Linux using iptables-save):

iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables

Your client configuration should include these directives:

client
dev tun
proto udp
remote your.server.ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# cipher must match the server; OpenVPN 2.5+ negotiates data-ciphers (AES-256-GCM by default)
cipher AES-256-CBC
verb 3
redirect-gateway def1

If the browser hangs at "looking up...", try pushing DNS servers to the clients:

# Add to server.conf
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Troubleshoot with these commands on client and server:

# Check routing table
ip route show

# Test basic connectivity
ping 8.8.8.8
ping google.com

# Verify DNS
nslookup example.com
dig example.com

# Check interface
ip addr show tun0

For Arch Linux systems using systemd-networkd:

# /etc/systemd/network/80-vpn.network
[Match]
Name=tun0

[Network]
IPForward=yes

When your OpenVPN client successfully connects to an Arch Linux server but fails to access the internet (browser stuck at "looking up..."), this typically indicates a routing or forwarding configuration issue. Let's break down the key components:

First, verify your OpenVPN server configuration. The critical parameters in /etc/openvpn/server.conf should include:


push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
dev tun
proto udp
server 10.8.0.0 255.255.255.0

On your Arch Linux server, check if IP forwarding is enabled:


# Check current setting
sysctl net.ipv4.ip_forward

# Enable if not active (persistent)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/99-sysctl.conf
# Reload all sysctl.d files; a bare "sysctl -p" reads only /etc/sysctl.conf
sysctl --system

Proper NAT masquerading is essential. Add these iptables rules (or nftables equivalent):


iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
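
The two NAT rule sets on this page differ in one respect: the first masquerades any source leaving eth0, the second only 10.8.0.0/24. The script below is an added example, not part of the original page; it audits iptables-save output for the three rules above and flags the unscoped form. The function names and the sample ruleset are constructed for illustration, and eth0, tun0 and 10.8.0.0/24 are the values this page assumes.

```shell
#!/bin/sh
# Added example: audit iptables-save output for the VPN forwarding path.
# Assumed values, taken from the commands on this page:
VPN_NET="10.8.0.0/24"; WAN_IF="eth0"; TUN_IF="tun0"

# Constructed sample ruleset in iptables-save format (not captured from a host).
sample_rules() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save output on stdin, prints findings, returns 1 on any FAIL.
audit_rules() {
  awk -v net="$VPN_NET" -v wan="$WAN_IF" -v tun="$TUN_IF" '
    /^-A POSTROUTING / && /-j MASQUERADE/ && index($0, " -o " wan " ") {
      if (index($0, " -s " net " ")) scoped = 1
      else if ($0 !~ / -s /) open = 1      # NATs any source leaving wan
    }
    /^-A FORWARD / && /-j ACCEPT/ {
      if (index($0, " -i " tun " ") && index($0, " -o " wan " ")) out = 1
      if (index($0, " -i " wan " ") && index($0, " -o " tun " ") &&
          /(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) back = 1
    }
    END {
      if (scoped) print "OK masquerade limited to " net
      if (open)   print "WARN masquerade on " wan " has no -s match"
      if (!scoped && !open) { print "FAIL no MASQUERADE rule for " net " on " wan; bad = 1 }
      if (!out)  { print "FAIL no FORWARD accept " tun " -> " wan; bad = 1 }
      if (!back) { print "FAIL no RELATED,ESTABLISHED rule " wan " -> " tun; bad = 1 }
      exit bad + 0
    }'
}

# Stand-alone run: audit the sample. On a server: iptables-save | audit_rules
sample_rules | audit_rules
```

On the server, run it as root with `iptables-save | audit_rules` after adjusting the three variables to your interface names and VPN subnet.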

The "looking up..." issue suggests DNS problems. Try these client-side fixes:


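# Linux client DNS fix (systemd-resolved)
sudo resolvectl dns tun0 8.8.8.8 8.8.4.4
sudo resolvectl domain tun0 '~.'

# Alternative for Linux clients that use resolvconf (the script path below is a
# Linux path, so this does not apply to Windows clients).
# Add these to your client.ovpn:
# script-security 2 lets OpenVPN run these scripts, so keep the script
# root-owned and not writable by other users
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf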

When basic fixes don't work, try these diagnostic commands:


# Check routes
ip route show table all

# Verify DNS
dig example.com @8.8.8.8
nslookup example.com

# Packet tracing
tcpdump -i tun0 -n
tcpdump -i eth0 -n port 53

To isolate the issue, temporarily configure a full tunnel:


# Server config addition
push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 0.0.0.0"

# Client verification
curl ifconfig.me
traceroute 8.8.8.8