sooprtruffaut

SSL VPN gateway connects to Air. Server but clients connected to gateway have no internet access


Hey,

 

I'm using a Raspberry Pi as a VPN gateway. Stunnel and openvpn are installed and appear to be configured correctly, as the Pi connects with the AirVPN server through stunnel, as expected.

 

The problem arises on the client side: no device can connect to the internet when given a static IP address with the Pi's internal address as the gateway.

 

This has me stumped and if anyone has any suggestion or sees anything suspect there please let me know. I can post info if needed. Thanks!
 

I suspect something is up with the Pi's iptables. Here are the rules I'm using:

 

*nat
:PREROUTING ACCEPT [1:148]
:INPUT ACCEPT [1:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
 
*filter
 
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Forward all data related to our requests
-A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
 
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
 
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
 
# Allows SSH connections 
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
 
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
 
COMMIT
 

 

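One way to check what the ruleset in the post above says about forwarding, added here as an example and not part of the original post: this Python code parses iptables-save style text and reports whether the nat table masquerades out of tun0, whether the filter table sets a FORWARD policy, and whether any FORWARD rule accepts NEW connections. The function names, the eth0 LAN interface and the EXPLICIT variant are assumptions, and negated matches (`!`) are not handled.

```python
import shlex

def parse_ruleset(text):
    """Parse iptables-save style text into {table: {"policies", "rules"}}."""
    tables, cur = {}, {"policies": {}, "rules": []}  # lines before a *table are dropped
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):                      # table header, e.g. *filter
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif line.startswith("-A "):                  # comments and COMMIT fall through
            cur["rules"].append(shlex.split(line))
    return tables

def opt(rule, *names):  # value following the first of `names` found in the rule
    for name in names:
        if name in rule[:-1]:
            return rule[rule.index(name) + 1]
    return None

def audit_gateway(text, vpn_if="tun0"):
    """Report what the ruleset itself says about forwarding into the VPN."""
    tables = parse_ruleset(text)
    nat, flt = tables.get("nat", {}), tables.get("filter", {})
    accepts = [r for r in flt.get("rules", [])
               if r[1] == "FORWARD" and opt(r, "-j") == "ACCEPT"]
    def admits_new(rule):  # no state match at all, or a state list containing NEW
        states = opt(rule, "--state", "--ctstate")
        return states is None or "NEW" in states.split(",")
    return {
        "masquerade": any(r[1] == "POSTROUTING" and opt(r, "-o") == vpn_if
                          and opt(r, "-j") == "MASQUERADE" for r in nat.get("rules", [])),
        "forward_policy": flt.get("policies", {}).get("FORWARD"),  # None: not set here
        "forward_accepts_new": any(admits_new(r) and opt(r, "-o") in (None, vpn_if)
                                   for r in accepts),
    }

# Condensed from the ruleset in the post above (INPUT and OUTPUT rules omitted).
POSTED = """*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
COMMIT
"""
# Constructed variant: explicit default-deny plus a LAN-to-VPN rule (eth0 assumed).
EXPLICIT = POSTED.replace("*filter\n", "*filter\n:FORWARD DROP [0:0]\n"
                          "-A FORWARD -i eth0 -o tun0 -m state --state NEW -j ACCEPT\n")
print(audit_gateway(POSTED), audit_gateway(EXPLICIT), sep="\n")
```

For the posted rules the report shows a MASQUERADE rule on tun0, no FORWARD policy set in the file, and no FORWARD rule that admits NEW connections, so the file itself does not decide whether a client's first packet is forwarded.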

I've also noticed that since adding the stunnel part to the chain, the Pi will not allow internet access as it once did through the aforementioned iptables. Disabling the stunnel connection to AirVPN doesn't even allow any traffic through whatsoever.

 

netstat -nr also shows these routing tables are identical when the VPN is established, as well as disabled. Shouldn't there be a longer route here when it's established?

 

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.50.0.161     128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.50.0.1       10.50.0.161     255.255.255.255 UGH       0 0          0 tun0
10.50.0.161     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
119.81.25.209   192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
127.0.0.1       192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       10.50.0.161     128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
