Some questions about the OpenVPN server

Hello,
My OpenVPN server has two NICs as below:

enp0s3: (NAT)
enp0s8: (Local)

I installed OpenVPN on it and its configuration is as follows:

# cat /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

I started the OpenVPN service and it made a virtual NIC:

# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:feed:b47c  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
        RX packets 7010  bytes 4245282 (4.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4989  bytes 938827 (916.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe74:6397  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:74:63:97  txqueuelen 1000  (Ethernet)
        RX packets 3335  bytes 611417 (597.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1060  bytes 259691 (253.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 19  bytes 1824 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19  bytes 1824 (1.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::3b8a:eb82:bdad:49a5  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 133  bytes 9116 (8.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 456 (456.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then I connected a Windows machine to my OpenVPN server. Windows did not have internet access. After that, I added the following iptables rules:

# IF_MAIN=enp0s3
# IF_TUNNEL=tun0
# YOUR_OPENVPN_SUBNET=10.8.0.0/16
# iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
# iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE

The Internet is OK and Windows can ping targets by their IP address, but not by their name. I installed Dnsmasq on my OpenVPN server and configured it. After that, I added the following iptables rules:

# iptables -A FORWARD -i enp0s8 -o enp0s3 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT
# iptables -A FORWARD -j LOG
# iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE

And I changed the push "dhcp-option DNS IP" line in the OpenVPN configuration to my local OpenVPN server IP.

Problem solved. I have some questions:

1- I want to know whether this is normal. Why didn't OpenVPN share the Internet by default? Is it because I have two NICs?

2- How about the ping problem? Is a DNS server needed for an OpenVPN server?

Thank you.

OpenVPN is designed to create a secure tunnel between two endpoints with virtual network interfaces. iptables and nftables are the right tools to use for NAT. By the way, openvpn has the “client nat” option, but this is different from the NAT defined by iptables.

The DNS depends on the network config. If the Windows PC is not connected to the internet, it might be using, via DHCP, a DNS server on the LAN, which could be masked by the VPN routing. The push dhcp-option DNS gives Windows an accessible DNS server again.

Ping using a hostname does require that DNS be active. That can be configured as a local DNS server, or as pass-through of the DNS requests in both directions. If DNS does not work for the client, then many problems will be seen.

It seems your firewall rules solved the issue.
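One point worth tightening in the rules from the question: the NAT rules use 10.8.0.0/16 while server.conf hands out 10.8.0.0/24, so the masquerade matches far more than the tunnel actually carries. The script below is an added example (not from the original post or from the OpenVPN project) that derives the subnet from the "server <network> <netmask>" line, so the FORWARD and POSTROUTING rules are scoped to exactly the tunnel subnet and interface; it also emits the ip_forward sysctl that kernel forwarding needs. The config it reads is a constructed sample written to a temp file, and the interface names enp0s3/tun0 are taken from the question.

```shell
#!/bin/sh
# Added example: scope the VPN NAT rules to the subnet OpenVPN actually serves.

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   echo "bad netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# Read the "server <network> <netmask>" line from an OpenVPN server config
# and print it as CIDR, so the firewall never trusts a hand-typed subnet.
vpn_subnet_from_conf() {
    set -- $(grep -E '^server[[:space:]]' "$1" | head -n 1)
    [ "$#" -eq 3 ] || { echo "no server line in config" >&2; return 1; }
    echo "$2/$(mask_to_prefix "$3")"
}

# Print the rules needed for VPN clients to reach the Internet via the WAN
# interface: forwarding enabled, outbound limited to the tunnel subnet coming
# in on tun0, replies limited to established flows, NAT only for that subnet.
nat_rules() {
    subnet=$1; wan=$2; tun=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $wan -j MASQUERADE
EOF
}

# Constructed sample config mirroring the poster's "server 10.8.0.0 255.255.255.0".
SAMPLE_CONF=$(mktemp)
printf 'port 1194\nserver 10.8.0.0 255.255.255.0\n' > "$SAMPLE_CONF"
nat_rules "$(vpn_subnet_from_conf "$SAMPLE_CONF")" enp0s3 tun0
rm -f "$SAMPLE_CONF"
```

Run it as a normal user to review the generated rules; only the printed commands themselves need root.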