Cannot access Internet when connected to the OpenVPN server

I can reach my NAS when connected to VPN but I cannot access any internet websites.

This is what I did: (Maybe it’s a dumb question but I really don’t understand what I’m doing wrong).

  • I configured the OpenVPN server on Synology and exported the .ovpn config file.
  • Following the README file I replaced “YOUR_SERVER_IP” with my NAS IP address
  • I left “redirect-gateway def1” commented as I want a split tunnel configuration
  • and set these two lines for the DNS
    • dhcp-option DNS 8.8.8.8
    • dhcp-option DNS 8.8.4.4

And that’s it… I think I’m missing something in the DNS part but I don’t see where.

Thank you in advance and ask me if you need other specific details.

SOLVED!

The main problem was that I forgot to set a firewall rule to allow connections from the VPN subnet. That made me tinker in the config file adding “dhcp-option DNS” lines and made it worse…

Removing those lines from the config and adding the firewall rule solved the problem!

I still have to understand why with the firewall set correctly, adding the DNS in the config resulted in no internet access though.

Thanks to all who took some time to help me

Try adding #redirect-gateway ipv6 to your client config file.

Hey, can you reach 1.1.1.1 when the VPN connection is turned on? If so, it’s very likely a DNS problem. If not, can you check what the default gateway is on your client device, while the connection is on?

Something I did that was really dumb but had the same effect…

I set up the VPN but then forgot to update the firewall rules to allow traffic on the new subnet that was created.

When I added the equivalent of your 10.8.0.0/24 subnet as the number 2 rule in LAN 1 everything started working. Of course I had to hit the save button on the firewall page first.

That should do the trick

In my case with macOS, to make custom DNS rules from an OpenVPN client config (.ovpn file) work, I had to allow UDP port 53 in Synology Firewall.

Can you maybe describe your exact steps? I have the exact same problem.

Sorry for necroing, but you saved me hours of troubleshooting. May God bless your soul.

Just moved one of my customers to OpenVPN and this issue has been annoying me for hours; adding this simple line to the config has saved the day 3 years later. Thank you very much sir

Doesn’t the # mean the line is commented? From what I understand if I want a split tunnel configuration I have to leave #redirect-gateway commented. But I’m clearly missing something so correct me if I’m wrong

I do ping 1.1.1.1

Connection-specific DNS Suffix . :
Link-Local IPv6 Address . : fe80::81f2:7a2c:be48:8fe6%60                                         
IPv4 address. . . . . . . . . . . . : 10.8.0.6                                                                        
Subnet mask . . . . . . . . . . . . . : 255.255.255.252                                                                 
Default Gateway. . . . . . . . . : 

This is what ipconfig outputs when I’m connected to the vpn.

The fact that the “Connection-specific DNS Suffix” is empty may be the problem?

The Default Gateway is also empty when I’m connected to the VPN I use for work, and that one connects to the internet just fine in split tunnel.

These are my firewall rules:

LAN 1:

| PORTS | PROTOCOL | SOURCE IP | ACTION |
|---|---|---|---|
| All | All | 192.168.1.0/255.255.255.0 | Allow |
| All | All | fe89::/10 | Allow |
| VPN Server | UDP | “My country” | Allow |
| All | All | All | Deny |

VPN:

| PORTS | PROTOCOL | SOURCE IP | ACTION |
|---|---|---|---|
| “List of NAS services” | All | 10.8.0.0/255.255.255.0 | Allow |
| All | All | All | Deny |

I tried adding this subnet 10.8.0.0/255.255.255.0 to the LAN 1 rules but nothing changed…

Can you share your firewall rules to see if there’s something different I need to add? Thanks!

That was it! (Partially)

I also had to completely remove the part about the DNS in the config file.

When I set the VPN subnet rule and it did not work, I removed it immediately 'cause I thought that wasn’t the issue.

I still have to understand why with the firewall set correctly, adding the DNS in the config resulted in no internet access though.

Thank you for pointing me in the right direction!

I had to add a rule on the Synology firewall to allow connections from the VPN subnet.

So under the rule to allow connections from your LAN subnet (ex.: 192.168.1.0/24), you need to add a similar one with the VPN subnet (ex.: 10.8.0.0/24).
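Added example, not part of any post in this thread: a small model of the LAN 1 rule list, assuming the firewall evaluates rules top to bottom and stops at the first match. It shows why traffic from 10.8.0.6 hit the final Deny rule as posted, and why the position of the added 10.8.0.0/24 rule matters. The `Rule`, `evaluate` and `shadowed` names are hypothetical, and the IPv6 and country rules are left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    source: Optional[str]           # CIDR, or None for "All"
    action: str                     # "Allow" or "Deny"
    protocol: Optional[str] = None  # None means "All"
    port: Optional[int] = None      # None means "All"

    def matches(self, src, protocol, port):
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source):
            return False
        if self.protocol and self.protocol != protocol:
            return False
        return self.port is None or self.port == port

def evaluate(rules, src, protocol, port):
    """Return (1-based rule number, action) of the first matching rule."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, protocol, port):
            return number, rule.action
    return None, "NoMatch"

def shadowed(rules):
    """Rule numbers that can never match because an earlier rule covers them."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_ok = earlier.source is None or (later.source is not None and
                ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source)))
            proto_ok = earlier.protocol is None or earlier.protocol == later.protocol
            port_ok = earlier.port is None or earlier.port == later.port
            if src_ok and proto_ok and port_ok:
                hidden.append(j + 1)
                break
    return hidden

# Constructed from the rule tables in the thread (IPv4 subnet rules only).
LAN1_AS_POSTED = [Rule("192.168.1.0/24", "Allow"), Rule(None, "Deny")]
LAN1_FIXED = [Rule("192.168.1.0/24", "Allow"), Rule("10.8.0.0/24", "Allow"), Rule(None, "Deny")]
# Same rules, but the VPN subnet was appended below the catch-all Deny.
LAN1_MISORDERED = [Rule("192.168.1.0/24", "Allow"), Rule(None, "Deny"), Rule("10.8.0.0/24", "Allow")]

if __name__ == "__main__":
    for name, rules in [("as posted", LAN1_AS_POSTED), ("fixed", LAN1_FIXED),
                        ("misordered", LAN1_MISORDERED)]:
        print(name, evaluate(rules, "10.8.0.6", "udp", 53), "shadowed:", shadowed(rules))
```
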

Hey, glad it helped!

Yes it means it’s commented. Adding it ensures you’re disabling the option.

Hey I just want you to know google landed me here and I can’t believe I’ve wasted 2 hours troubleshooting something so simple that not a single other person on the internet has mentioned.

Thank you so much!

I thought that commented or missing lines were functionally the same. I added the line but still no internet though.

Sorry it didn’t work. In many cases there’s a hidden default config that will apply unless explicitly defined otherwise.

I’ll leave it explicitly commented just in case. Thank you!