Connected to VPN but no internet

[fengapappit]

⚠️ Unless you are sure you find a bug with the script, please open a discussion instead of an issue!

Checklist

• I read the README
• I read the FAQ
• I searched the issues
• I searched the discussion
• My issue is about the script, and not OpenVPN itself

Pease include as much details as possible in your issue:

• Description of the issue
• How to reproduce the issue
• What did you expected should happen
• Logs
• Server/Client versions (OS, OpenVPN, etc)
• Any context or information that could help

---

Hello,

I installed an OpenVPN server using the script in the hope of having a full tunnel between my home computer and one of my servers.

I can successfully connect to the server using the VPN, but it's impossible to get anything from there.
Seems like an issue with the NAT, especially in the "server back to client" direction.

I cannot find what is wrong in the configuration for the life of me.

My iptables :

$sudo iptables -L -v --line-number
Chain INPUT (policy ACCEPT 6035 packets, 868K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     5155  548K f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh
2     3538  510K ACCEPT     udp  --  eno0   any     anywhere             anywhere             udp dpt:51194
3        4  2360 ACCEPT     all  --  tun0   any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     2482  209K ACCEPT     all  --  tun0   eno0    anywhere             anywhere            
2        0     0 ACCEPT     all  --  eno0   tun0    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 7263 packets, 1106K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       16  1280 REJECT     all  --  any    any     128.199.76.195       anywhere             reject-with icmp-port-unreachable
2       18  1448 REJECT     all  --  any    any     150.109.7.77         anywhere             reject-with icmp-port-unreachable
3       13  1060 REJECT     all  --  any    any     222.185.241.130      anywhere             reject-with icmp-port-unreachable
4       23  1832 REJECT     all  --  any    any     server.sna.hsl.mybluehostin.me  anywhere             reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  any    any     103.105.66.97        anywhere             reject-with icmp-port-unreachable
6       10   528 REJECT     all  --  any    any     server.thietkewebvip.com  anywhere             reject-with icmp-port-unreachable
7       21  1676 REJECT     all  --  any    any     194.152.206.103      anywhere             reject-with icmp-port-unreachable
8       12   664 REJECT     all  --  any    any     121.4.68.192         anywhere             reject-with icmp-port-unreachable
9       21  1588 REJECT     all  --  any    any     static.customer-201-116-3-194.uninet-ide.com.mx  anywhere             reject-with icmp-port-unreachable
10      21  1628 REJECT     all  --  any    any     200-91-219-250-host.ifx.net.co  anywhere             reject-with icmp-port-unreachable
11      11   836 REJECT     all  --  any    any     42.42.127.124.broad.bj.bj.static.163data.com.cn  anywhere             reject-with icmp-port-unreachable
12      26  1960 REJECT     all  --  any    any     health-hub.ie        anywhere             reject-with icmp-port-unreachable
13      23  1780 REJECT     all  --  any    any     167.172.181.229      anywhere             reject-with icmp-port-unreachable
14      22  1728 REJECT     all  --  any    any     165.227.193.157      anywhere             reject-with icmp-port-unreachable
15      27  2072 REJECT     all  --  any    any     BSN-77-65-237.static.siol.net  anywhere             reject-with icmp-port-unreachable
16      22  1728 REJECT     all  --  any    any     45.43.57.225         anywhere             reject-with icmp-port-unreachable
17      23  2076 REJECT     all  --  any    any     141.98.10.60         anywhere             reject-with icmp-port-unreachable
18    4067  467K RETURN     all  --  any    any     anywhere             anywhere            
# Warning: iptables-legacy tables present, use iptables-legacy to see them

My sysctl:

$sudo sysctl --system
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /etc/sysctl.d/disable-IPv6-autoconf.conf ...
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
* Applying /etc/sysctl.d/protect-links.conf ...
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

My server.conf:

$cat /etc/openvpn/server.conf 
port 51194
proto udp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_8ZbpYJSKFUEiZ3Zq.crt
key server_8ZbpYJSKFUEiZ3Zq.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

If you could point me in the right direction, I'd be glad.

[fengapappit]

Ok so it was killing me so I tried on another one of my VPS which runs on CentOS7, instead of the Debian cited previously and it works out of the box.

The non working beast:

$lsb_release -a && uname -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Linux greybox 4.9.58-xxxx-std-ipv6-64 #1 SMP Mon Oct 23 11:35:59 CEST 2017 x86_64 GNU/Linux

[joelemanoel]

+1 i use Alma Linux

[peterfarge]

I have the same problem. I can connect the client to the VPN Server but no internet connection through the tunnel. I'm running Debian 10:
Linux gustav 4.19.0 #1 SMP Tue Jun 9 12:58:54 MSK 2020 x86_64 GNU/Linux

If I reinstall a Debian 9 image, the VPN Server delivers a working internet connection to the client.

[Glastis]

Have the exact same problem with Debian 10 and 11, despite it's working on debian 9.

I have ufw along openvpn, but even after I disabled ufw and I ran a iptables -F and then reinstalling the script, the client was still unable to communicate with internet, like if the forwarding wasn't set.

[sahinakkaya]

I can confirm that I have the same issue on Debian 11. I am using default settings and allowed port 1194 using ufw but still no internet after connecting to the server.

[BrunoCartier]

Spent some hours on this...
Maybe it could help some of you.

The problem is the fact that on Debian 10 & 11, the "iptables" command does not run iptables, it runs some compatibility version of nftables (aka nft). It this compatibility version refuses to run one of the firewall commands of this script.

The solution is as follows:

• vim /etc/iptables/add-openvpn-rules.sh

  • add "-legacy" to every "iptables" command (so they should be "iptables-legacy")

• vim /etc/iptables/rm-openvpn-rules.sh

  • same as before

• service iptables-openvpn restart (to apply those changes)

Please note though, that it is not recommanded to have firewall rules both on iptables & nftables, but I did not find a way to make things work with nftables rules.

[ytingyeu]

Should the second file be rm-openvpn-rules.sh?

[BrunoCartier]

Indeed, edited - thanks.

[enboig]

I have similar problem on Ubuntu 22.04, but there isn't any add-openvpn-rules.sh file
How could I fix it?

[mr-debil777]

So... What should i do?

Openvpn server is installed on centos 9 on remote vps.
tun mode is set.
Ovpn server was installed via https://github.com/angristan/openvpn-install/

this is entered firewall commands:

semanage port -a -t openvpn_port_t -p tcp 11994;
semanage port -a -t openvpn_port_t -p udp 11994
firewall-cmd --zone=public --add-port=11994/tcp --permanent;
firewall-cmd --zone=public --add-port=11994/udp --permanent;
firewall-cmd --zone=public --add-service openvpn;
firewall-cmd --zone=public --add-service openvpn --permanent;
firewall-cmd --reload;
firewall-cmd --add-masquerade;
firewall-cmd --add-masquerade --permanent;
firewall-cmd --query-masquerade;
VAR=$(ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE;
firewall-cmd --reload;

networkmanager-openvpn package is ovpn client on my laptop.
user.ovpn file was downloaded and inserted in ovpn client.
i connected to the server, BUT THERE WERE NOT ANY TRAFFIC REDIRECTIONS.

this is ovpn client logs without any criminal info:

5:54 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
5:54 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
5:54 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
5:54 DCO version: N/A
5:54 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_MACHINE_IP:11994
5:54 Socket Buffers: R=[212992->212992] S=[212992->212992]
5:54 UDPv4 link local: (not bound)
5:54 UDPv4 link remote: [AF_INET]REMOTE_MACHINE_IP:11994
5:54 TLS: Initial packet from [AF_INET]REMOTE_MACHINE_IP:11994, sid=4a8064ba 3cb81744
5:54 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
5:54 VERIFY KU OK
5:54 Validating certificate extended key usage
5:54 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
5:54 VERIFY EKU OK
5:54 VERIFY X509NAME OK: CN=server_A7vEzNqMWKlJHLcR
5:54 VERIFY OK: depth=0, CN=server_A7vEzNqMWKlJHLcR
5:54 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 256 bits ECprime256v1
5:54 [server_A7vEzNqMWKlJHLcR] Peer Connection Initiated with [AF_INET]REMOTE_MACHINE_IP:11994
5:54 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
5:54 TLS: tls_multi_process: initial untrusted session promoted to trusted
5:54 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,route-ipv6 2000::/3,redirect-gateway ipv6,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd42:42:42:42::2/112 fd42:42:42:42::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
5:54 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
5:54 OPTIONS IMPORT: --ifconfig/up options modified
5:54 OPTIONS IMPORT: route options modified
5:54 OPTIONS IMPORT: route-related options modified
5:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
5:54 net_route_v4_best_gw query: dst 0.0.0.0
5:54 net_route_v4_best_gw result: via 192.168.0.2 dev wlan0
5:54 ROUTE_GATEWAY 192.168.0.2/255.255.255.0 IFACE=wlan0 HWADDR=84:7b:57:67:69:0c
5:54 GDG6: remote_host_ipv6=n/a
5:54 net_route_v6_best_gw query: dst ::
5:54 sitnl_send: rtnl: generic error (-101): Network is unreachable
5:54 ROUTE6: default_gateway=UNDEF
5:54 TUN/TAP device tun0 opened
5:54 net_iface_mtu_set: mtu 1500 for tun0
5:54 net_iface_up: set tun0 up
5:54 net_addr_v4_add: 10.8.0.2/24 dev tun0
5:54 net_iface_mtu_set: mtu 1500 for tun0
5:54 net_iface_up: set tun0 up
5:54 net_addr_v6_add: fd42:42:42:42::2/112 dev tun0
5:54 net_route_v4_add: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
5:54 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
5:54 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
5:54 add_route_ipv6(2000::/3 -> fd42:42:42:42::1 metric -1) dev tun0
5:54 net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
5:54 add_route_ipv6(::/3 -> fd42:42:42:42::1 metric -1) dev tun0
5:54 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
5:54 add_route_ipv6(2000::/4 -> fd42:42:42:42::1 metric -1) dev tun0
5:54 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
5:54 add_route_ipv6(3000::/4 -> fd42:42:42:42::1 metric -1) dev tun0
5:54 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
5:54 add_route_ipv6(fc00::/7 -> fd42:42:42:42::1 metric -1) dev tun0
5:54 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
5:54 Initialization Sequence Completed
5:54 Data Channel: cipher 'AES-128-GCM', peer-id: 0
5:54 Timers: ping 10, ping-restart 120
5:54 Protocol options: explicit-exit-notify 1
5:56 event_wait : Interrupted system call (fd=-1,code=4)

this is ovpn server logs on remote vps with my connection and without any criminal info again:

7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SIGUSR1[soft,ping-restart] received, client-instance restarting
7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 [user] Inactivity timeout (--ping-restart), restarting
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,rout>
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IPv6 for user/MY_MACHINE_IP:54417: fd42:42:42:42::2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: fd42:42:42:42::2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IP for user/MY_MACHINE_IP:54417: 10.8.0.2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: 10.8.0.2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=fd42:42:42:42::2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 [user] Peer Connection Initiated with [AF_INET6]::ffff:MY_MACHINE_IP:54417
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUBv2=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_LZO_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PROTO=990
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_NCP=2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_MTU=1600
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_TCPNL=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PLAT=linux
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_VER=2.6.12
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=0, CN=user
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
3:48 openvpn[55133]: MY_MACHINE_IP:54417 TLS: Initial packet from [AF_INET6]::ffff:MY_MACHINE_IP:54417, sid=b652188d 79e81fe0
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Initialization Sequence Completed
2:59 openvpn[55133]: IFCONFIG POOL LIST
2:59 openvpn[55133]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65534. IPv4 pool size limits the number of clients that can be served from the pool
2:59 openvpn[55133]: IFCONFIG POOL IPv6: base=fd42:42:42:42::2 size=65534 netbits=112
2:59 openvpn[55133]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2:59 openvpn[55133]: MULTI: multi_init called, r=256 v=256
2:59 openvpn[55133]: UID set to nobody
2:59 openvpn[55133]: GID set to nobody
2:59 openvpn[55133]: UDPv6 link remote: [AF_UNSPEC]
2:59 openvpn[55133]: UDPv6 link local (bound): [AF_INET6][undef]:11994
2:59 openvpn[55133]: setsockopt(IPV6_V6ONLY=0)
2:59 openvpn[55133]: Socket Buffers: R=[212992->212992] S=[212992->212992]
2:59 openvpn[55133]: net_addr_v6_add: fd42:42:42:42::1/112 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: net_addr_v4_add: 10.8.0.1/24 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: TUN/TAP device tun0 opened
2:59 openvpn[55133]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: ECDH curve prime256v1 added
2:59 openvpn[55133]: CRL: loaded 1 CRLs from file crl.pem
2:59 systemd[1]: Started OpenVPN service for server.

Maybe problem is in iptables/nftables? I should set some forwarding?

this is iptables rules

sudo iptables -L -v -n | more
Chain INPUT (policy ACCEPT 33934 packets, 9787K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   43 12364 ACCEPT     17   --  ens192 *       0.0.0.0/0            0.0.0.0/0            udp dpt:11994
    0     0 ACCEPT     0    --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   17  1088 ACCEPT     0    --  tun0   ens192  0.0.0.0/0            0.0.0.0/0           
   17  1847 ACCEPT     0    --  ens192 tun0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

this is generated server.conf

port 11994
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_A7vEzNqMWKlJHLcR.crt
key server_A7vEzNqMWKlJHLcR.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-....
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

[mr-debil777]

if you think there is forgotten forwarding problem
sysctl -a | grep forward output

net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1

net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.ens192.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.ens192.bc_forwarding = 0
net.ipv4.conf.ens192.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.bc_forwarding = 0
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.ens192.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.ens192.mc_forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0

[mr-debil777]

future googler with the same problem, check this https://bbs.archlinux.org/viewtopic.php?pid=2203694

[mr-debil777]

по итогу я не понял
это провайдер у меня такой крутой или я такой тупой.
wireguard через wg-easy не рабит
тор не рабит
xray настроил, не рабит...
это пиздец, ребята.