OpenVPN blocks outgoing Apache sites

I host a site to teach SQL (databases.pacha.dev) by using Apache in a DigitalOcean droplet. I wanted to install OpenVPN to have a VPN in the same server, and I run this as root

#!/bin/bash
echo "Setting up OpenVPN..."
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
PROTOCOL=udp
PORT=1194
echo "OpenVPN configuration:"
echo " Listen on: $IP:$PORT"
echo " Protocol : $PROTOCOL"
echo " Resolver : pi.hole (10.8.0.1)"
# Install easy-rsa
EASYRSAURL='
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
tar xzf ~/easyrsa.tgz -C ~/
mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
chown -R root:root /etc/openvpn/server/easy-rsa/
rm -f ~/easyrsa.tgz
cd /etc/openvpn/server/easy-rsa/ || exit 1
sed -i 's/^RANDFILE/#RANDFILE/g' openssl-easyrsa.cnf
patch --ignore-whitespace << 'EOF'
From cdaa4a1fb0851beb17f364febb6e9b1f694baff8 Mon Sep 17 00:00:00 2001
From: Luiz Angelo Daros de Luca <>
Date: Tue, 25 Sep 2018 17:58:03 -0300
Subject: [PATCH] include index.txt.attr as CA files
Remove a warning when the first certificate is generated
Can't open .../easy-rsa/pki/index.txt.attr for reading, No such file or directory
Signed-off-by: Luiz Angelo Daros de Luca <>
--- easyrsa | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/easyrsa b/easyrsa
index de4fe43..969b5d9 100755
--- a/easyrsa
+++ b/easyrsa
@@ -428,7 +428,7 @@ verify_ca_init() { verify_pki_init # verify expected files present:
- for i in serial index.txt ca.crt private/ca.key; do
+ for i in serial index.txt index.txt.attr ca.crt private/ca.key; do if [ ! -f "$EASYRSA_PKI/$i" ]; then [ "$1" = "test" ] && return 1 die "\
@@ -543,6 +543,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." mkdir -p "$EASYRSA_PKI/$i" || die "$err_file" done printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
+ printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file" print "01" > "$EASYRSA_PKI/serial" || die "$err_file" # Default CN only when not in global EASYRSA_BATCH mode:
--
2.17.1
EOF
# Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
EASYRSA_CERT_EXPIRE=90 ./easyrsa build-server-full server nopass
EASYRSA_CRL_DAYS=90 ./easyrsa gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:nogroup /etc/openvpn/server/crl.pem
# Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/server/ta.key
# Create the DH parameters file using the predefined ffdhe2048 group
echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
# Generate server.conf
echo "port $PORT
proto $PROTOCOL" > /etc/openvpn/server/server.conf
echo 'dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
crl-verify crl.pem' >> /etc/openvpn/server/server.conf
# Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
# Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv4/ip_forward
# Add post-routing rule (other required rules already configured)
iptables-restore /etc/iptables/rules.v4
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source "$IP"
iptables-save > /etc/iptables/rules.v4
# And finally, enable and start the OpenVPN service
systemctl enable --now
# client-common.txt is created so we have a template to add further users later
echo "client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/server/client-common.txt
echo "OpenVPN setup complete."
echo "Creating new client config..."
newclient () { cd /etc/openvpn/server/easy-rsa/ || exit 1 EASYRSA_CERT_EXPIRE=90 ./easyrsa build-client-full "$1" nopass # Generates the custom client.ovpn cp /etc/openvpn/server/client-common.txt "/root/$1.ovpn" { echo "<ca>" cat /etc/openvpn/server/easy-rsa/pki/ca.crt echo "</ca>" echo "<cert>" sed -ne '/BEGIN CERTIFICATE/,$ p' "/etc/openvpn/server/easy-rsa/pki/issued/$1.crt" echo "</cert>" echo "<key>" cat "/etc/openvpn/server/easy-rsa/pki/private/$1.key" echo "</key>" echo "<tls-auth>" sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key echo "</tls-auth>" } >> "/root/$1.ovpn"
}
CLIENT="client"
if [ -n "$1" ]
then CLIENT="$1"
fi
newclient "$CLIENT"
THISFILE='/var/lib/cloud/scripts/per-instance/03-create-client-config'
LINKPATH='/root/create-client-config.sh'
if [ ! -f "$LINKPATH" ]
then ln -s "$THISFILE" "$LINKPATH"
fi
echo "Client config creation complete (~/$CLIENT.ovpn)."

This is my ufw status (enabled)

Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Apache Full ALLOW Anywhere
5432/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
1433/tcp ALLOW Anywhere
4022/tcp ALLOW Anywhere
135/tcp ALLOW Anywhere
1434/tcp ALLOW Anywhere
1434/udp ALLOW Anywhere
1194 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
1433/tcp (v6) ALLOW Anywhere (v6)
4022/tcp (v6) ALLOW Anywhere (v6)
135/tcp (v6) ALLOW Anywhere (v6)
1434/tcp (v6) ALLOW Anywhere (v6)
1434/udp (v6) ALLOW Anywhere (v6)
1194 (v6) ALLOW Anywhere (v6) 

However, even after doing systemctl stop openvpn I can't open the site that I provide via Apache in that server. I tried both from laptop and mobile.

Ping is working correctly

~ $ ping databases.pacha.dev
PING databases.pacha.dev (164.92.122.20) 56(84) bytes of data.
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=1 ttl=47 time=204 ms
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=2 ttl=47 time=256 ms
64 bytes from 164.92.122.20 (164.92.122.20): icmp_seq=3 ttl=47 time=250 ms

Any ideas?

Reset to default

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like