[Solved] pivpn.io - Connected but no access to anything

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Post by flash_uk » Fri Nov 13, 2015 2:36 pm

I am going slightly crazy trying to work out what is wrong with my config. I have built an OpenVPN server on my Raspberry Pi, and can successfully connect to it from a client (OpenVPN app on iOS). Once connected, however, I can't access any other clients on the remote LAN, or access the internet through the VPN. I suspect some kind of issue with routing and iptables.

Server config:

Code: Select all

local 192.168.0.7
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/MYNAME.crt
key /etc/openvpn/easy-rsa/keys/MYNAME.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6

Client config:

Code: Select all

client
dev tun
proto udp
remote MYEXTERNAL IP ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp=lzo
verb 1
mute 20

firewall-openvpn-rules:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 SNAT --to-source 192.168.0.7

interfaces:

Code: Select all

auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet static
   pre-up /etc/firewall-openvpn-rules.sh
address 192.168.0.7
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 192.168.0.1

auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

auto wlan1
allow-hotplug wlan1
iface wlan1 inet manual
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

When connected, I can't get a ping response from anything. The openvpn log shows the client is connected.

Given I have probably the most simple of setups, no doubt I have made a basic error somewhere, but after hours of forum scanning and trying different things without success, I am a broken man (with a broken RPi OpenVPN server) :lol:
Any suggestions gratefully received.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connected but no access to anything

Post by Traffic » Fri Nov 20, 2015 1:12 am

flash_uk wrote:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 SNAT --to-source 192.168.0.7

The recommended iptables rule is:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Re: Connected but no access to anything

Post by flash_uk » Sun Nov 22, 2015 2:11 pm

Traffic wrote:The recommended iptables rule is:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Thanks Traffic. Tried that also, but nothing doing. Have also now tried connecting using OpenVPN Connect on an Android device, and it does not work either (connects, but no traffic flowing).

Part of the issue for me self-diagnosing this, is that I'm not sure I fully understand the way the traffic is meant to flow. My understanding so far is as follows:
- My Raspberry Pi has a local LAN IP of 192.168.0.7
- The gateway on the LAN is the ADSL modem/router, with IP 192.168.0.1
- Ignoring openvpn for a moment, the Pi has internet connectivity, as I am able to ping externally and download updates etc.
- My OpenVPN server on the Pi has an IP address of 10.8.0.1
- It hands out a client IP address to my iPad or Android tablet of 10.8.0.6
- I am testing by having the client on a 4G mobile network, to remove any local LAN to local LAN confusions
- Given that the client and server get a connection, there is at least some level of connectivity between the client and the openvpn server
- I now come to two parts I don't know enough about.
- First, what part of all the config is the part that tells the openvpn server IP address (10.8.0.1) that it needs to go through the local LAN address of the Pi (eth0 = 192.168.0.7) to access stuff? I'm guessing that's the line in server.conf that says "local 192.168.0.7". I have assumed that other than installing openvpn server on the Pi, nothing additional needs to be done with routes or firewalls or anything else, to enable that leg of the connectivity chain?
- Second, how do the VPN client IP addresses know where to route stuff? I thought this was the part as shown above about NAT-ing the 10.8.0.0 network through 192.168.0.7?

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Re: Connected but no access to anything

Post by flash_uk » Sun Nov 22, 2015 2:51 pm

Sorry, meant to add one more question to the previous post. I read lots of posts here about needing to configure routes for the return path for traffic, along the lines of "you need to let your router know where to send packets back to..." or something like that. Which part of the whole solution is this referring to? When the Pi (192.168.0.7) speaks to the router (192.168.0.1), the router knows it was the Pi and what its address is, so I can't see a need to add any specific routing there. When the openvpn server or one of its client IP addresses tries to access, say, the internet or another device on the local LAN (192.168.0.x), the openvpn server knows which client made the request, and then can send the answer back... and when the server passes the request onwards (via 192.168.0.7), doesn't the server software keep track of what requests have been passed out?

Mmmm. Maybe this is the part I don't get. Do I need to explain to 192.168.0.7 how to pass packets back to 10.8.0.1??? Or 10.8.0.x??? That seems a bit odd, given that the openvpn server is a piece of software rather than a physical network device... and the 10.8.0.x network is really only a virtual address space that exists in the VPN software and tunnel. Or am I talking nonsense!?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connected but no access to anything

Post by Traffic » Sun Nov 22, 2015 7:46 pm

The point to using iptables NAT is that you do not require further routing ..
Your client IP will appear to be the Pi IP.

Out of curiosity, what is your client IP before connecting to the VPN .. eg: 192.168.x.x ?

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Re: Connected but no access to anything

Post by flash_uk » Sun Nov 22, 2015 9:55 pm

Traffic wrote:The point to using iptables NAT is that you do not require further routing ..
Your client IP will appear to be the Pi IP.

That's what I had suspected - with NAT operating, routing should be taken care of.

Traffic wrote:Out of curiosity, what is your client IP before connecting to the VPN .. eg: 192.168.x.x ?

On the iPad, the IP before connecting is the IP assigned by the 4G network provider - a public IP address.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connected but no access to anything

Post by Traffic » Sun Nov 22, 2015 10:06 pm

Try using tcpdump on the Pi to monitor packet flow.

And make sure you use the correct iptables rule for your network.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Connected but no access to anything

Post by TiTex » Mon Nov 23, 2015 8:49 am

Hello,
I don't think you need these lines in the server config if you are using the server option, see the man page:

ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"

Also, your client config is not complete, and comp=lzo is invalid.
Stop putting every option you find in the wild in your VPN configs. Start simple and build on it, testing your setup every step.
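
The points raised in this reply, as a small config check in shell (an added example, not part of the thread or of OpenVPN; `lint_ovpn` and its finding names are hypothetical, and both samples are constructed excerpts of the configs posted above). It flags `name=value` tokens and, when a `server` directive is present, an explicit `ifconfig` and any pushed route that falls inside the VPN subnet.

```shell
#!/bin/sh
# Added example. Both samples are constructed excerpts of the configs posted above.
SAMPLE_SERVER='server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
comp-lzo'
SAMPLE_CLIENT='client
dev tun
comp=lzo
verb 1'

# lint_ovpn (hypothetical helper): print "<line>: <finding>" for config text $1.
lint_ovpn() {
    printf '%s\n' "$1" | awk '
        # Returns 1 if ip lies inside net/mask (dotted quads, contiguous netmask).
        function inside(ip, net, mask,    a, n, m, i) {
            split(ip, a, "."); split(net, n, "."); split(mask, m, ".")
            for (i = 1; i <= 4; i++)
                if (a[i] - a[i] % (256 - m[i]) != n[i]) return 0
            return 1
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        $1 ~ /=/ { print NR ": bad-syntax " $1 }     # options are "name value"
        $1 == "server"   { net = $2; mask = $3 }     # VPN subnet and netmask
        $1 == "ifconfig" { ifc = NR }
        $1 == "push" && $2 == "\"route" {            # remember each pushed route
            gsub(/"/, "", $3); rl[++nr] = NR; rip[nr] = $3
        }
        END {
            if (net == "") exit                      # no server directive: nothing to compare
            if (ifc) print ifc ": redundant-ifconfig"
            for (i = 1; i <= nr; i++)
                if (inside(rip[i], net, mask)) print rl[i] ": redundant-route " rip[i]
        }'
}

lint_ovpn "$SAMPLE_SERVER"
lint_ovpn "$SAMPLE_CLIENT"
```

The pushed route for 192.168.0.0 is not reported, because it lies outside the 10.8.0.0/24 subnet that `server` covers.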

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connected but no access to anything

Post by Traffic » Mon Nov 23, 2015 3:14 pm

@ TiTex: It would help if we could see Flash_UK's log files ;)

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Connected but no access to anything

Post by TiTex » Mon Nov 23, 2015 3:38 pm

Yeah, maybe the admins should add some modification to phpBB,
something like https://www.phpbb.com/community/viewtop ... 0#p3995965 :)

with checks like: do you have logs? configs? OS? ovpn version?

flash_uk
OpenVpn Newbie
Posts: 10
Joined: Sun Oct 04, 2015 12:05 pm

Re: Connected but no access to anything

Post by flash_uk » Mon Nov 23, 2015 9:30 pm

TiTex wrote:Hello,
I don't think you need these lines in the server config if you are using the server option, see the man page:

ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"

Also, your client config is not complete, and comp=lzo is invalid.
Stop putting every option you find in the wild in your VPN configs. Start simple and build on it, testing your setup every step.

@TiTex, a thousand thanks! Everything is now working as required :D :D :D

I killed off all the ifconfig and route config above, and fixed the "comp-lzo yes" setting. I must have mistyped that first time round :oops:

All of that routing config stuff appears in almost every dummies guide to setting up openvpn on a Pi. I'm surprised more people don't have a problem. Although I did just change two things, so maybe it was only the comp=lzo thing that was causing a problem....

nuukem
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 07, 2019 5:43 am

Re: Connected but no access to anything

Post by nuukem » Thu Nov 07, 2019 5:53 am

Traffic wrote (Fri Nov 20, 2015 1:12 am):
flash_uk wrote:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 SNAT --to-source 192.168.0.7

The recommended iptables rule is:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Thank you, Traffic, for your suggestion. I know this is an old post, but I wanted to share my feedback in case it helps anyone else. I too was having issues with getting to the local LAN after authenticating. After running the iptables command above, I was in business. I am running a PiVPN [1] install. I was curious what other iptables NAT entries existed on this fresh Pi so I ran:

Code: Select all

iptables -t nat -L -n -v

That returned...

Code: Select all

Chain POSTROUTING (policy ACCEPT 8 packets, 552 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      wlan0   10.8.0.0/24          0.0.0.0/0

That's when I realized, I had initially set up this PiVPN installation while on WiFi but have since connected the Pi to the LAN via an ethernet cable. So, if you are installing PiVPN, keep that in mind.

[1] https://pivpn.io
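
The check described in this post, as a shell sketch (an added example, not part of the post or of PiVPN; the function names are hypothetical and the two samples are constructed from the values quoted in this thread). It compares the outbound interface of the NAT rule for the VPN subnet with the interface that carries the default route, and reports a stale rule such as the `wlan0` one above.

```shell
#!/bin/sh
# Added example. Samples are constructed from values quoted in this thread.
# Listing in the format printed by `iptables -t nat -L -n -v`:
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 8 packets, 552 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      wlan0   10.8.0.0/24          0.0.0.0/0'
# Output of `ip route show default` on a Pi that is now cabled to the LAN:
SAMPLE_ROUTE='default via 192.168.0.1 dev eth0'

# Print the interface named after "dev" on the default route line ($1 = route text).
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the out-interface of every MASQUERADE/SNAT rule whose source is subnet $2.
# Columns: pkts bytes target prot opt in out source destination
nat_out_ifaces() {
    printf '%s\n' "$1" | awk -v net="$2" \
        '($3 == "MASQUERADE" || $3 == "SNAT") && $8 == net { print $7 }'
}

# check_nat LISTING ROUTE SUBNET: print a verdict; non-zero status on a problem.
check_nat() {
    want=$(default_iface "$2")
    nat_out_ifaces "$1" "$3" | awk -v want="$want" -v net="$3" '
        { seen = 1; if ($1 == want || $1 == "*") ok = 1; else stale = stale " " $1 }
        END {
            if (ok)   { print "OK: " net " is NATed out of " want; exit 0 }
            if (seen) { print "MISMATCH: rule is on" stale " but default route uses " want; exit 1 }
            print "MISSING: no NAT rule for " net; exit 1
        }'
}

# On a live Pi (as root) the inputs would come from the real commands:
#   check_nat "$(iptables -t nat -L POSTROUTING -n -v)" "$(ip route show default)" 10.8.0.0/24
check_nat "$SAMPLE_NAT" "$SAMPLE_ROUTE" 10.8.0.0/24 || true
```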
