I'm sorry I have to create another thread on the forum but I just can't figure my situation out.
I currently have a Raspberry Pi 3 with openvpn on it (installed via PiVPN), which, if it matters, is running pihole+dnscrypt too.
Now, I had this VPN server working for 2 days, then I started facing the same problem again and again, which is: client connects but can't browse (can ping locally). The only way around this I found was to set the DNS push to 127.0.0.1, which is pointless because it makes the client use his own DNS client, when I want it to use MY DNS client which is (successfully) running on the RPi.
The Pi's internal IP is (statically assigned) 192.168.147.250, and 10.8.147.1 for the VPN subnet. The router is correctly set up to forward connections from 443 and 1194 to my server's 11940 port, on which I am listening.
I've got UFW on the server which should be configured correctly (I'll post the configuration here too).
Also, I get an error from time to time in the server's logs which states that "comp-lzo" is only enabled server-side. I am 101% sure that comp-lzo is NOT enabled, neither server nor client side. In fact, I only enable and push "compress lz4-v2" as you can see in the config files.
Finally, I also tried changing the "listen-address" line in dnsmasq to listen on 127.0.0.1, 192.168.147.250, 10.8.147.1, and made sure the pihole listened on all ports, but no result.
Thanks so much for your time and sorry for the wall of text
Client config: (clients are running Ubuntu and Android; both have different keys that haven't been revoked)
Code:

dev tun
proto udp
port 11940
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/serverf.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh none
topology subnet
server 10.8.147.0 255.255.255.0
# Set your primary domain name server address for clients
# (clients will send their queries to the Pi's tun0 address, so a resolver must be bound on 10.8.147.1:53)
push "dhcp-option DNS 10.8.147.1"
# block-outside-dns is only honoured by the Windows client; Linux and Android clients ignore it
push "block-outside-dns"
push "redirect-gateway autolocal def1"
#client-to-client
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
push "compress lz4-v2"
compress lz4-v2
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
Code:

client
dev tun
proto udp
remote **myddns** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_abcd name
cipher AES-256-CBC
auth SHA256
compress lz4-v2
verb 3
<ca>
**ca cert**
</ca>
<key>
**key**
</key>
<tls-crypt>
**key**
</tls-crypt>
Code:

#
# rules.before
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to masquerade
-A POSTROUTING -s 10.8.147.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ICMP accepted on input
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ICMP accepted on forward
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
Code:

pivpnUser=dietpi
UNATTUPG=
pivpnInterface=eth0
IPv4dns=127.0.0.1
IPv4addr=192.168.147.250
IPv4gw=192.168.147.69
pivpnProto=udp
PORT=11940
ENCRYPT=2048
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=
PUBLICDNS=**myddns**
OVPNDNS1=192.168.147.250
OVPNDNS2=
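A "client connects but cannot browse" symptom with the configuration above usually comes down to one of three things on the server: IP forwarding is off, the MASQUERADE rule never made it into the nat table, or the resolver that the server pushes (10.8.147.1) is not actually bound on the tun0 address, so the client's DNS queries go nowhere. The script below is an added example, not code from the post, PiVPN or Pi-hole; it checks those three conditions from the output of `/proc/sys/net/ipv4/ip_forward`, `ss -lnup` and `iptables-save -t nat`. The function names and the sample `ss`/`iptables-save` outputs are constructed for the example; the addresses, subnet and interface defaults are the ones in the post.

```shell
#!/bin/sh
# Added example: three server-side checks for an OpenVPN + dnsmasq/Pi-hole gateway.
# Sample outputs below are constructed to resemble `ss -lnup` and `iptables-save -t nat`;
# they were not captured from the poster's Pi.

# Constructed: dnsmasq bound on loopback and the LAN address only, not on the VPN address.
SAMPLE_SS_MISSING='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53         0.0.0.0:*
udp   UNCONN 0      0      192.168.147.250:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:11940        0.0.0.0:*'

# Constructed: the same host after dnsmasq also binds the tun0 address 10.8.147.1.
SAMPLE_SS_OK="$SAMPLE_SS_MISSING
udp   UNCONN 0      0      10.8.147.1:53        0.0.0.0:*"

# Constructed: nat table as dumped by iptables-save after before.rules was loaded.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.147.0/24 -o eth0 -j MASQUERADE
COMMIT'

# dns_listener_present SS_OUTPUT ADDR
# Succeeds when a UDP socket on port 53 is bound to ADDR or to the IPv4 wildcard.
dns_listener_present() {
    printf '%s\n' "$1" | awk -v want="$2:53" '
        $1 == "udp" && ($5 == want || $5 == "0.0.0.0:53" || $5 == "*:53") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# masquerade_rule_present NAT_DUMP SUBNET OUT_IF
# Succeeds when POSTROUTING masquerades SUBNET out of OUT_IF (exact iptables-save line).
masquerade_rule_present() {
    printf '%s\n' "$1" | grep -Fqx -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# ip_forward_enabled VALUE   (VALUE is the content of /proc/sys/net/ipv4/ip_forward)
ip_forward_enabled() {
    [ "$1" = "1" ]
}

# check_live [VPN_IP] [VPN_SUBNET] [WAN_IF]
# Runs the three checks against the running system; iptables-save needs root.
check_live() {
    vpn_ip=${1:-10.8.147.1}
    vpn_net=${2:-10.8.147.0/24}
    wan_if=${3:-eth0}
    status=0

    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    if ip_forward_enabled "$fwd"; then
        echo "ok   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward is '$fwd'; packets from tun0 are not routed"; status=1
    fi

    if dns_listener_present "$(ss -lnup 2>/dev/null)" "$vpn_ip"; then
        echo "ok   resolver bound on $vpn_ip:53"
    else
        echo "FAIL nothing bound on $vpn_ip:53; a dnsmasq 'interface=eth0' or a listen-address"
        echo "     list without $vpn_ip means the pushed DNS server never answers"; status=1
    fi

    if masquerade_rule_present "$(iptables-save -t nat 2>/dev/null)" "$vpn_net" "$wan_if"; then
        echo "ok   MASQUERADE rule for $vpn_net via $wan_if is loaded"
    else
        echo "FAIL no MASQUERADE rule for $vpn_net via $wan_if in the nat table"; status=1
    fi
    return $status
}

# Usage on the Pi:  sudo sh vpn_checks.sh --live [vpn_ip] [vpn_subnet] [wan_if]
if [ "${1:-}" = "--live" ]; then
    shift
    check_live "$@"
fi
```

The parsing is kept separate from the live commands so the same functions can be fed saved output from another host. A FAIL on the resolver check explains the poster's observation that pushing 127.0.0.1 "works": the client then falls back to its own resolver, which masks the fact that nothing answers on 10.8.147.1. The checks say nothing about ufw's default forward policy, which is the next thing to look at if all three pass.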