Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Sycro5
OpenVpn Newbie
Posts: 4
Joined: Wed Oct 11, 2017 4:07 am

Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Post by Sycro5 » Thu Oct 12, 2017 1:18 am

Server

OS:

Code: Select all

Linux VPNPi 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l GNU/Linux

Network Setup:

Code: Select all

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.45  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 (removed) prefixlen 64  scopeid 0x20<link>
        ether (removed)  txqueuelen 1000  (Ethernet)
        RX packets 125464  bytes 26838439 (25.5 MiB)
        RX errors 0  dropped 112  overruns 0  frame 0
        TX packets 38144  bytes 8538350 (8.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 (removed) prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 15123  bytes 1786370 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6774  bytes 4410569 (4.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether (removed)  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Server Config:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 192.168.1.0 255.255.255.0"
# your local subnet
push "route 0.0.0.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io


Client

OS:
Microsoft Windows [Version 10.0.14393]

Network Setup:

Code: Select all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PW-T440s
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
   Physical Address. . . . . . . . . : 28-D2-44-4E-47-26
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5918:9548:4b63:d7fb%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, October 11, 2017 2:05:43 AM
   Lease Expires . . . . . . . . . . : Thursday, October 12, 2017 7:01:12 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 187224644
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-77-8A-08-28-D2-44-4E-47-26
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
   Physical Address. . . . . . . . . : 5C-51-4F-E6-30-25
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 5C-51-4F-E6-30-26
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter NETGEAR-VPN:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-C9-60-40-B9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Client Config:

client
dev tun
proto udp
remote (removed)
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1




My client connects without any issues, but it is not able to access devices on the subnet where the server is located. I've followed the instructions here:
HOWTO: Expanding the scope of the VPN to include additional machines.

I've done the following to advertise my subnet to the VPN client:

Code: Select all

push "route 192.168.1.0 255.255.255.0"

I also enabled IP forwarding with:

Code: Select all

echo 1 > /proc/sys/net/ipv4/ip_forward

Finally, I tried to NAT the traffic using the command:

Code: Select all

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That seems like it's all I should need to do, but I'm still stuck. I do have a few extra push routes in my server config file that PiVPN added, but I've tried commenting those out, and that hasn't changed anything.

Is there something I'm missing here? Been struggling with this one for a while.

Thanks in advance!!!

Sycro5
OpenVpn Newbie
Posts: 4
Joined: Wed Oct 11, 2017 4:07 am

Re: Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Post by Sycro5 » Wed Oct 18, 2017 4:27 am

Can anyone help me with this?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Post by TinCanTech » Wed Oct 18, 2017 11:22 am

So,
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24

Sycro5
OpenVpn Newbie
Posts: 4
Joined: Wed Oct 11, 2017 4:07 am

Re: Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Post by Sycro5 » Sun Dec 17, 2017 10:11 pm

I've gone ahead and changed my LAN to 192.168.143.0/24. I also updated the appropriate line 12 in my configuration file from

Code: Select all

push "route 192.168.1.0 255.255.255.0"

to

Code: Select all

push "route 192.168.143.0 255.255.255.0"

Still no success. I can connect to the VPN without any issues. My client just can't access anything on the server's subnet.

Any other suggestions? Thanks

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Can Connect to VPN, But Can't Ping Clients On [oconf] Subnet

Post by Pippin » Sun Dec 17, 2017 10:53 pm

Where are the logs at verb 4?
Did you make ip_forward persistent?
I would:
remove ifconfig 10.8.0.1 10.8.0.2
remove push "route 10.8.0.1 255.255.255.255"
remove or change push "route 0.0.0.0 0.0.0.0"

change iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
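
The configuration points from the replies above, collected into one check; this is an added example and not part of any post in the thread. The function names and finding codes are made up for illustration, and it only reads the config file: `ip_forward` persistence and the scoped MASQUERADE rule still have to be verified on the server itself.

```shell
# Added example, not from the thread. Lints an OpenVPN server config read on
# stdin for the points raised in the replies; finding codes are made up here.
lint_ovpn_server() {
    awk '
    function ip2n(ip,   o) {                    # dotted quad -> number
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function inside(ip, net, mask,   size) {    # contiguous netmasks only
        size = 4294967296 - ip2n(mask)
        return int(ip2n(ip) / size) == int(ip2n(net) / size)
    }
    { sub(/^[ \t]*[#;].*/, "") }                # drop comment lines
    NF == 0 { next }
    $1 == "server"   { vnet = $2; vmask = $3 }
    $1 == "ifconfig" { ifc = $0 }
    $1 == "push" && $2 == "\"route" {           # push "route NET [MASK]"
        net = $3; mask = $4
        gsub(/"/, "", net); gsub(/"/, "", mask)
        if (mask == "") mask = "255.255.255.255"   # OpenVPN default netmask
        rnet[++n] = net; rmask[n] = mask
    }
    END {
        if (vnet != "" && ifc != "")
            print "IFCONFIG_WITH_SERVER: server already configures the tun address; drop: " ifc
        for (i = 1; i <= n; i++) {
            r = rnet[i] " " rmask[i]
            if (rnet[i] == "0.0.0.0")
                print "ZERO_ROUTE: remove or change pushed route " r
            else if (vmask != "" && inside(rnet[i], vnet, vmask))
                print "ROUTE_INSIDE_VPN_NET: " r " is already covered by the VPN subnet"
            else if (rmask[i] == "255.255.255.0" && rnet[i] ~ /^192\.168\.[01]\.0$/)
                print "COMMON_LAN_SUBNET: " r " may collide with the LAN the client is on"
        }
    }'
}

# Trimmed copy of the server config posted at the top of the thread.
posted_conf() {
    cat <<'EOF'
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 192.168.1.0 255.255.255.0"
push "route 0.0.0.0"
push "redirect-gateway def1"
EOF
}
posted_conf | lint_ovpn_server
```

Run against a real file with `lint_ovpn_server < /etc/openvpn/server.conf`; no output means none of these four points apply.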
