Client can't see/find DLNA server on home network

[splasher]

If I put this in the wrong area, I apologize.
The setup is OpenVPN server running on a Raspberry Pi 3b+ as 192.168.75.72. The home network is 192.168.75.x. I can remotely connect into the OpenVPN server with my laptop and use a browser to get to the rest of the internet. My bank sees the connection as coming from home and doesn't require additional authorization as expected, so OpenVPN is working as expected and I have done the port forwarding in the router correctly.
A second RPi is running miniDLNA as 192.168.75.92. Neither Windows or Android clients can see the miniDLNA server from within VLC media player but they do see it when they are on the home network (no VPN).
After reading in the OpenVPN help about "Adding multiple machines on the server side when using a routed VPN (dev tun)", I added the following line to the server.conf file: push "route 192.168.75.0 255.255.255.0"
It did not help.
I further added push "route 10.8.0.0 255.255.255.0" to the .ovpn file that was distributed to the client, but that didn't help either.
I made no other changes to the config files other than the above two changes.
Any suggestions? What have I missed or am I expecting something that can't be?
Thanks in advance for any and all help.

[Pippin]

Hi,

I further added push "route 10.8.0.0 255.255.255.0" to the .ovpn file that was distributed to the client, but that didn't help either.

That's not what the manual says:

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

.

I made no other changes to the config files other than the above two changes.

There is more that it says.

[TinCanTech]

After reading in the OpenVPN help about "Adding multiple machines on the server side when using a routed VPN (dev tun)",

Any suggestions

Read it again, carefully.

I further added push "route 10.8.0.0 255.255.255.0"

Assuming that your server uses --server 10.8.0.0 255.255.255.0, that is done automatically.

[splasher]

Thanks to both @Pippin and @TinCanTech for your responses.
You both indicated that I incorrectly added "route 10.8.0.0 255.255.255.0" so I removed it.
I guess I am more than a little lost in the terminology.
The instructions state :

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

Is the server-side LAN gateway part of my cable modem/router? If so, what words should I be looking for in it?
I have already added Port Forwarding for port 1194 to 192.168.75.72 to direct the incoming VPN traffic to the OpenVPN server and that part works correctly.
The instructions also refer to making sure that IP forwarding is enabled and the link shows using this command:
"echo 1 > /proc/sys/net/ipv4/ip_forward" for a Linux installation. There is currently a file by that name which contains a "1", so I am guessing that IP forwarding is enabled.
Once again, thanks in advance for your help.
BTW, I got the message about using the [oconf] BB tag, so I added it to the subject in my reply, but I don't know if that is the correct way of how to do it after the fact.

[Pippin]

Is the server-side LAN gateway part of my cable modem/router?

We do not know but probably yes.

You would have to look for adding a static route to (probably) your modem/router:
network: 10.8.0.0 255.255.255.0 - gateway: 192.168.75.72
If it does not have the ability to add static routes then there is another way but lets see first.

[splasher]

Evidently, setting a static route in the Hitron CODA-4589 modem/router used by Breezeline can not be done by the user, you need their tech support to do it for you. They supposedly set it based on your information above, but I can't see it to confirm what it actually is.
If they did it correctly, it still doesn't make the local network visible.
If I add the DLNA server as a favorite in VLC, I can get to it when VPNing into remotely. Same thing for File Manager (Android), if it is in history, it can find it again and that might be the solution. Just make sure that the software on my mobile devices know where to find them before expecting them to be found when using VPN.
But I'm curious, what is the other way that you alluded to?

[Pippin]

Another way is to masquerade the client traffic when it leaves the server/tunnel into the LAN.
This is done on the server with the following firewall rule:

Code: Select all

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.75.0/24 -o $EXTIF -j MASQUERADE

Where $EXTIF is the interface of the RPi, for example eth0 or enp1s0.

This might help visually:
https://community.openvpn.net/openvpn/w ... acketsFlow

Please post your server and client config files:
viewtopic.php?t=22603

Also make sure that

Code: Select all

cat /proc/sys/net/ipv4/ip_forward = 1

permanently.

[splasher]

@Pippin
I had the cable tech support remove the static route from the Modem/Router in case it was not doing what we wanted or they did it wrong since I could not see what they had entered.

I did add the iptable rule that you suggested, this is the result of running it:
pi@RPi3-OpenVPN:~ $ sudo iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.75.0/24 -o eth0 -j MASQUERADE
MASQUERADE all opt -- in * out eth0 10.8.0.0/24 -> 192.168.75.0/24

IP forwarding was "1" already, so nothing to do there.

I can connect to things if I specify an IP address, but having the remote device browse/search the local network does not find anything. As an example, in Win10 File Explorer, if I click on "Network", it only shows the current computer, none of the other computers on the LAN or Media Devices (my RPi DLNA server) or printers or storage (WD MyCloud).

Am I expecting too much? I never used a VPN to remotely connect to work years ago, so I'm not sure what to expect.

On a forum protocol topic, I have a banner stating to "Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example." It appears that when I posted the original question, it should have had the [oconf] in the title, am I understanding that correctly?

Once again, I can't thank you enough for your guidance so far.

You asked for the config files, there is a ### before and after each:
Server.conf:
############
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/RPi3-Bullseye_dcc15f19-f5a2-447a-9f62-bdee49012e77.crt
key /etc/openvpn/easy-rsa/pki/private/RPi3-Bullseye_dcc15f19-f5a2-447a-9f62-bdee49012e77.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
#
# added by SPL
# echo 1 > /proc/sys/net/ipv4/ip_forward
push "route 192.168.75.0 255.255.255.0"
############

Client config:
############
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name RPi3-Bullseye_dcc15f19-f5a2-447a-9f62-bdee49012e77 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#removed
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#removed
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#removed
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#removed
-----END OpenVPN Static key V1-----
</tls-crypt>
############

[Pippin]

You can connect via IP address which means from OpenVPN point of view it is working.
Your configs look ok.

It has become off topic.

PS
From a search I found that miniDLNA needs multicastcast.
It seems there is a solution, one I found suggests to add a second miniDLNA to the same host running OpenVPN.