Help with NAT after successful installation
Posted: Fri Jun 17, 2022 7:09 am
I've successfully installed OpenVPN on a Raspberry Pi 4 running Debian following this tutorial, created an ovpn file and imported it into the OpenVPN Connect app on my Android. It connects just fine via my internet router's (FRITZ!Box 6951 Cable) manufacturer's DynDNS service (MyFritz) using port forwarding (1194) from the router to the Raspi. The Raspi has UFW installed, but it's currently disabled as long as stuff isn't working.
Thing is, once I've connected, all calls to URLs either inside or outside the local network, either by IP address or DNS name, just time out after a while.
I understood that I need to set up some static route in the router, so that the response packages from the URL endpoints find their way back into the tunnel. That would explain the timeouts instead of a 404, I suppose. Some tutorial suggested to add a route between 10.10.10.0, Subnet 255.255.255.0 to my Raspi, let that be 192.168.178.17 (fixed IP over wired ethernet). I did that, but it didn't help. Maybe I need to use a different IP than 10.10.10.0, but I wouldn't know which one instead. I don't even know where they got 10.10.10.0 from. It can't be the client's IP address, as that one might change constantly?
I'm fairly certain there's one last step missing to make it work, and that it's one step everybody must have done. But I just can't get my head around it. To be really frank: I already fail at understanding the Wikipedia article about NATs. I do have basic network knowledge, but not in-depth, and also sadly have an issue that I simply can't concentrate enough to dive into all those details. While I know how to program software and occasionally do it, I also can't read other people's code for the same reason. Brain just goes "boooring, la la la, what's the weather outside, and oh, what's on today's menu?"
So I hope someone here is willing to guide me through the steps of where to define what to make it work. The FRITZ!Box comes with its own VPN solution that does work, but it's a PITA to set it up with clients. So far I managed to get it working on my Smartphone, but still fail with my wife's phone (even though she has the same model) or my laptop, let alone other clients like a piCore Player, and from what I've understood the solution also has some issues with my Internet provider (Vodafone Cable) in combination with IPv6. That's why I'd like to use OpenVPN instead.
Thread viewtopic.php?p=106952 and viewtopic.php?p=106859 seem to suggest I just need to enable the line "net.ipv4.ip_forward=1" in /etc/sysctl.conf? I don't want to touch it without confirmation as I don't know what I might break if I'm doing the wrong thing. Would be bad if the Raspi became unreachable afterwards, and it's also running other stuff like an Apache Tomcat or ioBroker.
Edit: I went and enabled "net.ipv4.ip_forward=1" and ran "sudo sysctl -p" which listed the aforementioned line. I also went and added a static route between 10.10.10.0/255.255.255.0 and 192.168.[IP of the OpenVPN server] to the internet router again. But that didn't change anything, I still get the timeouts.
My server.conf is this:
```
local 192.168.[removed]
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.[removed]"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
```
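As an added example (editor's code, not part of the original post), a small Python check that reads the `server` and `push` lines from the server.conf above and compares them against the router route the poster configured; it uses the post's 192.168.178.17 server address and the 10.10.10.0/255.255.255.0 route as sample inputs, and assumes eth0 as the Raspi's LAN interface for the alternative NAT rule from the OpenVPN HOWTO.

```python
import ipaddress

# Relevant lines of the poster's server.conf, copied here so the check runs
# stand-alone (the redacted "local" and DNS lines are omitted).
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""

def parse_vpn_subnet(conf):
    """Return the client subnet declared by the 'server <net> <mask>' directive."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    raise ValueError("no 'server' directive found")

def pushes_redirect_gateway(conf):
    """True if the server sends all client traffic (LAN and internet) through the tunnel."""
    return any(l.startswith("push") and "redirect-gateway" in l
               for l in conf.splitlines())

def audit(conf, server_lan_ip, router_route_net, lan_iface="eth0"):
    """Compare the router's static route with the VPN subnet and list what must match."""
    vpn = parse_vpn_subnet(conf)
    route = ipaddress.ip_network(router_route_net, strict=False)  # accepts net/mask form
    findings = []
    if route != vpn:
        findings.append(f"router static route {route} does not match VPN subnet {vpn}; "
                        f"the route the router needs is {vpn} via {server_lan_ip}")
    if pushes_redirect_gateway(conf):
        findings.append("redirect-gateway is pushed: every client packet is forwarded "
                        "by the server, so net.ipv4.ip_forward=1 is required")
    return {
        "vpn_subnet": str(vpn),
        "route_ok": route == vpn,
        "findings": findings,
        # Alternative to a router route (OpenVPN HOWTO approach): NAT the VPN subnet
        # to the server's LAN address so replies come back to the Raspi by themselves.
        "masquerade_rule": f"iptables -t nat -A POSTROUTING -s {vpn} -o {lan_iface} -j MASQUERADE",
    }

if __name__ == "__main__":
    for line in audit(SERVER_CONF, "192.168.178.17", "10.10.10.0/255.255.255.0")["findings"]:
        print("-", line)
```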