PiVPN connected but no internet

Posted: Thu Jul 06, 2017 2:11 pm
by SuperIT762
So after some wrestling on my part, I managed to get a PiVPN server running on my Pi 2 B. However, it's not working quite right. I can connect to the server via all my devices without issue, as well as access resources on the VPN server, but I can't access any other devices on the network or the Internet. My guess is that something in the config file isn't set up right.

Code:

local 10.0.1.11
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
#ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
#push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
#push "route 10.8.0.0 255.255.255.0"
# your local subnet
#push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

This is pretty much the default config file, but I've commented a couple lines out (mainly the "push route" and the "push dhcp-option" lines), added the "local 10.0.1.11" line at the top, and changed "comp-lzo" to "comp-lzo adaptive".

My goal with this server is to be able to access the server, LAN resources, and the Internet.

Please let me know what you think!

Re: PiVPN connected but no internet

Posted: Fri Jul 07, 2017 3:42 pm
by SuperIT762
After some investigating, it seems I need to bridge the wlan0 and tun0 interfaces. However, it seems there are some restrictions on bridging wlan connections, and I'm not sure what to do from this point.

Attempting to set up the bridge using brctl returns an "operation not supported" error.

Any help is appreciated!

Re: PiVPN connected but no internet

Posted: Fri Jul 07, 2017 6:31 pm
by DougieLawson

Re: PiVPN connected but no internet

Posted: Fri Jul 07, 2017 8:42 pm
by SuperIT762
Ok, based on that how-to, I've redone the config file.

Code:

local 10.0.1.11
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.2 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

Unfortunately, this changes nothing. I can still only access the server's resources, but not the rest of the LAN or the Internet. I also ran this command:

Code:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

Which also didn't appear to do anything.

My best guess right now is that I don't have TUN forwarding set up correctly. The how-to mentions it, but doesn't go into any detail.

Also, I was thinking it might just be easier to use TAP instead of TUN, based on what I've been reading. Is there any reason I shouldn't do that?

Re: PiVPN connected but no internet

Posted: Fri Jul 07, 2017 10:43 pm
by DougieLawson
The route you need to push isn't 10.8.0.0/24 as that's done as part of initialising the tunnel.

You need to push your RPi's LAN IP 10.0.1.0/24; that way the remote end of the tunnel will be able to route through your LAN to the public internet. You may also need to push a default gateway to the remote end (look at the redirect-gateway option).

Re: PiVPN connected but no internet

Posted: Fri Jul 07, 2017 11:38 pm
by SuperIT762
DougieLawson wrote: The route you need to push isn't 10.8.0.0/24 as that's done as part of initialising the tunnel.

You need to push your RPi's LAN IP 10.0.1.0/24; that way the remote end of the tunnel will be able to route through your LAN to the public internet. You may also need to push a default gateway to the remote end (look at the redirect-gateway option).

So I ran:

Code:

sudo iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o wlan0 -j MASQUERADE

and added

Code:

push "route-gateway 10.0.1.1"

to my config file.

Looks like it's still the same issue, though. I also noticed that when connecting to the VPN on my phone, the "default gateway" that it's reporting is the same as my LTE IP address. There's also no external address. The DNS push seems to be working though.

Re: PiVPN connected but no internet

Posted: Sun Aug 06, 2017 9:46 pm
by SuperIT762
Well, I ended up resolving part of this issue myself. Here is what worked:

Make sure only iptables is installed (I also had ufw installed).

Run:

Code:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

This sets the default firewall behavior to allow all incoming, outgoing, and forwarded traffic.
MAKE SURE THIS IS REALLY WHAT YOU WANT TO DO! This is effectively disabling the firewall (though you can still block individual ports or IP addresses).

Unfortunately, I still can't access my LAN.

Re: PiVPN connected but no internet

Posted: Fri Jul 26, 2019 7:47 pm
by maverik0106
Hey @SuperIT762,

Did you ever figure it out? I'm having similar issues, where I'm trying to access my local devices and all I can ping successfully is the VPN local IP.

It didn't use to do this before. The simple script to install it used to route and do everything; now it's like it's broken...

Re: PiVPN connected but no internet

Posted: Wed Sep 11, 2019 2:36 pm
by TheOtherPiUser
Hello all, I ran

Code:

pivpn -d

debug mode and it corrected the issue for me:

=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] y
Done
:: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] y
Done
:: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] y
Done
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
[INFO] Run pivpn -d again to see if we detect issues
=============================================
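
The self check above names three firewall rules (MASQUERADE, INPUT, FORWARD), and the earlier workaround in the thread opened every default policy instead. The script below is an added example, not part of the thread and not PiVPN's own code: it audits `iptables-save` text for those rules and prints narrowly scoped commands for any that are missing. The interface names, subnet and port are taken from the thread's configs; the sample ruleset is constructed, and the kernel's `net.ipv4.ip_forward` setting is not checked here.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules an OpenVPN gateway
# needs and print scoped fixes, rather than setting every policy to ACCEPT.
# Assumed from the thread: VPN subnet 10.8.0.0/24, tun0, wlan0, port 1194/udp.
VPN_NET="10.8.0.0/24"; TUN_IF="tun0"; LAN_IF="wlan0"; VPN_PORT="1194"

# Constructed sample: restrictive policies, NAT rule written for the LAN
# subnet instead of the VPN subnet (as in one of the attempts above).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o wlan0 -j MASQUERADE
COMMIT'

# has_rule RULES REGEX -> exit 0 if any line of RULES matches the extended regex
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit RULES -> prints one iptables command per missing rule, plus a warning
# for each INPUT/FORWARD chain whose default policy is ACCEPT.
audit() {
    rules=$1
    has_rule "$rules" "^-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE" ||
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
    has_rule "$rules" "^-A INPUT .*-p udp .*--dport $VPN_PORT .*-j ACCEPT" ||
        echo "iptables -A INPUT -i $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
    has_rule "$rules" "^-A FORWARD .*-i $TUN_IF .*-j ACCEPT" ||
        echo "iptables -A FORWARD -s $VPN_NET -i $TUN_IF -o $LAN_IF -j ACCEPT"
    has_rule "$rules" "^-A FORWARD .*-o $TUN_IF .*(RELATED|ESTABLISHED).*-j ACCEPT" ||
        echo "iptables -A FORWARD -d $VPN_NET -i $LAN_IF -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "$rules" |
        sed -nE 's/^:(INPUT|FORWARD) ACCEPT.*/WARN: default policy ACCEPT on \1/p'
}

# Live use: sh audit.sh "$(sudo iptables-save)"; with no argument the sample runs.
audit "${1:-$SAMPLE_RULES}"
```

On the constructed sample all four commands are printed, because the existing NAT rule matches the LAN subnet rather than the tunnel subnet.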