I am running a Raspberry Pi 3 B+ (DietPi).
I installed PiVPN using these instructions (https://www.ostechnix.com/pivpn-simples ... pberry-pi/), but with the inbuilt DietPi installer.
I can connect successfully to the VPN using my phone and computer; however, I have no LAN or internet access. I cannot even access the Pi itself using SSH.
I have searched for a number of solutions and tried them, but I am still having no success.
This is my pivpn debug:
::: Generating Debug Output
:::: PiVPN debug ::::
=============================================
:::: Latest commit ::::
fatal: Not a git repository: '/etc/.pivpn/.git'
=============================================
:::: Installation settings ::::
/etc/pivpn/DET_PLATFORM -> Raspbian
/etc/pivpn/INSTALL_PORT -> 1194
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> dietpi
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR ->
=============================================
:::: setupVars file shown below ::::
pivpnUser=dietpi
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=192.168.1.1
IPv4addr=192.168.1.124
IPv4gw=192.168.1.1
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=REMOTE
OVPNDNS1=8.8.8.8
OVPNDNS2=8.8.4.4
=============================================
:::: Server configuration shown below ::::
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_OMoH02HZddW3Pe8J.crt
key /etc/openvpn/easy-rsa/pki/private/server_OMoH02HZddW3Pe8J.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
push "route 192.168.1.0 255.255.255.0"
=============================================
:::: Client template file shown below ::::
client
dev tun
proto udp
remote REMOTE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_OMoH02HZddW3Pe8J name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
:::: Recursive list of files in ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
extensions.temp
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
kris.ovpn
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key
/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem
/etc/openvpn/easy-rsa/pki/issued:
kris.crt
server_OMoH02HZddW3Pe8J.crt
/etc/openvpn/easy-rsa/pki/private:
ca.key
kris.key
server_OMoH02HZddW3Pe8J.key
/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:
/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:
/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial
/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:
/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
=============================================
:::: Snippet of the server log ::::
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 VERIFY EKU OK
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 VERIFY OK: depth=0, CN=kris
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_GUI_VER=OC30Android
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_VER=3.2
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_PLAT=android
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_NCP=2
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_TCPNL=1
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_PROTO=2
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 peer info: IV_AUTO_SESS=1
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
May 22 21:52:46 DietPi ovpn-server[298]: 118.21.85.331:2081 [kris] Peer Connection Initiated with [AF_INET]118.21.85.331:2081
May 22 21:52:46 DietPi ovpn-server[298]: MULTI: new connection by client 'kris' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
May 22 21:52:46 DietPi ovpn-server[298]: MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
May 22 21:52:46 DietPi ovpn-server[298]: MULTI: Learn: 10.8.0.2 -> kris/120.22.85.233:2081
May 22 21:52:46 DietPi ovpn-server[298]: MULTI: primary virtual IP for kris/120.22.85.233:2081: 10.8.0.2
May 22 21:52:46 DietPi ovpn-server[298]: kris/118.21.85.331:2081 PUSH: Received control message: 'PUSH_REQUEST'
May 22 21:52:46 DietPi ovpn-server[298]: kris/118.21.85.331:2081 SENT CONTROL [kris]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,block-outside-dns,redirect-gateway def1,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)
May 22 21:52:46 DietPi ovpn-server[298]: kris/118.21.85.331:2081 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
May 22 21:52:46 DietPi ovpn-server[298]: kris/118.21.85.331:2081 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
=============================================
:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::