I need some advice and/or help for a VPN using PiVPN (OpenVPN) on a Pi 3. I've googled and searched and pounded my head on my desk for days now trying to get a VPN up and running like I need it to. I've even posted on OpenVPN forums and failed to get the help I need. I'm really hoping to get a resolution here...
This is what I want to do. My company wants to use Pis to access remote TCP/IP equipment at remote locations. This equipment isn't on the same subnet as the internet connection. That shouldn't be a big deal, but that's where I'm getting hung up. I have the VPN running and it works great from both a PC and an iPad. On this VPN I have two NICs. One for the internet connection and the other to reach our equipment. As I said above, that's where I'm getting hung up. For the life of me, I cannot ping anything on that subnet. The internet side is on a subnet of 192.168.1.x. The equipment is on a subnet of 192.168.86.x. The VPN serves out addresses on a subnet of 10.8.0.x. When I'm connected I get served an IP address of 10.8.0.2. From that IP I can ping 192.168.1.x, 10.8.0.x and 192.168.86.253 (address of the second NIC), but I cannot ping anything else on that subnet. I believe the issue is in one of two places. It's either in the server.conf file, so the VPN isn't pushing a route correctly to the clients, or I don't have my iptables set up correctly. It's also possible that it could be both. I really don't know.
My OpenVPN server.conf file:
Code:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Tried below and didn't work
push "route 192.168.86.0 255.255.255.0"
#---- tried with others commented out
# Tried below and didn't work
push "route 192.168.86.0 255.255.255.0 10.8.0.1"
#---- tried with others commented out
# Tried below and didn't work
push "route 192.168.86.0 255.255.255.0 192.168.1.14"
#---- tried with others commented out
# Set your primary domain name server address for clients
push "dhcp-option DNS 22.214.171.124"
push "dhcp-option DNS 126.96.36.199"
# Override the Client default gateway by using 0.0.0.0/1 and
# 188.8.131.52/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io
My iptables rules (iptables-save) and kernel routing table:
Code:
# Generated by iptables-save v1.4.21 on Tue Jul 25 19:31:33 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jul 25 19:31:33 2017
# Generated by iptables-save v1.4.21 on Tue Jul 25 19:31:33 2017
*filter
:INPUT ACCEPT [1409:349819]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1431:209698]
COMMIT
# Completed on Tue Jul 25 19:31:33 2017
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     202    0        0 eth0
192.168.86.0    *               255.255.255.0   U     204    0        0 eth1