SuperIT762
Posts: 9
Joined: Sat Nov 07, 2015 9:44 pm

PiVPN connected but no internet

Thu Jul 06, 2017 2:11 pm

So after some wrestling on my part, I managed to get a PiVPN server running on my Pi 2 B. However, it's not working quite right. I can connect to the server via all my devices without issue, as well as access resources on the VPN server, but I can't access any other devices on the network or the Internet. My guess is that something in the config file isn't set up right.

Code:

local 10.0.1.11
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
#ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
#push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
#push "route 10.8.0.0 255.255.255.0"
# your local subnet
#push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

This is pretty much the default config file, but I've commented a couple lines out (mainly the "push route" and the "push dhcp-option" lines), added the "local 10.0.1.11" line at the top, and changed "comp-lzo" to "comp-lzo adaptive".

My goal with this server is to be able to access the server, LAN resources, and the Internet.

Please let me know what you think!
Last edited by SuperIT762 on Sun Aug 06, 2017 9:53 pm, edited 2 times in total.

SuperIT762
Posts: 9
Joined: Sat Nov 07, 2015 9:44 pm

Re: PiVPN connected but no internet

Fri Jul 07, 2017 3:42 pm

After some investigating, it seems I need to bridge wlan0 and tun0 interfaces. However, it seems there are some restrictions on bridging wlan connections, and I'm not sure what to do from this point.

Attempting to set up the bridge using brctl returns an "operation not supported" error.

Any help is appreciated!

DougieLawson
Posts: 39796
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: PiVPN connected but no internet

Fri Jul 07, 2017 6:31 pm

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

SuperIT762
Posts: 9
Joined: Sat Nov 07, 2015 9:44 pm

Re: PiVPN connected but no internet

Fri Jul 07, 2017 8:42 pm

Ok, based on that how-to, I've redone the config file.

Code:

local 10.0.1.11
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.2 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

Unfortunately, this changes nothing. I can still only access the server's resources, but not the rest of the LAN or the Internet. I also ran this command:

Code:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

Which also didn't appear to do anything.

My best guess right now is that I don't have TUN forwarding set up correctly. The how-to mentions it, but doesn't go into any detail.

Also, I was thinking it might just be easier to use TAP instead of TUN, based on what I've been reading. Is there any reason I shouldn't do that?

DougieLawson
Posts: 39796
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: PiVPN connected but no internet

Fri Jul 07, 2017 10:43 pm

The route you need to push isn't 10.8.0.0/24 as that's done as part of initialising the tunnel.

You need to push your RPi's LAN IP 10.0.1.0/24; that way the remote end of the tunnel will be able to route through your LAN to the public internet. You may also need to push a default gateway to the remote end (look at the redirect-gateway option).

SuperIT762
Posts: 9
Joined: Sat Nov 07, 2015 9:44 pm

Re: PiVPN connected but no internet

Fri Jul 07, 2017 11:38 pm

DougieLawson wrote: The route you need to push isn't 10.8.0.0/24 as that's done as part of initialising the tunnel.

You need to push your RPi's LAN IP 10.0.1.0/24; that way the remote end of the tunnel will be able to route through your LAN to the public internet. You may also need to push a default gateway to the remote end (look at the redirect-gateway option).

So I ran:

Code:

sudo iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o wlan0 -j MASQUERADE

and added

Code:

push "route-gateway 10.0.1.1"

to my config file.

Looks like it's still the same issue, though. I also noticed that when connecting to the VPN on my phone, the "default gateway" that it's reporting is the same as my LTE IP address. There's also no external address. The DNS push seems to be working though.

SuperIT762
Posts: 9
Joined: Sat Nov 07, 2015 9:44 pm

Re: PiVPN connected but no internet

Sun Aug 06, 2017 9:46 pm

Well, I ended up resolving part of this issue myself. Here is what worked:

Make sure only iptables is installed (I also had ufw installed).

Run:

Code:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

This sets the default firewall behavior to allow all incoming, outgoing, and forwarded traffic.
MAKE SURE THIS IS REALLY WHAT YOU WANT TO DO! This is effectively disabling the firewall (though you can still block individual ports or IP addresses).

Unfortunately, I still can't access my LAN.

maverik0106
Posts: 6
Joined: Fri Jul 26, 2019 7:45 pm

Re: PiVPN connected but no internet

Fri Jul 26, 2019 7:47 pm

Hey @SuperIT762,

Did you ever figure it out? I'm having similar issues, where I'm trying to access my local devices and all I can ping successfully is the VPN local IP.

It didn't use to do this before; the simple script to install it used to route and do everything. Now it's like it's broken...

TheOtherPiUser
Posts: 1
Joined: Wed Sep 11, 2019 2:30 pm

Re: PiVPN connected but no internet

Wed Sep 11, 2019 2:36 pm

Hello all, I ran

Code:

pivpn -d

debug mode and it corrected the issue for me:

=============================================
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n] y
Done
:: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] y
Done
:: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] y
Done
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
[INFO] Run pivpn -d again to see if we detect issues
=============================================
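
The three iptables items in the self check above (MASQUERADE, INPUT, FORWARD) can be verified against `iptables-save` output, and explicit rules scoped to the tunnel are the narrower alternative to the blanket `--policy ... ACCEPT` commands posted earlier in the thread. The following is an added example, not part of any post here and not PiVPN's own code. It assumes the thread's values (VPN subnet 10.8.0.0/24, wlan0 as the LAN interface, port 1194/udp) plus tun0 as the tunnel device; the function names and sample dumps are constructed for illustration.

```sh
# Added example (not PiVPN's code). Assumed from the thread: VPN subnet
# 10.8.0.0/24 on tun0, LAN side wlan0, OpenVPN on 1194/udp.
VPN_NET=10.8.0.0/24; VPN_IF=tun0; LAN_IF=wlan0; VPN_PORT=1194

# has_rule DUMP CHAIN TOKEN...: true if one "-A CHAIN" line holds every TOKEN.
has_rule() {
  _lines=$(printf '%s\n' "$1" | grep -- "^-A $2 " || true)
  shift 2
  for _tok in "$@"; do
    _lines=$(printf '%s\n' "$_lines" | grep -F -- "$_tok" || true)
  done
  [ -n "$_lines" ]
}

# audit_vpn_fw DUMP: print one verdict per check for iptables-save text.
audit_vpn_fw() {
  has_rule "$1" POSTROUTING "-s $VPN_NET" "-o $LAN_IF" "-j MASQUERADE" \
    && echo "nat=OK" || echo "nat=ERR"
  has_rule "$1" INPUT "-p udp" "--dport $VPN_PORT" "-j ACCEPT" \
    && echo "input=OK" || echo "input=ERR"
  has_rule "$1" FORWARD "-s $VPN_NET" "-i $VPN_IF" "-o $LAN_IF" "-j ACCEPT" \
    && echo "forward=OK" || echo "forward=ERR"
  has_rule "$1" FORWARD "-d $VPN_NET" "-o $VPN_IF" "ESTABLISHED" "-j ACCEPT" \
    && echo "return=OK" || echo "return=ERR"
  # A default-ACCEPT FORWARD policy forwards between all interfaces, so the
  # scoped rules above only restrict anything once the policy is DROP.
  printf '%s\n' "$1" | grep -q '^:FORWARD ACCEPT' \
    && echo "policy=OPEN" || echo "policy=CLOSED"
}

# Constructed iptables-save excerpts (sample data, not from the thread).
SAMPLE_OPEN=':FORWARD ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE'
SAMPLE_SCOPED=':FORWARD DROP [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE
-A INPUT -i wlan0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o wlan0 -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

audit_vpn_fw "$SAMPLE_OPEN"     # on the Pi: audit_vpn_fw "$(sudo iptables-save)"
```

A dump that reports `policy=OPEN` with the forward checks at `ERR` passes VPN traffic only because everything is forwarded; the second sample shows the rule set that keeps the tunnel working with the FORWARD policy set to DROP.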
