Pistrong Setup Help (VPN Server Local LAN Subnet/Can't Detect Gateway IP Address)

[ethanic17]

This was originally a thread from: https://forums.raspberrypi.com/viewtopic.php?p=1951935#p1951935

But basically, I'm trying to set up Pistrong as a VPN I can tunnel through to my Pi on my phone/computer outside my home network for SSH & SFTP (Samba). I've already installed Pistrong and setup port forwarding on my Pi through my router's settings but am stuck on trying to setup the CA (Certification authority?). I'm running the makeMyCA script through terminal and am getting stuck at the part where it asks for my VPN Server Local LAN Subnet. I've already entered tried entering the subnet (from command ip a in terminal) with no success and saying that 'No IP Address is assigned to network device my router/gateway's IP address'.

Though one thing I'm confused about is what is the difference between my 'eth0' and 'lo' IP addresses? I know eth0 is ethernet but what exactly is 'lo'? From what I can gather from Google, is that it's some kind of loopback address that communicates with my Pi? Not sure what exactly the use for that is, but I entered in my both my 'eth0' and 'lo' IP addresses during the makeMyCA session/script with the same error message on VPN Server Local LAN Subnet.

I also have a suspicion it's because I set up DDNS incorrectly (using no-ip), but I'm not too sure. For my IPv4 address, I entered in what I got fromecho "$(curl -s 'dynupdate.no-ip.com/ip.php')" but I'm not sure if I need to do any more setup on that end. I've port forwarded ports 500 & 4500 already but do I need to configure anything extra in my router/gateway settings (like static IP, private from pool/fixed private lan assignment, etc?)

[gitbls]

Easy question first: what about device 'lo'? Just ignore it. It's the network device that programs can use to connect to the "current host". The network adapter you care about is 'eth0'.

Here's a picture so that we're talking about the same things:

Internet <---> ISP-assigned external IP address <---> Router <---> LAN <---> VPN Server

So...

• ISP-assigned external IP address is the IP address that your router calls "external IP" or something like that. This is the IP address that your DDNS name should translate to. Since your external IP address can change, you need a tool to monitor it and update the DDNS name. noip has such a tool, and there are tons of others as well. Once you set up the tool correctly, it will keep the DDNS name up-to-date.

• Your router has an address on your LAN. You can get that from your router management tool, or from any device on your network that gets a DHCP-assigned address from your router. You can see it on a pi by doing ip r. For instance, here's the output from one of my Pi systems:

  default via 192.168.42.1 dev eth0 proto dhcp src 192.168.42.224 metric 202 
  192.168.42.0/24 dev eth0 proto dhcp scope link src 192.168.42.224 metric 202 

  In this case, "default via 192.168.42.1" says that the default route goes to 192.168.42.1, which happens to be my router.

• Your VPN server will have an IP address, which you can get from ip a. It's best if this is set up as a static IP address, which means it must have an IP address outside of the pool of IP addresses used by the DHCP server (on your router). Check your router's DHCP config to find out the pool, and pick and address outside of that. Then you can edit /etc/dhcpcd.conf to set your Pi to have a static address. There is an example of a static IP configuration in /etc/dhcpcd.conf. Copy it, remove the '#' from the start of each line, and set the ip_address, routers, and domain_name_servers as appropriate for your LAN.

• Once you have the VPN server's IP address, you can easily derive the VPN Server Local LAN subnet. If your router is 192.168.0.1, your Server Local LAN subnet is 192.168.0.0/24.

• Note that your ISP-assigned external IP address doesn't come into play at all with makeMyCA.

OK, I'm going to stop here. After you've digested the above, please ask for clarifications on anything, and let me know what questions still need to be resolved.

[ethanic17]

Alright, so I think I have a good general idea of what to do now. Though I still have some questions regarding setting up static IP and my router recognizing it. Like I mentioned before, I already set up a static IP on my Pi through Pi-Hole and I did edit the /etc/dhcpcd.conf file to do so. Though, I didn't un-comment the one they provided and just manually entered in my own as I followed a PiHole guide but I think these settings should be fine right? It just doesn't specify an Ipv6 address.

interface eth0
        static ip_address=192.168.1.116/24
        static routers=192.168.1.254
        static domain_name_servers=8.8.8.8 8.8.4.4

Actually reading back on your reply I just realized that my static IP address I set for PiHole is still inside my router's DHCP address pool. That hasn't caused any problems on PiHole but setting up Pistrong, I would wanna change it right? I attached a screenshot of my router's DHCP address pool, so I can just input like 192.168.1.257 inside the /etc/dhcpcd.conf file for my static IP and I should theoretically be good right? I wouldn't need to do any additional configuration on my router side either right? Like address assignement I have it set right now Private From Pool, and I can leave it at that? It has the option to assign a private fixed IP, but all the IPs listed there are inside the DHCP address pool so I assume I wouldn't be selecting any of that. It also has the option for a public IP (WAN IP mapping), but I shouldn't have to mess with that right?

Also, you mentioned that I shouldn't have to worry about my 'lo' adapter connection, but on the Pi thread you told me to run hostname --ip-address and see what comes up as that's what the makeMyCA script uses to get the IP address of my Pi. Instead of showing my eth0 IP address (the static IP I set), instead it's showing my 'io' address. Is that normal or is something wrong here?

(And also sorry for the late replies, busy with work/school and GitHub isn't sending me email notifications for some reason)

[gitbls]

Your router doesn't "recognize" static IP addresses set up on Pis (or other devices in general). It is critically important that static addresses you set up on devices don't overlap the DHCP server range (.64-.253 in your picture). So, you can safely use .1-.63 for static IP address assignments. If the static IP address you set for pihole is inside the .64-.253 range, you need to change that. If you don't change it, things will work fine for a while, and then, when you have completely forgotten what you did, some other device will be given that address by the DHCP server and bam! your day is ruined.

Fix it now.

Yes, adding new entries rather than uncommenting in /etc/dhcpcd.conf is perfect. The entries you posted here look fine, except that the .116 address is inside the DHCP server address range.

The picture you have of the static assignment for raspberrypi...is that from your router? What is your router make/model? I've never seen that "Private from pool:" setting, Best to understand what that means! Ditto, the "WAN IP mapping" item. Need to understand what those actually do before I can make definitive responses on those.

As far as hostname --ip-address, I have mis-spoken. On some networks, like yours (and amusingly, on a couple of my systems), that returns the 'lo' 127.0.0.1 address. That's not a problem that needs to be fixed, so don't panic about that. But, you are correct, that is not a good address to use in makeMyCA. You should use 192.168.1.116 (or whatever you end up changing it to outside the DHCP server pool). And, the LAN subnet would be 192.168.1.0/24

For expecting replies, I'm on the US west coast. Where are you located?

[ethanic17]

Gotcha, I set the static IP to 192.168.1.62 and everything seems working for the most part. Except for some reason I can't access my files through File Explorer on Windows anymore. When I enter in the new static IP I set and disconnect the old one, it says Windows can't find the network drive. It shouldn't matter that the static IP is outside the DHCP range right? Everything else is working fine with the new static IP, Pi-Hole, VNC Server, ssh through terminal (on windows), etc.

And yes, the picture was from my router gateway. I'm using AT&T Fiber and this is the router I'm using I think:

I tried searching it up online and tried looking for manuals on my router with no success. Maybe it's something to do with setting the static IP through the router? Though, right now as of my current setting supposedly that's only set as a private IP. But I wouldn't need a public IP for my Pi, because looking back at your mini flowchart from the other reply, I would be using my router's public IP address (not my ISP-assigned external IP address) to route a VPN connection correct? WAN IP Mapping is just used if I chose to set a public IP I think and maps the IP address/sets to public or something. Theoretically, I wouldn't need to mess with any of those settings?

Going back to DDNS on no-ip, I entered in the Ipv4 address what I got from echo "$(curl -s 'dynupdate.no-ip.com/ip.php')", and I wouldn't need to do any additional config over on that side right (because I already port forwarded ports 500 & 4500)? So if I were to run the makeMyCA script (with my new static IP), this is what I should be entering in right?:

Domain Name: servername.ddns.net vpnaddr for VPN: pihostname.servername.ddns.net Network device that will be connected to the internet [eth0]: my router's IP/gateway address 192.168.1.254 Network device that will be connected to the Local LAN [eth0]: my pi's static IP address 192.168.1.62 VPN Server Local LAN IP Address: my pi's static IP address 192.168.1.62 VPN Server Local LAN Subnet: 192.168.1.0/24

I'm also on the US west coast (San Francisco/Silicon Valley), but this weekend I've just been out more frequently and not at home a lot, so sorry about the somewhat late responses. I set up GitHub notifications through my phone now so I'll see your message and when I get home I'll be able to test around on my Pi and respond to you.

[gitbls]

1. Windows can't access the Pi. Make sure that it's using the correct IP address (check using ping piname, or ping piname.local). I assume you're accessing it by name and not by IP address? Make sure that the windows system can Ping the Pi. DHCP or static is not the issue, it's something else, so problem-solving it by checking as I mentioned will get you toward the solution.
2. Huh. I did one search for: pace 5268ac and found this. Is this what you have?
3. Correct, you don't need a public IP for your Pi. Are you talking about the DMZ settings? Don't use that, it's a security nightmare unless you know really well what you're doing.
4. When you say you "entered the IPV4 address you got from the echo command", where did you enter it? Please be really specific about stuff you're doing, or I'll get bored of having to ask you for clarifications all the time.
5. The info you have provided looks correct, I think. If you aren't sure, you can run makeMyCA and take it right up to the point where it asks if you want to proceed. Immediately before that question it tells you in detail what it's going to do. You can copy/paste that here and I can check it. Or, you can just forge ahead. If you muck something up, you can simply do sudo pistrong deleteca and then re-run makeMyCA.
6. I'm a few hours north of you in Seattle. Don't worry about how long it takes you to respond. It's more important that you're providing complete information than being timely. I've got plenty of other things to keep me amused ;)
7. You said you were in school. That's cool! What grade?

[ethanic17]

Figured out why Windows couldn't access the Pi, turns out it was because of my DNS settings. Not too sure how exactly that would work with Windows not recognizing it, but I used my Pi-hole's DNS server and forgot to change the address since I changed the IP for my Pi.

Yep, that's the one. And yes I believe it's something related to DMZ and my router's firewall settings but yeah, I heard it's best not to mess around with that as I could potentially expose every port on my Pi to the internet (at least according to the dude from the Pi forum).

I entered the IPv4 address into no-ip.com but on the website, it says "No Dynamic Update detected" so I'm assuming I did something wrong here? I ran the makeMyCA script again with the same error message 'No IP address is assigned to network device 192.168.1.254 (my gateway/router address)' and on the same step where it told me to provide a Local LAN subnet. I think the error I got here is probably correlated to DDNS/no-ip being configured incorrectly. I'm following this guide for installing no-ip by the way: https://raspberrytips.com/install-no-ip-raspberry-pi/

Gotcha, and my apologies if anything seems unclear or vague. I'll try my best and provide everything I can but please let me know if anything seems off or needs additional clarification. And yeah haha, I'm currently a senior in high school and just finished applying to colleges, planning to major in something related to IT. I'm assuming you've graduated college already?

[gitbls]

You definitely want to get DNS working correctly before setting up your VPN or you'll just have more problems to deal with.

As I mentioned...DMZ...just...don't. Not only are you exposing your system to the bad boys on the network, it won't be on your LAN, so pihole won't work, and VPNing into it will not bring you much joy.

As far as no-ip and No Dynamic Update, I've never seen that message. Can you post a screenshot so I can see it?

And with makeMyCA, I really need to see a screen shot of what you're seeing. Screenshot or save the text please. There is nothing in makeMyCA that relies on DDNS being set up or configured in any particular way, so I need to see what you're seeing.

Did you install the dynamic update client that that no-ip guide mentions? You'll need it at some point, but it's not required yet.

Screenshots (saving text or whatever) will help me help you get unstuck. This stuff definitely works. I've set up several different VPNs with it, as have several others. So, let's figure out what is hanging you up.

I'm a little older than you are...our son is graduating college this spring....in CS, just like his dad.

[ethanic17]

Here's a screenshot of what I did during the makeMyCA session/script (hopefully I didn't include any sensitive information):

And the error message with 'No Dynamic Update detected went away on no-ip but here's a screenshot of what it looks like right now (I blurred out my IP target as I assume that would be sensitive info, but it's the IP I got from running "$(curl -s 'dynupdate.no-ip.com/ip.php')" on my Pi's terminal):

I haven't installed DUC on my Pi yet, but I'll do that once I figure out how to solve getting through the makeMyCA script. If you need additional (sensitive) information, I'd be happy to email you screenshots of them (like running ip a or ip r, or any other commands that would output something sensitive or router information).

And wow, congratulations to your son! Must be exciting haha. If you don't mind me asking, where did he go to college for CS?

[gitbls]

Screenshots are like magic! Two issues with your makeMyCA: 1) You answered the question "Network device that will be connected to the Internet [eth0]" with an IP address, not a device name, which in your case is eth0. Admittedly makeMyCA should do better error checking. I'll put that on the list of things that round tuits never show up for.

You also answered the question "Network device that will be connected to the local LAN [eth0]" exactly as incorrectly as the above question.

The second issue is your DDNS name. I assume you registered the name 'navato.ddns.net' at noip? If so, then you have two choices for what you could answer the question "vpnaddr for your VPN":

1. novato.ddns.net: You'd use this if it's the only DNS name in the (sub-)domain novato.ddns.net. A DNS lookup on novato.ddns.net would return your router's external IP address
2. servernavato.navato.ddns.net: You'd use this if you also defined the name servernavato.navato.ddns.net at noip.com, and a DNS lookup on it returns your router's external IP address

You chose the 3rd option, which is incorrect, unless you also have the noip subdomain servernavato.ddns.net, which I doubt.

The screenshot of your noip config looks good, assuming there's an IP address in the IP address field (is this what you blanked out?).

Yea, you don't need DUC yet, unless your external IP address changes frequently. There are a few ISPs that do that.

Son is at Tufts in Boston. There are a lot of great CS schools, and lots of considerations that you need to consider when choosing a school.

[ethanic17]

Phew it worked just fine once I fixed those two issues, I just went along configuring the rest of the script (mostly entering the default ones the makeMyCA script provides) but when I went to confirm everything, there were a couple of permission errors I ran into. I've attached a copy of my entire console log below (through paste bin because it's quite long if I paste it directly in here). I think I also ran into this issue when I was setting up PiHole and was trying to edit a file but didn't have permissions, but I forgot how I solved it, though I believe it's something to do with not having sufficient user permissions right? And on the topic of user permissions (if this is the error that is), how would I prevent this from happening again? I never really got my hands dirty with user accounts and permissions on Linux as Windows was already a headache.

https://paste-bin.xyz/25706 (and by the way while you're looking at the console log, could you double-check and see if everything else I entered is correct? mostly used the default ones in brackets but just wanna make sure I didn't mess up anywhere)

Though despite those permission errors, it still said strongSwan CA was successfully configured which I doubt. I know you mentioned in a previous reply I could run sudo pistrong deleteca and re-run everything, so once I fix the permission issue and then re-run everything I should be good?

And yeah, what I blanked out in the screenshot on my previous reply was the IP address I got from my terminal by running "$(curl -s 'dynupdate.no-ip.com/ip.php')". The error I received on no-ip seems to have gone away and it says there was a successful hostname update in the last 30 days so I think everything there should be good.

Whoa, out-of-state in Mass. I thought he would be attending somewhere here in California haha. I'm planning to stay in-state (because out-of-state tuition is kind of expensive) and was looking at the CSUs and UCs in the Bay Area. I heard UC Berkeley and San Jose State were among the best here so I applied to them (doubtful I'd get in), but also others like Cal Poly SLO, SF State, Davis, etc.

[gitbls]

You're getting closer. Here are some things to fix:

• You need to sudo makeMyCA. That's why you're getting protection errors. Will address...
• You still got the answer to this question wrong: "Network device that will be connected to the local LAN [eth0]: 192.168.1.62" You responded with an IP address where a device name (like the default, eth0) is the correct response.
• Any question that ends with [something]...That something is the default answer, so if your answer is the same as the default, you don't need to retype it, just hit ENTER
• Is your DNS server at 192.168.1.1? makeMyCA just guesses the .1 address in the subnet. If your DNS server is somewhere else (like where your pihole is running), use that.
• cnsuffix...While it's strictly a string used in naming, you might want to rethink this after you see what the cert stuff all looks like.
• In this case, you don't even need to do the deleteca. All the protection errors mean that nothing got written. No CA was created, so nothing to delete. But if it had worked, yes, you can just do the deleteca and then rerun makeMyCA.

California has a lot of really great schools. I went to a state school, was definitely a great learning experience!

[ethanic17]

Alright, I think I successfully set up the makeMyCA script for StrongSwan. Following the GitHub guide on here, the next step would be to add user certs but I ran into an issue saying that the connection refused. What I'm trying to do here is to add my iPhone as a device under the user 'eth', but it said that the connection refused. Did I enter the command wrong or did I miss a step here?

pi@servernavato:~ $ sudo pistrong add eth --device iphone11 --remoteid ios.navato.ddns.net --mail ethanzhengmain12@gmail
.com --zip
% Zip file '/etc/swanctl/pistrong/server-assets/eth-iphone11.zip' created for 'eth-iphone11'
Traceback (most recent call last):
  File "/usr/local/bin/pistrong", line 1374, in <module>
    thefunc(pd, args)
  File "/usr/local/bin/pistrong", line 843, in cmd_add
    mailcert(pd, args, newkey)
  File "/usr/local/bin/pistrong", line 689, in mailcert
    sendmsg(pd, pd.dx['mailfrom'], args.mail, "VPN Cert password {}".format(pd.cn), pwmsg, None)
  File "/usr/local/bin/pistrong", line 249, in sendmsg
    msmtp = smtplib.SMTP(pd.db['config']['smtpserver']['value'], pd.db['config']['smtpport']['value'])
  File "/usr/lib/python3.9/smtplib.py", line 253, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib/python3.9/smtplib.py", line 339, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib/python3.9/smtplib.py", line 310, in _get_socket
    return socket.create_connection((host, port), timeout,
  File "/usr/lib/python3.9/socket.py", line 843, in create_connection
    raise err
  File "/usr/lib/python3.9/socket.py", line 831, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
pi@servernavato:~ $

And actually, for the DNS server part for the makeMyCA script, I just realized I might have entered it wrong? I did set up PiHole on my Pi but I don't think I ever actually changed the DNS address for my Pi to use the PiHole DNS (unless it changed back somehow) because looking into /etc/resolv.conf, I found that it's using the default Google DNS. I remember I had to go through something on the PiHole setup to configure an alternate DNS or something among those lines so maybe that explains why? Either way, I entered in 192.168.1.1 (the default) which I believe routes to my PiHole DNS (192.168.1.62), but in the /etc/resolv.conf file it shows the Google DNS. Should I change it to the PiHole DNS instead of the Google DNS?

Though for some reason even though my Pi says it's using Google DNS, on the PiHole admin webpage it shows the DNS queries from my Pi (showing up as 'localhost') so maybe it's using both DNS servers?

And yeah for sure, California has really great schools, though they are super competitive haha. I think the schools where I am are a good choice for CS as we're located right around Silicon Valley and could land potential intern opportunities while in college. Only downside is that the cost of living here is insane. :cry:

[gitbls]

Did you set up pistrong to send mail? There is some configuration that needs to be done as documented here. Of course, it shouldn't crap out like it is if you haven't configured pistrong to send mail.

You make a very good tester! Adding this to the list also.

[ethanic17]

Haha, thanks. And yep, turns out I missed a step. Just finished setting up pistrong to send emails, but I think some of the instructions on the Client Certification page may be a bit outdated. I think Apple changed the location of some of the settings with iOS 15 (or an older version before the instructions were published). There's no "Profiles" tab anymore and instead, it's grouped under "VPN & Device Management". Also, I didn't need to enter the Cert password at all to install the profile. Did I miss a step? I've attached screenshots below that show the certificate showing up on my device as verified without entering the cert password.

And I think this next problem relates back to me not entering the cert password/not being able to. When I try and add the VPN configuration and enter in all the details from the email provided, I can't choose the certificate (like the option for me to select a certificate is grayed out) meaning that I can't save and add the VPN configuration at all.

[gitbls]

Yea, tough to keep up with changing iOS Settings layouts. Sorry about that.

Did you install BOTH certificates? One is the root CA, which you have installed. The second is the identity Cert, which has the password on it. My guess is that you didn't install this cert, and that's why choosing a Certificate is grayed out for you, since there are no identity certs to choose from.

BTW, great progress! You're almost there!

[ethanic17]

Oops yeah, I didn't see the other certificate, just installed that and configured my VPN connection. However, the connection wouldn't work ("The VPN server did not respond") and I'm pretty sure I entered everything correctly in the configuration (as most of the stuff was from the email). Would I need to turn on the proxy or do something else?

[gitbls]

The strongswan service is disabled at the end of the install. Try sudo systemctl enable --now strongswan , which will enable it for future boots, and start it right now. If you don't want to enable it at reboot yet, sudo systemctl start strongswan.

If you still can't connect, then check sudo journalctl -b | grep charon. If you can't sort it out, I'll need that output.

Also...make sure that you've attended to the firewall rules. At a minimum, sudo systemctl enable --now pistrong-iptables-load is necessary.

So close!

[ethanic17]

Unfortunately didn't work. This time the error message was different on my iPhone ("VPN Connection: User Authentication Failed") so I think I was able to connect but somehow it couldn't verify I was on a trusted device? I double-checked the certificates and they were still installed and verified so I'm not too sure why that would be. I did sudo systemctl enable --now strongswan and also sudo systemctl enable --now pistrong-iptables-load as well but I do have a question regarding my firewall settings. I was looking at the main guide you posted in the GitHub and here you said:

Many users either have or want more than this very minimal firewall. In that case, the iptables rules in /etc/swanctl/pistrong/CA-iptables must be added to the Firewall rules for your system.

Are the firewall settings for Strongswan/pistrong different than the firewall settings I configured for my Pi through my router? I've attached a screenshot of the firewall settings I configured for my Pi below through my router. I guess what I'm trying to say is, does this open up a security vulnerability in some way? My understanding of it is that right now I've exposed only ports 500 & 4500 on my Pi so if a hacker or someone with malicious intent managed to gain access to my Pi, would they only have access to those ports, or would they be able to access everything else and possibly even other devices on my network? I'm not sure if what I just said made any sense at all but I just wanna make sure I'm not opening up a security vulnerability in any way. I've run sudo systemctl enable --now pistrong-iptables-load, but you did mention that it was a very minimal firewall and just for peace of mind I wanna know if there's a more robust solution.

And I also ran sudo journalctl -b | grep charon but I think that might expose some sensitive information on here so could I email you the console log instead? This is your email, correct? bls3427@outlook.com

[gitbls]

OK, we're down to the fun stuff now ;).

You do not have any security vulnerability. Since you're running behind a firewall (in your router), you don't really need to have a massive firewall on your Pi. Some people do. I don't now, but I used to when routers sucked. The firewall rules that pistrong sets up are for policy-based routing, which is how traffic from the vpn connection gets routed onto your local network. Needed so that your phone can talk to other systems on your LAN over the VPN.

Yes, please email me the output from sudo journalctl -b | grep charon at that address. Also please include:

• The output from sudo pistrong showca and sudo pistrong list --full
• The file /etc/swanctl/pistrong/makeCA.log

Thx

[ethanic17]

Alright, just sent you the files. The "fun stuff", can't wait for that haha :sweat_smile:.

Also my apologies if there was another way to save console log files from Powershell in a different/easier format, I just copy and pasted it into a .txt file. And if you're wondering why there are like three devices configured on the pistrong full file, the other two are the ones I messed up and don't need. The one I'm trying to set up right now is 'eth-iphone'

[ethanic17]

Alright, so me and Benn (the creator here) got this all resolved through email so I’ll try and sum up what we did and how we got it working. Everything we did leading up to the previous reply still worked and nothing went wrong there. I just redid my makeMyCA script and re-installed the certs and everything worked. I suspect it’s probably something to do with me not installing the certs in the correct order or within a certain time frame, but still not entirely too sure. Either way, we got it working and I’m now able to connect to my Pi via VPN on my phone and securely SSH/SFTP from anywhere (outside my home network). Below I’ve just listed some key takeaways and some mistakes we encountered so feel free to read through them and just be aware of them if you’re also setting up Pistrong and reading through this thread.

Mistakes you might encounter & Important things to remember:

• Make sure you’ve properly set up a static IP before doing anything first. Here’s a good guide but just make sure the static IP you set in /etc/dhcpcd.conf is outside of your router/gateway’s DHCP pool. https://pimylifeup.com/raspberry-pi-static-ip-address/

• When running the makeMyCA script, pay close attention to the default config/text in brackets. I made the mistake of entering in IP addresses when makeMyCA asked for a device name.(Network Device that will be connected to the internet & Network Device that will be connected to the Local LAN), so make sure you’re entering in the correct things. Most of the time (for me at least), I just entered the default ones in the bracket (which you can do by just pressing Enter).

• If you’re setting up Dynamic DNS on no-ip make sure you are using the correct IPv4 address (i.e. your Pi’s public IPv4 address). After installing no-ip on your Pi you can run echo "$(curl -s 'dynupdate.no-ip.com/ip.php')" which will give you your Pi’s public IPv4 address (assuming that you’ve already port forwarded ports 500 & 4500 on your Pi)

• This is kind of a noob mistake on my part, but make sure you’re running ‘sudo’ at the start of every command you enter so you don’t get protection errors and that you’re running them at the highest security privileges (kind of like running programs on Windows as admin)

• After configuring makeMyCA, make sure to set up Pistrong to send mail so you can receive your certs. And also make sure you’ve set up your app password so you can actually receive the emails. https://github.com/gitbls/pistrong#sending-mail https://github.com/gitbls/pistrong/blob/master/CertInstall.md https://towardsdatascience.com/automate-sending-emails-with-gmail-in-python-449cc0c3c317

• On iOS, make sure you install BOTH certificates and not just one. And make sure you actually start the strongswan service before trying to connect to your VPN sudo systemctl enable --now strongswan (enables strongswan service on boot) sudo systemctl start strongswan Also make sure you’ve added firewall rules by running: sudo systemctl enable --now pistrong-iptables-load

As for the overall usability of Pistrong, it’s been awesome so far. You're probably going to encounter some hiccups when setting it up but once you actually get it all set up properly, it’s quite magical to see everything just work. It’s secure and speedy (for what I do at least) for SSH/SFTP and even other stuff like VNC. You might think the install process would be quite complicated but as long as you have the patience and don’t give up easily, you’ll be fine ;).

And speaking of the install process, the documentation here isn’t too hard to pick up even as a novice, it’s quite fascinating to learn about everything when setting it up. Compared to other guides on the internet which are either too vague or too complicated, pistrong fits the ticket for me and I strongly recommend it to anyone who’s looking for a simple way to set up a VPN connection on their Pi.

[gitbls]

Ethan found a couple of great bugs and points of confusion, so from my perspective this was time well spent (not to mention that he got his VPN up and running!). I'll be updating pistrong and makeMyCA to address these findings, and will also be posting a new script to use in problem-solving situations. Thanks for sticking with it, Ethan!