Connect to VPN. Cannot Access Local Network or Remote Machine...Can Access Local Web Servers.

[digitalnativeio]

Thanks for any assistance with this. I've scoured the forums and support tickets and tried a lot of combination. Starting to go a bit crazy so posting for some help!

Current Situation

• Raspberry Pi Buster w\ latest PiVPN installed.
• Local Network - 192,168.0.1/255.255.255.0 PiVPN - 10.8.0.0 (default)
• Setup a PiVPN on my local network that a remote PC can access to connect to SAMBA shares as well as a hosted HTTP app (on office side) can be accessed on our home network.
• We have a static external IP Address on a home network
• Our RaspberryPi has a fixed IP of 192,168,0.45 + standard ports are forwarded.

What seems to work:

• The remote client connects and allocated a 10.8.0.2 address.
• Without tweaks, I can ping the local router from the remote client (192.168.0.1) and also view the router web gui inputting the same address into a browser.
• With some tweaks (see config) I can also view IIS page hosted on another PC on the network (192,168.0.26).
• Can SSH into the Raspberry Pi VPN from the client \ remote PC.

What I cannot do but need to:

• Cannot ping the remote PC or access (10.8.0.2)
• Cannot remote in with RDP or any other services from the local network.
• Cannot see web GUI on the remote machine (have plex setup and IIS on the remote machine) while being able to access web guy's on local.
• Cannot see SAMBA shares on either server (both IP and NETBIOS name).

**What I am trying to acheive"

• Both sides can see each other's SAMBA shares
• The client uses it's own internet connection rather than route it through a VPN.

• Both sides access Web GUI's and other services hosted on various ports.

  Output Here

  
  <!--::::        PiVPN debug      ::::
  =============================================
  ::::        Latest commit        ::::
  commit 8e3a95152412a9d35b67d51bfc80379350815252
  Author: 4s3ti <cfcolaco@colacoweb.net>
  Date:   Fri Jun 7 16:30:41 2019 +0200
  
  Merge pull request #767 from pivpn/test
  
  Test into Master.
  =============================================
  ::::        Installation settings        ::::
  /etc/pivpn/DET_PLATFORM -> Raspbian
  /etc/pivpn/INSTALL_PORT -> 1194
  /etc/pivpn/INSTALL_PROTO -> udp
  /etc/pivpn/INSTALL_USER -> pi
  /etc/pivpn/NO_UFW -> 1
  /etc/pivpn/pivpnINTERFACE -> wlan0
  =============================================
  ::::    setupVars file shown below   ::::
  pivpnUser=pi
  UNATTUPG=unattended-upgrades
  pivpnInterface=wlan0
  IPv4dns=
  IPv4addr=192.168.0.45
  IPv4gw=192.168.0.1
  pivpnProto=udp
  PORT=1194
  ENCRYPT=2048
  APPLY_TWO_POINT_FOUR=false
  DOWNLOAD_DH_PARAM=false
  PUBLICDNS=
  OVPNDNS1=8.8.8.8
  OVPNDNS2=8.8.4.4
  =============================================
  ::::  Server configuration shown below   ::::
  dev tun
  proto udp
  port 1194
  ca /etc/openvpn/easy-rsa/pki/ca.crt
  cert /etc/openvpn/easy-rsa/pki/issued/server_xdk6ysYqfL9WjhAr.crt
  key /etc/openvpn/easy-rsa/pki/private/server_xdk6ysYqfL9WjhAr.key
  dh /etc/openvpn/easy-rsa/pki/dh2048.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  # Set your primary domain name server address for clients
  #Change1
  push "dhcp-option DNS 192.168.0.1"
  #push "dhcp-option DNS 8.8.8.8"
  #push "dhcp-option DNS 8.8.4.4"
  #Change1end
  #Change2
  push "route 192.168.0.0 255.255.255.0"
  #Change2end
  # Prevent DNS leaks on Windows
  #push "block-outside-dns"
  # Override the Client default gateway by using 0.0.0.0/1 and
  # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
  # overriding but not wiping out the original default gateway.
  #push "redirect-gateway def1"
  client-to-client
  keepalive 1800 3600
  remote-cert-tls client
  tls-version-min 1.2
  tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
  cipher AES-256-CBC
  auth SHA256
  user nobody
  group nogroup
  persist-key
  persist-tun
  crl-verify /etc/openvpn/crl.pem
  status /var/log/openvpn-status.log 20
  status-version 3
  syslog
  verb 3
  #DuplicateCNs allow access control on a less-granular, per user basis.
  #Remove # if you will manage access by user instead of device. 
  #duplicate-cn
  # Generated for use by PiVPN.io
  =============================================
  ::::  Client template file shown below   ::::
  client
  dev tun
  proto udp
  remote REMOTE 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  key-direction 1
  remote-cert-tls server
  tls-version-min 1.2
  verify-x509-name server_xdk6ysYqfL9WjhAr name
  cipher AES-256-CBC
  auth SHA256
  auth-nocache
  verb 3
  =============================================
  ::::    Recursive list of files in   ::::
  ::: /etc/openvpn/easy-rsa/pki shows below :::
  /etc/openvpn/easy-rsa/pki/:
  AaronOffice.ovpn
  ca.crt
  crl.pem
  Default.txt
  dh2048.pem
  extensions.temp
  index.txt
  index.txt.attr
  index.txt.attr.old
  index.txt.old
  issued
  openssl-easyrsa.cnf
  Plex.ovpn
  private
  renewed
  revoked
  safessl-easyrsa.cnf
  serial
  serial.old
  ta.key

/etc/openvpn/easy-rsa/pki/issued: AaronOffice.crt Plex.crt server_xdk6ysYqfL9WjhAr.crt

/etc/openvpn/easy-rsa/pki/private: AaronOffice.key ca.key Plex.key server_xdk6ysYqfL9WjhAr.key

/etc/openvpn/easy-rsa/pki/renewed: private_by_serial reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked: private_by_serial reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:

:::: Self check :::: :: [OK] IP forwarding is enabled :: [OK] Iptables MASQUERADE rule set :: [OK] OpenVPN is running :: [OK] OpenVPN is enabled (it will automatically start on reboot) :: [OK] OpenVPN is listening on port 1194/udp

:::: Snippet of the server log :::: Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_PLAT=win Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_PROTO=2 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_NCP=2 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_LZ4=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_LZ4v2=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_LZO=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_COMP_STUB=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_COMP_STUBv2=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_TCPNL=1 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 peer info: IV_GUI_VER=OpenVPN_GUI_11 Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Jul 24 21:39:14 vpn ovpn-server[452]: 49.255.11.50:47870 [Plex] Peer Connection Initiated with [AF_INET]49.255.11.50:47870 Jul 24 21:39:14 vpn ovpn-server[452]: Plex/49.255.11.50:47870 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled) Jul 24 21:39:14 vpn ovpn-server[452]: Plex/49.255.11.50:47870 MULTI: Learn: 10.8.0.3 -> Plex/49.255.11.50:47870 Jul 24 21:39:14 vpn ovpn-server[452]: Plex/49.255.11.50:47870 MULTI: primary virtual IP for Plex/49.255.11.50:47870: 10.8.0.3 Jul 24 21:39:15 vpn ovpn-server[452]: Plex/49.255.11.50:47870 PUSH: Received control message: 'PUSH_REQUEST' Jul 24 21:39:15 vpn ovpn-server[452]: Plex/49.255.11.50:47870 SENT CONTROL [Plex]: 'PUSH_REPLY,dhcp-option DNS 192.168.0.1,route 192.168.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1) Jul 24 21:39:15 vpn ovpn-server[452]: Plex/49.255.11.50:47870 Data Channel: using negotiated cipher 'AES-256-GCM' Jul 24 21:39:15 vpn ovpn-server[452]: Plex/49.255.11.50:47870 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Jul 24 21:39:15 vpn ovpn-server[452]: Plex/49.255.11.50:47870 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

:::: Debug complete :::: -->

[orazioedoardo]

Without tweaks, I can ping the local router from the remote client (192.168.0.1) and also view the router web gui inputting the same address into a browser. With some tweaks (see config) I can also view IIS page hosted on another PC on the network (192,168.0.26).

The rule push "redirect-gateway def1", configures the server to tell clients to route all traffic through the server itself, including traffic directed to 192.168.0.0/24, so if you were able to access 192.168.0.1, 192.168.0.26 should have been reachable as well, without manually adding push "route 192.168.0.0 255.255.255.0".

Cannot ping the remote PC or access (10.8.0.2) Cannot remote in with RDP or any other services from the local network. Cannot see web GUI on the remote machine (have plex setup and IIS on the remote machine) while being able to access web guy's on local. Cannot see SAMBA shares on either server (both IP and NETBIOS name).

Accessing services on the LAN from the VPN client should work out of the box with PiVPN. If they don't work, probably they rely on packets that don't cross local networks like Multicast DNS. For example, AirPrint doesn't work over VPN, unless you switch OpenVPN to tap mode, which forwards ethernet frames (lower level in the OSI model) instead of the default tun mode, which forwards IP packets.

Another reason could be the same subnet on the remote and local LAN. For the local LAN I mean the network where the Raspberry Pi sits, and for the remote LAN I mean the LAN from where the VPN client is connecting. Clearly if they are both 192.168.0.0/24 the VPN client doesn't know which of the two 192.168.0.25 belongs to so it will reach the client on the closest route (I think).

Not sure why you can't access SAMBA shares and RDP on the local LAN via IP if you can access the web page on another PC. Provided that you don't have the same subnet issue we could try to use tcpdump on the Raspberry Pi to check if the traffic is forwarded correctly (or check the samba logs).

On the other hand, accessing 10.8.0.2 from machines on the local LAN other than the Raspberry Pi, is a different problem for routing reasons. Say 192.168.0.26, called A, wants to access a dns server (port 53) on 10.8.0.2, called B. A constructs a packet with source IP 192.168.0.26 and destination IP 10.8.0.2.

Now, A doesn't know how to get to B, so it gives the packet to the router. However, the router too doesn't know the route to B so it drops the packet. If that's all, then you might ask yourself how does A respond to B when B connects to a web server on A? The answer is that the Raspberry Pi is configured to replace (NAT) the VPN source and destination IP with it's local LAN ip (192.168.0.45) when packets are forwarded from the VPN to the LAN such that LAN hosts know how to respond. Example:

Packet: 10.8.0.2 -> 192.168.0.26 is modified like so 192.168.0.45 -> 192.168.0.26. This allows A to respond with 192.168.0.26 -> 192.168.0.45 that is modified back to 192.168.0.45 -> 10.8.0.2.

Back to your goal: if you want A to reach B, you need to add to A a route to 10.8.0.0/24 using 192.168.0.45, then remove the NAT rule on the Pi. Better would be to add such static route on the router itself.

[orazioedoardo]

No replies in a while, closing...

[Hesi-Re]

I have the same p

Without tweaks, I can ping the local router from the remote client (192.168.0.1) and also view the router web gui inputting the same address into a browser. With some tweaks (see config) I can also view IIS page hosted on another PC on the network (192,168.0.26).

The rule push "redirect-gateway def1", configures the server to tell clients to route all traffic through the server itself, including traffic directed to 192.168.0.0/24, so if you were able to access 192.168.0.1, 192.168.0.26 should have been reachable as well, without manually adding push "route 192.168.0.0 255.255.255.0".

Cannot ping the remote PC or access (10.8.0.2) Cannot remote in with RDP or any other services from the local network. Cannot see web GUI on the remote machine (have plex setup and IIS on the remote machine) while being able to access web guy's on local. Cannot see SAMBA shares on either server (both IP and NETBIOS name).

Accessing services on the LAN from the VPN client should work out of the box with PiVPN. If they don't work, probably they rely on packets that don't cross local networks like Multicast DNS. For example, AirPrint doesn't work over VPN, unless you switch OpenVPN to tap mode, which forwards ethernet frames (lower level in the OSI model) instead of the default tun mode, which forwards IP packets.

Another reason could be the same subnet on the remote and local LAN. For the local LAN I mean the network where the Raspberry Pi sits, and for the remote LAN I mean the LAN from where the VPN client is connecting. Clearly if they are both 192.168.0.0/24 the VPN client doesn't know which of the two 192.168.0.25 belongs to so it will reach the client on the closest route (I think).

Not sure why you can't access SAMBA shares and RDP on the local LAN via IP if you can access the web page on another PC. Provided that you don't have the same subnet issue we could try to use tcpdump on the Raspberry Pi to check if the traffic is forwarded correctly (or check the samba logs).

On the other hand, accessing 10.8.0.2 from machines on the local LAN other than the Raspberry Pi, is a different problem for routing reasons. Say 192.168.0.26, called A, wants to access a dns server (port 53) on 10.8.0.2, called B. A constructs a packet with source IP 192.168.0.26 and destination IP 10.8.0.2.

Now, A doesn't know how to get to B, so it gives the packet to the router. However, the router too doesn't know the route to B so it drops the packet. If that's all, then you might ask yourself how does A respond to B when B connects to a web server on A? The answer is that the Raspberry Pi is configured to replace (NAT) the VPN source and destination IP with it's local LAN ip (192.168.0.45) when packets are forwarded from the VPN to the LAN such that LAN hosts know how to respond. Example:

Packet: 10.8.0.2 -> 192.168.0.26 is modified like so 192.168.0.45 -> 192.168.0.26. This allows A to respond with 192.168.0.26 -> 192.168.0.45 that is modified back to 192.168.0.45 -> 10.8.0.2.

Back to your goal: if you want A to reach B, you need to add to A a route to 10.8.0.0/24 using 192.168.0.45, then remove the NAT rule on the Pi. Better would be to add such static route on the router itself.

I want exactly that. But I don't know how to do it. How can add a route. and remove NAT rule? For example: I want to connect to remote pc (192.168.1.64) over VPN. My pi is 10.6.0.1.