DietPi and PiVPN / OpenVPN server

Hi!

I have a problem configuring OpenVPN on DietPi. Other tips I found so far in the forum and on the web were quite old or not helpful.

I have a running Raspbian on SD with a perfectly working VPN server via port 1194 (proof of a working network / router, port forwarding and so on).
Now I tried DietPi and wanted to configure openvpn the same way.
Everything runs smoothly (installation, configuring, creating client certificates, connecting from outside) but then there is no access to anything outside the raspi.

I fiddled around with a lot of settings in /etc/openvpn/server.conf, but without a really deep understanding or any success so far. I tried various push “dhcp-option DNS ...” entries I found somewhere on the web.
I followed the usual iptables tips, such as checking /proc/sys/net/ipv4/ip_forward, which is 1.

The current server.config at the DietPi is:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/$somecrt1
key /etc/openvpn/easy-rsa/pki/private/$somekey1
dh none
ecdh-curve prime256v1
topology subnet
server 10.35.29.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.35.29.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

while the (working) Raspbian server.config says:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/$somecert2
key /etc/openvpn/easy-rsa/pki/private/$somekey2
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

Of course I tried the Raspbian config on the DietPi but with no effect on the behavior.

Some more information:
A connect is possible without problem (e.g. by my Android phone) but then there is no traffic going through. Not even a ping to 8.8.8.8 from client side is possible. Accessing the Raspi itself works (e.g. via App RaspController v5.4.0).

Any hints?

Side note, which might have nothing to do with it, but which I also don’t understand:
When I change the /etc/openvpn/server.config line “server $whateverIP 255.255.255.0” the new setting applies to the DietPi (seen in ifconfig after rebooting). A freshly connected device still shows the former IP, even when I create the openvpn client ovpn file AFTER the change of the internal IP address (including reboot). Somehow openvpn memorizes the old address and still sends it to the client (maybe in the server cert? no clue).
Anyway, even with an unchanged IP address (openvpn installed out of the box), the initial problem remains.

Cheers
Roman

Required Information

  • DietPi version | 8.9.2
  • Distro version | bullseye 0
  • Kernel version | aarch64 GNU/Linux
  • SBC model | RPi 4 Model B (aarch64)
  • Power supply used | 5V1 2A
  • SD card used | SanDisk ultra 32GB

Additional Information (if applicable)

  • Software title | openvpn
  • Freshly installed
  • Can this issue be replicated on a fresh installation of DietPi? YES
  • Bug report ID | e7637808-86ac-477a-86cd-efbe59264349

Did you install OpenVPN yourself or did you use our DietPi software catalogue? Our install script should create a client configuration DietPi_OpenVPN_Client.ovpn. As well, some reading on our online docs.

As an alternative, you can use PiVPN. It’s a CLI based tool to manage VPN connections.

Thanks for the fast reply.
I installed PiVPN via CLI (Raspi runs headless): “dietpi-software”, selecting “117 PiVPN OpenVPN/Wireguard…” via “Search software” plus “Install” and followed the steps (udp, port 1194, static local IP, *.ddns.net and so on). Nothing unexpected or uncertain here.
The clients I added via “pivpn add” after rebooting.
I got the *.ovpn files in “home/dietpi/ovpns” as expected and transferred them to the client.
As I wrote, the client is able to connect without problems. However, DietPi seems to block the access. I still guess there is some misconfiguration I cannot see so far…

Best regards
Roman

Hmm I just tested PiVPN using OpenVPN on my R5S without issue. I can connect back home on my mobile and use my PiHole DNS server without issue. All is working as expected.

Basically writing this post on my mobile, connected via PiVPN/OpenVPN.

Some findings: The IP seems to come from “/etc/pivpn/setupVars.conf”
It’s still a bit unclear to me how and where openvpn and pivpn interlock.
Changing the IP takes effect by now (even though the ovpn files must be created after the IP change).

Another hint brought “pivpn debug”.
It printed the content of the openvpn server.config. Whatever.
The key line was at the end:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [ERR] Iptables MASQUERADE rule is not set, attempt fix now? [Y/n]

Confirming the fixing attempt was answered by

Done
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled
(it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp

I rebooted as precaution. Now everything is running as supposed! :smiley:

So long!
Roman
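The “Self check” that pivpn debug ran above boils down to two questions: is IP forwarding on, and is there a NAT MASQUERADE rule for the VPN subnet on the outgoing interface? The following is an added example (not PiVPN’s or DietPi’s own code) that performs the same two checks on captured input; the subnet 10.8.0.0/24 comes from the server line above, and the interface name eth0 and the sample iptables listings are assumptions.

```shell
#!/bin/sh
# Added example, not PiVPN's own code: reproduce the "Self check"
# idea behind `pivpn debug` on captured text, so it can be run offline.

VPN_SUBNET="10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0"
WAN_IF="eth0"              # assumption: interface toward the router

# $1: content of /proc/sys/net/ipv4/ip_forward; succeeds when it is "1".
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1: output of `iptables -t nat -S POSTROUTING`, $2: subnet, $3: out interface.
# Succeeds when a MASQUERADE rule for that subnet/interface pair is present.
has_masquerade_rule() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# The rule a fix would add (conceptually what "attempt fix now?" does;
# PiVPN's exact fix steps are not shown on the page and are not claimed here).
masquerade_fix_command() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Combined check: $1 ip_forward value, $2 nat listing, $3 subnet, $4 interface.
# Prints [OK]/[ERR] lines in the style of pivpn debug; returns 1 on any error.
self_check() {
    rc=0
    if ip_forward_enabled "$1"; then echo ":: [OK] IP forwarding is enabled"
    else echo ":: [ERR] IP forwarding is disabled"; rc=1; fi
    if has_masquerade_rule "$2" "$3" "$4"; then echo ":: [OK] Iptables MASQUERADE rule is set"
    else echo ":: [ERR] Iptables MASQUERADE rule is not set, fix with:"
         masquerade_fix_command "$3" "$4"; rc=1; fi
    return $rc
}

# Constructed sample listings: a host missing the rule (the situation in
# this thread: clients connect, but nothing reaches the internet) and a
# host that has it.
SAMPLE_NAT_MISSING='-P POSTROUTING ACCEPT'
SAMPLE_NAT_PRESENT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

self_check "1" "$SAMPLE_NAT_MISSING" "$VPN_SUBNET" "$WAN_IF" || true

# Live use on the server (needs root):
# self_check "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING)" "$VPN_SUBNET" "$WAN_IF"
```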

There is not that much magic in our install procedure. We basically don’t do anything except download the PiVPN installer and execute it: https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh

There are 2 config files that are created by the installer, and both need to fit:

/etc/pivpn/openvpn/setupVars.conf
/etc/openvpn/server.conf

Obviously the “Iptables MASQUERADE rule” wasn’t set. Actually I have no idea what the fixing attempt did and where.
Anyway, it works fine by now, so I am continuing to explore DietPi and getting into it…

Thanks a lot for your support anyway!
Have a good one!
Roman

At least there is a section on the PiVPN installer that should have done this