Hi!
I have a problem configuring OpenVPN on DietPi. Other tips I found so far in the forum and on the web were quite old or not helpful.
I have a running Raspbian on an SD card with a perfectly working VPN server via port 1194 (proof that the network, router, port forwarding and so on work).
Now I tried DietPi and wanted to configure openvpn the same way.
Everything runs smoothly (installation, configuring, creating client certificates, connecting from outside) but then there is no access to anything outside the raspi.
I fiddled around with a lot of settings in /etc/openvpn/server.conf, but without a really deep understanding or any success so far. I tried various push “dhcp-option DNS ...” entries that I found somewhere on the web.
I followed the usual iptables tips, such as checking /proc/sys/net/ipv4/ip_forward, which is 1.
The current server.conf on the DietPi is:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/$somecrt1
key /etc/openvpn/easy-rsa/pki/private/$somekey1
dh none
ecdh-curve prime256v1
topology subnet
server 10.35.29.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.35.29.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
while the (working) Raspbian server.conf says:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/$somecert2
key /etc/openvpn/easy-rsa/pki/private/$somekey2
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
Of course I tried the Raspbian config on the DietPi, but with no effect on the behavior.
Some more information:
Connecting works without problems (e.g. from my Android phone), but then no traffic goes through. Not even a ping to 8.8.8.8 from the client side is possible. Accessing the Raspi itself works (e.g. via the app RaspController v5.4.0).
Any hints?
Side note, which might have nothing to do with it, but which I also don’t understand:
When I change the /etc/openvpn/server.conf line “server $whateverIP 255.255.255.0”, the new setting applies to the DietPi (seen in ifconfig after rebooting). A freshly connected device still shows the former IP, even when I create the OpenVPN client .ovpn file AFTER the change of the internal IP address (including a reboot). Somehow OpenVPN memorizes the old address and still sends it to the client (maybe in the server cert? No clue).
Anyway, even with an unchanged IP address (OpenVPN installed out of the box), the initial problem remains.
Cheers
Roman
Required Information
- DietPi version | 8.9.2
- Distro version | bullseye 0
- Kernel version | aarch64 GNU/Linux
- SBC model | RPi 4 Model B (aarch64)
- Power supply used | 5V1 2A
- SD card used | SanDisk ultra 32GB
Additional Information (if applicable)
- Software title | openvpn
- Freshly installed
- Can this issue be replicated on a fresh installation of DietPi? YES
- Bug report ID | e7637808-86ac-477a-86cd-efbe59264349
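Added example, not part of the original post and not DietPi's or PiVPN's own code: a POSIX shell checklist for the three things a server that pushes "redirect-gateway def1" needs beyond OpenVPN itself before client traffic can leave the box. OpenVPN only delivers client packets to the tun interface; the kernel must forward them, a NAT (MASQUERADE) rule must rewrite them onto the outbound interface, and the FORWARD chain must let the VPN subnet through. The symptom in the post (the tunnel comes up and the Pi itself is reachable, but a ping to 8.8.8.8 by IP fails) is exactly what a missing piece of that trio produces, independent of DNS (note that the DietPi config pushes DNS 10.35.29.1, the server's own tun address, which only resolves names if a resolver listens there, whereas the Raspbian config pushes 1.1.1.1). The script assumes the 10.35.29.0/24 subnet from the DietPi server.conf and a hypothetical outbound interface called eth0; both can be overridden through environment variables. The checking functions take the text of /proc/sys/net/ipv4/ip_forward and of `iptables -S` dumps as arguments so they can be exercised on constructed samples; only `diagnose` reads the live system, and only when the script is started with the argument `run`.

```shell
#!/bin/sh
# Added diagnostic (not from the original post, DietPi or PiVPN).
# Assumed values: the VPN subnet from the DietPi server.conf and an outbound
# interface named eth0 (hypothetical); override with VPN_NET / OUT_IF.
VPN_NET="${VPN_NET:-10.35.29.0/24}"
OUT_IF="${OUT_IF:-eth0}"

# forwarding_enabled <contents of /proc/sys/net/ipv4/ip_forward>
# True when the kernel is allowed to forward packets between interfaces.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# masquerade_present <output of 'iptables -t nat -S POSTROUTING'> <subnet> <iface>
# Looks for the rule exactly as 'iptables -S' prints it, e.g.
#   -A POSTROUTING -s 10.35.29.0/24 -o eth0 -j MASQUERADE
masquerade_present() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# forward_allowed <output of 'iptables -S FORWARD'> <subnet>
# True when the chain policy is ACCEPT, or a rule accepts the subnet or a tun device.
forward_allowed() {
    printf '%s\n' "$1" | grep -qF -- "-P FORWARD ACCEPT" && return 0
    printf '%s\n' "$1" | grep -qF -- "-A FORWARD -s $2 -j ACCEPT" && return 0
    printf '%s\n' "$1" | grep -qE -- "^-A FORWARD -i tun[0-9]+ .*-j ACCEPT" && return 0
    return 1
}

# missing_pieces <ip_forward value> <nat dump> <forward dump> <subnet> <iface>
# Prints the space-separated names of the prerequisites that are missing;
# empty output means forwarding, NAT and FORWARD are all in place.
missing_pieces() {
    missing=""
    forwarding_enabled "$1" || missing="$missing ip_forward"
    masquerade_present "$2" "$4" "$5" || missing="$missing nat"
    forward_allowed "$3" "$4" || missing="$missing forward"
    printf '%s\n' "${missing# }"
}

# fix_commands <missing list> <subnet> <iface>
# Prints (does not run) the commands an administrator would use to add each
# missing piece; persisting them (sysctl.conf, iptables-persistent) is up to you.
fix_commands() {
    for item in $1; do
        case "$item" in
            ip_forward) echo "sysctl -w net.ipv4.ip_forward=1" ;;
            nat)        echo "iptables -t nat -A POSTROUTING -s $2 -o $3 -j MASQUERADE" ;;
            forward)    echo "iptables -A FORWARD -s $2 -j ACCEPT" ;;
        esac
    done
}

# diagnose: read the live state (iptables needs root) and report what is missing.
diagnose() {
    ipf=$(cat /proc/sys/net/ipv4/ip_forward)
    nat=$(iptables -t nat -S POSTROUTING 2>/dev/null)
    fwd=$(iptables -S FORWARD 2>/dev/null)
    missing=$(missing_pieces "$ipf" "$nat" "$fwd" "$VPN_NET" "$OUT_IF")
    if [ -z "$missing" ]; then
        echo "forwarding, NAT and FORWARD rules for $VPN_NET via $OUT_IF are in place"
    else
        echo "missing: $missing"
        fix_commands "$missing" "$VPN_NET" "$OUT_IF"
    fi
}

# Only touch the live system when explicitly asked:  sudo sh vpn-nat-check.sh run
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Run it as root on the DietPi with `run` to see which of the three is absent; on a box where the Raspbian/PiVPN setup works, the same script should report nothing missing, which makes it a quick way to compare the two installs. The functions match the exact text that `iptables -S` emits, so a rule written with a different mask notation or interface would be reported as missing and should be checked by hand.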