PiVPN issues routing to the local subnet - a Bug

Hi All, Just installed Diet-Pi latest version on a Rpi 4B. And then installed Pi-VPN. From outside the network, I can connect fine from windows laptop or Android phone using OpenVPN client and I can ping the Rpi default VPN subnet gateway ip of as well as I can then SSH into it from that IP. Client to client also works.

The issue I have is that while I can also ping the LAN side IP of the RPi, anything else on the LAN is not reachable. I have pushed route for the Local LAN subnet and client routing table shows the route installed for the Pi-Server LAN subnet. There is no compression statement in server.conf or client config / ovpn files. So I have ruled that out as well.

I then installed tcpdump on the server side RPi and even though I am doing a continuous ping to the LAN interface (eth0) address, tcpdump 0i eth0 icmp and host does not capture any packets. Same happens with any other IP address behind the eth0 on the local network (my home network).

While I should not need any static route in my firewall (pfsense) as eth0 of Rpi is in same subnet as the devices I am trying to reach over VPN from outside home. But I went ahead and added a static route for pointed back to the (IP of the RPi). And verified that from any devices at home, I can then ping dircetly. But this did not help pinging or 0.3 for the clients on the VPN.

I have done reboots and restarted the openvpn service on both ends and nothing works. When I do traceroute to eth0 IP from the client side, it works and shows one hop getting to the eth0 address. When I do traceroute to any other address in the same subnet as eth0, there is nothing shown on traceroute. I looked into Iptables -L and there are no rules. So routing should not get affected. Tried adding the NAT masquerading under iptables and saving it and restarting service, does not even show anything populating under iptables. But NAT is only needed if I were to go thru server U-turning back into Internet from there, but I needed simple split tunneling. I commented out statement to not push default route (two split internet prefixes routes), and that works to ensure internet keeps working locally for the connected client.

I had installed Pi-VPN from within DietPi-Software. I then uninstalled it from there and then installed it back using the curl script. Also changed to TCP from UDP etc. Everytime client connects fine (and automatically) and can ping other client and server, but nothing behind the server side.

Seems like a bug. Can someone help any further steps to resolve this issue for me? I will be very happy to contribute for the cause.

Thanks so much.


many thanks for your message. Pls can you check if you have set net.ipv4.ip_forward=1 within /etc/sysctl.conf

Thanks for your very prompt help. Yes IP forwarding is enabled in there by default.

just flashed another SDcard with raspbian lite and installed PiVPN and it works without any issues. Clearly there is a bug in routing module in the DietPi (at least in new version as I never tested any older versions).


pls can you check the output of following

sysctl net.ipv4.ip_forward

If you get net.ipv4.ip_forward = 0 you probably missing the symlink

/etc/sysctl.d/99-sysctl.conf => /etc/sysctl.conf

To recover this symlink if needed

ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf

Once rebooted, you should get

net.ipv4.ip_forward = 1

Thanks again. Everything is correct in the file as you have indicated. net.ipv4.ip_forward comes out to be 1.

I tried it today on may RPi3B+ and it was working well. From my OpenVPN client, I could reach all internal systems as well as connect to the internet.

Do you have the symlink as indicated?

Believe the issue could be with RPi 4 B related then. Everything is exactly same. I am now running a test with the VPN link via continuous ping on the Raspbian lite based set up to check the reliability of the tunnel for past two hours. I do have the SDCrad with DietPI set up saved but I will probably try reinstalling the DietPi once again (though I had only PiVPn on top, nothing else), but you never know. I dont have RPi 3 to test on.

I also tested on VirtualBox, but did not get chance to fully test it as VPN server. Will do in a day or two.


I will do a test later the day with my RPi4. But as the image is the same, I don’t expect any difference. We will see.

ok I did a test with my RPi4B now. Same result, all working fine. I just flashed a new image and finished initial setup. Once done I was running installation for PiVPN. No further configuration except that it was needed to create following symlink on my system.

ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf

Sorry, I have been awaiting receipt of a new micro SD card to test this again on a fresh install of diet-Pi. Meanwhile Raspbian based solution is working fine, but I will like to use DietPi as it is lot cleaner image.

I ordered a Sandisk Extreme as I had read it that this is more reliable. I have zero prior experience, so if you have any recommendations for a more reliable micro SD card (mainly across power failures, though I will have a low cost dedicated UPS for my single wireless AP and the Pi running Pi-hole).

Thanks and stay healthy.

As I said, for me PiVPN was working fine. I could not reproduce your issues.

The only thing that might happen is the missing link. But according your statement, it was there

/etc/sysctl.d/99-sysctl.conf => /etc/sysctl.conf

Thanks to Amazon, I did get my new 16GB card, but somehow, I ordered it late night Wednesday and did not pay attention that I ordered wrong one.

So I just took the old one with DietPi installed and tested again and I had the same issues. I then wiped the card and then reinstalled DietPi again and then installed Pi-VPN server. Everything went well. And I had same exact issues. I could connect and ping, but not anything behind the RPi.

I then checked /etc/sysctl.conf and it is empty this time and so is also the case with /etc/sysctl.d/99-sysctl.conf. In my earlier setup, I had the ip forwarding etc and all included in there and it was a text full of file. How can I access some newer / beta version to try?

As a side note, just tried to donate CAD50 (I am in Canada) for the cause but I am sent to PayPal page in non-english language that I have difficulty in navigating thru. It will be great if clicking on the donate button gives you option of US/Canada link as well. Or maybe there is email address that I can send my donation to. Thanks


there seems to be something really weird on your system. :cry:

I checked the image and there are all files and links. In theory it should be working. :face_with_raised_eyebrow:

Not sure what desktop system you are using, but on windows + 7zip you should be able to open the 7z archive + the included image. There you have 2 partitions. One 1.img (Linux) you have the root file system. Pls can you have a look if /etc/sysctl.conf is present? as well the link \etc\sysctl.d\99-sysctl.conf > …/sysctl.conf. If needed, extract /etc/sysctl.conf from the archive and copy it to your SBC. Once done just create the missing link. Within /etc/sysctl.conf the following should be set net.ipv4.ip_forward=1. Another idea is to check files and links before installing PiVPN. Maybe there is something wrong on installation process. :thinking:

Or a more radical idea, just have a look to dietpi-software and native WireGuard (not the PiVPN version).

I tried to modify the Paypal donation link to be in English language. But currency is still EUR because DietPi project is located in central Europe


Donation email should be micha@dietpi.com

Thank you. Just donated little money for the project as an appreciation of great work you all are doing.

As to issues with my system, I just have a Pi 4B with 2G of RAM. I used win32DiskImager after formatting the card to FAT32. Then plugged it in and powered the RPi.

I then used DietPi-config to change SSH server to OpenSSH (so that I can use SCP) and then set up localization. At every instance, when it asked to reboot, I did reboot. Then I installed using DietPi-Software to install PiVPN.

I get all kinds of errors if I try to choose Wireguard. I tried both tcp and udp with same results. At the time of install, when it asks me to choose one of the user for Pivpn service, I chose PiVPN account.

I am using Windows 10, and when I extract the 7z archive, I see on img file, one hash file and one readme file. I am not able to look inside the img file as this needs to be mounted first.

Just download a small utility to do MD5 checksum validation and it does not match. So definitely I have damaged file or something missing in there. I am using ARM6 Buster. Let me try again by downloading another file and do MD5 checksum on it.

ok you can install native WireGuard (software ID 172), don’t use the PiVPN version. Personally I still think PiVPN is creating to much overhead and I’m using WireGuard as is. :wink: WireGuard is working quite well for me and on my last holiday I was using it on all my devices during our stay in a holiday home (3 mobiles, 1 tablet, 1 laptop and 1 FireTV stick) :rofl:

Once you have the 7z archive downloaded, just double click on it. 7Zip should open and display the *.img file. Don’t extract it. Just double klick on the *.img file inside the 7z archive. Now, you should see the FAT32 boot as well as Linux root partition.

Regarding SCP. There is no need to switch to OpenSSH server. You simply can install OpenSSH Client from dietpi-software catalogue. That should be enough to connect via SCP. This is what I’m doing to use SCP :wink:

But yeah if MD5 checksum is not matching, probably something brocken on the download

Well, I had a space when I was doing checksum test and it was correct file. regardless I download again and it is exact same size.

I installed it on the RPi 3B and I do have these two required files. But RPi 4B based install somehow empties these files.

I will copy these two and test again in few minutes.

My requirements is to have few sites with Free Guest WiFi. There is no one for me to do a remote session to their machine to make any change into ISP router, if they repair / reset / replace the router. That router is serving as dhcp server and I will also be running Pi-hole on the RPi. So ISP router needs to have pi-hole / RPi IP as the DNS server in the dhcp scope. The ISP does not allow management over WAN and I cannot call them to make this change for me in case they replace / factory reset the router. Their system has only few things accessible to them, not customer end configuration (other than resetting the PPPoE credentials or the whole factory reset etc).

That is why I need to maintain access to the RPi and the way I was planning was to set it as OpenVPN client that will autoconnect to the centralized Pi-VPN runnning on the another Pi. So I am not sure if Wireguard is something that will work for me without PiVPN as the wrapper. In my test setup, autoconnect works anytime I reboot the client or the server. So I was quote happy with this. I tested the PiVPN server by installng DoetPi on a Virtualbox and I dont have any issues. It is the Rpi 4B that is giving me the grief.

And I needed to Scp to and not from and hence I needed to set up OpenSSH server.

yes SCP to the RPi (from Windows) is working with OpenSSH client (installed)

Well, WireGuard can act as client as well. Just configure the client service that way, that it will connect on reboot automatically.

okay, will try in few minutes. Meanwhile I copied the folder and the file and now I get this:

root@DietPi-VPNServer:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
root@DietPi-VPNServer:~# /etc/sysctl.d/99-sysctl.conf => /etc/sysctl.conf
-bash: /etc/sysctl.d/99-sysctl.conf: Permission denied

Inside the /etc/sysctl.conf, I have net.ipv4.ip_forward = 1. Same is the case with 99-sysctrl.conf.