PiVPN - possible to connect, but no internet

Hi,
I have a problem with my setup on OrangePi Zero + with lovely DietPi. I have a PiVPN server and a few other services, like Pi-hole. But I have a problem with the VPN. I am able to connect without any problems, but there is no internet or LAN on connected devices. The only address that is accessible or pingable is the IP of DietPi itself (192.168.29.4). It doesn't look like a DNS problem, because I can't ping IPs either.
On DietPi itself, I can ping anywhere I want to, and DNS resolution works fine.
I changed DNS to 8.8.8.8 to eliminate possible problems with Pi-hole. I suspect it has something to do with routing and iptables, but I am not skilled enough in Unix to troubleshoot it myself.

Before, I had Armbian installed, with PiVPN installed via the script, and everything worked out of the box, even with Pi-hole.
Below are some configurations; I can post more if you tell me which.
Thanks a million!

dietpi@DietPi:~$ pivpn -d
::: Generating Debug Output
:::                                     :::
::              PiVPN Debug              ::
:::                                     :::
::      Latest Commit                    ::
:::                                     :::
commit 84cd315a522d99717cc4f103c5870b8d014bf846
Author: redfast00 <redfast00@gmail.com>
Date:   Tue Jan 29 11:16:48 2019 +0100

    So long and thanks for all the fish
:::                                     :::
::      Recursive list of files in       ::
::      /etc/openvpn/easy-rsa/pki        ::
:::                                     :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
Holdaxy.ovpn
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
private
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
Holdaxy.crt
server_znyzUOYI8NRpbnxG.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
Holdaxy.key
server_znyzUOYI8NRpbnxG.key
:::                                     :::
::      Output of /etc/pivpn/*           ::
:::                                     :::
:: START /etc/pivpn/DET_PLATFORM ::
Debian
:: END /etc/pivpn/DET_PLATFORM ::
:: START /etc/pivpn/INSTALL_PORT ::
1194
:: END /etc/pivpn/INSTALL_PORT ::
:: START /etc/pivpn/INSTALL_PROTO ::
udp
:: END /etc/pivpn/INSTALL_PROTO ::
:: START /etc/pivpn/INSTALL_USER ::
dietpi
:: END /etc/pivpn/INSTALL_USER ::
:: START /etc/pivpn/NO_UFW ::
1
:: END /etc/pivpn/NO_UFW ::
:: START /etc/pivpn/pivpnINTERFACE ::
eth0
:: END /etc/pivpn/pivpnINTERFACE ::
:: START /etc/pivpn/setupVars.conf ::
pivpnUser=dietpi
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.29.4
IPv4gw=192.168.29.3
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=8.8.8.8
OVPNDNS2=
:: END /etc/pivpn/setupVars.conf ::
:: START /etc/pivpn/setupVars.conf.save ::
pivpnUser=dietpi
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.29.4
IPv4gw=192.168.29.3
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_P.OINT_FOUR=true
DOWNLOAD_D.H_PARAM=false
PUBLICDNS.=
OVPNDNS1=
OVPNDNS2=
:: END /etc/pivpn/setupVars.conf.save ::
:: START /etc/pivpn/TWO_POINT_FOUR ::
:: END /etc/pivpn/TWO_POINT_FOUR ::
:::                                     :::
:: /etc/openvpn/easy-rsa/pki/Default.txt ::
:::                                     :::
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_znyzUOYI8NRpbnxG name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
:::                                     :::
::      Debug Output Complete            ::
:::                                     :::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::



dietpi@DietPi:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT



#/etc/network/interfaces
#Please use DietPi-Config to modify network settings.

# Local
auto lo
iface lo inet loopback

# Ethernet
allow-hotplug eth0
iface eth0 inet static
address 192.168.29.4
netmask 255.255.255.0
gateway 192.168.29.3
dns-nameservers 8.8.8.8

# Wifi
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
#gateway 192.168.0.1
wireless-power off
#dns-nameservers 8.8.8.8 8.8.4.4

# IP tables
up iptables-restore < /etc/iptables.ipv4.nat



dietpi@DietPi:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.29.3    0.0.0.0         UG    202    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.29.0    0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0



server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_znyzUOYI8NRpbnxG.crt
key /etc/openvpn/easy-rsa/pki/private/server_znyzUOYI8NRpbnxG.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

Hi,

I had a similar problem that was caused by ip_forward not being enabled.
You can check that by running

cat /proc/sys/net/ipv4/ip_forward
1

If it is not 1, you should check whether in /etc/sysctl.conf you find a line like

net.ipv4.ip_forward=1

If not, you need to uncomment/add it and then run

sudo sysctl -p

Now ip_forward is enabled and should also be enabled automatically at startup. Maybe this can solve your problem.

Jep, enable this persistently via: echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/ipv4_forward.conf

We indeed need to add this hint to the online docs. I already track that within a GitHub issue.
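The checks this thread converges on (ip_forward, a FORWARD rule for the tunnel subnet, and a source NAT rule on the LAN uplink) as one added shell script. This is an added example, not code from the thread, PiVPN or DietPi; it assumes the 10.8.0.0/24, tun0 and eth0 names from the posts above, and the sample rule sets are constructed from the original post's `iptables -S` output.

```shell
# Added example, not from the thread, PiVPN or DietPi: check the three things a
# VPN server needs so that clients on the tunnel subnet reach the LAN and the
# internet. Assumed names: tunnel subnet 10.8.0.0/24 on tun0, LAN uplink eth0.
VPN_NET='10.8.0.0/24'
VPN_IF='tun0'
LAN_IF='eth0'

# check_vpn_forwarding IP_FORWARD FILTER_RULES NAT_RULES
#   IP_FORWARD   : contents of /proc/sys/net/ipv4/ip_forward
#   FILTER_RULES : output of `iptables -S`
#   NAT_RULES    : output of `iptables -t nat -S`
# Prints one line per missing item; returns 1 if anything is missing, else 0.
check_vpn_forwarding() {
    ip_fwd=$1 filter=$2 nat=$3 missing=0
    # 1. the kernel must be allowed to route between interfaces at all
    if [ "$ip_fwd" != 1 ]; then
        echo "ip_forward is '$ip_fwd': set net.ipv4.ip_forward=1 and run sysctl -p"
        missing=1
    fi
    # 2. the FORWARD chain must let tunnel traffic through (policy or explicit rule)
    if ! printf '%s\n' "$filter" | grep -q -- '^-P FORWARD ACCEPT' &&
       ! printf '%s\n' "$filter" | grep -q -- "^-A FORWARD -s $VPN_NET -i $VPN_IF -j ACCEPT"; then
        echo "no FORWARD rule accepting $VPN_NET from $VPN_IF"
        missing=1
    fi
    # 3. the LAN knows nothing about 10.8.0.0/24, so replies only come back if the
    #    server rewrites the source address (MASQUERADE) on its LAN interface
    if ! printf '%s\n' "$nat" | grep -q -- "^-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"; then
        echo "no POSTROUTING MASQUERADE for $VPN_NET out of $LAN_IF"
        missing=1
    fi
    return "$missing"
}

# Run this as root on the live DietPi box.
live_check() {
    check_vpn_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" \
                         "$(iptables -S)" "$(iptables -t nat -S)"
}

# Constructed samples: the filter rules from the original post, with and
# without the NAT rule that PiVPN normally installs on the uplink.
FILTER_FROM_POST='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT'
NAT_MISSING='-P POSTROUTING ACCEPT'
NAT_PRESENT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
```

Calling `live_check` on the server prints what is missing, so `check_vpn_forwarding 1 "$FILTER_FROM_POST" "$NAT_MISSING"` reproduces the original poster's situation: forwarding rules fine, no NAT.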

I had IP forwarding enabled but I still couldn’t get outbound internet access to work, just LAN.

So then I found this recommendation and then pi-hole began monitoring the tun0 interface and gave me DNS capability. The contributing issue was that my router forwards all udp 53 to my internal pi hole address.

Edit Pi-hole config:

sudo nano /etc/pihole/setupVars.conf



Add "PIHOLE_INTERFACE=tun0" below the "eth0" line.

You should now have entries:

PIHOLE_INTERFACE=eth0

PIHOLE_INTERFACE=tun0

https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/

Ah jep, great, thanks for sharing. Indeed in case of Pi-hole usage we did not yet implement some automated bundle configuration. It’s on the list.

Great, thanks. I have spent almost 6 hours looking into why this happens and it’s the configuration. Can it be set to enabled when installing OpenVPN?

Oh by the way:

This can be done via pihole’s web admin (if you have installed it). Go to ‘Setting’ > ‘DNS’ > ‘Interface listening behavior’. Check ‘Listen on all interfaces’. Then, just modify openVPN’s server config (/etc/openvpn/server.conf) to route DNS to pihole.

push "dhcp-option DNS 10.8.0.1"
# Remember to comment out the other DNS routes
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
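As an added example (not from the thread, Pi-hole or PiVPN), a shell function that applies the change above to an OpenVPN server.conf: it comments out the existing DNS pushes, appends the Pi-hole one, and corrects the "dhcp-options" spelling, since the OpenVPN directive is "dhcp-option". It assumes Pi-hole answers on the server's tunnel address (10.8.0.1 in this thread); the sample config is constructed from the server.conf lines posted earlier.

```shell
# Added example, not from the thread, Pi-hole or PiVPN: point OpenVPN clients at
# Pi-hole for DNS by editing server.conf in place. Assumes Pi-hole listens on
# the server's tunnel address (10.8.0.1 in this thread).
route_dns_via_pihole() {  # route_dns_via_pihole SERVER_CONF PIHOLE_IP
    conf=$1 dns=$2
    tmp=$(mktemp) || return 1
    # Comment out every existing DNS push (also the misspelled "dhcp-options",
    # which OpenVPN does not know) so clients receive exactly one resolver.
    if awk -v dns="$dns" '
        /^[ \t]*push[ \t]+"dhcp-options?[ \t]+DNS/ { print "#" $0; next }
        { print }
        END { print "push \"dhcp-option DNS " dns "\"" }
    ' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Returns 0 when exactly one DNS server is pushed with the correct directive
# name; otherwise prints what is wrong and returns 1.
verify_dns_push() {  # verify_dns_push SERVER_CONF
    conf=$1
    if grep -n '^[[:space:]]*push[[:space:]]*"dhcp-options' "$conf"; then
        echo "misspelled directive above: OpenVPN only knows dhcp-option"
        return 1
    fi
    n=$(grep -c '^[[:space:]]*push[[:space:]]*"dhcp-option DNS' "$conf" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active DNS push, found $n"
        return 1
    fi
    return 0
}

# Constructed sample resembling the server.conf lines shown in this thread.
make_sample_conf() {  # make_sample_conf FILE
    printf '%s\n' 'dev tun' 'server 10.8.0.0 255.255.255.0' \
        'push "dhcp-option DNS 8.8.8.8"' 'push "dhcp-options DNS 8.8.4.4"' \
        'push "redirect-gateway def1"' > "$1"
}
```

On the server: `route_dns_via_pihole /etc/openvpn/server.conf 10.8.0.1 && verify_dns_push /etc/openvpn/server.conf`, then restart OpenVPN so connected clients pick up the new push.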

Great!
It works now, even with pihole.
Thank you!

Hi,

I have the same problem: “Dietpi-nordvpn” is connected but then I do NOT have internet on my device.
I tried to implement all the previous explanations but I got blocked on the last one:

push "dhcp-option DNS 10.8.0.1"

# Remember to comment out the other DNS routes

#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

Where do I put that in my server.conf :

port 1194
proto udp
dev tun

ca ca.crt
cert DietPi_OpenVPN_Server.crt
key DietPi_OpenVPN_Server.key
dh dh.pem

server 10.8.0.0 255.255.255.0

client-to-client
keepalive 10 60
comp-lzo
max-clients 10

user nobody
group nogroup

persist-key
persist-tun
verb 3

# Web Forwarding (uncomment to enable)

#push "redirect-gateway"
#push "dhcp-option DNS 10.8.0.1"

Thanks all for the work and the help

The configuration you have showed us is from a server. I believe you connect to NordVPN as a client.

Ah yeah, damn it, I’m connecting as a client with dietpi-nordvpn. Do I just need to check "client.conf"? Sorry, I’m a beginner with Linux and the command line.

Anyway thanks for helping me !

Yes, there should be some other configuration file for the client.
Also the output of

ip -4 addr; ip -4 ro; ip -4 ru

would provide some insight.

First of all revert all steps that you did based on this thread, as it is about connecting to DietPi as a VPN server with PiVPN :wink:.

To paste the used (client-side) config file:

cat "$(grep -o '/etc/openvpn/.*\.ovpn' /etc/systemd/system/dietpi-nordvpn.service)"

And can you paste the output of: dietpi-nordvpn status

Ok thank you both, I tried to revert all the modifications based upon this topic, the best I could…

So, yes, you were right about the fact that I’m trying to connect as a client to NordVPN from Dietpi-nordvpn, to let pass all my traffic from my LAN > Pi > VPN > Internet. (using the DHCP from PiHole and turned off the one from the router)

When the VPN is connected, I cannot access internet.

So, I paste all the data you asked for:

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.56/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever

ip -4 ro
default via 192.168.1.1 dev eth0 onlink ← That’s the IP from my internet gateway
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.56

ip -4 ru

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

cat "$(grep -o '/etc/openvpn/.*\.ovpn' /etc/systemd/system/dietpi-nordvpn.service)"
client
dev tun
proto udp
remote 217.138.207.139 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/settings_ovpn.conf

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
route-up /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/up.sh
script-security 2
<ca>
-----BEGIN CERTIFICATE-----
KEY removed
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
KEY removed
-----END OpenVPN Static key V1-----
</tls-auth>

dietpi-nordvpn status

Connected - Sent = 0 MiB | Received = 0 MiB

Strange, it says that it is connected but I don’t see that.

I removed the cert key from the configuration file in your post.

Basically DietPi-NordVPN is going to download the config file from NordVPN and there is no need to perform a configuration

Question:

  • Is the connection from the Pi itself to the internet working while the VPN is active?
  • Is the Pi set as Gateway on your Clients within your local network?
  • Are you able to ping something like 8.8.8.8 or 9.9.9.9 on the web?

I guess some iptables rules would need to be set to forward traffic from eth0 to the tun0 interface. As well, please can you check the result of sysctl net.ipv4.ip_forward? It would need to be set to 1.

The connection test does no more than check for a route through the VPN interface, and that route is there :thinking:.
Although I am not 100% sure whether those VPN addresses are correct, or whether there is another OpenVPN instance running…

Can you check for other OpenVPN processes (probably started while trying to fix things):

ps ax | grep openvpn

And what does the up script contain?

cat /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/up.sh

(erase any private/identifying data)

Joulinar
Correct me, but I think that key is public from NordVPN and all sensitive data in this regard is in /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/settings_ovpn.conf, isn’t it? Good to be doubly sure, but at least we do not create or add any private key to those configs, only the user/password via this external file.

Thanks guys, so :

When the VPN is connected, the Pi can connect to internet, I CAN ping 8.8.8.8 without problem. And yes the Pi is set to be my gateway on all stuff.

sysctl net.ipv4.ip_forward reports 1, so I think it’s ok.

ps ax | grep openvpn

  396 ?        Ss     0:02 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
18956 pts/0    S+     0:00 grep openvpn

cat /var/lib/dietpi/dietpi-software/installed/dietpi-nordvpn/up.sh

#!/bin/bash
# Clear this file completely, including line breaks, to have it removed.
whitelist add subnet 192.168.1.56/25

The weird thing is that it all worked for one day, I had internet on all devices and then boom, blocked like that :thinking:

Ah okay, so you use OpenVPN as server and as client concurrently. While this is generally possible I am not 100% sure currently what needs to be done to make that work or the other way round what would break it.

Currently only the server is running, not the client. dietpi-nordvpn UI wrongly shows “connected” state as the server is running and hence the tun0 interface is up with a route.

It is quite a problem that we check tun0 with dietpi-nordvpn while, if I see right, it can be tun1 or tun2 if there are other tun interfaces configured already. Not sure if this can be hardcoded, e.g. adding dev tun1 to client configs while keeping dev tun0 for server configs?

But the actual problem will be conflicting routes, probably even depending on which instance is started first, server or client. I’ll test and think about it tomorrow.

But a different question: If you have OpenVPN on the clients that you want to connect to your DietPi, to then redirect them to NordVPN, why don’t you connect the clients to NordVPN directly? Or did I misunderstand the aim?
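An added example (not DietPi's own code) of the stricter check described above: instead of "any route on tun0", it asks whether egress really goes through a tun device, by parsing `ip -4 ro` output. A client with redirect-gateway either replaces the default route or installs the 0.0.0.0/1 and 128.0.0.0/1 halves; a server instance only adds the tunnel subnet. The sample route tables are constructed from the `ip -4 ro` output posted above.

```shell
# Added example, not DietPi's code: decide from `ip -4 ro` output whether
# traffic actually leaves through the VPN. A tun route alone is also present
# when only an OpenVPN *server* is running, which is the false "connected" here.
# Usage on the box: vpn_egress_via_tun "$(ip -4 ro)"

# Prints the device carrying the given destination ("default", "0.0.0.0/1", ...),
# nothing if no such route exists.
route_dev() {  # route_dev DEST ROUTES
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == d { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Returns 0 if egress is via a tun device, 1 otherwise, with a one-line reason.
vpn_egress_via_tun() {  # vpn_egress_via_tun ROUTES
    routes=$1
    def=$(route_dev default "$routes")
    lo=$(route_dev 0.0.0.0/1 "$routes")
    hi=$(route_dev 128.0.0.0/1 "$routes")
    case "$def" in
        tun*) echo "default route via $def: VPN client is the gateway"; return 0 ;;
    esac
    case "$lo/$hi" in
        tun*/tun*) echo "redirect-gateway def1 routes via $lo"; return 0 ;;
    esac
    if printf '%s\n' "$routes" | grep -q 'dev tun'; then
        echo "tun route exists but egress is still via ${def:-none}: server instance or client without redirect-gateway"
    else
        echo "no tun routes: VPN client not connected"
    fi
    return 1
}

# Constructed samples: the table from the post above (server only), and the
# same table after a client with redirect-gateway def1 connected.
ROUTES_SERVER_ONLY='default via 192.168.1.1 dev eth0 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.56'
ROUTES_CLIENT_DEF1="0.0.0.0/1 via 10.8.0.5 dev tun1
$ROUTES_SERVER_ONLY
128.0.0.0/1 via 10.8.0.5 dev tun1"
```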

If I’m not mistaken, it’s required to configure the environment to have the following connection scenario: LAN > Pi > VPN > Internet

Therefore I would recommend to deactivate OpenVPN server and just try to get the Client working.

No in fact I don’t want to use the OpenVPN server only the client, to connect all my network to the NordVPN account using only one connection, way easier that way for the TV, etc…

Joulinar got it right, I don’t even know how I turned on this goddamned OpenVPN server, I’ve only touched the Dietpi-nordvpn client…

Is there a way to delete the “server” side ?

Thanks

EDIT: I’ve found that I had the OpenVPN Server installed in the DietPi package, so I uninstalled it and killed the process in htop. Normally I only have the Dietpi-nordvpn client now.

EDIT 2 : So, apparently removing this completely broke the Dietpi-nordvpn

Yes, both the OpenVPN server and the NordVPN client use the same Debian package. Did you remove the OpenVPN server using dietpi-software now? If yes, no problem. You could force the NordVPN client to be reinstalled:

dietpi-software reinstall 171