PiVPN - possible to connect, but no internet

Yes, I’ve removed the OpenVPN server with the Dietpi-software.

Run : dietpi-software reinstall 171, it’s okay, NordVPN is there again after the installation and reboot. But same problem with the connectivity :thinking:

pls can you check again sysctl net.ipv4.ip_forward

I’ve just unplug and plug it back, PiHole went online, I tried with Dietpi-nordvpn, it connected and now is it WORKING for all my LAN ! :smiley: Awesome, I don’t know what happened between the second reboot but yeah, it works for now.

Thank you very much ! And if you want some log to help other, I’m glad to gave them.

And yes

sysctl net.ipv4.ip_forward

still give me


ok perfect that it is working now.


In term of routing since we modified it, if I implement NextCloud via Dietpi will it work with the VPN on ?



well you could have it installed but it might have issues to access from Internet. Because traffic will arrive on normal network but will be send back to VPN. And this is not gonna work. That would be similar like this https://dietpi.com/forum/t/no-response-traffic-on-application-after-port-forward/4438/1

I guess you would need to setup some iptables rules in addition to route the traffic correct way. But I’m not the expert on this. Usually trendy has some ideas :slight_smile:

If you can identify the tcp/udp ports the application uses, you can mark the packets in iptables mangle chain, then create an ip rule to route the packets with those markings from a different routing table, and finally create a custom routing table which will route via the ISP.

Thanks to you two, I’m going to learn about iptable because I don’t have to skill to manage it at the moment :frowning:

trendy would be port 80/443 tcp as it’s a webserver

Something like this then:

iptables -t mangle -I PREROUTING -s -p tcp -m multiport --sports 80,443 -j MARK --set-mark 10
ip rule add fwmark 10 table 10
ip route add default via ISP_GATEWAY_IP_HERE table 10

The first and second lines could be combined into

ip rule add from sport 80 table 10
ip rule add from sport 443 table 10

Thanks for your reply, I’ve encountered a new problem, my ISP dress is “rotating” every week… :rofl: I’m screwed

Do you mean you external IP address is going to change every week? Well, that’s not a problem as you can use a DDNS service to be able to reach your system from externel/internet using the same URL always.

Yes it is changing like a new IP. I’m going to read about DDNS because I never heard about it.
But how can it work if my IP is changing ?

that’s exactly the purpose of a DDNS (DynDNS) provider to ensure are reachable under a specific domain even if your IP address is changing :wink:

Usually privat internet router offering a couple DDNS providers already. Activating this feature will give you an own domain like www.your.name.ddns.com :slight_smile: This can be used to reach your systems from internet.

There are a couple of free DDNS provider available. No need for a paid service.

Ok thanks, I’ve seen that “NoIP” is quite recommended by French forum, so I will learn on the function and I’ve seen a No-IP in Dietpi-software, I’m in good way.

Since there is a problem because of the VPN, is it the same prob if I want to have a device only on PiHole but not on the VPN ?


if you go for NoIP, keep in mind that you need to login to NoIP website once a month to keep your account active. :wink:

Regarding the VPN. I guess all devices are using PiHole but just some of them you just like to route to the VPN. There it get’s more complex as you than need to specify depending on the source device what to do.

Hi there,

So yes, I can confirm, when the VPN is ON and No-IP running I can’t access it from outside. I’ve double check the firewall and NAT routing, but nothing.

Do you have an idea to just keep no-ip and next cloud outside the VPN ? Or it’s a too crazy ?


You even must bypass the VPN with the No-IP client, otherwise the No-IP domain will point to the NordVPN IP instead of your actual servers IP :wink:. E.g. you could run the No-IP service with a specific user or group (actually it does not need to run as root as it does currently) and then give all packets send by this users a mark that uses a bypass routing table, like trendy did above but based on user/owner. This guide shows how to do it the other way round, so only packets from a specific user are sent through the tunnel, but the principles are the same: https://www.niftiestsoftware.com/2011/08/28/making-all-network-traffic-for-a-linux-user-use-a-specific-network-interface/

In case of Nextcloud it’s the webserver user www-data for which you can do similar, or you run the No-IP client as www-data user and create the bypass rules for this one only.

A bid late today to write the exact steps together and it should be found already somewhere in the forum, I’ll have a closer look tomorrow :slight_smile:.

Ok I see :slight_smile:
That’s why I was reading that the “best” option is to use a VPN with Port Forwarding/DDNS option, that way we can still use VPN on all the traffic if I’m right.

I’m going to read your link if I can handle it :rofl:

Thanks !

Will it be easier with another Raspberry ?
I’ve seen that he created an account for “vpnuser” if I’m right, but understand it well