Reach NAS in local network through pivpn

Jappe · 7 March 2024 16:17

This is just the package name, the corresponding command is iptables-save, like

iptables-save > /etc/iptables/rules.v4

Tarrasque · 8 March 2024 15:54

Ok, in this case I already issued the command several times in the past, but never specifying an output file. Does it matter?

My ipyables -S output is:

dietpi@DietPi:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 10.205.139.0/24 -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -s 10.205.139.0/24 -i wg0 -o eth0 -m comment --comment wireguard-forward-rule -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -i eth0 -o wg0 -j ACCEPT
-A DOCKER-USER -i eth0 -o wg0 -j ACCEPT
-A DOCKER-USER -j RETURN

At the moment I still cannot ping my NAS or RPi.

Joulinar · 8 March 2024 18:51

the rule is now there twice

can you check if this is still set to 1

sysctl net.ipv4.ip_forward

trendy · 10 March 2024 22:50

There is IP overlap where you are connecting from.

Joulinar · 10 March 2024 23:20

Uhh good spot, the client is within a similar subnet than the target system. This usually doesn’t work on VPN. But it should be possible to work around while adding target IP range 192.168.1.0 to AllowedIPs on client side

Tarrasque · 12 March 2024 12:20

Should I remove it? How?

Yes it is.

dietpi@DietPi:~$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Tarrasque · 12 March 2024 12:21

Could you please give me instructions on how to do this?

I’m going outside of my already limited networking/vpn skills…

trendy · 12 March 2024 18:53

The network where you connect, the wifi, uses the same address space as you use at home, 192.168.1.x . Therefore when you try to ping 192.168.1.7, you are not pinging the device at your home, but a random device in that wifi, if there is any.
It is a rather common address, hence the overlap.
I’d advise to use a more uncommon address space at home, like 192.168.11.X

Joulinar · 12 March 2024 19:45

I have a similar challenge on a holiday location where I’m at least once a year. The hotel WiFi is using the same network segment as my home network. As i can’t change one of them, I added this IP range to AllowedIPs on client configuration like:

AllowedIPs = 0.0.0.0/0, 192.168.1.0/24

Tarrasque · 14 March 2024 17:20

I think I see.

This could be problematic because changing my IPs at home means a lot of work. I have several devices: the Pi, various NASes, a nvidia shield with Plex, etc. All their addresses are set by the router DNS and I only told them to be permanent. Changing them means retweaking a lot of configuration, port forwarding, and stuff.

Tarrasque · 14 March 2024 17:21

Joulinar:

I have a similar challenge on a holiday location where I’m at least once a year. The hotel WiFi is using the same network segment as my home network. As i can’t change one of them, I added this IP range to AllowedIPs on client configuration like:
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24

This seems nice. I’ll try it.