PiVPN - possible to connect, but no internet Topic is solved

holda
Posts: 5
Joined: Wed Feb 06, 2019 8:33 am

PiVPN - possible to connect, but no internet

Post by holda »

Hi,
I have a problem with my setup on OrangePi Zero + with lovely DietPi. I have a PiVPN server and a few other services, like Pihole. But I have a problem with the VPN. I am able to connect without any problems, but there is no internet or LAN on connected devices. The only address that is accessible or pingable is the IP of DietPi itself (192.168.29.4). It doesn't look like a DNS problem, because I can't ping IPs either.
On the DietPi, I can ping anywhere I want to, and DNS resolution also works fine.
I changed DNS to 8.8.8.8 to eliminate possible problems with Pihole. I suspect it has something to do with routing and iptables, but I am not skilled enough in Unix to troubleshoot it myself.

Before, I had Armbian installed, with PiVPN installed via the script, and everything worked out of the box, even with Pihole.
Below are some configurations; I can post more if you tell me which.
Thanks a million!

Code: Select all

dietpi@DietPi:~$ pivpn -d
::: Generating Debug Output
:::                                     :::
::              PiVPN Debug              ::
:::                                     :::
::      Latest Commit                    ::
:::                                     :::
commit 84cd315a522d99717cc4f103c5870b8d014bf846
Author: redfast00 <redfast00@gmail.com>
Date:   Tue Jan 29 11:16:48 2019 +0100

    So long and thanks for all the fish
:::                                     :::
::      Recursive list of files in       ::
::      /etc/openvpn/easy-rsa/pki        ::
:::                                     :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
Holdaxy.ovpn
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
issued
private
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
Holdaxy.crt
server_znyzUOYI8NRpbnxG.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
Holdaxy.key
server_znyzUOYI8NRpbnxG.key
:::                                     :::
::      Output of /etc/pivpn/*           ::
:::                                     :::
:: START /etc/pivpn/DET_PLATFORM ::
Debian
:: END /etc/pivpn/DET_PLATFORM ::
:: START /etc/pivpn/INSTALL_PORT ::
1194
:: END /etc/pivpn/INSTALL_PORT ::
:: START /etc/pivpn/INSTALL_PROTO ::
udp
:: END /etc/pivpn/INSTALL_PROTO ::
:: START /etc/pivpn/INSTALL_USER ::
dietpi
:: END /etc/pivpn/INSTALL_USER ::
:: START /etc/pivpn/NO_UFW ::
1
:: END /etc/pivpn/NO_UFW ::
:: START /etc/pivpn/pivpnINTERFACE ::
eth0
:: END /etc/pivpn/pivpnINTERFACE ::
:: START /etc/pivpn/setupVars.conf ::
pivpnUser=dietpi
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.29.4
IPv4gw=192.168.29.3
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=8.8.8.8
OVPNDNS2=
:: END /etc/pivpn/setupVars.conf ::
:: START /etc/pivpn/setupVars.conf.save ::
pivpnUser=dietpi
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=192.168.29.4
IPv4gw=192.168.29.3
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=
OVPNDNS2=
:: END /etc/pivpn/setupVars.conf.save ::
:: START /etc/pivpn/TWO_POINT_FOUR ::
:: END /etc/pivpn/TWO_POINT_FOUR ::
:::                                     :::
:: /etc/openvpn/easy-rsa/pki/Default.txt ::
:::                                     :::
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_znyzUOYI8NRpbnxG name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
:::                                     :::
::      Debug Output Complete            ::
:::                                     :::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::

Code: Select all

dietpi@DietPi:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT

Code: Select all

#/etc/network/interfaces
#Please use DietPi-Config to modify network settings.

# Local
auto lo
iface lo inet loopback

# Ethernet
allow-hotplug eth0
iface eth0 inet static
address 192.168.29.4
netmask 255.255.255.0
gateway 192.168.29.3
dns-nameservers 8.8.8.8

# Wifi
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.42.1
netmask 255.255.255.0
#gateway 192.168.0.1
wireless-power off
#dns-nameservers 8.8.8.8 8.8.4.4

# IP tables
up iptables-restore < /etc/iptables.ipv4.nat

Code: Select all

dietpi@DietPi:~$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.29.3    0.0.0.0         UG    202    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.29.0    0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0

Code: Select all

server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_znyzUOYI8NRpbnxG.crt
key /etc/openvpn/easy-rsa/pki/private/server_znyzUOYI8NRpbnxG.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
WilburWalsh
Posts: 12
Joined: Sat Dec 22, 2018 1:33 pm

Re: PiVPN - possible to connect, but no internet

Post by WilburWalsh »

Hi,

I had a similar problem that was caused by ip_forward not being enabled.
You can check that by running

Code: Select all

cat /proc/sys/net/ipv4/ip_forward
1

If it is not 1, you should check whether in /etc/sysctl.conf you find a line like

Code: Select all

net.ipv4.ip_forward=1

If not, you need to uncomment/add it and then run

Code: Select all

sudo sysctl -p

Now ip_forward is enabled and should also be enabled automatically at startup. Maybe this can solve your problem.
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: PiVPN - possible to connect, but no internet

Post by MichaIng »

Jep, enable this persistently via: echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/ipv4_forward.conf

We indeed need to add this hint to the online docs. I already track that within a GitHub issue.
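
The check from the posts above as a script, added here as an example and not written by anyone in this thread: it compares the running ip_forward value with what the sysctl files will set at boot, and reads the FORWARD policy from `iptables -S` output, because with forwarding on and `-P FORWARD ACCEPT` (as in the first post) the host routes between all of its interfaces. The function names, the order in which the files are read and the sample files are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the
# checks can be run against copies; the sample files below are constructed.

# Value the kernel is using right now (contents of .../ip_forward).
runtime_forward() {
    tr -d '[:space:]' < "$1"
}

# Value that applies at boot: the last uncommented net.ipv4.ip_forward
# assignment across the given files, read in order. "unset" if none.
persistent_forward() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print (v == "" ? "unset" : v) }
    ' "$@"
}

# Default policy of the FORWARD chain, from `iptables -S` text on stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { p = $3 }
         END { print (p == "" ? "unknown" : p) }'
}

# Verdict from the runtime value ($1) and the persistent value ($2).
forward_verdict() {
    case "$1:$2" in
        1:1) echo "ok" ;;
        1:*) echo "runtime-only" ;;  # works now, lost at the next reboot
        0:1) echo "not-loaded" ;;    # file is set; load it (sysctl --system) or reboot
        *)   echo "disabled" ;;
    esac
}

# Constructed samples: forwarding off at runtime, commented out in
# sysctl.conf, enabled in a drop-in file that has not been loaded yet.
d=$(mktemp -d)
printf '0\n' > "$d/ip_forward"
printf '#net.ipv4.ip_forward=1\n' > "$d/sysctl.conf"
printf 'net.ipv4.ip_forward = 1\n' > "$d/ipv4_forward.conf"
forward_verdict "$(runtime_forward "$d/ip_forward")" \
    "$(persistent_forward "$d/sysctl.conf" "$d/ipv4_forward.conf")"
printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' | forward_policy
rm -rf "$d"
```

On a live system the arguments would be /proc/sys/net/ipv4/ip_forward, the files under /etc/sysctl.d/ followed by /etc/sysctl.conf, and the output of `sudo iptables -S` on stdin.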
oldfashioned
Posts: 3
Joined: Thu Feb 07, 2019 8:17 pm

Re: PiVPN - possible to connect, but no internet

Post by oldfashioned »

I had ip forwarding enabled but I still couldn't get outbound internet access to work, just LAN.

So then I found this recommendation and then pi-hole began monitoring the tun0 interface and gave me DNS capability. The contributing issue was that my router forwards all udp 53 to my internal pi hole address.

Edit Pi-hole config:

Code: Select all

sudo nano /etc/pihole/setupVars.conf

Add "PIHOLE_INTERFACE=tun0" below the "eth0".

You should now have entries:

PIHOLE_INTERFACE=eth0

PIHOLE_INTERFACE=tun0

https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: PiVPN - possible to connect, but no internet

Post by MichaIng »

Ah jep, great, thanks for sharing. Indeed in case of Pi-hole usage we did not yet implement some automated bundle configuration. It's on the list.
tohjg
Posts: 1
Joined: Sun Feb 10, 2019 9:28 am

Re: PiVPN - possible to connect, but no internet

Post by tohjg »

WilburWalsh wrote: Thu Feb 07, 2019 5:01 pm Hi,

I had a similar problem that was caused by ip_forward not being enabled.
You can check that by running

Code: Select all

cat /proc/sys/net/ipv4/ip_forward
1

If it is not 1, you should check whether in /etc/sysctl.conf you find a line like

Code: Select all

net.ipv4.ip_forward=1

If not, you need to uncomment/add it and then run

Code: Select all

sudo sysctl -p

Now ip_forward is enabled and should also be enabled automatically at startup. Maybe this can solve your problem.

Great thanks. I have spent almost 6 hours looking at why this happens, and it's the configuration. Can it be set to enabled when installing OpenVPN?

Oh by the way:
oldfashioned wrote: Fri Feb 08, 2019 7:29 pm I had ip forwarding enabled but I still couldn't get outbound internet access to work, just LAN.

So then I found this recommendation and then pi-hole began monitoring the tun0 interface and gave me DNS capability. The contributing issue was that my router forwards all udp 53 to my internal pi hole address.

Edit Pi-hole config:

Code: Select all

sudo nano /etc/pihole/setupVars.conf

Add "PIHOLE_INTERFACE=tun0" below the "eth0".

You should now have entries:

PIHOLE_INTERFACE=eth0

PIHOLE_INTERFACE=tun0

https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/

This can be done via pihole's web admin (if you have installed it). Go to 'Setting' > 'DNS' > 'Interface listening behavior'. Check 'Listen on all interfaces'. Then, just modify openVPN's server config (/etc/openvpn/server.conf) to route DNS to pihole.

Code: Select all

# The directive is "dhcp-option" (singular), as in the server.conf posted above
push "dhcp-option DNS 10.8.0.1"
# Remember to comment out the other DNS entries
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
holda
Posts: 5
Joined: Wed Feb 06, 2019 8:33 am

Re: PiVPN - possible to connect, but no internet

Post by holda »

Great!
It works now, even with pihole.
Thank you!
JohnDoeFR
Posts: 12
Joined: Tue Sep 22, 2020 6:04 pm

Re: PiVPN - possible to connect, but no internet

Post by JohnDoeFR »

Hi,

I have the same problem: "Dietpi-nordvpn" is connected, but then I do NOT have internet on my device.
I tried to implement all the explanations above, but I am blocked on the last one:

push "dhcp-option DNS 10.8.0.1"
# Remember to comment out the other DNS entries
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

Where do I put that in my server.conf:

port 1194
proto udp
dev tun

ca ca.crt
cert DietPi_OpenVPN_Server.crt
key DietPi_OpenVPN_Server.key
dh dh.pem

server 10.8.0.0 255.255.255.0

client-to-client
keepalive 10 60
comp-lzo
max-clients 10

user nobody
group nogroup

persist-key
persist-tun
verb 3

# Web Forwarding (uncomment to enable)
#push "redirect-gateway"
#push "dhcp-option DNS 10.8.0.1"

Thanks all for the work and the help
trendy
Posts: 125
Joined: Tue Feb 25, 2020 2:54 pm

Re: PiVPN - possible to connect, but no internet

Post by trendy »

JohnDoeFR wrote: Tue Sep 22, 2020 6:16 pm Hi,

I have the same problem: "Dietpi-nordvpn" is connected, but then I do NOT have internet on my device.
I tried to implement all the explanations above, but I am blocked on the last one:

push "dhcp-option DNS 10.8.0.1"
# Remember to comment out the other DNS entries
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

The configuration you have shown us is from a server. I believe you connect to NordVPN as a client.
JohnDoeFR
Posts: 12
Joined: Tue Sep 22, 2020 6:04 pm

Re: PiVPN - possible to connect, but no internet

Post by JohnDoeFR »

Ah yeah damn it, I'm connecting as a client with dietpi-nordvpn. Do I just need to check "client.conf"? Sorry, I'm a beginner with Linux and the command line.

Anyway thanks for helping me !