OpenVPN Server Configuration

Last post I made on this topic: OpenVPN/TAP Bridge

My goal is to:

  • Run an OSMC front-end with Kodi and Plex add-on on the front end
  • Run DuckDNS Dynamic DNS script every 5 mins to monitor current external IP
  • Run VPN Server from Pi to allow 1 remote VPN connection (this will be used for CCTV DVR monitoring and remote Pi maintenance)

I have previously achieved these goals (progress in above linked thread) however my Pi crashed a few days ago (thought to be due to a corrupted SD card). I’ve since upgraded to a Pi 3B+ and replaced the SD card but am at square 1 now.

I have managed to complete objectives 1 and 2; I have installed OpenVPN Server on the backend and have established a remote connection from a client (testing set-up is a W10 laptop tethered from my iPhone). The connection between the laptop and Pi is established and I get given a 10.8.0.x address, however:

  • I cannot ping any 192.x.x.x addresses

  • I cannot reach the internet

  • I cannot reach any internally run web services (Radarr, Sonarr, Plex, etc.)

  • I can ping 10.8.0.x addresses, as expected

I believe this points towards a server.conf misconfiguration, but I’m not sure. I’ve tried following a few different guides (along with my previous post instructions) but no joy. Server.conf is as below:

local 192.168.0.26
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

#ca /etc/openvpn/ca.crt
#cert /etc/openvpn/openvpnserver.crt
#key /etc/openvpn/server/openvpnserver.key
#dh /etc/openvpn/dh.pem

auth SHA512
tls-crypt tc.key
topology subnet

server 10.8.0.0 255.255.255.0
#server 192.168.0.0 255.255.255.0

#push "redirect-gateway def1 bypass-dhcp"

push "redirect-gateway autolocal def1"

push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0 vpn_gateway"

route 192.168.0.0 255.255.255.0
route 172.20.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

client-to-client
push "route 192.168.0.0 255.255.255.0"

@fzinken you helped last time, any ideas?

Thanks in advance

Try push "redirect-gateway def1" instead.

Also, what is the output of route on the Windows machine when it is connected?

Did you enable IP forwarding on the Pi? sysctl -w net.ipv4.ip_forward=1

Just tried this and no joy.

Yes, IP forwarding is enabled.

  1. What is route telling you on Windows when it is connected?

  2. Run ping 8.8.8.8 on the Windows machine and then check on the Pi: tcpdump -i any host 8.8.8.8

===========================================================================
Interface List
3...5e ec 4c 85 bd a7 ......VPN Client Adapter - VPN
16...00 ff a4 bf d0 f1 ......TAP-Windows Adapter V9
6...00 23 18 ce 9b 80 ......Intel(R) 82577LC Gigabit Network Connection
8...00 23 14 a0 a8 2c ......Intel(R) Centrino(R) Advanced-N 6200 AGN
9...00 22 58 d4 75 a0 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.10.1 172.20.10.2 50
0.0.0.0 128.0.0.0 10.8.0.1 10.8.0.2 259
10.8.0.0 255.255.255.0 On-link 10.8.0.2 259
10.8.0.0 255.255.255.0 10.8.0.1 10.8.0.2 259
10.8.0.1 255.255.255.255 10.8.0.1 10.8.0.2 259
10.8.0.2 255.255.255.255 On-link 10.8.0.2 259
10.8.0.255 255.255.255.255 On-link 10.8.0.2 259
my external IP 255.255.255.255 172.20.10.1 172.20.10.2 306
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 10.8.0.1 10.8.0.2 259
172.20.10.0 255.255.255.240 On-link 172.20.10.2 306
172.20.10.2 255.255.255.255 On-link 172.20.10.2 306
172.20.10.15 255.255.255.255 On-link 172.20.10.2 306
192.168.0.0 255.255.255.0 10.8.0.1 10.8.0.2 259
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.8.0.2 259
224.0.0.0 240.0.0.0 On-link 172.20.10.2 306
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.8.0.2 259
255.255.255.255 255.255.255.255 On-link 172.20.10.2 306

Persistent Routes:
None

IPv6 Route Table

Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
16 259 fe80::/64 On-link
8 306 fe80::/64 On-link
8 306 fe80::5ce3:555:2ae0:e9/128 On-link
16 259 fe80::94b5:df76:8a7b:d677/128 On-link
1 331 ff00::/8 On-link
16 259 ff00::/8 On-link
8 306 ff00::/8 On-link

Persistent Routes:
None

tcpdump -i any host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:31:39.628805 IP 10.8.0.2.64064 > dns.google.domain: 19573+ A? dns.google. (28)
15:31:39.628874 IP 10.8.0.2.64064 > dns.google.domain: 19573+ A? dns.google. (28)
15:31:41.518847 IP 10.8.0.2.50187 > dns.google.domain: 23121+ A? skype.msz.su. (30)
15:31:41.518921 IP 10.8.0.2.50187 > dns.google.domain: 23121+ A? skype.msz.su. (30)
15:31:43.039193 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 153, length 40
15:31:43.039251 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 153, length 40
15:31:45.509342 IP 10.8.0.2.50187 > dns.google.domain: 23121+ A? skype.msz.su. (30)
15:31:45.509415 IP 10.8.0.2.50187 > dns.google.domain: 23121+ A? skype.msz.su. (30)
15:31:46.989943 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:46.990011 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:47.759784 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 154, length 40
15:31:47.759852 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 154, length 40
15:31:49.989842 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:49.989916 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:52.758844 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 155, length 40
15:31:52.758915 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 155, length 40
15:31:53.988901 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:53.988972 IP 10.8.0.2.62278 > dns.google.domain: 50181+ A? mtalk.google.com. (34)
15:31:55.529045 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:31:55.529091 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:31:57.761858 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 156, length 40
15:31:57.761930 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 156, length 40
15:31:58.529062 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:31:58.529133 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:32:02.518517 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:32:02.518563 IP 10.8.0.2.61798 > dns.google.domain: 36492+ A? skype.msz.su. (30)
15:32:03.500049 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:03.500124 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:06.499013 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:06.499085 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:06.948763 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)
15:32:06.948832 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)
15:32:09.965507 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)
15:32:09.965577 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)
15:32:10.500731 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:10.500808 IP 10.8.0.2.61934 > dns.google.domain: 2741+ A? discourse.osmc.tv. (35)
15:32:12.538908 IP 10.8.0.2.54283 > dns.google.domain: 61871+ A? skype.msz.su. (30)
15:32:12.538994 IP 10.8.0.2.54283 > dns.google.domain: 61871+ A? skype.msz.su. (30)
15:32:13.959000 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)
15:32:13.959072 IP 10.8.0.2.64878 > dns.google.domain: 19491+ A? dns.google. (28)

OK, so the packet reaches the Pi but isn't forwarded.
Check IP forwarding: cat /proc/sys/net/ipv4/ip_forward. Also, what is route saying on the Pi?

Response is “1”

Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 wlan0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.20.10.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 wlan0

Looks all right. Do you have any firewall running? iptables -S

root@osmc:/etc/openvpn/server# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

ufw is also disabled

OK, actually I might have seen something wrong.
Run ping 8.8.8.8 again on Windows and tcpdump -i wlan0 host 8.8.8.8 on the Pi.

root@osmc:/etc/openvpn/server# tcpdump -i wlan0 host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:47:34.357858 IP 10.8.0.2.60770 > dns.google.domain: 34300+ A? skype.msz.su. (30)
15:47:37.759815 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 158, length 40
15:47:38.369366 IP 10.8.0.2.60770 > dns.google.domain: 34300+ A? skype.msz.su. (30)
15:47:42.768861 IP 10.8.0.2 > dns.google: ICMP echo request, id 1, seq 159, length 40
15:47:51.380967 IP 10.8.0.2.53071 > dns.google.domain: 21121+ A? skype.msz.su. (30)
15:47:51.588973 IP 10.8.0.2.61803 > dns.google.domain: 61677+ A? mobile.pipe.aria.microsoft.com. (48)
15:47:52.009799 IP 10.8.0.2.50345 > dns.google.domain: 3296+ A? www.googleapis.com. (36)
15:47:52.017187 IP 10.8.0.2.62863 > dns.google.domain: 57464+ A? www.gstatic.com. (33)
15:47:53.000206 IP 10.8.0.2.62635 > dns.google.domain: 8169+ A? apps.bittorrent.com. (37)

OK, so everything works as it should. The problem now is that your router doesn't know the route back to the client IP (10.8.0.2). So you either need to configure a route on the router for 10.8.0.0/24 pointing to the Pi's LAN address, or you need to NAT the packets from the client on the Pi.

The router I have is just an out of the box router from my ISP, I can’t configure static routes.

I’ve got this solution working once before without needing a 3rd party router/managed router, just can’t figure out what’s wrong this time. How do I go about NATting the packages on the Pi?

Check the iptables rules here:

https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
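One way to set that NAT up on the Pi, as an added example that is not from the thread or the linked wiki page. It assumes the values seen in the thread (VPN subnet 10.8.0.0/24 on tun0, LAN on wlan0) and the iptables-legacy binary the user has; the rules are added only if not already present, so the script can be re-run safely:

```shell
#!/bin/sh
# Added example (not the thread's or the wiki's own script): masquerade the VPN
# client subnet behind the Pi's wlan0 address so the ISP router never has to
# route back to 10.8.0.x. Assumed values: 10.8.0.0/24, tun0, wlan0, iptables-legacy.
IPTABLES="${IPTABLES:-iptables-legacy}"

# Emit the needed rules, one per line: "<table> <chain> <match/target args>".
# Arguments: VPN_SUBNET VPN_IF LAN_IF
vpn_nat_rules() {
    vpn_subnet="$1"; vpn_if="$2"; lan_if="$3"
    # Let VPN traffic out to the LAN/internet and the replies back in.
    # (FORWARD policy is ACCEPT in the thread, but explicit rules survive a policy change.)
    echo "filter FORWARD -i $vpn_if -o $lan_if -s $vpn_subnet -j ACCEPT"
    echo "filter FORWARD -i $lan_if -o $vpn_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Rewrite the 10.8.0.x source to wlan0's own address on the way out.
    echo "nat POSTROUTING -s $vpn_subnet -o $lan_if -j MASQUERADE"
}

# Append each rule only when "iptables -C" says it is missing, so running the
# script again after a reboot or reconnect does not stack duplicate rules.
apply_vpn_nat() {
    vpn_nat_rules "$@" | while read -r table chain rest; do
        # shellcheck disable=SC2086  # word splitting of $rest is intended
        if ! "$IPTABLES" -t "$table" -C "$chain" $rest 2>/dev/null; then
            "$IPTABLES" -t "$table" -A "$chain" $rest
        fi
    done
}

# NAT is useless without forwarding; the thread already showed this returns 1.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Only touch the firewall when invoked explicitly:  sh vpn-nat.sh apply
if [ "$1" = "apply" ]; then
    check_ip_forward || sysctl -w net.ipv4.ip_forward=1
    apply_vpn_nat 10.8.0.0/24 tun0 wlan0
    "$IPTABLES" -t nat -S POSTROUTING   # show the resulting NAT rule
fi
```

Run it as root; the rules are lost on reboot unless saved (for example with the iptables-persistent package). After applying, tcpdump -i wlan0 host 8.8.8.8 on the Pi should show the echo requests leaving from the wlan0 address rather than from 10.8.0.2, and the replies coming back.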

These are the outputs of a 192.168.0.1 ping:

root@osmc:/etc/openvpn/server# tcpdump -i wlan0 host 192.168.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:58:20.770506 IP 10.8.0.2 > _gateway: ICMP echo request, id 1, seq 164, length 40
15:58:21.328307 ARP, Request who-has osmc tell _gateway, length 42
15:58:21.328393 ARP, Reply osmc is-at b8:27:eb:5a:7f:ae (oui Unknown), length 28
15:58:25.771260 IP 10.8.0.2 > _gateway: ICMP echo request, id 1, seq 165, length 40
15:58:30.777905 IP 10.8.0.2 > _gateway: ICMP echo request, id 1, seq 166, length 40
15:58:34.334434 ARP, Request who-has _gateway tell osmc, length 28
15:58:34.336985 ARP, Reply _gateway is-at c0:05:c2:d0:51:48 (oui Unknown), length 42

Same story: your router doesn't know what to do with 10.8.0.2.
Either do the NAT as indicated or (not a nice solution) take some 192.168.0.x addresses for your OpenVPN clients.

So I’ve done the NAT rules in the iptables (iptables-legacy on my Pi) as outlined in the second half of the article you linked (“Using routing and OpenVPN not running on the default gateway”)

No ping from W10 laptop to 8.8.8.8 or 192.168.0.1

  1. Show the tcpdump output again.
  2. Show the iptables rules.