No Internet Access and No LAN Access #151

Closed
soehlert opened this issue Nov 14, 2016 · 58 comments

Comments

@soehlert

commented Nov 14, 2016

PiVPN Issue Template

Console output of curl install.pivpn.io | bash


Console output of pivpn add or pivpn add nopass


Console output of pivpn debug

```
:: PiVPN Debug ::
:: Latest commit ::
commit 2468c69d9aef5522b04b65d411df5ab97c465fba
Author: Kaladin Light <0.kaladin@gmail.com>
Date:   Fri Nov 11 21:55:47 2016 -0500

    Fix escaping stuff in for password of client key
    Was overzealously escaping... oops
:: list of files in /etc/openvpn/easy-rsa/keys ::
01.pem	Default.txt  ca.key	 index.txt	 index.txt.attr.old  macbookpro.3des.key  macbookpro.csr  macbookpro.ovpn  serial.old  server.csr  ta.key
02.pem	ca.crt	     dh2048.pem  index.txt.attr  index.txt.old	     macbookpro.crt	  macbookpro.key  serial	   server.crt  server.key
:: /etc/pivpn/* ::
:: START /etc/pivpn/DET_PLATFORM ::
Ubuntu
:: END /etc/pivpn/DET_PLATFORM ::
:: START /etc/pivpn/INSTALL_PORT ::
1194
:: END /etc/pivpn/INSTALL_PORT ::
:: START /etc/pivpn/INSTALL_PROTO ::
udp
:: END /etc/pivpn/INSTALL_PROTO ::
:: START /etc/pivpn/INSTALL_USER ::
deploy
:: END /etc/pivpn/INSTALL_USER ::
:: START /etc/pivpn/NO_UFW ::
1
:: END /etc/pivpn/NO_UFW ::
:: START /etc/pivpn/REVOKE_STATUS ::
0
:: END /etc/pivpn/REVOKE_STATUS ::
:: /etc/openvpn/easy-rsa/keys/Default.txt ::
client
dev tun
proto udp
remote dnsname.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1
:: done ::
```

Issue

I am unable to connect to either the internet or the other hosts on my LAN (using IPs, not even trying DNS). My local subnet at home is 192.168.1.0/24 and I am able to ping my router at 192.168.1.1, but nothing else.

@0-kaladin

Member

commented Nov 17, 2016

What OS is this installed on?

@soehlert

Author

commented Nov 17, 2016

Sorry for forgetting such an obvious thing.. Ubuntu 16.04

@0-kaladin

Member

commented Nov 18, 2016

OK. I'll test on that again.

On Thu, Nov 17, 2016, 15:49 Sam Oehlert notifications@github.com wrote:

> Sorry for forgetting such an obvious thing.. Ubuntu 16.04



@0-kaladin

Member

commented Nov 19, 2016

Might be related to Issue #80

0-kaladin added the bug label Nov 19, 2016

@soehlert

Author

commented Nov 19, 2016

Unfortunately not. For more info, I also run pihole on my LAN. My /etc/resolv.conf on my vpn host points to that. The vpn host itself is able to reach the internet fine and resolve everything locally just fine.

@mitchellurgero

commented Nov 22, 2016

/etc/openvpn/server.conf is misconfigured maybe, mine was:

server.conf it pushes route to x.x.x.x where x.x.x.x is your server's ip when it should be a subnet: EG: 192.168.1.0

@soehlert

Author

commented Nov 23, 2016

Thanks for the thought, but it already is my LAN subnet. 192.168.1.0/24

push "route 192.168.1.0 255.255.255.0"

@mitchellurgero

commented Nov 23, 2016

What is your IPTables output? and could you post your whole server.conf file?

@brunoamaral

commented Nov 26, 2016

just had the same problem, fixed it by editing iptables:

```
sudo /sbin/iptables -P FORWARD ACCEPT
sudo /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
```

@soehlert

Author

commented Nov 27, 2016

I am currently only using a hardware firewall in front of the host. IPtables is off.

```
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.1.22"
push "dhcp-option DNS 8.8.8.8"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite.
```

@mplawner

commented Nov 29, 2016

Having the same issue. Not sure if it matters, but I'm running pihole on the same machine.
I can access my router and the pihole admin pages via IP so it appears to be a DNS issue. However, I've modified my openvpn server settings to (a) push the eth0 IP (pihole dns), (b) push the eth0 IP and the tun0 IP (pihole dns), (c) router (which upstreams to my service provider), and (d) google DNS. None worked. I also completely removed the push of DNS, and the client indicated it used a Google default DNS, also with no luck. My client is an iOS device, so I have limited tools to check client configurations.

@0-kaladin

Member

commented Nov 30, 2016

maybe what pihole adds to iptables is conflicting with this installer's adds?
can you print out your iptables config here?

@mplawner

commented Nov 30, 2016

I didn't think that pihole added anything to iptables.

```
[pi@pi:/etc/init.d $ sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Wed Nov 30 13:29:56 2016
*filter
:INPUT ACCEPT [1829:350272]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [862:110897]
COMMIT
# Completed on Wed Nov 30 13:29:56 2016
```

@soehlert

Author

commented Nov 30, 2016

I don't have pihole installed on the same host. I don't want my issue to get conflated with that.

@mplawner

commented Nov 30, 2016

I don't believe it has to do with pihole, just providing that information knowing pivpn and pihole use similar approaches. I'm not using iptables, and I am not using ufw.

@0-kaladin

Member

commented Dec 1, 2016

Isn't that the issue? You need to have some rules to have the vpn client traffic masquerade out. The pivpn script puts these in yet you say you don't have them. Add the iptables lines and enable iptables and your client should be able to route out.
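
The requirement described in the comment above, as an added check that is not part of the thread or of PiVPN's installer: it reads `iptables-save` output and reports whether a MASQUERADE rule for the VPN subnet exists and whether the FORWARD chain would drop the traffic. The function names are hypothetical, `DUMP_FIXED` and `DUMP_DROP` are constructed samples, and `DUMP_THREAD` is the dump posted earlier in this thread.

```bash
# Added example (not PiVPN code): audit iptables-save output for VPN NAT rules.

# has_masquerade DUMP SUBNET IFACE: succeeds if the nat table has a POSTROUTING
# MASQUERADE rule for SUBNET via IFACE (a rule without -s/-o matches any).
# Sources are compared as text, not by CIDR; negated matches are not handled.
has_masquerade() {
    printf '%s\n' "$1" | awk -v subnet="$2" -v iface="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-A POSTROUTING / && /-j MASQUERADE/ {
            src = ""; out = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if ((src == "" || src == subnet) && (out == "" || out == iface)) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# forward_policy DUMP: print the policy of the filter table's FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { print $2; exit }'
}

# audit_ruleset DUMP SUBNET IFACE: print findings, return the problem count.
audit_ruleset() {
    local problems=0
    if ! has_masquerade "$1" "$2" "$3"; then
        echo "MISSING: -t nat -A POSTROUTING -s $2 -o $3 -j MASQUERADE"
        problems=$((problems + 1))
    fi
    # Heuristic: jumps into user-defined chains (such as ufw's) are not followed.
    if [ "$(forward_policy "$1")" = "DROP" ] &&
       ! printf '%s\n' "$1" | grep -q -- '-A FORWARD .*-j ACCEPT'; then
        echo "BLOCKED: FORWARD policy is DROP and the chain has no ACCEPT rule"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# The filter-only dump posted earlier in the thread: it has no nat table.
DUMP_THREAD='*filter
:INPUT ACCEPT [1829:350272]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [862:110897]
COMMIT'

# Constructed sample: a ruleset that contains the MASQUERADE rule.
DUMP_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed sample: rule present, but the FORWARD chain drops everything.
DUMP_DROP=$(printf '%s\n' "$DUMP_FIXED" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')
for dump in "$DUMP_THREAD" "$DUMP_FIXED" "$DUMP_DROP"; do
    if audit_ruleset "$dump" 10.8.0.0/24 eth0; then echo "OK: rules present"; fi
done
```

Pass it the output of `sudo iptables-save` to check the live rules, or the contents of a saved rules file to check what is restored at boot.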

@mplawner

commented Dec 1, 2016

Hmm. That makes sense. Perhaps the problem is that the current pivpn installation has a bug in the script and isn't setting up the iptables? What rules are supposed to be in the iptables?

@mplawner

commented Dec 1, 2016

Perhaps I found it in the installation script:

```
if hash ufw 2>/dev/null; then
    if $SUDO ufw status | grep -q inactive
    then
        noUFW=1
    else
```

I don't have ufw installed, so the status doesn't have "inactive" in the response, so it jumps to the else state and configures ufw. Whereas, it should have jumped to the then state and configured iptables (which it doesn't appear to have done).

@mplawner

commented Dec 1, 2016

I think I've got it...

I believe that there are 2 problems:

  1. Routing. I believe the pivpn installation script doesn't set the iptables when ufw isn't installed (as mentioned in my previous post). Once I added in the iptables configuration, and set the DNS server to either my router, OpenDNS, Google, my provider's DNS, etc. I was able to browse the internet without issue but NOT using the pihole running on my network.
  2. pihole restriction - Although the dnsmasq.conf file doesn't have any restrictions, I see dnsmasq is running with --local-service option, which I believe is restricting responses from clients on the VPN network. Testing now....

@mplawner

commented Dec 1, 2016

Pihole restriction confirmed.

According to dnsmasq documentation, by default it runs with the --local-service option (confirm yourself by running ps -aux | grep dnsmasq on your pihole server). This option "[a]ccept[s] DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks."

To resolve, on pihole server add the following line to /etc/dnsmasq.conf:

```
listen-address=127.0.0.1,ww.xx.yy.zz
```

where ww.xx.yy.zz is the ip address of your pihole server.
Restart dnsmasq.conf

```
sudo /etc/init.d/dnsmasq restart
```

IF you are running pihole and pivpn on the same server, you could instead use:

```
interface=eth0,wlan0,tun0
```

or

```
listen-address=127.0.0.1,ww.xx.yy.zz,10.8.0.1
```

where ww.xx.yy.zz is the ip address of your pihole server and assuming 10.8.0.1 is your pivpn server ip.

Hope that helps!

@0-kaladin

Member

commented Dec 1, 2016

@mplawner per your

  1. above, it does set iptables

```
# else configure iptables
    if [[ $noUFW -eq 1 ]]; then
        echo 1 > /tmp/noUFW
        $SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
        if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
            $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
        else
            $SUDO netfilter-persistent save
```

question is why didn't that seem to work on your install.
You never stated which OS you are on, the more details you can provide the more we can try to figure out why the iptables rules didn't get applied or saved on your machine. Ideally you can run an uninstall and reinstall and paste in the install output where it probably had any errors it encountered.

  1. for the pihole, I'll probably just add this to the wiki so we can direct those who have pihole on same server the modification to make to get it to work.

@0-kaladin

Member

commented Dec 1, 2016

@soehlert try running the iptables commands I pasted above where $IPv4dev is your interface, like eth0 or wlan0.
so if you are on raspbian with a network cable plugged in just run as root:

```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "eth0" -j MASQUERADE
netfilter-persistent save
```

@mplawner

commented Dec 1, 2016

@0-kaladin Thanks for your reply.

Sorry, version info:

```
pi@applepi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 8.0 (jessie)
Release:	8.0
Codename:	jessie
pi@applepi:~ $ uname -a
Linux applepi 4.4.32-v7+ #924 SMP Tue Nov 15 18:11:28 GMT 2016 armv7l GNU/Linux
```

I believe the problem is further up in the script:

```
if hash ufw 2>/dev/null; then
    if $SUDO ufw status | grep -q inactive
    then
        noUFW=1
    else
```

If I run the above command:

```
pi@applepi:~ $ sudo ufw status | grep -q inactive
sudo: ufw: command not found
```

This would then skip the "then" statement and go right into configuring ufw. iptables wouldn't be set because noUFW would never be set to 1. (And if [[ $noUFW -eq 1 ]]; then later in the code would never be true, which is needed.)

Perhaps you are missing the word service?

```
if $SUDO service ufw status | grep -q inactive
```

@mplawner

commented Dec 1, 2016

I believe this entered the code in May when you added support for ufw. I can see an issue #55 back in July which indicates the same problem.

@0-kaladin

Member

commented Dec 1, 2016

I think the code is right but I'll retest. The first hash line checks if ufw exists. And you don't need service first cause if you have ufw then ufw status is a valid command.

@soehlert

Author

commented Dec 2, 2016

This did not help. Still the same situation.

@0-kaladin

Member

commented Dec 2, 2016

Can you just uninstall and reinstall and paste in the output of the whole install?

@0-kaladin

Member

commented Dec 4, 2016

so @chrismelikian the script knew you were raspbian and didn't have ufw. which means it would have run the exact commands you said worked for you. No idea why they didn't seem to take when the script ran them. I'd have to see the install output during install to have clues to that.
no one who reports no internet access has pasted in the install output. that would really help.

@chrismelikian

commented Dec 4, 2016

Hi @0-kaladin all I can say is that I started with a fresh Debian Jessie lite image from https://www.raspberrypi.org/downloads/raspbian/ . The only thing I did before the pivpn install was to change the SSH configuration to prevent password-based login after doing an apt-get update/upgrade. I know the pivpn script does this anyway but I wanted to run it beforehand.

@chrismelikian

commented Dec 4, 2016

I can't risk running the installer again, I need it up and running. Can try again in the new year if you've not been able to fix it.

@soehlert

Author

commented Dec 6, 2016

Sorry, life has a funny way of getting in the way. Will try a full new install and post the results here ASAP.

@0-kaladin

Member

commented Dec 7, 2016

@soehlert

Author

commented Dec 8, 2016

So my entire infrastructure died (both servers' disks died). In the coming weeks, I'll be rebuilding as I get time. The problem with this idea, however, is that I could not even ping anything on my network by IP, nor could I ping anything outside by IP. So DNS was not the problem (yet?).

@jwdv22

commented Dec 16, 2016

This was the error I received when installing PiVPN this morning, after installing Pi-Hole last night.

pivpninstallationerror
Hope that helps. I can update more once it is done generating the DH

@0-kaladin

Member

commented Dec 16, 2016

@jwdv22

commented Dec 16, 2016

@jwdv22

commented Dec 16, 2016

Went through second install just fine. But I still get disconnected immediately from my Win 7 laptop client.
Options error : Unrecognized option or missing parameter(s) in stdin"11" tls-version-min (2.1.1oOAS)

Client OVPN file says tls-version-min 1.2

I have other problems. Sorry

@0-kaladin

Member

commented Dec 16, 2016

@jwdv22

commented Dec 16, 2016

Old OpenVPN Client.msi but open to try an alternative
I removed it from server.conf and rebooted -- no luck, then removed it from client.ovpn and it errored on the next parm of verify-x509-name

@0-kaladin

Member

commented Dec 16, 2016

yea just use a new one and it'll work https://openvpn.net/index.php/open-source/downloads.html

@jwdv22

commented Dec 16, 2016

That fixed it. And I can confirm I am seeing ads blocked in the Pi_Hole console from 10.8.0.2 when VPNing from laptop to my Verizon Wireless hotspot. Thanks so much this is awesome

@kjunggithub

commented Jan 11, 2017

On Raspbian Jessie here, just typed in those 2 commands from @brunoamaral and it works fine now!

@drvan

commented Jan 25, 2017

Just did a fresh install of Raspbian Jessie Lite on a pi3, and had the same issue - no Internet, no LAN access. Like other posters, I was able to solve it by re-adding the iptables rules. Nothing to note in the install log:

```
:::
::: Stopping OpenVPN service... done.
:::
::: Checking for existing base files...
:::    Checking /etc/.pivpn is a repo...:::    Cloning https://github.com/pivpn/pivpn.git into /etc/.pivpn... done!
:::
::: Installing scripts to /opt/pivpn... done.
::: Using protocol: udp
::: Building CA...

::: CA Complete.

Note: using Easy-RSA configuration from: ./vars

Note: using Easy-RSA configuration from: ./vars

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

net.ipv4.ip_forward = 1
::: Using Google DNS servers.
```

@0-kaladin

Member

commented Jan 25, 2017

@drvan

commented Jan 25, 2017

I selected eth0, as best as I can recall (both eth0 and wlan0 were available, if I recall correctly).

@stualoo

commented Feb 20, 2017

Hi,

Same issue here on Raspbian Jessie - installed, but no internet/LAN access after installation (and reboot as recommended at end of installation).

Doing the...

```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "eth0" -j MASQUERADE
netfilter-persistent save
```

... commands (given above) fixed the problem and I had internet access working straight away without rebooting.
However, after rebooting the Pi, nothing works again. Just using the first command fixes the issue, not sure what the 2nd should do? Save the ip table? (Newb!) Will research more...

Here is the output when I type the above code anyway...:

```
pi@pi:~ $ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "eth0" -j MASQUERADE
pi@pi:~ $ sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
```

Any recommendations for getting it to save fully?

@KaosCreator69

commented Feb 20, 2017

Hey Thanks stualoo, that is what I needed for it to work for me also! Just not going to reboot it lol

@stualoo

commented Feb 20, 2017

This looks like one way to get it to work on reboot... #182

But, I was wondering if there was another method to get the "save" to work :-) (newb here) or a reason why it might not be holding the setting of the ip table.

Also willing to help test/install everything again fresh to see what the issue is with the installation script if necessary :-) Maybe the routes are put in place and then are lost at reboot at end of installation, not sure, I don't (yet) know enough! :-)

@ghost

commented Apr 17, 2017

Does not work on a fresh install on normal, up-to-date Raspbian (I have tried 2x). I have tried the linked solution (#182), have tried opening the firewall too, and have tried this solution.

More info: when I connect my client to the VPN I can see one of my cores at 100%, and in the "ifconfig" output for the "tun0" interface some GB are sent within a few seconds but nothing is received.

Edit: it does not work on Raspbian Lite either.
If anybody has a solution, please

@cuckovich

commented May 2, 2017

I have this installed on Pi 2. Everything works fine from android devices LAN/internet, but from an iPod ios 9.3 there is no LAN. LAN from iPod ios will show only router, ap, and printer. Android 5, 6, and 7 all work fine.

Using OpenVPN on all devices. Any ideas?

@4s3ti

Member

commented Jun 30, 2017

@redfast00 this is labeled as a bug ... however, i think this can be closed ... there are some failures related to this but aren't usually directly related to PiVPN ... what do you think?

@redfast00

Member

commented Jun 30, 2017

Sure, I'll close it.

redfast00 closed this Jun 30, 2017

@andkal

commented Jan 3, 2019

> just had the same problem, fixed it by editing iptables:
>
> sudo /sbin/iptables -P FORWARD ACCEPT
> sudo /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

Hi!

I had the same problem, and no pihole is installed in the same or other server. The first line:
sudo /sbin/iptables -P FORWARD ACCEPT
actually solved the problem which I had been struggling with for a while.
I don't really know what the second line is for, but it really seems it is working. Thanks a lot! :) 👍

kriscs1 referenced this issue May 22, 2019