Compare: FAQ

Showing with 324 additions and 103 deletions.
  1. +115 −55 FAQ.md
  2. +33 −48 Home.md
  3. +105 −0 OpenVPN.md
  4. +71 −0 WireGuard.md
170 changes: 115 additions & 55 deletions FAQ.md
@@ -1,89 +1,149 @@
# FAQ (Frequently Asked Questions)
## What boards/OSes does PiVPN support?
PiVPN runs at least on the following boards:
* Raspberry Pi 1/2/3 running Raspbian Jessie, Raspbian Jessie Lite.
* All SBC's running DietPi. This is currently: Raspberry Pi's (all models), Odroid C1, Odroid C2 (arm64), Odroid XU3/4, Pine A64, NanoPi NEO, NanoPi NEO Air, NanoPi M1, NanoPi M2/T2, NanoPi M3/T3, Banana Pi Pro Banana Pi M2+, OrangePi PC and OrangePi One
* Most servers running a Debian or Ubuntu based distro.

### What About Octopi?
## Links to protocol specific FAQs

https://github.com/guysoft/OctoPi/issues/373 OctoPi doesn't play well with PiVPN installer as they use a git wrapper that blocks it from running as root user.
- [WireGuard](https://github.com/pivpn/pivpn/wiki/WireGuard)
- [OpenVPN](https://github.com/pivpn/pivpn/wiki/OpenVPN)

To disable the git wrapper please do: `sudo rm /root/bin/git`
## How do I troubleshoot connection issues?

## Can I change the hostname, the IP address, protocol or port after the install?
Yes. To change the hostname or IP address, you will need to change `/etc/openvpn/easy-rsa/pki/Default.txt` and your `.ovpn` files if you have already generated them.
### Preliminary checks

## My ISP doesn't give me a static external IP address, so my servers IP address keeps changing!
You will need a dynamic DNS service and a hostname. If your IP address changes, your hostname will then automatically point to the new IP address. Some free dynamic DNS services are <http://noip.com> or <http://freedns.afraid.org/>.
- Confirm that all checks are [OK] using `pivpn -d`.

## Installing with Pi-hole
You can safely install PiVPN on the same Raspberry Pi as your Pi-hole install, and point your VPN clients to the IP of your Pi-hole so they get ad blocking, etc. Here's how:
In our case:

1. Create a new file `sudo nano /etc/dnsmasq.d/02-pivpn.conf`
2. Add `interface=tun0` inside to tell Pi-hole to listen on the VPN interface as well
3. Save the file end exit
4. Restart Pi-hole with `pihole restartdns`
5. Edit the server config with `sudo nano /etc/openvpn/server.conf`
6. Remove every `push "dhcp-option DNS [...]"` line
7. Add this line `push "dhcp-option DNS 10.8.0.1"` to point clients to the PiVPN IP
8. Save the file and exit
9. Restart openvpn with `sudo systemctl restart openvpn`
```
$ pivpn -d
[...]
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp
=============================================
[...]
```

If your debug log shows some [ERR], accept the [Y/n], run `pivpn -u` again and verify that all checks pass. If not, stop here and look up the error (if you get any) among existing issues or open a new issue.

## Allow Clients to connect but block their access to the internet
***

If you don't want your VPN clients to be able to access the internet simply comment the following line in `/etc/openvpn/server.conf`
- Verify that the server is running.
- OpenVPN, restart the server with `sudo systemctl restart openvpn`, run `pivpn -u` and confirm that the snippet of the server log ends with `Initialization Sequence Completed`.
- WireGuard, restart the server with `sudo systemctl restart wg-quick@wg0`. Run `lsmod | grep wireguard` and confirm that you get at least this output (numbers don't matter).

```
push "redirect-gateway def1"
wireguard 225280 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguard
```

**If you remove the above PUSH command, you'll need to add a route PUSH command to get access to your LAN.
Add the PUSH command:**
***

- Acquire the installation settings using `cat /etc/pivpn/setupVars.conf`.

```
[...]
IPv4dev=eth0 <--- Network interface you have chosen
IPv4addr=192.168.23.211/24 <--- IP address of the Raspberry Pi at the time of installation
(only consider the 192.168.23.211 part)
IPv4gw=192.168.23.1 <--- Gateway IP, which you will type into a web browser to open
the management interface
`push "192.168.2.0 255.255.255.0"`
pivpnPROTO=udp <--- Protocol you need to use in the port forwarding entry (if
you are using WireGuard, then you won’t see this line. In
such a case, the protocol is always udp)
**Ensure that the IP and netmask match what the VPN side of the network is.**
pivpnPORT=1194 <--- Port you need to forward
## How Can I Migrate my configs to another PiVPN Instance?
pivpnHOST=192.0.2.48 <--- Public IP or DNS name your clients will use to connect to
the PiVPN
[...]
```

***

you can achieve that by copying your /etc/openvpn folder to your new Raspberry pi, one method that works is using scp.
- Check that the current IP address of the interface `IPv4dev` is the same as `IPv4addr`. You can see the current IP with `ip -f inet address show IPv4dev`.

Example:
In our case:

```
$ ip -f inet address show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
`inet 192.168.23.211/24 brd 192.168.23.255 scope global dynamic eth0
valid_lft 84694sec preferred_lft 84694sec
```
scp -pr /etc/openvpn/ root@192.168.101.124:/etc/

Confirmed: `192.168.23.211` is the same as the content of the `IPv4addr` variable.

If it's not the same, go to your router admin webpage and reserve the static IP `IPv4addr` to the MAC address of the `IPv4dev` interface. To show the MAC address: `cat /sys/class/net/IPv4dev/address`. Then reboot the Raspberry Pi.

***

- Check that the current public IP of your connection is the same as `pivpnHOST`. To check the current public IP: `curl -s https://checkip.amazonaws.com`.

In our case:

```
$ curl -s https://checkip.amazonaws.com
192.0.2.48
```

Confirmed: `192.0.2.48` is the same as the content of the `pivpnHOST` variable.

If the IP is different, then update the IP using the [OpenVPN](https://github.com/pivpn/pivpn/wiki/OpenVPN#how-do-i-change-the-public-ipdns-name-of-the-pivpn-after-the-install) or [WireGuard](https://github.com/pivpn/pivpn/wiki/WireGuard#how-do-i-change-the-public-ipdns-name-of-the-pivpn-after-the-install) guide. If your IP changes frequently, the norm on most home connections, consider using a [Dynamic DNS](https://github.com/pivpn/pivpn/wiki#my-isp-doesnt-give-me-a-static-external-ip-address-so-my-servers-ip-address-keeps-changing).

If you are already using a DDNS, and thus `pivpnHOST` contains your domain name, use `dig +short yourdomain.example.com` to check whether the returned IP matches `curl -s https://checkip.amazonaws.com`.

### Packet capture

## How to resolve local hostnames?
We will use `tcpdump` take a peek into the network interface to see if packets are reaching our Raspberry Pi.

to resolve local hostnames all you have to do is to use your router as DNS Server instead of using other public DNS providers.
If you have already a working installation of OpenVPN, all you need to do is to edit `/etc/openvpn/server.conf` and change the following line:
First off, if you want to test the connection using your smartphone as a client, make sure to use MOBILE DATA, do not test from the same network where the Raspberry Pi is located. If you want to use a PC, connect to the internet via TETHERING/HOTSPOT.

Connecting from the same network as the server not only doesn't make sense (you are already inside the network the VPN is supposed to connect you to) but may not work with many routers.

From your device, go to https://ipleak.net and check what's your IP address, let's say we have 192.0.2.45.

1. Open a root shell: `sudo -s`
2. Install tcpdump: `apt install tcpdump -y`
3. Run `tcpdump -n -i IPv4dev pivpnPROTO port pivpnPORT` (it will block the terminal but don't worry)
4. Try to connect from your device
5. Shortly after you should see some packets being exchanged between your Raspberry Pi and your device

In our case:

```
#Assuming your router IP address is 192.168.1.1
push "dhcp-option DNS 192.168.1.1"
# tcpdump -n -i eth0 udp port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:57:38.952503 IP 192.0.2.45.28050 > 192.168.23.211.1194: UDP, length 32 <--- Your device sent a packet to the Raspberry Pi
10:57:49.109202 IP 192.168.23.211.1194 > 192.0.2.45.28050: UDP, length 128 <--- Your Raspberry Pi responded to your device
10:57:49.144774 IP 192.0.2.45.28050 > 192.168.23.211.1194: UDP, length 128
10:57:59.490185 IP 192.168.23.211.1194 > 192.0.2.45.28050: UDP, length 32
```
Alternatively you can change `/etc/hosts` file and add `<IPAddress> <hostname>`
Example:

You are looking at udp or tcp packets coming to your Raspberry Pi on the port you specified, via the network interface (ethernet or wifi) you chose. The example output above is a successful conversation.

Here's an unsuccessful one (no packets reach the Raspberry Pi):

```
192.168.1.1 JohnDoeRouter
192.168.1.2 JohnDoePC
192.168.1.3 JaneDoePC
192.168.1.4 CatPC
192.168.1.5 DogPC
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
```
## How to kick a connected client

from Issue #577
6. Press CTRL-C to stop the capture
7. Exit the root shell: `exit`

1. Stop the server with `sudo systemctl openvpn stop`
2. Edit the server config with `sudo nano /etc/openvpn/server.conf`
3. Add this line`management 127.0.0.1 PORT` (replace PORT with a port number, like 1234)
3. Save the file and exit
5. Start the server with `sudo systemctl openvpn start`
### What to do if I see no packets?

To connect to the management interface, use `nc 127.0.0.1 PORT`, then disconnect a client with `kill CLIENTNAME`, use CTRL-C to exit.
- If you set up PiVPN with ethernet and later switched to wifi, you will have a different IP. Easiest way to fix is to reinstall and pick the new network interface.
- Check if your ISP uses Carrier-grade NAT (check online). With CGNAT, your router gets a private IP, making port forwarding ineffective. This is mostly the norm if your router connects via 4G/LTE. If that's the case, you need to ask the ISP for a public IP.
- If you see packets coming, but no response from the Pi, it may indicate routing issues, attempts to block the connection (on either side), or poor connectivity. In all cases, try to connect from a different network.
- You may have misconfigured firewall rules on your Pi, open an issue and add the output of `sudo iptables -S` and `sudo iptables -t nat -S`.

More info [here](https://openvpn.net/community-resources/management-interface/). Consider also setting a password on the management interface as suggested on the [manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage).
If you performed all the following steps and suggestions, but you still can't connect, open a new issue showing all the steps you followed to troubleshoot. Include the packet capture as well (censor client IPs if you want). Remember to follow the ISSUE TEMPLATE.
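
Review bot: The two new references to `pivpn -u` do not match the command this section introduces and demonstrates, `pivpn -d`. They appear in the sentence after the self-check example ("run `pivpn -u` again and verify that all checks pass") and in the OpenVPN bullet under "Verify that the server is running". "Again" only makes sense for `pivpn -d`, and the self-check output and server log snippet are shown as output of `pivpn -d`, so both occurrences should probably read `pivpn -d`. A reader copying the flag verbatim while troubleshooting will otherwise run a different subcommand than the one the text describes. Two smaller wording points in the same hunk: the closing paragraph says "If you performed all the following steps" although the steps come before it, so "all the steps above" would be clearer, and "We will use `tcpdump` take a peek" is missing "to". It would also help to say explicitly that `IPv4dev`, `pivpnPROTO` and `pivpnPORT` in the `ip`, `cat /sys/class/net/...` and `tcpdump` commands are placeholders for the values read from `setupVars.conf`, since as written they look like literal arguments.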