
I set up PiVPN on my Pi 3B. I have a Windows computer. I can connect through OpenVPN GUI on Windows to my Pi, because I changed the WAN address of my router in the original .ovpn config file that my PiVPN generated to my Pi's local IP address. However, when I change it back to my external IP address for my router (Bell 3000), I cannot connect from Windows to the Pi's VPN. OpenVPN GUI is allowed through my Windows Defender Firewall. I've port forwarded port 443 externally and internally from my router to my Pi. I've tried adding my Pi to the DMZ on my router to no avail. What can I do to fix this issue? I've added a picture for more clarification.

Edit - Here is my OVPN Config that works:

client
dev tun
proto udp
remote 192.168.2.37 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_08XRL6zHTfDaymUK name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBnzCCAUWgAwIBAgIJAJbJod1X+
...
+W1kN37CaTI/qocSTEyGc=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBuDCCAV2gAwIB
...
+H5wVZ4
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GC
...
Pa52i051Fudhrk=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
bb0a39e1d55a264e237db76c5d9dc3ce
...
1425af36d2449f2c935b794e06407514
-----END OpenVPN Static key V1-----
</tls-crypt>

I've removed all the key contents. The original that didn't work had my router's WAN IP instead of 192.168.2.37.

Update: I have just tested it from another network; I can ssh to the Pi through port forwarding, but OpenVPN still does not work.

Raymo111

1 Answer


Info: To have a simple openvpn server installation for reference look at Simple openVPN with static keys.

The first idea seeing the picture was that you confused WAN- and LAN-address. But let's look at how I understand the setup so far with this example. I assume wifi and wired ethernet are bridged on the router (having the same ip address range).

                 vpn tunnel                         ┌──────────┐
       ╔═══════════════════════════════════════════════════════════ vpn client
RPi(eth0) <----------------> router <-------------> │ INTERNET │
         \     wired        /      \      wan       │          │
   192.168.4.2       192.168.4.1   172.217.18.174   └──────────┘
               wifi       /         (public ip)
      PC <~.~.~.~.~.~.~->/
        \
   192.168.4.3

Following this setup you can see that it makes no sense to try to connect from internal to the RPi with the public ip address 172.217.18.174. This is only important for the VPN client outside in the internet.

Update from the comments:
You want to connect to the VPN server from outside everywhere in the internet. For testing you simply want to use the PC on your local area network, go to the internet and then try to connect to the tunnel like an external vpn client. As far as I can see this cannot work because PC and router are on the same local area network. Either the router sees the private source ip address 192.168.4.3 from the PC on its wan port 172.217.18.174, then it will reject it because no router accepts private ip addresses coming from the internet by specification. Or the router will NAT the PC's address to its wan port 172.217.18.174 as usual. Then you try to connect to the tunnel's outside ip 172.217.18.174 from the (NATed) PC ip 172.217.18.174. I don't think that equal source and destination addresses are accepted.

To test such situations I use a second independent 4G internet connection with my cell phone. Then the request to the router comes from a real outside internet address.

If you have established a VPN tunnel from the outside VPN client to the VPN server on the RasPi then the VPN client gets part of the local area network, just like it's locally connected to it. The tunnel can be seen as a very long secured ethernet cable plugged in on the VPN client on one side and plugged in on the RasPi on the other side. There is no way back what you mean. But with the PC as part of your local area network it could be possible that you can connect to the internet like any other PC on that local network, not through the tunnel. I haven't tested it. There are specific routes set on the VPN client so this may avoid it.

If you still cannot connect from the outside public ip address it is difficult to say what's wrong with PiVPN for Jessie you installed on Stretch, with your DMZ and internal and external port forwarding, whatever this means. You should start again from a fresh flashed Raspbian Stretch Lite image, install OpenVPN on it and configure it as VPN server, not using preconfigured PiVPN and not using a DMZ. I will have a look at such a setup but it will take some days.

Ingo
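The following is an added example, not code from the question, the answer, PiVPN or OpenVPN. It turns the two points made above into a check a practitioner can run before touching the router: it parses an .ovpn profile (skipping the inline key material), reads the `remote` directive, and classifies what a client on a given network should expect from that address: a LAN address works only from the same LAN, a public WAN address from inside the LAN needs hairpin NAT on the router (which the answer explains usually fails), and a public address from an outside network depends on the port forward. It also flags the hardening directives the poster's PiVPN profile carries (`remote-cert-tls server`, `tls-version-min 1.2`, `verify-x509-name`, `auth-nocache`, a `tls-crypt` or `tls-auth` block) when a profile lacks them. The sample profile is constructed from the question's with the key bodies and certificate name replaced by placeholders; the carrier-grade NAT check (100.64.0.0/10) is a general caveat added here, since a router whose WAN address falls in that range cannot expose a port no matter how it is forwarded.

```python
"""Classify an OpenVPN profile's `remote` target against the network the client
sits on, and report missing hardening directives. Added illustration only."""
import ipaddress
import re

# Constructed sample: shape of the poster's PiVPN profile, key material elided.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 192.168.2.37 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_PLACEHOLDER name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598: ISP-side NAT, no inbound forwarding possible

# Directive -> accepted values (None: presence is enough). tls-crypt/tls-auth are inline blocks.
EXPECTED = {
    "remote-cert-tls": {"server"},      # refuse a peer presenting a client certificate as server
    "tls-version-min": {"1.2", "1.3"},
    "verify-x509-name": None,           # pin the expected server certificate name
    "auth-nocache": None,               # don't keep the key passphrase in memory
}

def parse_ovpn(text):
    """Return (directives, blocks): directives as (name, [args]) in file order, blocks as the
    set of inline tag names. Bodies of inline blocks are skipped, so no key material is kept."""
    directives, blocks, inside = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([A-Za-z0-9-]+)>", line)
        if tag:
            closing, name = tag.groups()
            inside = None if closing else name
            if not closing:
                blocks.add(name)
            continue
        if inside is None:
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks

def remote_endpoint(directives):
    """First `remote host [port [proto]]` directive; OpenVPN's default port is 1194."""
    for name, args in directives:
        if name == "remote" and args:
            return args[0], (int(args[1]) if len(args) > 1 else 1194)
    return None

def address_kind(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "cgnat" if addr in CGNAT else "public"

def classify(remote_host, client_lan=None):
    """client_lan: the IPv4 network the client is on, or None for an outside network
    (e.g. the answer's 4G phone test)."""
    if remote_host is None:
        return "no-remote"
    kind = address_kind(remote_host)
    if kind == "hostname":
        return "resolve-first"           # classify the resolved address instead
    if kind == "cgnat":
        return "isp-nat-blocks-forwarding"
    if kind == "rfc1918":
        on_lan = client_lan and ipaddress.ip_address(remote_host) in ipaddress.ip_network(client_lan)
        return "lan-direct" if on_lan else "private-not-routable"
    return "needs-port-forward" if client_lan is None else "hairpin-nat"

def missing_hardening(directives, blocks):
    found = {name: args for name, args in directives}
    missing = [name for name, ok in EXPECTED.items()
               if name not in found or (ok is not None and (not found[name] or found[name][0] not in ok))]
    if not ({"tls-crypt", "tls-auth"} & blocks):
        missing.append("tls-crypt|tls-auth")
    return missing

def diagnose(text, client_lan=None):
    directives, blocks = parse_ovpn(text)
    endpoint = remote_endpoint(directives)
    host = endpoint[0] if endpoint else None
    return {"remote": endpoint, "reachability": classify(host, client_lan),
            "missing": missing_hardening(directives, blocks)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_OVPN, "192.168.2.0/24"))   # the working profile, tested from the LAN
    wan = SAMPLE_OVPN.replace("remote 192.168.2.37 443", "remote 172.217.18.174 443")
    print(diagnose(wan, "192.168.2.0/24"))           # the failing case: LAN client to WAN address
    print(diagnose(wan))                             # what an outside client depends on
```

Run with the poster's profile and the LAN the Windows PC is on; the `hairpin-nat` result for the WAN-address variant is the situation the answer describes, and `needs-port-forward` for an outside client is the only case the port forward and DMZ settings can influence. The address used for the WAN variant is the one from the answer's diagram.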