I have been trying to set up OpenVPN for the longest time now. I've tried it on my spare MacBook Air, but the server isn't easy to set up there (if it's even possible). So I decided to go the easier route and get it running on the Pi3.
I tried setting it up from scratch, but it's better to just use the pivpn utility. Got it set up and working in no time.
After setting up the keys and the DH key, which is pretty straightforward, the .ovpn configs were generated for clients. I used the same one on my Android phone with OpenVPN Connect to get it to work.
Now the first issue was that all my traffic was being redirected through the tunnel, so to stop that from happening I had to remove redirect-gateway def1 from the config. Apparently it was being pushed from the server.
However, once I did that, I was left with access to just the VLAN address of the OpenVPN server, which didn't help.
So let me first share how the network is setup.
- Home LAN is on the subnet 192.168.1.0/24 (I know, it shouldn't be that generic, I'll change it someday)
- OpenVPN server assigns address from the pool
- WAN IP of the gateway that is connected to the server is
- My client LAN has the pool
- And my client WAN IP is
Let's look at the server config

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
#push "route 0.0.0.0 "
push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
# Override the Client default gateway by using 0.0.0.0/1 and
# 22.214.171.124/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

So commenting out redirect-gateway def1 stopped all the traffic from going through the VPN, and pushing the route to the server-side LAN manually from the server to the client enabled access to that LAN:
push "route 192.168.1.0 255.255.255.0"
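To check quickly which of the two behaviours a server config will give clients, here is an added example (not part of the original post or of PiVPN) that parses the push directives: it ignores commented-out lines, flags whether redirect-gateway (full tunnel) is still pushed, and tests whether a given LAN is covered by a pushed route. The embedded config excerpt is constructed to mirror the post's server config.

```python
import ipaddress
import shlex

# Constructed excerpt of a PiVPN-style server.conf, modelled on the post's config.
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
#push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""


def parse_push(conf_text):
    """Return (full_tunnel, routes): whether redirect-gateway is pushed and the
    list of pushed IPv4 networks. Commented-out lines are skipped, which is
    exactly the difference between the post's 'before' and 'after' configs."""
    full_tunnel = False
    routes = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)  # keeps the quoted push argument together
        if words[0] != "push" or len(words) < 2:
            continue
        opt = words[1].split()
        if opt[0] == "redirect-gateway":
            full_tunnel = True
        elif opt[0] == "route" and len(opt) >= 3:
            # OpenVPN uses "network netmask"; ipaddress accepts dotted masks.
            routes.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
    return full_tunnel, routes


def lan_reachable(conf_text, lan_cidr):
    """True if clients receive a route covering lan_cidr (split tunnel)
    or the whole default route (full tunnel via redirect-gateway)."""
    full_tunnel, routes = parse_push(conf_text)
    lan = ipaddress.ip_network(lan_cidr)
    return full_tunnel or any(lan.subnet_of(r) for r in routes)


if __name__ == "__main__":
    full, pushed = parse_push(SAMPLE_CONF)
    print("full tunnel:", full, "| pushed routes:", [str(r) for r in pushed])
    print("192.168.1.0/24 reachable:", lan_reachable(SAMPLE_CONF, "192.168.1.0/24"))
```

Point it at a real /etc/openvpn/server.conf to confirm that only the intended LAN is routed over the tunnel and that redirect-gateway is really commented out.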
Just took an entire week to figure that out. Here's the relevant documentation.