
I have a Raspberry Pi 3B+ which is working as a hotspot using a Hologram Nova USB ppp0 device, from which it receives Internet, and routes the Internet through WiFi and Ethernet. This Hologram USB ppp0 device does not allow port forwarding, so I can't play around with ports on it.

I have realized that the IP address on the hotspot-pi changes every time the hotspot-pi reboots. Given that it's a mobile SIM, the cellphone company does not assign a permanent IP address. This makes it very hard or impractical to connect through SSH or access the local network.

The hotspot-pi's local IP address is 192.168.50.1, and it uses a bridge with the range 192.168.50.0/24 that covers both the wlan0 and eth0 interfaces. All devices connected to the hotspot via wlan0 or eth0 obtain an IP in the 192.168.50.0/24 range.

I created a home VPN using OpenVPN and a second raspberry pi (different Pi, located at home and acting as a server), and have the hotspot-pi connect to the OpenVPN-pi (at home) using OpenVPN as a client. The server's IP address is 10.10.10.83, and the local network subnet is 10.10.10.0/24

The purpose of this is so that once the hotspot-pi is connected to the OpenVPN-pi, I can see the hotspot-pi and all the other devices connected to it on my local network at home (OpenVPN-pi) using either FING (phone app) or nmap (linux) or any type of ip scanner application.

My issues are:

  • Once connected to the OpenVPN-pi, all devices connected to the hotspot-pi lose internet access. -> no longer an issue
  • piHotspot can ping 10.8.0.1 (PiVPNServer) ONLY; PiVPNServer can ping ANYONE in the piHotspot network. ONLY the VPNServer can ping devices attached to the client's network. I still can't ping from the server network's devices.

What's left to do:

  • Re-allow internet access to devices connected to the Hotspot-pi while it is connected to VPN. -> done
  • Allow devices in the server-side network (OpenVPN-pi at home) to see devices attached to the hotspot-pi (client VPN side, in the field)
  • The ability to ping or ssh from any device on the server side to any devices on the client side.

I have done a bit more research:

I now know that I need to do a type of bridging or layer 2 VPN, and I have found some information about it: OpenVPN bridged VPN

However, with this new information, I know that if I try to simply implement it, it will definitely break something else. I am not a network engineer, nor do I have tremendous experience with networks, so I would greatly appreciate it if someone experienced would be able to explain this a bit better for me.

Current settings on the client vpn hotspot-pi:

Result of ip addr on the PiVPN Server:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:fa:a5:b9 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.83/24 brd 10.10.10.255 scope global eth0
   valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fefa:a5b9/64 scope link 
   valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
   valid_lft forever preferred_lft forever
inet6 fe80::c367:82ee:1948:743b/64 scope link stable-privacy 
   valid_lft forever preferred_lft forever

Result of ip route in the PiVPN server:

default via 10.10.10.1 dev eth0 proto static 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.83 
192.168.50.0/24 via 10.8.0.2 dev tun0  

Result of systemctl status openvpn@server.service

● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-11-21 23:13:32 EST; 1min 48s ago
 Docs: man:openvpn(8)
       https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
       https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 1750 (openvpn)
Status: "Pre-connection initialization successful"
Tasks: 1 (limit: 2200)
Memory: 1.0M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
       └─1750 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Nov 21 23:13:32 PiVPNServer systemd[1]: Started OpenVPN connection to server.
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: TUN/TAP device tun0 opened
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: /sbin/ip link set dev tun0 up mtu 1500
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: UDPv4 link local (bound): [AF_INET][undef]:1194
Nov 21 23:13:32 PiVPNServer ovpn-server[1750]: UDPv4 link remote: [AF_UNSPEC]

Result of ip addr in piHotspot (client):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN group default qlen 1000
link/ether b8:27:eb:3f:0e:89 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8a:ea:17:87:3f:87 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.1/24 brd 192.168.50.255 scope global br0
   valid_lft forever preferred_lft forever
inet6 fe80::88ea:17ff:fe87:3f87/64 scope link 
   valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether b8:27:eb:6a:5b:dc brd ff:ff:ff:ff:ff:ff
inet6 fe80::ba27:ebff:fe6a:5bdc/64 scope link 
   valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0
   valid_lft forever preferred_lft forever
inet6 fe80::31c0:593e:d389:b8b7/64 scope link flags 800 
   valid_lft forever preferred_lft forever
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
link/ppp 
inet 25.108.227.234/32 scope global ppp0
   valid_lft forever preferred_lft forever

Result of ip route on piHotspot (client):

default via 25.108.227.234 dev ppp0 proto static 
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.2 
10.10.10.0/24 via 10.8.0.1 dev tun0 
10.176.0.0/16 via 25.108.227.234 dev ppp0 proto static 
10.254.0.0/16 via 25.108.227.234 dev ppp0 proto static 
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1 

I think there should be a call to my server's IP address here, no?

Result of systemctl status openvpn@piHotspot.service

● openvpn@piHotspot.service - OpenVPN connection to piHotspot
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-11-21 23:20:13 EST; 7s ago
 Docs: man:openvpn(8)
       https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
       https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 739 ExecStart=/usr/sbin/openvpn --daemon ovpn-piHotspot --status /run/openvpn/piHotspot.status 10 --cd /
Main PID: 740 (openvpn)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/system-openvpn.slice/openvpn@piHotspot.service
       └─740 /usr/sbin/openvpn --daemon ovpn-piHotspot --status /run/openvpn/piHotspot.status 10 --cd /etc/open

Nov 21 23:20:13 RPiNet systemd[1]: Starting OpenVPN connection to piHotspot...
Nov 21 23:20:13 RPiNet systemd[1]: Started OpenVPN connection to piHotspot.
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: TUN/TAP device tun0 opened
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: /sbin/ip link set dev tun0 up mtu 1500
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: /sbin/ip addr add dev tun0 local 10.8.0.2 peer 10.8.0.1
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: TCP/UDP: Preserving recently used remote address: [AF_INET][My IP Address]
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: UDP link local (bound): [AF_INET][undef]:1194
Nov 21 23:20:13 RPiNet ovpn-piHotspot[740]: UDP link remote: [AF_INET][My IP Address]:1194

Update: Nov 21, 2019

I am able to ping server and client from each other using the 10.8.0.0 subnet (10.8.0.1, 10.8.0.2).

I have gained the ability to ping from the VPNServer to any device attached to the VPNClient (PiHotspot).

I have gained the ability to ssh to the VPNClient's attached devices and control them

I have gained internet connection back from attached devices while the VPN is enabled in the client.

I cannot ping from devices in the Client or the Client itself to the attached devices in the server's side, I can only ping the server.

This is my server.conf before the error. Once I changed the 192.168.50.1 to 192.168.50.0, I became a step closer to a finished result :)

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth-nocache
route 192.168.50.1 255.255.255.0

This is the 04-eth.network file on the server:

[Match]
Name=e*
[Network]
Address=10.10.10.83/24
Gateway=10.10.10.1
DNS=84.200.69.80 1.1.1.1
IPForward=yes

As always, I would greatly appreciate any and all help! I feel I'm so close to finishing this project I'm at the end of the line!

Thank you kindly!

Agustin
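As an added check (my own code, not part of Agustin's post or Ingo's answer), the script below lints a static-key server/client pair for the mistakes that surfaced in this thread: a `route` on a host address instead of a network address (the `route 192.168.50.1 255.255.255.0` line above), un-mirrored `ifconfig` endpoints, a missing `secret` or `remote`, a cipher mismatch, and the same subnet routed on both sites. The server config is the one posted above; the client config is an assumption (Ingo's client.conf with its route pointed at the 10.10.10.0/24 home subnet and his example address 84.152.97.94), because Agustin's own client.conf is not shown.

```python
"""Consistency checks for a matched pair of OpenVPN static-key (point-to-point) configs."""
import ipaddress
from typing import Dict, List, Optional

# Constructed inputs. SERVER_CONF_BEFORE is the server.conf posted before the fix
# (route given as a host address). CLIENT_CONF is assumed: Ingo's client.conf with
# the route set to the 10.10.10.0/24 home subnet.
SERVER_CONF_BEFORE = """\
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth-nocache
route 192.168.50.1 255.255.255.0
"""
SERVER_CONF_FIXED = SERVER_CONF_BEFORE.replace("route 192.168.50.1", "route 192.168.50.0")
CLIENT_CONF = """\
dev tun
remote 84.152.97.94
ifconfig 10.8.0.2 10.8.0.1
route 10.10.10.0 255.255.255.0
secret static.key
cipher AES-256-CBC
auth-nocache
"""

Opts = Dict[str, List[List[str]]]


def parse(conf: str) -> Opts:
    """Split an OpenVPN config into {option: [argument lists]}, skipping comment lines."""
    opts: Opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        opts.setdefault(key, []).append(args)
    return opts


def first(opts: Opts, key: str) -> Optional[List[str]]:
    """Arguments of the first occurrence of `key`, or None if the option is absent."""
    return opts[key][0] if opts.get(key) else None


def routes(opts: Opts, side: str, findings: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse every `route <addr> <mask>` line; flag addresses that have host bits set."""
    nets = []
    for args in opts.get("route", []):
        if len(args) < 2:
            findings.append(f"{side}: 'route {' '.join(args)}' needs an address and a netmask")
            continue
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        if str(net.network_address) != args[0]:
            findings.append(f"{side}: route {args[0]} {args[1]} has host bits set; use {net.network_address}")
        nets.append(net)
    return nets


def check_pair(server_conf: str, client_conf: str) -> List[str]:
    """Return a list of findings; an empty list means the two ends are consistent."""
    s, c = parse(server_conf), parse(client_conf)
    findings: List[str] = []
    for side, o in (("server", s), ("client", c)):
        if first(o, "dev") != ["tun"]:
            findings.append(f"{side}: expected 'dev tun' for a routed (layer 3) tunnel")
        if first(o, "secret") is None:
            findings.append(f"{side}: missing 'secret <file>'; both ends must load the same static key")
    if first(c, "remote") is None:
        findings.append("client: missing 'remote <server>'; the client initiates the connection")
    if first(s, "cipher") != first(c, "cipher"):
        findings.append("cipher differs between the two ends; static-key mode does not negotiate it")
    s_if, c_if = first(s, "ifconfig"), first(c, "ifconfig")
    if not (s_if and c_if and len(s_if) == 2 and len(c_if) == 2):
        findings.append("both ends need 'ifconfig <local> <remote>'")
        return findings
    if (s_if[0], s_if[1]) != (c_if[1], c_if[0]):
        findings.append(f"ifconfig not mirrored: server {s_if} vs client {c_if}")
    tunnel_ips = {ipaddress.ip_address(s_if[0]), ipaddress.ip_address(s_if[1])}
    behind_client = routes(s, "server", findings)   # server sends these subnets into the tunnel
    behind_server = routes(c, "client", findings)   # client sends these subnets into the tunnel
    for a in behind_client:
        for b in behind_server:
            if a.overlaps(b):
                findings.append(f"{a} (behind client) overlaps {b} (behind server); use distinct subnets")
    for net in behind_client + behind_server:
        if any(ip in net for ip in tunnel_ips):
            findings.append(f"route {net} contains a tunnel endpoint address; choose another subnet")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SERVER_CONF_BEFORE), ("fixed", SERVER_CONF_FIXED)):
        print(label, check_pair(conf, CLIENT_CONF) or "OK")
```

Running it prints the host-bits finding for the posted server.conf and `OK` for the corrected one. The overlap check encodes Ingo's comment that the two sites must use different subnets: with routing (no NAT) a 192.168.50.0/24 on both ends can never work, whatever the tunnel does.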
  • It looks like you want to run an OpenVPN **server** on the RasPi so you can connect from a device on the internet to your network. Can you please make this a bit clearer in the question? You must be able to connect to the RasPi from the internet. So does the RasPi have a private IP address or a public one? If it has a private one, is the USB modem able to do port forwarding? – Ingo Jul 13 '19 at 08:51
  • @Ingo, I have modified my response, thank you! – Agustin Jul 13 '19 at 21:34
  • I have left focus on this question. Please give me feedback with a comment when you have found port forwarding on the USB modem. – Ingo Jul 23 '19 at 23:14
  • There was no port forwarding on the modem, so I cannot create a VPN server using OpenVPN with the hotspot. I have decided that maybe it would be a bit smarter to create a VPN server at home, and open those ports here, and have the device "call home" so install a vpn client. But installing OpenVPN on a raspberry pi terminal seems a bit troublesome since I need to create some kind of .crt files and so and so. So I'm stuck trying to install OpenVPN client on the hotspot at the moment – Agustin Jul 24 '19 at 03:45
  • You have linked to a setup with a bridged vpn using a **tap** interface. You can also find a tested one with Raspberry Pi at [How to bridge an access point with a remote network by openvpn?](https://raspberrypi.stackexchange.com/a/95531/79866). – Ingo Nov 09 '19 at 21:06
  • I've gone through your thread on bridging, however it's not 100% clear whether you're using 2 RPi's one as server and one as client. Also, if you're using the client as a router hotspot through ethernet and wlan... Lastly It is also not very clear if we're supposed to have a working vpn prior to convert the vpn to a tap from a tun... Why am I turning my vpn server into a network server as well? I already have a router that takes care of routing/dhcp. Also, if we're supposed to have a working vpn connection, then by adding info to server.conf, it will have all the setup + tap + duplicate info? – Agustin Nov 11 '19 at 03:27
  • You should not mix up things. Bridging openvpn with **tap** devices is a complete different task. I suggest to finish this routing setup here first. I will have a look at it. Just a moment please. – Ingo Nov 11 '19 at 10:33
  • Sure thing! Thanks! – Agustin Nov 11 '19 at 16:11

2 Answers


Having a remote OpenVPN server at your home and connecting to it with the RasPi is a good solution if you cannot use port forwarding on the modem. Here is an example setup for what you have described:

          (dhcp
        from RPi)        bridge      10.8.0.2/24               ┌──────────┐   10.8.0.1/24   192.168.50.2
           ╱    wifi    ┌───────┐       /       vpn-tunnel     │          │       \        /
mobile-phone <~.~.~.~.> │(wlan0)│   (tun0) ═════════╗ ╔══════════════════════════ VPN-SERVER
                        │    br0│RPi(ppp0) <-----> MODEM <---> │ INTERNET │           subnet
      laptop <────────> |(eth0) │╲      \    usb          wan  │          │        192.168.50.0/24
           ╲    wired   └───────┘╱     (dhcp                   └──────────┘
         (dhcp           192.168.4.1   from MODEM)
        from RPi)

The ip addresses from the endpoints of the vpn tunnel must be on the same subnet. Here I use the subnet 10.8.0.0/24, so I give the vpn tunnel the shown ip addresses. These addresses are only used for routing to the vpn tunnel. They are not used by any other interface. Due to my test environment I have used some different subnets than yours.

Starting with a fresh flashed Raspbian Buster Lite you should setup the VPN router in three steps so you can test each step independently.

♦ Setup the modem connection

Setup the modem connection so you get the ppp0 interface and you can ping google.com. Nothing else is connected to the hotspot RasPi. I don't have a 4G modem so I used USB tethering with my smartphone to test it. This will give me the interface usb0. But the settings with ppp0 should look similar to this at this time:

rpi ~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether dc:a6:32:01:db:ec brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether dc:a6:32:01:db:ed brd ff:ff:ff:ff:ff:ff
4: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 12:8e:37:b5:a9:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.218/24 brd 192.168.42.255 scope global noprefixroute usb0
       valid_lft forever preferred_lft forever
    inet6 fe80::c1dd:14fa:9aab:41a6/64 scope link
       valid_lft forever preferred_lft forever

rpi ~$ ip route
default via 192.168.42.129 dev usb0 proto dhcp src 192.168.42.218 metric 204
192.168.42.0/24 dev usb0 proto dhcp scope link src 192.168.42.218 metric 204

rpi ~$ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 192.168.42.129

♦ Setup the bridge and the internet connection

Setup the bridge and the internet connection as shown in How can I set my pi 3 up to be WiFi AND ethernet router simultaneously?. In that setup just replace all strings *usb0* with *ppp0*. Also replace the ip address 192.168.4.1 with the one you want to use, e.g. 192.168.50.1, but make sure it isn't from the ip range that is used by the modem. When finished you should have a running setup as shown in the drawing above, just without the vpn tunnel. You should be able to ping everything from everywhere now, except interfaces from the VPN tunnel (it's not setup at this point). The settings are:

rpi ~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether dc:a6:32:01:db:ec brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe01:dbec/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:1e:14:46:ba:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::bc1e:14ff:fe46:ba8d/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether dc:a6:32:01:db:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe01:dbed/64 scope link
       valid_lft forever preferred_lft forever
6: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether fe:89:43:14:4f:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.245/24 brd 192.168.42.255 scope global dynamic usb0
       valid_lft 3595sec preferred_lft 3595sec
    inet6 fe80::fc89:43ff:fe14:4f41/64 scope link
       valid_lft forever preferred_lft forever

rpi ~$ ip route
default via 192.168.42.129 dev usb0 proto dhcp src 192.168.42.245 metric 1024
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
192.168.42.0/24 dev usb0 proto kernel scope link src 192.168.42.245
192.168.42.129 dev usb0 proto dhcp scope link src 192.168.42.245 metric 1024

rpi ~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
--- snip ---
nameserver 192.168.42.129

♦ Setup VPN connection

I have used this Simple openVPN with static keys setup to test the configuration. Here, in short, is only the needed setup.

I assume you have a working internet connection from the hotspot RasPi to the VPN server. I use port forwarding but how to set it up is out of scope here. For this example I use the public ip address 84.152.97.94 to connect to the router, which forwards the default openvpn port 1194 to the VPN server. You should be able to ping the remote address of the VPN server from the hotspot RasPi, in my example ping 84.152.97.94.

Install OpenVPN on the VPN server

# Install OpenVPN
server ~$ sudo -Es
server ~# apt install openvpn openvpn-systemd-resolved

# disable classic networking
server ~# systemctl mask networking.service dhcpcd.service
server ~# mv /etc/network/interfaces /etc/network/interfaces~
server ~# sed -i '1i resolvconf=NO' /etc/resolvconf.conf

# enable systemd-networkd
server ~# systemctl enable systemd-networkd.service systemd-resolved.service
server ~# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Setup network interface eth0. Because I configured port forwarding on the internet router (192.168.50.1), I have to set a static ip address so the internet router can forward traffic on the default OpenVPN port 1194 to this ip address.

server ~# cat > /etc/systemd/network/04-eth.network <<EOF
[Match]
Name=e*
[Network]
Address=192.168.50.2/24
Gateway=192.168.50.1
DNS=84.200.69.80 1.1.1.1
IPForward=yes
EOF

Then generate a static secret key:

server ~# openvpn --genkey --secret /etc/openvpn/static.key

Create the server config file:

server ~# cat > /etc/openvpn/server.conf <<EOF
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
cipher AES-256-CBC
auth-nocache
route 192.168.4.0 255.255.255.0
EOF

Please note that the server will never connect to the client so it does not have a remote entry. The connection is always initiated by the client. Enable the VPN server:

server ~# systemctl enable openvpn@server.service

Reboot. The setting should now look like this:

server ~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:0e:3c:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.2/24 brd 192.168.50.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe0e:3c6f/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether b8:27:eb:5b:69:3a brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::2a9e:7d49:c632:62a3/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

server ~$ ip route
default via 192.168.50.1 dev eth0 proto static
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.4.0/24 via 10.8.0.2 dev tun0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.

server ~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
--- snip ---
nameserver 84.200.69.80
nameserver 1.1.1.1

Install OpenVPN on the hotspot RasPi

Here we will install an OpenVPN configuration, named "client" on the hotspot RasPi.

client ~$ sudo -Es
client ~# apt install openvpn openvpn-systemd-resolved

Copy /etc/openvpn/static.key from the VPN server to /etc/openvpn/static.key here and set its permission with sudo chmod 600 /etc/openvpn/static.key. Create a client config file:

client ~# cat > /etc/openvpn/client.conf <<EOF
dev tun
remote 84.152.97.94
ifconfig 10.8.0.2 10.8.0.1
route 192.168.50.0 255.255.255.0
secret static.key
cipher AES-256-CBC
auth-nocache
EOF

Start the VPN client:

client ~# systemctl enable --now openvpn@client.service
client ~# exit
client ~$

Now you should be able to ping the VPN server:

client ~$ ping 10.8.0.1
client ~$ ping 192.168.50.2
client ~$ ping google.com

This will establish a connection. After that you should also be able to ping the hotspot RasPi from the VPN server:

server ~$ ping 10.8.0.2
server ~$ ping 192.168.4.1
client ~$ ping google.com

You should also be able to ping any device connected wired or wireless to the hotspot RasPi. Please keep in mind that the VPN server will not connect to the client. First ping the server from the client (hotspot RasPi).

The setup should look like this:

client ~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether dc:a6:32:01:db:ec brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe01:dbec/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:1e:14:46:ba:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::bc1e:14ff:fe46:ba8d/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether dc:a6:32:01:db:ed brd ff:ff:ff:ff:ff:ff
    inet6 fe80::dea6:32ff:fe01:dbed/64 scope link
       valid_lft forever preferred_lft forever
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 8a:ef:e0:df:7e:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.42.92/24 brd 192.168.42.255 scope global dynamic usb0
       valid_lft 2707sec preferred_lft 2707sec
    inet6 fe80::88ef:e0ff:fedf:7e1e/64 scope link
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.2 peer 10.8.0.1/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4cf3:3f85:c0f7:3cd6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

client ~$ ip route
default via 192.168.42.129 dev usb0 proto dhcp src 192.168.42.92 metric 1024
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.2
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
192.168.42.0/24 dev usb0 proto kernel scope link src 192.168.42.92
192.168.42.129 dev usb0 proto dhcp scope link src 192.168.42.92 metric 1024
192.168.50.0/24 via 10.8.0.1 dev tun0

client ~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
--- snip ---
nameserver 192.168.42.129

Setup routing on the VPN server

If you try from the hotspot RasPi to ping devices connected to the VPN server on its subnet 192.168.50.0/24 you will see that it doesn't work now. The reason is that they don't know where the subnet 192.168.4.1 of the hotspot RasPi is. We have to tell it with an additional routing information. You can configure each client with a static route, or you can configure its DHCP server to give that route to the clients, if it can. But the easiest is to disable the running DHCP server on subnet 192.168.50.0/24 and enable the DHCP server on the VPN Server. It will do all work automagically. Just append this to 04-eth.network:

server ~$ sudo -Es
server ~# cat >> /etc/systemd/network/04-eth.network <<EOF
DHCPServer=yes
[DHCPServer]
DNS=84.200.69.80 1.1.1.1
EOF

Don't forget to disable the "old" running DHCP server before enabling this:

server ~# systemctl daemon-reload
server ~# systemctl restart systemd-networkd.service
server ~# exit
server ~$
Ingo
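To make the routing argument in the last section concrete, here is an added example (my own code, not Ingo's) that models piHotspot and PiVPNServer with the routing tables posted in the question, plus three constructed stand-ins whose addresses are assumptions: a laptop on the hotspot (192.168.50.20), a home PC (10.10.10.50) and the home router (10.10.10.1, with an assumed WAN address of 203.0.113.10). It traces an echo request and its reply hop by hop with longest-prefix matching and shows where the reply from the home LAN dies (the home router's default route, which knows nothing about 10.8.0.0/24 or 192.168.50.0/24) until the home host gets a route for those subnets via 10.10.10.83, which is what the per-host static route or the DHCP server on the VPN Pi described above provides.

```python
"""Hop-by-hop trace of the routed site-to-site setup from the question."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[IP] = None          # None: destination is directly on `dev`


@dataclass
class Host:
    name: str
    addrs: Dict[str, ipaddress.IPv4Interface]   # interface -> address
    links: Dict[str, str]                       # interface -> L2 segment or tunnel
    routes: List[Route] = field(default_factory=list)
    forwarding: bool = False                    # net.ipv4.ip_forward


def R(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), dev, ipaddress.ip_address(via) if via else None)


def build_lab() -> Dict[str, Host]:
    """piHotspot and PiVPNServer carry the routes posted in the question. field-laptop,
    home-pc and home-router are constructed stand-ins; their addresses are assumptions."""
    A = ipaddress.ip_interface
    hosts = [
        Host("field-laptop", {"eth0": A("192.168.50.20/24")}, {"eth0": "hotspot-lan"},
             [R("192.168.50.0/24", "eth0"), R("0.0.0.0/0", "eth0", "192.168.50.1")]),
        Host("piHotspot",
             {"br0": A("192.168.50.1/24"), "tun0": A("10.8.0.2/32"), "ppp0": A("25.108.227.234/32")},
             {"br0": "hotspot-lan", "tun0": "tunnel", "ppp0": "cellular"},
             [R("192.168.50.0/24", "br0"), R("10.8.0.1/32", "tun0"),
              R("10.10.10.0/24", "tun0", "10.8.0.1"), R("0.0.0.0/0", "ppp0")], forwarding=True),
        Host("PiVPNServer", {"eth0": A("10.10.10.83/24"), "tun0": A("10.8.0.1/32")},
             {"eth0": "home-lan", "tun0": "tunnel"},
             [R("10.10.10.0/24", "eth0"), R("10.8.0.2/32", "tun0"),
              R("192.168.50.0/24", "tun0", "10.8.0.2"), R("0.0.0.0/0", "eth0", "10.10.10.1")],
             forwarding=True),
        Host("home-router", {"lan": A("10.10.10.1/24"), "wan": A("203.0.113.10/24")},
             {"lan": "home-lan", "wan": "isp"},
             [R("10.10.10.0/24", "lan"), R("0.0.0.0/0", "wan", "203.0.113.1")], forwarding=True),
        Host("home-pc", {"eth0": A("10.10.10.50/24")}, {"eth0": "home-lan"},
             [R("10.10.10.0/24", "eth0"), R("0.0.0.0/0", "eth0", "10.10.10.1")]),
    ]
    return {h.name: h for h in hosts}


def lookup(host: Host, dst: IP) -> Optional[Route]:
    """Longest-prefix match over the host's routing table."""
    matches = [r for r in host.routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def on_link(net: Dict[str, Host], link: str, ip: IP) -> Optional[Host]:
    """Which host answers for `ip` on the given segment (ARP / tunnel peer)."""
    for h in net.values():
        for iface, addr in h.addrs.items():
            if h.links[iface] == link and addr.ip == ip:
                return h
    return None


def trace(net: Dict[str, Host], src: str, dst: str, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow one packet hop by hop; returns (outcome, path of host names)."""
    dst_ip = ipaddress.ip_address(dst)
    host, path = net[src], [src]
    for _ in range(max_hops):
        if any(a.ip == dst_ip for a in host.addrs.values()):
            return "delivered", path
        if host.name != src and not host.forwarding:
            return f"dropped: ip_forward=0 on {host.name}", path
        route = lookup(host, dst_ip)
        if route is None:
            return f"dropped: no route to {dst_ip} on {host.name}", path
        next_hop = route.via if route.via is not None else dst_ip
        nxt = on_link(net, host.links[route.dev], next_hop)
        if nxt is None:   # default route towards the ISP: private destinations vanish there
            return f"lost: {host.name} sent it out {route.dev} towards {next_hop}, outside the modelled network", path
        host = nxt
        path.append(host.name)
    return "dropped: hop limit", path


def source_ip(net: Dict[str, Host], src: str, dst: str) -> str:
    """Linux-style source selection: the address of the egress interface."""
    route = lookup(net[src], ipaddress.ip_address(dst))
    return str(net[src].addrs[route.dev].ip)


def ping(net: Dict[str, Host], src: str, dst: str) -> Tuple[str, str]:
    """Outcome of the echo request and of the echo reply; ping only works if both arrive."""
    req, _ = trace(net, src, dst)
    if req != "delivered":
        return req, "not sent"
    target = ipaddress.ip_address(dst)
    dst_host = next(h.name for h in net.values() if any(a.ip == target for a in h.addrs.values()))
    rep, _ = trace(net, dst_host, source_ip(net, src, dst))
    return req, rep


def add_return_routes(net: Dict[str, Host], host: str) -> None:
    """The fix: a home-LAN host learns the VPN subnets via the VPN Pi (static or via DHCP)."""
    net[host].routes += [R("192.168.50.0/24", "eth0", "10.10.10.83"), R("10.8.0.0/24", "eth0", "10.10.10.83")]


if __name__ == "__main__":
    lab = build_lab()
    cases = (("PiVPNServer", "192.168.50.20"), ("piHotspot", "10.10.10.50"), ("home-pc", "192.168.50.20"))
    for stage in ("as posted", "after return routes on home-pc"):
        print(stage)
        for s, d in cases:
            print(f"  {s:>12} -> {d:<14} {ping(lab, s, d)}")
        add_return_routes(lab, "home-pc")
```

Run as posted, the first case succeeds in both directions (the server can reach hotspot devices, as the question's update reports), the second delivers the request but loses the reply at the home router, and the third never leaves the home LAN; after the return routes are added all three succeed. Note that once those routes exist every device on the 192.168.50.0/24 hotspot can reach every host on the home LAN and vice versa, and nothing in this static-key setup filters that traffic, so if the field side should only reach particular home hosts, restrict it in the FORWARD chain on PiVPNServer.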
  • from your drawing, it's not too clear whether thanks to the tunnel the attached devices will have a similar 10.10.10.x range, but if that's the case then I would say yes this is what I would like to have, my vpn server indeed has a 10.10.10.X range but the IP address on the tun0 is not in that range. it's in the 10.8.0.x range, the wlan0 range is also indeed in the 192.168.50.x range as well as eth0. – Agustin Aug 02 '19 at 13:04
  • @Agustin I have updated the answer. You mention interface **eth0** in your comment the first time. What do you want to do with it? – Ingo Aug 02 '19 at 16:51
  • The eth0 interface is being used to provide a LAN to any device that needs access to internet through ethernet. In other words, similarly to the WLAN, the eth0 interface will be used to provide internet from the hotspot ppp0 (pi). So on your drawing both the wlan0 and eth0 interfaces provide the same 192.168.50.1 routing. The RPI hotspot doesn’t have yet a tunnel, the RPI that has a vpn installed is currently at home and is independent from the RPI hotspot. At home the IP range is in the 10.10.10.1 range and the RPI VPN has a tun0 at indeed 10.8.0.1 range. I have also updated the wordin – Agustin Aug 02 '19 at 17:34
  • @Agustin I have updated the drawing with a bridge. That should now be the final solution. Please add the additional information about using **eth0** to your question. The OpenVPN server must have an ip address from the same subnet of the RasPi as shown in the drawing. I will not have a focus on the vpn server in the first step. I just assume that it is working. When the local hostspot on the RasPi is running we can have a look at it. Just a moment please. I have to setup the test. – Ingo Aug 02 '19 at 18:23
  • I’d like to add if it’s okay. On your drawing, to the rightmost (to the right of VPN server) maybe add my local network at home with the 10.10.10.1 ip? – Agustin Aug 02 '19 at 18:36
  • @Agustin No, in the first step I will only look at the RasPi and assume that the tunnel endpoint on the server has ip address 10.8.0.1/24 to be accessible by the RasPi through the tunnel. If you like I can set the ip addresses on both sides to 10.10.10.2/24 and 10.10.10.1/24. Setting ip addresses to 10.8.0.2/8 and 10.10.10.1/8 is a waste of millions of ip addresses and may conflict with additional vpn nodes. Look at [Subnetwork](https://en.wikipedia.org/wiki/Subnetwork). – Ingo Aug 02 '19 at 18:56
  • No it’s fine let’s see the first step first. – Agustin Aug 02 '19 at 19:03
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/96991/discussion-between-ingo-and-agustin). – Ingo Aug 02 '19 at 22:24
  • @Agustin I have rewritten the answer. – Ingo Nov 14 '19 at 00:16
  • Thank you, I’ll try it out in an hour! Thank you for taking the time! – Agustin Nov 14 '19 at 00:30
  • I’ve implemented the changes, I’ve even started from scratch, and while I can ping server to client and client to server, I cannot ping anything else in the server side, nor anything else in the client side. I have updated my results in the question. Thank you – Agustin Nov 14 '19 at 15:37
  • @Agustin What is ip address 10.10.10.3? It is nowhere reflected on the command outputs. Do you add the correct `route` options into `/etc/openvpn/client.conf` and `/etc/openvpn/server.conf`? What external program exited with error status: 2? – Ingo Nov 14 '19 at 16:20
  • 10.10.10.3 is the address I want to use, instead of your 192.168.50.1. From your comment in “Setup the bridge and the internet connection” And it’s not the same as my modem, which is something like 204.17. Something something. I did add this particular info in the route options in both the server and the client. I’ll copy the full logs later tonight after work. Thank you. To clarify the address I changed from 192.168.4.1 to 10.10.10.3 this is the subnet address that the hotspot is routing all attached clients into right? My thought was to use the same as server’s subnet for interaction – Agustin Nov 14 '19 at 16:30
  • @Agustin You should always use different subnets. Having the hotspot and the servers the same subnet is not a good idea because we use routing. – Ingo Nov 14 '19 at 16:40
  • Okay, I’ll make the change tonight. However this was pretty much the setup I’ve made before, different approach of the openvpn instead of static.key I used ovpn file and different subnet as you’ve suggested, I’d be able to ping client and server from each side, but nothing attached to each other. And when I start the ovpn server I lose internet network with the attached devices to the client. Again, I’ll test it with a different subnet than the server’s subnet and go from there. Thank you – Agustin Nov 14 '19 at 16:43
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/101049/discussion-between-agustin-and-ingo). – Agustin Nov 15 '19 at 01:04

I think, what you are looking for is dynamic DNS.

Your Pi will be assigned a subdomain of the service you choose. You can then use this static URL to access your Pi.

In the background, you need to run software on your Pi that regularly updates the external IP of your Pi with the service you are using.

Dynamic DNS is a favorite of people whose external IP address from their ISP changes quite regularly.

oh.dae.su
  • Sounds about right, I guess I was wondering if a VPN tunnel would be configurable on a hotspot raspberry pi, as well as having a dynamic DNS – Agustin Jul 13 '19 at 04:02
  • So the only reason why a dynamic dns service wouldn't work in this instance, is because once I figure out the public IP address of the hotspot, I still can't access whatever ETHERNET device is attached to it. I need to basically be able to view the ethernet device attached to the pi and be able to access it in the network. – Agustin Aug 01 '19 at 22:50