
I'm currently trying to set up a VPN server in the TAP configuration to allow joining clients to see everything on the network and reference it as if the client were connected physically to that network.

So far I have set up OpenVPN using the PiVPN script, then made some modifications to the configuration to allow for a TAP device and a bridge to be used.

Now my issue is: I have configured my network and client scripts to connect to the right port and DDNS name, and I can see that the VPN server receives an indication of a connection request, but the connection is never completed. I also seem to lose internet connectivity on the RPi (the server hosting the PiVPN server) whenever the VPN server is running.

Find below a reference to all of my config files. Any hints would be greatly appreciated, and requests for more info will be answered ASAP.

Thanks

openvpn.log

Dec 12 23:47:59 raspberrypi ovpn-server[797]: Initialization Sequence Completed
Dec 12 23:49:02 raspberrypi ovpn-server[797]: 120.17.124.157:2601 TLS: Initial packet from [AF_INET]120.17.124.157:2601, sid=9ddd6c8a bb410336
Dec 12 23:50:02 raspberrypi ovpn-server[797]: 120.17.124.157:2601 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 12 23:50:02 raspberrypi ovpn-server[797]: 120.17.124.157:2601 TLS Error: TLS handshake failed
Dec 12 23:50:02 raspberrypi ovpn-server[797]: 120.17.124.157:2601 SIGUSR1[soft,tls-error] received, client-instance restarting

server.conf

dev tap0
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_bdb.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_bdb.key
dh none
topology subnet
#server 10.8.0.0 255.255.255.0
server-bridge 192.168.15.249 255.255.255.0 192.168.15.80 192.168.15.99
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io


Tokens94

1 Answer


I haven't used PiVPN before, so I can't say much about it. But when I see your server.conf file it seems to be a very complex setup. Using tap interfaces is also not easy to set up. I don't believe that PiVPN can be made to configure a VPN in bridge mode by just doing some modifications to the configuration. The difference between bridging on OSI layer 2 and routing on OSI layer 3 is too great. A bridge does not use IP addresses, only MAC addresses. But PiVPN configures only IP addresses ...

I would suggest not using PiVPN for bridging with tap interfaces and configuring it directly with OpenVPN. You can find a "simple" example at How to bridge an access point with a remote network by openvpn?.

Ingo
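As an added illustration of the point the answer makes (a bridge works at layer 2, so the host's own IP address has to live on the bridge, not on the enslaved NIC), here is a small POSIX shell script that builds the bridge an OpenVPN `dev tap` server needs and sanity-checks the `server-bridge` arguments before the daemon starts. It is example code written for this page, not PiVPN's or OpenVPN's own scripts. It assumes the LAN NIC is `eth0`, the bridge is `br0`, the tap device is `tap0`, and a constructed LAN router address of `192.168.15.1` for the default route; the bridge address, netmask and client pool are the ones from the posted server.conf. By default it only prints the commands it would run (`DRY_RUN=1`); set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: build the Layer-2
# bridge that an OpenVPN "dev tap" server needs, and sanity-check the
# server-bridge arguments before the daemon starts. iproute2 commands only.
# Assumptions (not on the page): LAN NIC eth0, bridge br0, tap device tap0,
# and a constructed LAN router address of 192.168.15.1 for the default route.
# The bridge address, mask and pool are the ones from the posted server.conf.
set -eu

LAN_IF="${LAN_IF:-eth0}"
BR_IF="${BR_IF:-br0}"
TAP_IF="${TAP_IF:-tap0}"
BR_ADDR="${BR_ADDR:-192.168.15.249}"
BR_MASK="${BR_MASK:-255.255.255.0}"
POOL_START="${POOL_START:-192.168.15.80}"
POOL_END="${POOL_END:-192.168.15.99}"
LAN_GW="${LAN_GW:-192.168.15.1}"      # constructed value, not on the page
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = execute (needs root)

# Dotted-quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Count the set bits of a netmask to get its prefix length (255.255.255.0 -> 24).
mask2prefix() {
    m=$(ip2int "$1"); p=0
    while [ "$m" -ne 0 ]; do p=$(( p + (m & 1) )); m=$(( m >> 1 )); done
    echo "$p"
}

# Validate "server-bridge GATEWAY NETMASK POOL_START POOL_END":
# every address must share one subnet, the pool must be ordered, and the
# gateway (the bridge's own address) must not sit inside the client pool.
# Returns 0 when consistent, 1 otherwise, with the reason on stderr.
check_server_bridge() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); ps=$(ip2int "$3"); pe=$(ip2int "$4")
    net=$(( gw & mask ))
    if [ $(( ps & mask )) -ne "$net" ] || [ $(( pe & mask )) -ne "$net" ]; then
        echo "server-bridge: pool $3-$4 is not in the subnet of $1/$2" >&2; return 1
    fi
    if [ "$ps" -gt "$pe" ]; then
        echo "server-bridge: pool start $3 is above pool end $4" >&2; return 1
    fi
    if [ "$gw" -ge "$ps" ] && [ "$gw" -le "$pe" ]; then
        echo "server-bridge: gateway $1 lies inside the client pool" >&2; return 1
    fi
    return 0
}

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Bring up br0 with eth0 and tap0 as members. The host's IP address moves from
# eth0 to br0: an address left on an enslaved port is a classic way for the
# host itself to lose connectivity once the bridge is up.
bridge_up() {
    prefix=$(mask2prefix "$BR_MASK")
    run openvpn --mktun --dev "$TAP_IF"          # persistent tap device for "dev tap0"
    run ip link add name "$BR_IF" type bridge
    run ip link set "$TAP_IF" promisc on
    run ip link set "$LAN_IF" promisc on
    run ip addr flush dev "$LAN_IF"              # the address must not stay on eth0
    run ip link set "$TAP_IF" master "$BR_IF"
    run ip link set "$LAN_IF" master "$BR_IF"
    run ip link set "$TAP_IF" up
    run ip link set "$LAN_IF" up
    run ip addr add "$BR_ADDR/$prefix" dev "$BR_IF"
    run ip link set "$BR_IF" up
    run ip route add default via "$LAN_GW" dev "$BR_IF"
}

check_server_bridge "$BR_ADDR" "$BR_MASK" "$POOL_START" "$POOL_END"
bridge_up
```

The `server-bridge` gateway argument is the bridge's own address, which is why the script puts `192.168.15.249/24` on `br0` rather than on `eth0`. Keep in mind that once clients sit on the LAN's layer 2 they receive its broadcast traffic and can reach every host on it, so the pool should be kept outside the LAN's own DHCP range and the access that `client-to-client` and the pushed default gateway grant should be a deliberate choice.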