
I set up PiVPN on my Pi3B. I have a Windows computer. I can connect through OpenVPN GUI on Windows to my Pi, because I changed the WAN address of my router in the original .ovpn config file that my PiVPN generated to my Pi's local IP address. However, when I change it back to the external IP address of my router (Bell 3000), I cannot connect from Windows to the Pi's VPN. OpenVPN GUI is allowed through my Windows Defender Firewall. I've port forwarded port 443 externally and internally from my router to my Pi. I've tried adding my Pi to the DMZ on my router to no avail. What can I do to fix this issue? I've added a picture for more clarification.

Edit - Here is my OVPN Config that works:

client
dev tun
proto udp
remote 192.168.2.37 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_08XRL6zHTfDaymUK name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBnzCCAUWgAwIBAgIJAJbJod1X+
...
+W1kN37CaTI/qocSTEyGc=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBuDCCAV2gAwIB
...
+H5wVZ4
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GC
...
Pa52i051Fudhrk=
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
bb0a39e1d55a264e237db76c5d9dc3ce
...
1425af36d2449f2c935b794e06407514
-----END OpenVPN Static key V1-----
</tls-crypt>

I've removed all the key contents. The original that didn't work had my router's WAN IP instead of 192.168.2.37.

Update: I have just tested it from another network; I can ssh to the Pi through port forwarding, but OpenVPN still does not work.

Raymo111
  • You are using three interfaces on your RasPi: wifi, ethernet and ovpn. There is a router with a demilitarized zone (DMZ) and routing the vpn tunnel. And somewhere there is a MS Windows PC with a firewall. And somewhere you are using port forwarding. You are using local and external ip addresses. And that's all said in only four sentences. Sorry, but that's too much in short to understand your setup. Can you please make an overview (ascii art, picture) of which is connected to what with what? – Ingo Dec 08 '18 at 18:20
  • @Ingo I've clarified it. Hope you can now understand. – Raymo111 Dec 08 '18 at 18:26
  • @Ingo Added a diagram – Raymo111 Dec 08 '18 at 18:39
  • (^.^)d lets look.. What PiVPN server you are using? This one http://www.pivpn.io/ ? It's for outdated Raspbian Jessie. You are using Raspbian Stretch. – Ingo Dec 08 '18 at 18:46
  • Can you post your OpenVPN configuration file? What port are you using, is it TCP/IP or UDP/IP? Default is UDP/IP with port 1194. What rules have you added in your router's port forwarding rules? DO NOT PUT YOUR RPI IN YOUR ROUTERS DMZ IT WILL BE PWNED WITHIN ABOUT 4 MINUTES. – Dougie Dec 08 '18 at 19:07
  • @Ingo Yes. Is there a more recent version? – Raymo111 Dec 08 '18 at 19:16
  • @Dougie How will it be pwned? The only person that knows of its existence is me. Plus, what can they even do? There is nothing on the Pi. – Raymo111 Dec 08 '18 at 19:22
  • I don't know if there is a more recent version. The question is: did you use that installation script `curl -L https://install.pivpn.io | bash` on your Raspbian Stretch installation? – Ingo Dec 08 '18 at 19:22
  • @Ingo yup. Is that why it doesn't work? – Raymo111 Dec 08 '18 at 19:23
  • It is possible ... – Ingo Dec 08 '18 at 19:29
  • @Dougie Added OVPN Config – Raymo111 Dec 08 '18 at 19:40
  • DMZ opens ALL ports to the public internet. If you don't have a sensible iptables/ip6tables firewall and haven't set a strong password for every userid you will have the world knocking at your door seeing if there's a way in. My secure system is getting hundreds of attacks per day. My fail2ban policy blocks any attacker permanently. My ufw policy restricts everything apart from 80, 443, 22 and 1194. Try it with a fresh copy of Raspbian with userid=pi password=raspberry and it's about four minutes until your system will be compromised. – Dougie Dec 08 '18 at 20:14
  • @Dougie I haven't used a DMZ before, but what does "*DMZ opens ALL ports to the public internet*" mean? What does nmap show me on an open port 47119 without an application behind it serving the port? What's the issue with such an open port? – Ingo Dec 08 '18 at 20:52
  • The issue is it may not be open right now. But what happens six months from now when you forget your system is in the DMZ and you open another service like telnet or ftp or something else that has a high security risk. There is no reason to ever put a server system in the DMZ unless you fully understand the full consequences and risks of doing it. – Dougie Dec 08 '18 at 21:16
  • @Dougie Please address me with *@Ingo*, otherwise I won't see your reply. I agree with you that the OP should not use a DMZ in this case, but in general a DMZ is there to increase security for the main system. – Ingo Dec 08 '18 at 21:36
  • at first glance, it looks like you need NAT loopback aka hairpinning - though the statement `I've port forwarded port 443 externally and internally from my router to my Pi` has me confused, what exactly is "internal" port forwarding? – Jaromanda X Dec 08 '18 at 22:58
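
An added example, not code from the question or from PiVPN: a small Python checker for a client profile of the shape posted above. It parses the directives and the inline `<ca>`/`<cert>`/`<key>`/`<tls-crypt>` blocks, flags a `remote` that points at a private (LAN-only) address, states the protocol and port the router's forward rule has to match (the posted profile uses UDP 443, so a rule that forwards TCP 443 only will not carry it), and rewrites the `remote` line the way the question describes. The sample profile embedded in the script is constructed, with the key material replaced by placeholders.

```python
"""Check an OpenVPN client profile (.ovpn) for the things that decide whether
it can connect from a given vantage point: which address it dials, which
protocol/port the router must forward, and whether the inline material is present.
Added example; not code from the question or from PiVPN."""
import ipaddress
import re

# Constructed sample: same directives as the profile in the question, with the
# inline key material replaced by placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 192.168.2.37 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_08XRL6zHTfDaymUK name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
<tls-crypt>
PLACEHOLDER
</tls-crypt>
"""

REQUIRED_INLINE = {"ca", "cert", "key"}      # always needed for a TLS client profile
TLS_WRAP = {"tls-crypt", "tls-auth"}         # one of these if the server wraps the handshake


def parse_ovpn(text):
    """Return (directives, inline): directives maps a name to the args of its
    first occurrence; inline is the set of <tag>...</tag> blocks present.
    Key material inside inline blocks is skipped, not parsed."""
    directives, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            if line == f"</{current}>":
                current = None
            continue
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            inline.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    if current is not None:
        raise ValueError(f"unterminated inline block <{current}>")
    return directives, inline


def check_profile(text):
    """Summarise what the profile dials and what the router must forward."""
    directives, inline = parse_ovpn(text)
    remote = directives.get("remote")
    if not remote:
        raise ValueError("profile has no remote directive")
    host = remote[0]
    port = int(remote[1]) if len(remote) > 1 else 1194          # OpenVPN default port
    proto = remote[2] if len(remote) > 2 else directives.get("proto", ["udp"])[0]
    try:
        private = ipaddress.ip_address(host).is_private
    except ValueError:
        private = False        # a hostname (e.g. dynamic DNS); cannot be judged offline
    notes = []
    if private:
        notes.append(f"remote {host} is a private address: only reachable from inside the LAN")
    notes.append(f"router forward rule must be {proto.upper()} port {port} -> server; "
                 "a TCP-only rule does not carry a UDP tunnel")
    missing = REQUIRED_INLINE - inline
    if missing:
        notes.append("missing inline blocks: " + ", ".join(sorted(missing)))
    return {"host": host, "port": port, "proto": proto.lower(),
            "remote_is_private": private, "missing_inline": missing,
            "tls_wrapped": bool(inline & TLS_WRAP), "notes": notes}


def set_remote(text, host, port=None):
    """Return the profile with its remote line pointing at host (the edit the
    question describes), keeping the existing port unless one is given."""
    old = parse_ovpn(text)[0]["remote"]
    new_port = port if port is not None else (old[1] if len(old) > 1 else 1194)
    return re.sub(r"^remote[ \t]+\S+(?:[ \t]+\S+){0,2}[ \t]*$",
                  f"remote {host} {new_port}", text, count=1, flags=re.MULTILINE)
```

Run it against the real file with `check_profile(open("client.ovpn").read())`. On the Pi itself, `sudo ss -lunp` shows whether the openvpn process is actually bound to UDP 443; if it is, and a TCP service such as SSH already reaches the Pi through the same router from outside, the remaining suspects are the protocol of the forward rule and the inside-to-WAN-address problem discussed in the comments.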

1 Answer

Info: To have a simple openvpn server installation for reference look at Simple openVPN with static keys.

The first idea on seeing the picture was that you confused WAN and LAN address. But let's look at how I understand the setup so far with this example. I assume wifi and wired ethernet are bridged on the router (having the same ip address range).

                 vpn tunnel                         ┌──────────┐
       ╔═══════════════════════════════════════════════════════════ vpn client
RPi(eth0) <----------------> router <-------------> │ INTERNET │
         \     wired        /      \      wan       │          │
   192.168.4.2       192.168.4.1   172.217.18.174   └──────────┘
               wifi       /         (public ip)
      PC <~.~.~.~.~.~.~->/
        \
   192.168.4.3

Following this setup you can see that it makes no sense to try to connect from internal to the RPi with the public ip address 172.217.18.174. This is only important for the VPN client outside in the internet.

Update from the comments:
You want to connect to the VPN server from outside, from anywhere on the internet. For testing you simply want to use the PC on your local area network, go out to the internet and then try to connect to the tunnel like an external vpn client. As far as I can see this cannot work because PC and router are on the same local area network. Either the router sees the private source ip address 192.168.4.3 from the PC on its wan port 172.217.18.174, then it will reject it because no router accepts private ip addresses coming from the internet by specification. Or the router will NAT the PC's address to its wan port 172.217.18.174 as usual. Then you try to connect to the tunnel's outside ip 172.217.18.174 from the (NATed) PC ip 172.217.18.174. I don't think that equal source and destination addresses are accepted.

To test such situations I use a second independent 4G internet connection with my cell phone. Then the request to the router comes from a real outside internet address.

If you have established a VPN tunnel from the outside VPN client to the VPN server on the RasPi then the VPN client becomes part of the local area network, just like it's connected to it locally. The tunnel can be seen as a very long secured ethernet cable plugged in on the VPN client on one side and plugged in on the RasPi on the other side. There is no "way back" in the sense you mean. But with the PC as part of your local area network it could be possible that you can connect to the internet like any other PC on that local network, not through the tunnel. I haven't tested it. There are specific routes set on the VPN client so this may avoid it.

If you still cannot connect from the outside public ip address it is difficult to say what's wrong with PiVPN for Jessie you installed on Stretch, with your DMZ and internal and external port forwarding, whatever this means. You should start again from a freshly flashed Raspbian Stretch Lite image, install OpenVPN on it and configure it as VPN server, not using preconfigured PiVPN and not using a DMZ. I will have a look at such a setup but it will take some days.

Ingo
    That's not what @Raymo111's OpenVPN configuration looks like. The posted one is for an OpenVPN client not an OpenVPN server. – Dougie Dec 08 '18 at 21:17
  • @Dougie Did I misunderstand the headline "*Cannot connect to PiVPN Server...*" together with its drawing? Maybe, but firstly I've made the ascii art to clarify the situation. What should I change? – Ingo Dec 08 '18 at 21:31
  • @Ingo Traffic from my PC is going out to internet through router. Then it comes in through router to RasPi. Then it leaves Raspi, goes through router, and goes to Internet. This is how my RasPi is being used as a VPN server. – Raymo111 Dec 08 '18 at 21:41
  • @Raymo111 Boah... double passing the router, from inside and then back through the vpn tunnel. I'm scratching my head how this could work. The PC has an address from a private network. The router expects a public source ip address on its wan port (172.217.18.174) and never accepts private addresses from the internet by specification. It makes less sense and you should consider if you really need this. I just have no idea how to make this work and if it is worth the effort to realize it. – Ingo Dec 08 '18 at 22:13
  • @Raymo111 And no, the traffic will not go back from the RasPi to the internet through vpn tunnel (third passing the router). The vpn server is the endpoint of the tunnel. Through the tunnel you can connect to your local area network but the PC is already there. You would have a loop. – Ingo Dec 08 '18 at 22:17
  • @Ingo It's designed so that when my computer is outside my LAN, I should be able to start my connection through my router to my PiVPN, then back through my router and back out to the target. I am just testing it by accessing the internet through my router right now from my computer. I should be able to connect from internet, but right now, I can't. – Raymo111 Dec 08 '18 at 22:28
  • As this answer has been flagged as "not an answer" I wanted to point out that "flags should not be used to indicate technical inaccuracies, or an altogether wrong answer"... but I am not judging if it is a wrong answer, just saying that it should not be flagged as "not an answer". – Ghanima Dec 08 '18 at 23:03
  • @Raymo111 I have updated my answer. – Ingo Dec 09 '18 at 00:20
  • @Ingo I have updated my question – Raymo111 Dec 09 '18 at 02:16
  • @Raymo111 It is difficult to say what's wrong with PiVPN for Jessie you installed on Stretch, with your DMZ and internal and external port forwarding, whatever this means. You should start again from a freshly flashed Raspbian Stretch Lite image, install OpenVPN on it and configure it as VPN server, not using preconfigured PiVPN and not using a DMZ. I will have a look at such a setup but it will take some days. – Ingo Dec 09 '18 at 15:25
  • @Ingo If you change your answer to your last comment I will accept it. – Raymo111 Dec 09 '18 at 16:36
  • @Raymo111 Done with last paragraph. The other paragraphs may help others to understand what could go wrong if they also try to test vpn from an inside PC. – Ingo Dec 09 '18 at 16:49
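
The double pass through the router that the answer and the comments describe, as an added toy model in Python (not code from the answer or from PiVPN). The addresses are the ones from the diagram in the answer; the forward rule (UDP 443 to the RasPi) and the outside client address 1.2.3.4 are assumed for the illustration. It puts the cases side by side: a PC dialling the RasPi's LAN address works without the router's NAT being involved at all; a PC dialling the router's own public address goes nowhere unless the router does NAT loopback (the hairpinning Jaromanda X mentions), which also has to rewrite the source so the RasPi's reply returns through the router; an outside client is only forwarded when the rule matches the protocol, so a TCP-only rule does nothing for a UDP tunnel; and a packet with a private source address arriving on the WAN side is refused, which is what the answer says happens to the un-NATed PC address.

```python
"""Toy model of the router in the answer's diagram, showing why a PC on the LAN
cannot reach the RasPi's VPN port through the router's public address unless
the router does NAT loopback (hairpinning), while an outside client can.
Added example, not code from the answer; addresses are taken from the diagram,
the forward rule and the outside client address are assumed."""
from dataclasses import dataclass, replace
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.4.0/24")
ROUTER_LAN = "192.168.4.1"
ROUTER_WAN = "172.217.18.174"            # public address in the diagram
RPI = "192.168.4.2"                      # OpenVPN server
PC = "192.168.4.3"
OUTSIDE = "1.2.3.4"                      # constructed stand-in for an outside client
FORWARDS = {("udp", 443): (RPI, 443)}    # assumed port-forward rule: UDP 443 -> RPi


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def from_wan(pkt):
    """Packet arriving on the WAN port. Returns (packet_after_nat, reason)."""
    if ipaddress.ip_address(pkt.src).is_private:
        # What the answer describes: private source addresses are not accepted
        # from the internet (simplified here to ipaddress.is_private).
        return None, "dropped: private source address on WAN"
    rule = FORWARDS.get((pkt.proto, pkt.dport))
    if pkt.dst == ROUTER_WAN and rule:
        return replace(pkt, dst=rule[0], dport=rule[1]), "DNAT by forward rule"
    return None, "dropped: no forward rule for this protocol/port"


def from_lan(pkt, hairpin=False):
    """Packet arriving on the LAN side. Returns (packet_after_nat, reason)."""
    if ipaddress.ip_address(pkt.dst) in LAN_NET:
        return pkt, "local delivery, no NAT involved"      # the profile that works
    if pkt.dst != ROUTER_WAN:
        return replace(pkt, src=ROUTER_WAN), "SNAT to WAN, sent to the internet"
    rule = FORWARDS.get((pkt.proto, pkt.dport))
    if not (hairpin and rule):
        # The destination is the router itself; without NAT loopback the
        # packet never reaches the forwarded host.
        return None, "dropped: own WAN address from LAN, no NAT loopback"
    # Hairpin: DNAT to the RPi and SNAT the source to the router's LAN address,
    # so the RPi replies via the router rather than directly to the PC (a direct
    # reply from 192.168.4.2 would not match the PC's flow to 172.217.18.174).
    return replace(pkt, dst=rule[0], dport=rule[1], src=ROUTER_LAN), "hairpin DNAT+SNAT"


def scenarios():
    """Run the cases discussed in the thread; returns {name: (result, reason)}."""
    inside_to_wan = Packet("udp", PC, 51000, ROUTER_WAN, 443)
    return {
        "pc_to_lan_ip": from_lan(Packet("udp", PC, 51000, RPI, 443)),
        "pc_to_wan_ip_no_hairpin": from_lan(inside_to_wan),
        "pc_to_wan_ip_hairpin": from_lan(inside_to_wan, hairpin=True),
        "outside_udp_443": from_wan(Packet("udp", OUTSIDE, 40000, ROUTER_WAN, 443)),
        "outside_tcp_443": from_wan(Packet("tcp", OUTSIDE, 40000, ROUTER_WAN, 443)),
    }


if __name__ == "__main__":
    for name, (result, reason) in scenarios().items():
        tail = f" -> {result.dst}:{result.dport}" if result else ""
        print(f"{name:26} {reason}{tail}")
```

The model is deliberately minimal: it has no state table and no reply path, only the decision a router makes on the first packet. That is enough to show why the test from the inside PC fails even when the server and the forward rule are correct, and why a test from a second, independent connection (the 4G phone the answer suggests) is the only one that exercises the real path.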