Help with weird matter needed

Hi All,

I am having a weird issue which does not make any sense to me anymore.

I have an OpenWrt router with the latest 22.03.2 version. The ISP device is set to bridge mode so my router is getting a public IP. I have a Raspberry Pi where I host an OpenVPN server set up using the pivpn project. I have a static lease configured for that RPi and port forwarding to it.

VPN clients can connect to the VPN; they can ping every single host and SSH to hosts, but when I try, for example, to connect to some host using VNC or SFTP, that is not successful. I also cannot open the router's administration panel while being on VPN. From what I have tested, I can actually only SSH to all hosts, nothing more.

I have reset the router to factory defaults and just set port forwarding, not messing much with the config. The behavior was the same.

I have set up the Raspberry Pi from scratch, using a brand new SD card with a clean image and a clean installation of pivpn. No luck.

I have even disconnected the Raspberry Pi where the VPN server is installed and installed the OpenVPN server directly on the router. Still the same.

I have tried setting up the VPN server on a different port. Same situation.

Exactly the same issue is happening on multiple clients on multiple platforms.

I have tried VPN to my network from different ISPs.

I can't understand why all my VPN clients can SSH to hosts on the internal network but they can't connect using SFTP or VNC.

Does anyone have any ideas what i may try?

What are the hosts that you wish to connect to via VNC, SFTP, etc.? Are they Windows machines? If so, the Windows firewall may be causing the issue -- you must explicitly allow connections from other subnets (or disable the firewall entirely as a test).

Otherwise, without details of the configuration itself, it'll be hard to provide any further guidance.

An "appendage" VPN server (meaning that the VPN server is not the network's main router, but a separate device on the LAN) can work one of two ways:

  • It NATs all VPN access to the LAN. In this case a remote user appears to be coming from the server's IP on the LAN, and the endpoints on the LAN treat it as trusted LAN-LAN access.

  • It does not NAT VPN access to the LAN. In this case, foreign IP addresses (the remote user's tunnel or remote LAN IP) appear as the source IP on the LAN. This has the upside that the situation is completely bi-directional: a LAN device can initiate a connection to the remote device as long as it knows the IP. But for this to work, generally the foreign subnet(s) need to be entered into the main router as static routes (with their gateway the appendage VPN server), and some endpoint firewalls or services will reject foreign private IPs unless specially configured.

I don't know which way "pivpn" works, it's outside the scope of this forum.

All machines where I am trying SFTP and VNC are Linux machines. I am not even able to open the administration panel of my router while being on VPN, so I don't think it is the firewall of any of those devices.

I also set up the VPN server on the router itself and the situation was exactly the same.

I did some additional tests on a Windows machine and an Android device. It looks like the connection actually gets established (I misunderstood the Linux VPN client behaviour), but in the case of VNC I get a grey screen (with the proper resolution), as if no data were transferred back to me. I also tried RDP. Exactly the same. The connection gets established, grey screen with the correct resolution of the machine. In the case of SFTP it also connects but cannot show me the list of directories/files.

You have not explained how the pivpn works on the network. @mk24 laid out the two options (NAT or not NAT).

If it is NAT, nothing more is required from the main router, and therefore your problem must lie on the VPN device.

If it is not NATed, you would need to set up a static route on the main router.

My guess is that it is the first scenario or you wouldn’t even get as far as you have. That means you should ask the pivpn people for help and troubleshooting.
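The two ways @mk24 describes (NAT on the appendage server, or a static route on the main router), written out as commands, plus the check the last reply points at: does the main router already route the tunnel subnet via the Pi? This is an added example for this thread, not code from the original posts, from pivpn or from OpenWrt. The addresses (LAN 192.168.1.0/24, router 192.168.1.1, Pi 192.168.1.10, tunnel 10.8.0.0/24) and the interface names (eth0, tun0, br-lan) are assumptions; the two setup functions only print the commands to run on the respective box, so the script itself runs anywhere, and the routing-table sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, pivpn or OpenWrt). Assumed addresses:
#   LAN                             192.168.1.0/24, OpenWrt main router 192.168.1.1
#   appendage VPN server (the Pi)   192.168.1.10, LAN interface eth0, tunnel tun0
#   OpenVPN tunnel subnet           10.8.0.0/24
LAN_NET=192.168.1.0/24
VPN_SRV=192.168.1.10
VPN_NET=10.8.0.0/24

# Option 1: NAT on the appendage server. Remote clients appear on the LAN as
# 192.168.1.10, so the main router needs nothing extra. Prints the commands to
# run as root on the Pi (iptables; interface names are assumptions).
vpn_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VPN_NET -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Option 2: no NAT. LAN hosts see 10.8.0.x source addresses and send their
# replies to their default gateway (the main router), which must know to hand
# 10.8.0.0/24 back to the Pi. Prints the UCI commands to run on the OpenWrt router.
vpn_static_route_uci() {
    cat <<EOF
uci add network route
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='$VPN_NET'
uci set network.@route[-1].gateway='$VPN_SRV'
uci commit network
/etc/init.d/network reload
EOF
}

# Check for option 2: given the text of 'ip route' from the main router, report
# whether the tunnel subnet is already routed via the VPN server. Prints the
# matching line and returns 0 if found, 1 otherwise.
route_present() {
    # $1 = routing table text, $2 = subnet, $3 = gateway
    printf '%s\n' "$1" | awk -v n="$2" -v g="$3" \
        '$1 == n && $2 == "via" && $3 == g { found = 1; print } END { exit !found }'
}

# Constructed sample of 'ip route' output on the OpenWrt router, for the check.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0.2
10.8.0.0/24 via 192.168.1.10 dev br-lan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1'

if route_present "$SAMPLE_ROUTES" "$VPN_NET" "$VPN_SRV" >/dev/null; then
    echo "static route for $VPN_NET via $VPN_SRV already present"
else
    echo "no static route for $VPN_NET; to add it on the router run:"
    vpn_static_route_uci
fi
```

To use the check for real, run `ip route` on the OpenWrt router and pass its output to `route_present`. Whether pivpn already does one of the two things is exactly the question the thread leaves open, so look at the Pi's `iptables -t nat -L POSTROUTING` for a MASQUERADE rule on the tunnel subnet before adding either: with NAT in place the static route is unnecessary, without it the route is required and, as the post above notes, some LAN endpoints may still reject the foreign 10.8.0.x source addresses.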