Using OpenVPN from PiHole to access home network; what's needed besides port forwarding?

Hi all, I've got OpenWRT 23.05 running on a NanoPi R2S. On my home network I have a PiHole installation for DNS resolving and as a home OpenVPN server, so that I can access my home network remotely. The configuration on the PiHole side is correct, as it was working just fine on my old OPNSense router.

Now, I've opened port 1194 on OpenWRT pointing to my PiHole installation (192.168.1.248), but my clients can't connect, with a generic timeout error. I'm pretty sure I'm forgetting something in the OpenWRT configuration, could anyone please point me in the right direction? Searching online I couldn't find a solution to my specific issue, most of the guides are on how to install OpenVPN directly on OpenWRT.

Please confirm you have a public IP on OpenWrt WAN interface and show the relevant part of your /etc/config/firewall where this pointing is defined. No pictures please.


No I don't, OpenWRT acts as a router sitting behind my ISP modem. The modem can't be put in bridge mode, but I've set OWRT in the DMZ of the ISP modem.

Here's the relevant bit in /etc/config/firewall:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'openvpn'
        option src 'wan'
        option src_dport '1194'
        option dest_ip '192.168.1.248'
        option dest_port '1194'

Looks good to me. I would try running tcpdump to see if anything is coming to port 1194. I would first check this on the router and then on the server.

You might need to set a static route on the main router to route the openvpn subnet back to 192.168.1.124 or alternatively masquerade the openvpn traffic coming out of the Pi.

Thanks for the suggestion, here's a tcpdump for port 1194 on OpenWRT, when trying to connect my phone to the VPN over 4G:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:35:51.031237 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 11930939:11948983, ack 1212, win 4705, options [nop,nop,TS val 1857106829 ecr 11963060], length 18044: HTTP
15:35:51.032669 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [.], seq 11948983:11960087, ack 1212, win 4705, options [nop,nop,TS val 1857106831 ecr 11963062], length 11104: HTTP
15:35:54.611942 IP 192.168.0.159.51820 > cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80: Flags [.], ack 16700789, win 3467, options [nop,nop,TS val 11963958 ecr 1857110376,nop,nop,sack 3 {17207409:17518321}{17025581:17160217}{16914541:16942301}], length 0
15:35:59.538387 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 20482800:20511948, ack 3630, win 4756, options [nop,nop,TS val 1857115337 ecr 11965188], length 29148: HTTP
15:35:59.539240 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 20511948:20548036, ack 3630, win 4756, options [nop,nop,TS val 1857115338 ecr 11965188], length 36088: HTTP
15:35:59.907766 IP 192.168.0.159.51820 > cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80: Flags [.], ack 25825212, win 3651, options [nop,nop,TS val 11965269 ecr 1857115612,nop,nop,sack 1 {25855748:26119468}], length 0
15:36:03.911194 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 29261367:29300231, ack 4836, win 4781, options [nop,nop,TS val 1857119709 ecr 11966281], length 38864: HTTP
15:36:03.911949 IP 192.168.0.159.51820 > cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80: Flags [.], ack 29063459, win 3966, options [nop,nop,TS val 11966284 ecr 1857119704], length 0
15:36:03.994199 IP 192.168.0.159.53350 > cur1-nfds11-0-0-cust95.8-2.cable.virginm.net.80: Flags [.], ack 11194533, win 4096, options [nop,nop,TS val 11966305 ecr 1068015189], length 0
15:36:04.016504 IP 192.168.0.159.53350 > cur1-nfds11-0-0-cust95.8-2.cable.virginm.net.80: Flags [.], ack 11946829, win 4092, options [nop,nop,TS val 11966311 ecr 1068015211], length 0
15:36:04.020278 IP 192.168.0.159.53350 > cur1-nfds11-0-0-cust95.8-2.cable.virginm.net.80: Flags [.], ack 11949605, win 4096, options [nop,nop,TS val 11966312 ecr 1068015211], length 0
15:36:05.039189 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 41080589:41119453, ack 7255, win 4831, options [nop,nop,TS val 1857120838 ecr 11966563], length 38864: HTTP
15:36:05.040521 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 41119453:41158317, ack 7255, win 4831, options [nop,nop,TS val 1857120839 ecr 11966563], length 38864: HTTP
15:36:05.215919 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 46176210:46201194, ack 7255, win 4831, options [nop,nop,TS val 1857121014 ecr 11966607], length 24984: HTTP
15:36:05.216579 IP cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80 > 192.168.0.159.51820: Flags [P.], seq 46201194:46241446, ack 7255, win 4831, options [nop,nop,TS val 1857121015 ecr 11966607], length 40252: HTTP
15:36:07.311946 IP 192.168.0.159.51820 > cur1-nfds11-0-0-cust111.8-2.cable.virginm.net.80: Flags [.], ack 49151123, win 4066, options [nop,nop,TS val 11967128 ecr 1857123017,nop,nop,sack 3 {49879823:49921463}{49349607:49860391}{49262163:49309355}], length 0
15:36:07.321194 IP 192.168.0.159.53350 > cur1-nfds11-0-0-cust95.8-2.cable.virginm.net.80: Flags [.], ack 12996969, win 4092, options [nop,nop,TS val 11967133 ecr 1068018418,nop,nop,sack 2 {13127441:13845037}{13020565:13103845}], length 0

192.168.0.159 is the IP address that my ISP modem is giving to OWRT, and it's exactly the WAN IP address.

Sorry not sure I understand, by main router do you mean the ISP modem or OWRT?

You don't need to configure any static routes, etc.

What am I missing here then? Surely I must have overlooked something.

I do not see port 1194 mentioned.
You need to run tcpdump "udp port 1194"
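The checks the thread keeps circling back to (is the WAN address actually public, does the fw4 redirect exist and does anything for udp/1194 ever hit it, and the later point about a return route for the VPN subnet) as one added script. This is example code written for this page, not the OpenWrt project's code and not something any poster supplied. It assumes the OpenWrt 23.05 defaults from the thread: a logical interface named `wan`, fw4/nftables, the OpenVPN server at 192.168.1.248 on udp/1194, and a VPN client subnet of 10.8.0.0/24 (OpenVPN's usual default; the thread never states it). The address helpers are plain POSIX sh and run anywhere; the `check_*`, `capture_*` and `add_*` functions only make sense on the router, where `tcpdump` has to be installed with opkg first.

```shell
#!/bin/sh
# Added example for this thread (not from OpenWrt or any poster).
# Assumed values, change to match your network:
OVPN_HOST=192.168.1.248   # LAN address of the Pi running OpenVPN
OVPN_PORT=1194            # OpenVPN listening port (udp)
OVPN_NET=10.8.0.0/24      # VPN client subnet, assumed; check "server" in the Pi's server.conf

# ---- pure helpers: no OpenWrt tooling needed -------------------------------

# Dotted quad -> 32-bit integer, e.g. 192.168.0.159 -> 3232235679
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when IP lies inside CIDR: ip_in_cidr 192.168.0.159 192.168.0.0/16
ip_in_cidr() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Classify the address the router holds on WAN. Anything but "public" means a
# redirect on OpenWrt alone cannot work: the box upstream (the ISP modem here)
# must also hand udp/1194 to this address, and "cgnat" means even that is not
# enough because the ISP is translating too.
wan_addr_class() {
  for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    ip_in_cidr "$1" "$cidr" && { echo rfc1918; return 0; }
  done
  ip_in_cidr "$1" 100.64.0.0/10  && { echo cgnat; return 0; }
  ip_in_cidr "$1" 127.0.0.0/8    && { echo loopback; return 0; }
  ip_in_cidr "$1" 169.254.0.0/16 && { echo link-local; return 0; }
  echo public
}

# ---- run these on the OpenWrt router itself --------------------------------

# 1. What address does OpenWrt actually have on wan, and is it public?
check_wan_addr() {
  . /lib/functions/network.sh
  network_get_ipaddr addr wan || { echo "wan has no IPv4 address"; return 1; }
  echo "wan=$addr class=$(wan_addr_class "$addr")"
}

# 2. Is the "config redirect" from /etc/config/firewall really in fw4's
#    dstnat chain, and does its packet counter move while a client connects?
#    A counter stuck at 0 means nothing for udp/1194 reaches OpenWrt at all,
#    so the problem is upstream (modem DMZ, DDNS record, ISP), not here.
check_dnat_rule() {
  nft list chain inet fw4 dstnat_wan | grep "udp dport $OVPN_PORT"
}

# 3. Capture only what matters: udp/1194 on the WAN device, not "port 1194"
#    on whatever interface tcpdump picks first.
capture_handshake() {
  . /lib/functions/network.sh
  network_get_device dev wan
  timeout 60 tcpdump -ni "$dev" "udp port $OVPN_PORT"
}

# 4. Return path (the static-route remark in the thread). Once the tunnel is
#    up, LAN hosts answer VPN clients in $OVPN_NET via their default gateway,
#    i.e. OpenWrt, which otherwise has no idea that subnet sits behind the Pi.
#    Either add this route on OpenWrt, or instead masquerade on the Pi, e.g.
#    (on the Pi, not OpenWrt):
#      nft add rule ip nat postrouting ip saddr 10.8.0.0/24 oifname eth0 masquerade
#    This does not change whether the handshake reaches the Pi.
add_return_route() {
  uci add network route >/dev/null
  uci set network.@route[-1].interface='lan'
  uci set network.@route[-1].target="$OVPN_NET"
  uci set network.@route[-1].gateway="$OVPN_HOST"
  uci commit network && /etc/init.d/network reload
}

# ./ovpn-dnat-check.sh run   -> steps 1-3 in order (step 4 is deliberate, call it yourself)
if [ "${1:-}" = run ]; then
  check_wan_addr
  check_dnat_rule
  capture_handshake
fi
```

Run the capture while a client on mobile data attempts to connect; if the counter in step 2 stays at 0 and step 3 shows nothing, OpenWrt never saw the packet and the DMZ or DDNS side is where to look, as the thread concludes.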

Ah you're right, my VPN client is not hitting OWRT, that tcpdump snippet is bogus. Checking the client logs while trying to connect, it tries to connect to [mydnsaddress]:1194, then waits and goes into timeout. I'm using DuckDNS and it's reporting my public IP correctly.

Then the issue has probably nothing to do with OpenWrt. I would check DMZ setup, etc.

I do believe that the DMZ is configured correctly though, as it has been working before changing router to OWRT. Also yes, I did change the IP in the DMZ to match the one assigned to OWRT.

Then take OpenWrt out of the game, connect your PC directly to the operator's router, set the static IP on PC or adjust the DMZ, run Wireshark and see.