pivpn/pivpn

[General Issue]: PiVPN works on mobile data, does not work on External SSID even after reconfiguring IPs to be on different IP ranges

MalusLupus420 opened this issue · 3 comments

Describe the issue

I faced this issue and looked up previous closed issues for answers and found one suggestion, that is, both networks need to be on different IP ranges. So I formatted my Raspberry Pi 5 once again with a fresh install and installed Pi-hole and PiVPN, but this time set my home network to a 172.16.24.X IP range because the External SSID I was connecting to had a 192.168.X.X IP range. I then went to the location where the external SSID was and connected through PiVPN, and my internet just refused to work. It works fine when I am on mobile data though, which is really weird.

Expected behavior

Since my home network and the external network are both running different IP ranges now, I believed I should have solved the issue, but it looks like that hasn't worked out as planned.

Please describe the steps to replicate the issue

Connect to Mobile Network: PiVPN works perfectly.
Connect to External SSID: PiVPN connects and sends data but receives nothing back.

Have you taken any steps towards solving your issue?

I have reconfigured my IP range on my home network to avoid any potential conflicts but it's still not working out.

Screenshots

I am adding my debug output below.

Where did you run pivpn?

Raspberry Pi 5 8GB with a 64GB UHS-1 SD Card

Please provide your output from uname -a

Linux pi5inthesky 6.1.0-rpi7-rpi-2712 #1 SMP PREEMPT Debian 1:6.1.63-1+rpt1 (2023-11-24) aarch64 GNU/Linux

Details about Operative System

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Installation

No response

Profile / Client creation

No response

Debug output

::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
Branch: master
Commit: a85d3752ef94ed1aaad70ba6d483f93583152eca
Author: Orazio
Date: Wed Dec 13 18:09:55 2023 +0100
Summary: fix(scripts): disallow using server's name as client name (#1791)
=============================================
::::        Installation settings        ::::
PLAT=Debian
OSCN=bookworm
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
dhcpReserv=1
IPv4addr=172.16.24.52/24
IPv4gw=172.16.24.1
install_user=p$$$$$
install_home=/home/p$$$$$
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.43.23.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=1
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.43.23.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(grepcidr bsdmainutils iptables-persistent wireguard-tools qrencode unattended-upgrades)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.43.23.1/24
MTU = 1420
ListenPort = 51820
### begin iphone14plus ###
[Peer]
PublicKey = iphone14plus_pub
PresharedKey = iphone14plus_psk
AllowedIPs = 10.43.23.2/32
### end iphone14plus ###
### begin op7t ###
[Peer]
PublicKey = op7t_pub
PresharedKey = op7t_psk
AllowedIPs = 10.43.23.3/32
### end op7t ###
### begin pop7t ###
[Peer]
PublicKey = pop7t_pub
PresharedKey = pop7t_psk
AllowedIPs = 10.43.23.4/32
### end pop7t ###
### begin kk-op7t ###
[Peer]
PublicKey = kk-op7t_pub
PresharedKey = kk-op7t_psk
AllowedIPs = 10.43.23.5/32
### end kk-op7t ###
### begin iphonese2020 ###
[Peer]
PublicKey = iphonese2020_pub
PresharedKey = iphonese2020_psk
AllowedIPs = 10.43.23.6/32
### end iphonese2020 ###
### begin ipadpro ###
[Peer]
PublicKey = ipadpro_pub
PresharedKey = ipadpro_psk
AllowedIPs = 10.43.23.7/32
### end ipadpro ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = iphone14plus_priv
Address = 10.43.23.2/24
DNS = 10.43.23.1

[Peer]
PublicKey = server_pub
PresharedKey = iphone14plus_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
::::    Recursive list of files in       ::::
::::    /etc/wireguard shown below       ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
clients.txt
kk-op7t.conf
op7t.conf
ipadpro.conf
iphone14plus.conf
iphonese2020.conf
pop7t.conf

/etc/wireguard/keys:
kk-op7t_priv
kk-op7t_psk
kk-op7t_pub
op7t_priv
op7t_psk
op7t_pub
ipadpro_priv
ipadpro_psk
ipadpro_pub
iphone14plus_priv
iphone14plus_psk
iphone14plus_pub
iphonese2020_priv
iphonese2020_psk
iphonese2020_pub
pop7t_priv
pop7t_psk
pop7t_pub
server_priv
server_pub
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] Iptables INPUT rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::

Can you explain more how your network is structured and where you are connecting from? Also post the output of iptables -vnL and iptables -t nat -vnL.

In fact, it works even if the range of IP addresses is the same. I've tested it with PiVPN + WireGuard.

For example: PiVPN installed in your Home Network with IP 192.168.1.5. The server/resource you want to access remotely in the same Home Network has IP 192.168.1.25, and you want to access it from a Remote Network.

The Remote Network has the same range of IP addresses with a router at 192.168.1.1 and the IP of the device where you have Wireguard client installed is 192.168.1.40 (assigned from the Remote Network).

To make it work, so that you can connect from the Remote Network to 192.168.1.25 on your Home Network, you need to add the following to the WireGuard client configuration:

AllowedIPs = ::/0, 0.0.0.0/0, 192.168.1.25/32

This way, when you are connected to the VPN, it will redirect through the VPN tunnel the traffic destined for 192.168.1.25, and you will reach that server on your Home Network.

(obviously, you won't be able to access a server at 192.168.1.25 that might exist in the Remote Network).

I've tried it, and it works!
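The routing decision behind the AllowedIPs trick in the comment above, as an added illustration that is not PiVPN's or WireGuard's own code: each AllowedIPs entry in the client config becomes a route through the tunnel interface, and the kernel picks the most specific route that contains the destination. With only 0.0.0.0/0 the Remote Network's connected /24 wins for 192.168.1.25; once 192.168.1.25/32 is added the /32 wins and the packet enters the tunnel, while 192.168.1.1 (the Remote Network's router) still goes out the local interface. The same model also shows the situation in the original report: a home range such as 172.16.24.0/24 that does not overlap the Remote Network is already covered by 0.0.0.0/0 and routed into the tunnel, so renumbering the home LAN alone changes nothing on the client side. The interface names wg0 and wlan0, the constructed destination list and the route-table model itself are assumptions of this example.

```python
"""
Longest-prefix-match model of a WireGuard client's routing decision.

Added illustration, not PiVPN or WireGuard code. It assumes the client
installs one route per AllowedIPs entry via the tunnel interface (called
wg0 here) next to the connected route of the network it is currently on
(called wlan0 here). Both names are assumptions.
"""
import ipaddress

TUNNEL_DEV = "wg0"    # assumed name of the client's WireGuard interface
LOCAL_DEV = "wlan0"   # assumed name of the client's Wi-Fi / mobile interface


def build_routes(local_net, allowed_ips):
    """Return (network, device) pairs: the connected route of the network the
    client sits on, plus one tunnel route per comma-separated AllowedIPs entry."""
    routes = [(ipaddress.ip_network(local_net, strict=False), LOCAL_DEV)]
    for entry in allowed_ips.split(","):
        entry = entry.strip()
        if entry:
            routes.append((ipaddress.ip_network(entry, strict=False), TUNNEL_DEV))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns the egress device, or None if no route covers dst (split tunnel)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def egress_dev(local_net, allowed_ips, dst):
    """Which interface the client would use for dst, given the network it is on
    and the AllowedIPs line of its WireGuard config."""
    return lookup(build_routes(local_net, allowed_ips), dst)


def route_report(local_net, allowed_ips, dsts):
    """Map each destination in dsts to its egress device."""
    return {d: egress_dev(local_net, allowed_ips, d) for d in dsts}


if __name__ == "__main__":
    REMOTE_LAN = "192.168.1.0/24"            # the Remote Network from the comment
    DEFAULT = "0.0.0.0/0, ::0/0"             # PiVPN's default client AllowedIPs
    FIXED = DEFAULT + ", 192.168.1.25/32"    # with the more specific entry added
    # Constructed destinations: home server, remote router, the OP's PiVPN host
    # on its non-overlapping home range, and a public address.
    DSTS = ["192.168.1.25", "192.168.1.1", "172.16.24.52", "1.1.1.1"]
    for label, allowed in (("default AllowedIPs", DEFAULT), ("with /32 added", FIXED)):
        print(f"{label}:")
        for dst, dev in route_report(REMOTE_LAN, allowed, DSTS).items():
            print(f"  {dst:<15} -> {dev}")
```

Real clients differ in mechanics (Linux wg-quick, for instance, installs a 0.0.0.0/0 AllowedIPs entry through policy routing rather than as a plain route), but the effect of a more specific entry is the same: the longer prefix beats the Remote Network's /24, and the address with the same number on the Remote Network becomes unreachable for the duration of the tunnel, exactly as the comment notes.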

Pre-archive closing, more information here