Problem with vpn while on separate WiFi

Pings aren't really a good way to test. Lots of things don't respond to pings.

So what magic does the client device use to pass traffic to the remote net without a connection (local IP) to the local router? The local router has no clue and doesn't care (generally) that the client is using VPN and doesn't make some special connection for it. It just sees a local device making requests for traffic that's to be routed outside the local net. The traffic just happens to be encrypted.
 
Right - that's the magic of the IP routing table. Everything is handled by the client's IP stack. The router is just the gateway routing packets. The client is aware of where to route packets outbound to reach the host on the other end. The VPN client just packages everything up and encapsulates it as an encrypted package and ships it out based on the local routing table. Depending on the VPN, the successful connection can also result in the VPN client modifying the local routing table also.

Again - my initial thought on this was not to blame having a 192.168.x.x IP scheme as the issue. I connect to many networks having that IP scheme and I have yet to see it affect my ability to reach my VPN.
 
I'm not sure this is an accurate statement. If you are on someone's guest wifi, when you connect via OpenVPN back to your network, you won't be initiating that connection as the 192.168.X.X address of the guest wifi, you will be using the public NAT IP of the ISP connection. Not sure where the overlap issue comes in.


Good technical discussion here.

Agree on the above, but after successful connection then what happens? Yes my response may have been a little simplistic. The original poster mentioned they can connect to the VPN but not connect to their local LAN afterwards. I agree that split tunneling may be short circuiting the traffic to the local wifi LAN and causing the problem.

Perhaps the solution (and a good test) is to reconfigure the VPN server and client so that all traffic is routed via the VPN. Some people prefer this solution because you can then safely use the internet on untrusted public wifi networks, and the home subnet may not need to be reconfigured. Apologies if anyone has already started changing the IP settings on 254 hosts :D
 
Definitely a good point. I’ve run two separate VPNs over the years (OpenVPN and Global Protect) and both had to have configuration of what a client can access in place. I have it set up so that when I use the VPN I can access local networks and the Internet as well.

Hurricane Electric makes a great little network troubleshooting app for iPhone, they might have it as well for Android. It may be worthwhile to test just what you have access to on the local LAN once VPN’d in to determine if it’s a VPN routing issue or maybe something wrong with the configuration of the Blue Iris PC that’s preventing you from accessing it while VPN’d in.

I use the tool and the simple ping utility can help determine where the issue lies or at least point you in the right direction.


 
Hurricane Electric makes a great little network troubleshooting app for iPhone...
I love this app! Been using it for years. And it's a free tool.

mikeynags is right, the OP's issue is VPN split-tunneling. Disabling VPN split-tunneling should fix his problem. As noted, he will not be able to get to anything at the local source location while the VPN is active.
 
Like the discussions going on here. I still haven’t done anything about it yet since there are only 2 places I must access outside WiFi that I don’t have cell coverage and I’m usually not there long.

So about this split tunneling. I don’t see it even being an option on my iPhone vpn settings. I don’t remember it either in my gateway.


 
My .02 here - split tunneling being turned off will route ALL of the client device requests to the VPN's network and very likely solve the problem. IP routing is pretty well defined and prefers all locally connected devices to ones that have to transit a connection, adding weight or "costs" to the route. So, if split tunneling was on enabling it to access the local resources if the device does a route lookup for how to get to 192.168.1.21 (BI server) and the device has an IP of 192.168.1.45 on the local/guest network, it will always try the local network first (and fail) unless forced to go to the remote network via the VPN. You can see some of the metrics at work by opening a command prompt on a Windows or Mac machine and typing "netstat -nr" and see the weights/metrics.
 
Ok so on my iPhone in the vpn settings I have the “send all traffic” turned on so I assume that basically means split tunneling is turned off. But for whatever reason I am still having the same issues.


 
I am curious whether anyone else experiencing this issue ended up finding a solution?

I am in a similar boat. Access to BI app on iPhone works flawlessly if using VPN over cellular data (and of course on own home wifi network) but if I use a family/friends wifi network, activate VPN then the BI app on iPhone stalls at the login screen saying “retrying”. Hardware is also similar to the OP (using a Ubiquiti Cloud Gateway Ultra). Thanks
 
Many, if not most, consumer wifi networks are on 192.168.1.0/24. If your subnet is 1.x and the WiFi you are on, outside of the house, is on 1.x, there will be conflicts. That is why ours is 192.168.0.0/24 and our VPN is on 192.168.60.0/24.

Just a thought.
 
I'm not sure this is an accurate statement. If you are on someone's guest wifi, when you connect via OpenVPN back to your network, you won't be initiating that connection as the 192.168.X.X address of the guest wifi, you will be using the public NAT IP of the ISP connection. Not sure where the overlap issue comes in.

You are mistaken.....

A VPN connection requires the use of at least three different network subnets: the subnet of the local network that the device trying to establish the VPN finds itself on, the VPN "tunnel" subnet (which is set up in the VPN's server settings), and the network subnet(s) that the VPN is connecting to (i.e. the subnets at the other end of the VPN connection). NONE of these subnets can be duplicated. If any of the subnets are trying to use the same IP address scheme as one of the other subnets, the VPN connection is not going to work. The public address of the local network where the VPN is being established actually plays no role in this.
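
Added illustration, not part of any poster's reply: a simplified Python model of the subnet-overlap check and of the client route lookup (longest prefix first, then lowest metric) discussed in the posts above. The addresses are the ones quoted in the thread; the interface names, metrics and route tables are constructed for the example.

```python
import ipaddress

def find_overlaps(subnets):
    """Return sorted name pairs whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def pick_route(table, dest):
    """Pick the interface for dest: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = []
    for cidr, metric, iface in table:
        net = ipaddress.ip_network(cidr)
        if ip in net:
            matches.append((net.prefixlen, -metric, iface))
    return max(matches)[2] if matches else None

# Constructed scenarios using the subnets mentioned in the thread.
CONFLICT = {"guest_wifi": "192.168.1.0/24",   # WiFi away from home
            "vpn_tunnel": "192.168.60.0/24",
            "home_lan": "192.168.1.0/24"}     # same range as the guest WiFi
CLEAN = {"guest_wifi": "192.168.1.0/24",
         "vpn_tunnel": "192.168.60.0/24",
         "home_lan": "192.168.0.0/24"}

# (destination, metric, interface); metrics are made-up sample values.
# "Send all traffic" is modelled as a default route through the tunnel.
CONFLICT_ROUTES = [("0.0.0.0/0", 5, "vpn"),
                   ("192.168.1.0/24", 0, "wifi"),   # directly connected
                   ("192.168.1.0/24", 50, "vpn")]   # home LAN via tunnel
CLEAN_ROUTES = [("0.0.0.0/0", 5, "vpn"),
                ("192.168.1.0/24", 0, "wifi"),
                ("192.168.0.0/24", 50, "vpn")]

if __name__ == "__main__":
    print("overlaps (conflict):", find_overlaps(CONFLICT))
    print("overlaps (clean):   ", find_overlaps(CLEAN))
    # Camera server at 192.168.1.21 while the phone sits on 192.168.1.0/24:
    print("192.168.1.21 ->", pick_route(CONFLICT_ROUTES, "192.168.1.21"))
    # Same server renumbered into a non-overlapping home subnet:
    print("192.168.0.21 ->", pick_route(CLEAN_ROUTES, "192.168.0.21"))
```

In this model the default route through the tunnel still loses to the directly connected /24, so the overlapping destination stays on the local WiFi even when all other traffic goes through the VPN.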
 
I actually have multiple VPNs working on Asus and Netgear routers, where the subnet the VPN server (router DHCP range) is 192.168.1.x as is the remote VPN client's LAN subnet.

The key for me is to ensure the device connected to the router at the server side has a different IP than any in my home/client side.
 