VPN Primer for Noobs

VPN subnet is 10.0.2.0, it starts and the iPhone connects instantly, but no connection with any camera App.
So how do I get the server and iPhone to see the 192.168.1.0 subnet?
 
Without much to go on it might be a firewall issue. Have you tried disabling the firewall temporarily for testing purposes? My VPN server is on my router so it's a bit different. To access my Windows 10 computer I had to set a firewall rule on that computer to allow my VPN subnet. I didn't have any issues with accessing the camera except there is a specific issue using iDMSS with OpenVPN over a T-Mobile connection that was figured out (iDMSS Failure to connect over cell service only).

I'm going to assume you set up your router correctly since you are saying you are connecting...

Be a little more forthcoming with information. What is your setup?

Are you able to view the cameras on your LAN using your phone without VPN?
 
Sorry if I wasn't clear. I set up the server on an always-on PC, Windows 10. I am able to connect to all camera apps on wifi as well as log on to my router through a browser on the iPhone. Can't connect to the cameras with a browser due to plugin issues with browsers; I can get to the webui, just no video.
When connected to the VPN server I can't connect to anything, no apps or browser to cams or router. The server doesn't know the LAN is there.
I had tried to set up the router VPN, NG R7000, but had no luck with that, so I read forum posts and watched many YT vids and finally got the PC server to work and the iPhone to connect, just no LAN communication. I can get internet while on the VPN.
Seems I just don't have something in the server config file to route to the subnet 192.168.1.0.

Edit: I have turned off the firewall testing also.
 
Did you set your BI for your local LAN to the VPN subnet? This is how mine is configured on BI. vpn.JPG
 
OK, a little help or advice please. I bought the Asus AC1900 router in hopes of running my VPN on it, but it looks like I can't. I have a wireless ISP that provides me a private IP 192.168.xx.xx, so I couldn't get the DDNS set up because of this. When I showed the network map it showed that private IP as my WAN IP. I see a few posts back that someone else was having that same issue. So since I can't get a VPN to work that way, what are my options? Can I run it on a Windows machine that I will have set up for BI?
 
In that case you can't port forward either... there is a thread where a user uses Hamachi by LogMeIn with success... that would be easiest.
 
fenderman,

Thanks for the info. I will search for that thread and read up on it. Living rural certainly has its benefits but also has some drawbacks at times. I guess I am still lucky enough that I don't have to use dial-up or satellite internet!!
 
I believe OpenVPN already routes the VPN subnet to your local subnet. Are you using TUN or TAP? I recommend using TUN.

Can you ping any of your devices on your LAN from your phone while connected via VPN? This is the first place to start. Disable the firewall first to make sure you are able to ping your devices on your network. Don't be fixated strictly on your camera system right now, so ping your PC, router, and other devices as well. If you can't ping anything then something isn't set up correctly (probably a firewall issue).

Go here and scroll down to "Starting up the VPN and testing for initial connectivity" & "Creating configuration files for server and clients". Go over all of this and double check your settings and connectivity.

Just to be clear, you aren't connecting via VPN while connected to your Wifi LAN? If so, you can't do that, but I don't think you would get a successful connection. If I try this, my phone never connects to the OpenVPN server.

You might also want to post on OpenVPN's forum: OpenVPN Support Forum - Index page

We don't have any information on your setup. Are you running an NVR or PC software? Are the cameras and NVR (or PC) set up with static IPs?
 
Using TUN.
No ping from iPhone while on VPN. Firewall on or off, no difference.
Can ping all devices with VPN off. I have internet connection while on VPN.
I turn the wifi off and use cellular connection to test VPN.
I have OpenVPN installed on a windows PC. PC and cameras are on static IP's.
It does allow me to connect to the VPN while on wifi, but I have been disconnected from wifi for testing.

I will check your link, hell I've checked a couple dozen others.
Thanks.

Edit: UDP port 443, port forwarding on router to server PC.
 
Something is blocking the iPhone, it can't even see or ping the VPN server.
The only IP the phone can see is itself.
 
What is your BI server local lan IP# set to ? When you click the interfaces down arrow it should show the 10.0.2.1, as you stated your subnet was set to 10.0.2.0. You need to check this area of the server.ovpn file. I left mine default just to make it simple.

op.JPG
 
Have not installed BI yet.
I messed around with the firewall a little and found with it turned off the phone could ping the VPN server. With it turned on the phone could not ping anything including the VPN. Turn off just the Public firewall and it could ping the VPN.
So even with the firewall off, no LAN access.
 
Are you disabling the PC firewall or router firewall? Try both if you haven't already. If you can't ping any device on your LAN while connected via VPN then something isn't right (obviously).
 
PC firewall, router does not have a firewall. With the firewall off, I can ping the VPN server and the server can ping the phone. Just can't see 192.168.1.xxx from the phone.

Saw this.
"Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.

For the purpose of this example, we will assume that the server-side LAN uses a subnet of 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24 as cited in the server directive in the OpenVPN server configuration file.

First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive:

push "route 10.66.0.0 255.255.255.0"

Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."


Seems to me that this is a routing issue. Need to tell the server and phone that 192.168.1.xxx is there.
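The two conditions in the quoted OpenVPN documentation, applied to this thread's subnets (VPN 10.0.2.0, LAN 192.168.1.0), as an added example that is not part of the original post. The function name, the /24 masks, the server address 192.168.1.50, the gateway address 192.168.1.1 and the sample config are constructed assumptions.

```python
import ipaddress
import re

def check_lan_routing(server_conf, lan, server_lan_ip, gateway_ip, gateway_routes):
    """List routing gaps that keep VPN clients from reaching the server-side LAN.

    gateway_routes: (destination, next_hop) static routes set on the LAN gateway.
    Hypothetical helper, not part of OpenVPN.
    """
    lan_net = ipaddress.ip_network(lan)
    server_ip = ipaddress.ip_address(server_lan_ip)
    problems = []

    # VPN address pool, from the `server <network> <netmask>` directive.
    m = re.search(r'^\s*server\s+(\S+)\s+(\S+)', server_conf, re.M)
    if not m:
        return ["no 'server' directive found"]
    pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    if pool.overlaps(lan_net):
        problems.append(f"VPN pool {pool} overlaps LAN {lan_net}")

    # Condition 1: the LAN is advertised to clients with push "route ...".
    # Lines starting with ';' or '#' are comments and do not match.
    pushed = [ipaddress.ip_network(f"{net}/{mask}", strict=False)
              for net, mask in re.findall(
                  r'^\s*push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)]
    if not any(lan_net.subnet_of(p) for p in pushed):
        problems.append(f'no active push "route" directive covers {lan_net}')

    # Condition 2: only when the OpenVPN server is not the LAN gateway, the
    # gateway needs a route for the VPN pool that points at the server.
    if server_ip != ipaddress.ip_address(gateway_ip):
        has_return = any(
            pool.subnet_of(ipaddress.ip_network(dst, strict=False))
            and ipaddress.ip_address(hop) == server_ip
            for dst, hop in gateway_routes)
        if not has_return:
            problems.append(f"gateway {gateway_ip} has no route for {pool} via {server_ip}")
    return problems

# Constructed sample config: the push line is present but commented out.
SAMPLE_CONF = """
port 443
proto udp
dev tun
server 10.0.2.0 255.255.255.0
;push "route 192.168.1.0 255.255.255.0"
"""

if __name__ == "__main__":
    for p in check_lan_routing(SAMPLE_CONF, "192.168.1.0/24", "192.168.1.50", "192.168.1.1", []):
        print("PROBLEM:", p)
```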
 
You are correct. This is why I was telling you to check what you have BI set as... thinking you used BI. Since my VPN and BI machine are the same I never had this issue. So in your case I believe you will have to define the route. I have not done that, so see how it works and fill us in :)
 
I give up! I think it's Windows somehow. I've rebuilt the server and client config file multiple times and read every howto I could find. Every config file looks the same.
 
Don't give up. Just walk away when you need to. I believe you are 100% correct on the routing issue now as I dug a little deeper. Apparently when you have the VPN server on your router it routes it for you without having to do anything.

I believe all you need to do is open your server.conf file and add (if you haven't already):
Code:
push "route 192.168.1.0 255.255.255.0"

What are your OpenVPN logs telling you?
 
Yep, done that.
That's another problem, log shows no issues, so nothing to look up.
Think I'll start over and try the router again, but from what I've read this router is not the best for VPN. Was thinking about a Raspberry Pi, I've been wanting to put one together anyway.
 
I have also read somewhere about having to set a static route in your router. Netgear's VPN works fine and easy as long as you are the only client planning on using it. It will only generate "one" set of credentials.....and no way of ever changing them. Good luck !
 
Yeah, that doesn't sound like a good setup. Would like to set up the wife's and my phones to check cameras.

I did set a static route on the router, didn't make a difference.