This weekend I was working on a VPN connection between my two Raspberry Pis (a B and the new model 2). I chose OpenVPN for it. Both are running Raspbian Wheezy.
So my setup is as follows:
|B| is at home, connected to the internet (DSL, static IP). The other Pi, |2|, I'm carrying with me. It's connected to the internet via a UMTS router. That works unexpectedly well :) At home on the |B| I have a server running, and the |2| logs into it without any problems.
My question for you guys is: how do I connect from my local network (the same one as Pi |B|), say from my iPhone, to the |2|, which already has a connection open to the |B|?
I configured my server like this:
dev tun
proto udp
port 34345
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1 bypass-dhcp"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
duplicate-cn
keepalive 10 120
and that's my client config:
dev tun
client
proto udp
remote {myIP} 34345 #same port as on the server
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/pi/vpn/ca.crt
cert /home/pi/vpn/raspi.crt
key /home/pi/vpn/raspi.key
comp-lzo
verb 3
As I said, the connection works well, and if I issue "curl www.echoip.net/plain" from the console on the new Raspberry I get my static IP address back. So I guess in general it works.
I already tried to access 10.8.0.*, but this didn't work and I can't think of why.
Any ideas?
Thanks in advance, Felix
EDITED AGAIN:
The server log says the following after successful authentication when the Raspi connects:
Tue Mar 3 18:59:00 2015 2.240.44.246:26966 [raspi] Peer Connection Initiated with [AF_INET]2.240.44.246:26966
Tue Mar 3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=e8b6:d1be:808e:f8b6:34bb:fdb6:4405:79b8
Tue Mar 3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI: Learn: 10.8.0.6 -> raspi/2.240.44.246:26966
Tue Mar 3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI: primary virtual IP for raspi/2.240.44.246:26966: 10.8.0.6
Tue Mar 3 18:59:02 2015 raspi/2.240.44.246:26966 PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 3 18:59:02 2015 raspi/2.240.44.246:26966 send_push_reply(): safe_cap=960
Tue Mar 3 18:59:02 2015 raspi/2.240.44.246:26966 SENT CONTROL [raspi]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
The output on the client RPi 2 looks like this (again, after a successful authentication):
Tue Mar 3 18:59:00 2015 [server] Peer Connection Initiated with [AF_INET]2.240.44.246:34345
Tue Mar 3 18:59:02 2015 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 3 18:59:02 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 3 18:59:02 2015 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 3 18:59:02 2015 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 3 18:59:02 2015 OPTIONS IMPORT: route options modified
Tue Mar 3 18:59:02 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Mar 3 18:59:02 2015 ROUTE default_gateway=192.168.2.201
Tue Mar 3 18:59:02 2015 TUN/TAP device tun0 opened
Tue Mar 3 18:59:02 2015 TUN/TAP TX queue length set to 100
Tue Mar 3 18:59:02 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Mar 3 18:59:02 2015 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Mar 3 18:59:02 2015 /sbin/route add -net 2.240.44.246 netmask 255.255.255.255 gw 192.168.2.201
Tue Mar 3 18:59:02 2015 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Mar 3 18:59:02 2015 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Mar 3 18:59:02 2015 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Tue Mar 3 18:59:02 2015 Initialization Sequence Completed
On the server side, ifconfig returns the following in addition to lo and eth0:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1907 errors:0 dropped:0 overruns:0 frame:0
TX packets:1820 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:245870 (240.1 KiB) TX bytes:1046186 (1021.6 KiB)
On the client side it looks like this:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:76 (76.0 B) TX bytes:380 (380.0 B)
Here is an image of the structure: https://i.sstatic.net/z9QUs.jpg
In order to access your RPi |2| client from other VPN clients (in your case the iPhone), you must know the IP address of the RPi |2| client. In your current scenario, a dynamic IP address is assigned to the RPi |2| client each time it establishes a new connection with the server.
To solve this issue, a static IP address must be used for the RPi |2| client. The procedure for setting a static IP address for a particular client can be found here.
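The answer above recommends pinning the |2| to a fixed VPN address, and the posted server log shows how addresses are leased (one /30 per client under the default "topology net30", so 10.8.0.6 is paired with 10.8.0.5). The script below is an added example, not code from the question or the answer: it reads the leased addresses out of server log lines in the posted format, checks that a chosen address pair is a legal net30 pair for the posted "server 10.8.0.0 255.255.255.0" subnet, and writes the client-config-dir entry that pins a CN to that pair. The CN "raspi" is taken from the log; the sample log lines are constructed from the posted format, and CCD_DIR defaults to a temporary directory so the script runs anywhere (set it to /etc/openvpn/ccd on the real server, and add "client-config-dir /etc/openvpn/ccd" to the server config). One caveat for the posted config: a ccd entry is looked up by certificate CN, so "duplicate-cn" should go, since two clients sharing one certificate would both be pushed the same address.

```shell
#!/bin/sh
# Added example for pinning an OpenVPN client to a fixed net30 address.
# Values below come from the posted server config and log; CCD_DIR is an
# assumption (use /etc/openvpn/ccd on the real server).
VPN_NET=10.8.0.0          # from "server 10.8.0.0 255.255.255.0"
VPN_MASK=255.255.255.0
CCD_DIR=${CCD_DIR:-$(mktemp -d)}

# Dotted quad -> integer and back (POSIX sh arithmetic, no external tools).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Under "topology net30" each client owns one /30 of the server subnet:
# .4k+1 is the server-side endpoint, .4k+2 the client (the log shows
# "ifconfig 10.8.0.6 10.8.0.5"). The first /30 (.1/.2) is the server's own,
# matching the posted "inet addr:10.8.0.1 P-t-P:10.8.0.2".
# Returns 0 when "<client> <server>" is a usable ifconfig-push pair.
net30_valid_pair() {
    c=$(ip2int "$1"); s=$(ip2int "$2")
    net=$(ip2int "$VPN_NET"); mask=$(ip2int "$VPN_MASK")
    [ $(( c & mask )) -eq "$net" ] || return 1   # inside the VPN subnet
    [ $(( c & 3 )) -eq 2 ] || return 1           # client address is 4k+2
    [ $(( c - 1 )) -eq "$s" ] || return 1        # server endpoint is 4k+1
    [ $(( c - net )) -ge 4 ] || return 1         # block 0 belongs to the server
    return 0
}

# Write the client-config-dir entry that pins a CN to a fixed /30.
# Prints the path written; fails (and writes nothing) on an invalid pair.
write_ccd_entry() {   # write_ccd_entry <cn> <client-ip> <server-ip>
    net30_valid_pair "$2" "$3" || { echo "invalid net30 pair: $2 $3" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    printf 'ifconfig-push %s %s\n' "$2" "$3" > "$CCD_DIR/$1"
    echo "$CCD_DIR/$1"
}

# Print "<cn> <virtual-ip>" for every lease in a server log, matching lines
# of the form posted in the question:
#   ... raspi/2.240.44.246:26966 MULTI: Learn: 10.8.0.6 -> raspi/2.240.44.246:26966
learned_ips() {
    sed -n 's|.*MULTI: Learn: \([0-9.]*\) -> \([^/]*\)/.*|\2 \1|p' "$1"
}

# Constructed sample log in the posted format (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Tue Mar 3 18:59:00 2015 raspi/2.240.44.246:26966 MULTI: Learn: 10.8.0.6 -> raspi/2.240.44.246:26966
Tue Mar 3 18:59:02 2015 raspi/2.240.44.246:26966 PUSH: Received control message: 'PUSH_REQUEST'
Tue Mar 3 19:10:12 2015 iphone/198.51.100.7:41000 MULTI: Learn: 10.8.0.10 -> iphone/198.51.100.7:41000
EOF

# Demo: list what each CN was leased, then pin raspi to the /30 it already
# holds so it stays at 10.8.0.6 across reconnects.
learned_ips "$SAMPLE_LOG"
write_ccd_entry raspi 10.8.0.6 10.8.0.5
```

Pinning the address only settles which 10.8.0.x to aim at. If the iPhone is itself a VPN client, the "client-to-client" line already in the posted server config lets it reach 10.8.0.6 directly; a host on the home LAN that is not a VPN client additionally needs a route for 10.8.0.0/24 via the |B|'s LAN address (on the host or on the home router) and net.ipv4.ip_forward=1 on the |B|, otherwise its packets for 10.8.0.6 never enter tun0.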