In order to be able to access my home network from outside, I have this setup:
- I have a VPS, which runs the OpenVPN service (its VPN address is `10.8.0.1`).
- A Raspberry Pi at home, which always connects to the VPN (its VPN address is `10.8.0.22`).
- When I need to access my home network, I connect my laptop to the same VPN, then either ssh or VNC into the Pi and do things.
This morning, I was staying at the local library. After I connected to the VPN, I couldn't access my Pi at all; the attempt to connect simply timed out. And:
- I could access the VPS using `10.8.0.1`.
- From the VPS, I could access my Pi using `10.8.0.22`.
- On the Pi, everything seemed to work OK, e.g., `curl ifconfig.io` would show the public IP of my VPS.
- And I could access other websites fine.
(I wasted some time here: the WiFi wasn't stable at some spots, so I tried moving around and disconnecting/reconnecting multiple times, until I realized it was time to open the tools and investigate.)
First, I opened Wireshark and selected the interface for the VPN. If I tried to access some (http) website, the packets were captured and displayed properly. However, the attempt to connect to the Pi didn't go through this interface at all; instead, it went through the WiFi interface.
So it's a routing issue. `ipconfig` gave:

```
Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e9ba:9444:c320:46a2%31
   IPv4 Address. . . . . . . . . . . : 10.8.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :
```
Maybe the `255.255.255.252` mask was the culprit? A quick search said no. (That /30 is normal: OpenVPN's default `net30` topology gives each client a point-to-point pair, here 10.8.0.5 on the server side and 10.8.0.6 on the client side.)
Then I checked `route print`, and:

```
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.128.128.128   10.195.98.171      50
          0.0.0.0        128.0.0.0         10.8.0.5        10.8.0.6     257
         10.0.0.0        255.0.0.0         On-link    10.195.98.171     306
         10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6     257
         10.8.0.4  255.255.255.252         On-link         10.8.0.6     257
         10.8.0.6  255.255.255.255         On-link         10.8.0.6     257
         10.8.0.7  255.255.255.255         On-link         10.8.0.6     257
    10.195.98.171  255.255.255.255         On-link    10.195.98.171     306
   10.255.255.255  255.255.255.255         On-link    10.195.98.171     306
  <public VPS IP>  255.255.255.255   10.128.128.128   10.195.98.171     311
```
So the third route, `10.0.0.0 255.0.0.0 On-link 10.195.98.171`, was the problem. The library WiFi had handed my laptop an address with a /8 mask, and route selection picks the longest matching prefix before it looks at metrics: for `10.8.0.22` the on-link `10.0.0.0/8` (metric 306) beats the VPN's `0.0.0.0/1` half-default (metric 257), so the system thought my Pi was on the WLAN, not the VPN. The VPS itself was still reachable because it has its own `/32` route via `10.8.0.5`.
The fix was easy: just manually change the netmask to `255.255.0.0`, so that the route covering `10.8.0.22` is no longer the WLAN's /8 and traffic for the Pi goes out through the tunnel again.
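To make the longest-prefix-match rule concrete, here is an added example (not code from the post) that replays route selection over the two route tables on this page. The rows are copied from the post, minus the redacted `<public VPS IP>` rows; since the post does not say whether the `255.255.0.0` mask was applied to the WLAN adapter or to the VPN adapter, both readings are modelled at the routing-table level. The peer in the port-forwarding capture, `179.10.75.34.bc.googleusercontent.com`, is Google Cloud's reverse-DNS form, so the address used below is `34.75.10.179`.

```python
"""Replay longest-prefix-match route selection over the route tables in this post.

Added example, not code from the post. Route rows are copied from the page
(the redacted <public VPS IP> rows are left out); the lookup rule is the one
Windows and Linux both apply: longest matching prefix first, metric as tie-break.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None when directly attached ("On-link", or 0.0.0.0 on Linux)
    interface: str          # Windows names the interface by its address, Linux by name
    metric: int


def parse_route_table(text: str) -> list[Route]:
    """Parse rows from `route print` (5 columns: destination netmask gateway
    interface metric) or `route -n` (8 columns: destination gateway genmask flags
    metric ref use iface). Header and separator lines fail the address parse and
    are skipped."""
    routes: list[Route] = []
    for line in text.strip().splitlines():
        parts = line.split()
        try:
            if len(parts) == 5:                      # Windows row
                dst, mask, gw, iface, metric = parts
            elif len(parts) == 8:                    # Linux row
                dst, gw, mask, _flags, metric, _ref, _use, iface = parts
            else:
                continue
            if dst == "default":
                dst = "0.0.0.0"
            network = ipaddress.IPv4Network(f"{dst}/{mask}")
            cost = int(metric)
        except ValueError:
            continue
        gateway = None if gw in ("On-link", "0.0.0.0") else gw
        routes.append(Route(network, gateway, iface, cost))
    return routes


def route_for(dest: str, table: list[Route]) -> Optional[Route]:
    """Longest matching prefix wins; metric only breaks ties between equal prefixes.
    That is why a /8 on the WLAN beats the /1 half-default OpenVPN puts on the tunnel."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def with_mask_changed(table: list[Route], old: str, new: str) -> list[Route]:
    """Copy of the table with one on-link route rewritten, which is what editing an
    adapter's subnet mask does to the routing table."""
    old_net, new_net = ipaddress.IPv4Network(old), ipaddress.IPv4Network(new)
    return [Route(new_net, r.gateway, r.interface, r.metric) if r.network == old_net else r
            for r in table]


# Laptop (Windows) rows from the post's `route print`, taken while at the library.
LAPTOP = parse_route_table("""
0.0.0.0          0.0.0.0  10.128.128.128  10.195.98.171   50
0.0.0.0        128.0.0.0        10.8.0.5       10.8.0.6  257
10.0.0.0       255.0.0.0         On-link  10.195.98.171  306
10.8.0.1 255.255.255.255        10.8.0.5       10.8.0.6  257
10.8.0.4 255.255.255.252         On-link       10.8.0.6  257
10.8.0.6 255.255.255.255         On-link       10.8.0.6  257
10.8.0.7 255.255.255.255         On-link       10.8.0.6  257
10.195.98.171 255.255.255.255    On-link  10.195.98.171  306
10.255.255.255 255.255.255.255   On-link  10.195.98.171  306
""")

# The post's fix (mask 255.255.0.0) read two ways, since it does not say which adapter
# was edited: narrowing the WLAN's on-link route, or widening the VPN adapter's.
LAPTOP_WLAN_NARROWED = with_mask_changed(LAPTOP, "10.0.0.0/8", "10.195.0.0/16")
LAPTOP_VPN_WIDENED = with_mask_changed(LAPTOP, "10.8.0.4/30", "10.8.0.0/16")

# Pi (Linux) rows from the post's second table.
PI = parse_route_table("""
0.0.0.0   10.8.0.21       128.0.0.0  UG    0 0 0 tun0
default   192.168.1.1       0.0.0.0  UG  303 0 0 wlan0
10.8.0.1  10.8.0.21 255.255.255.255  UGH   0 0 0 tun0
10.8.0.21 0.0.0.0   255.255.255.255  UH    0 0 0 tun0
""")

# tcpdump printed the peer as 179.10.75.34.bc.googleusercontent.com; Google Cloud's
# reverse-DNS names carry the octets reversed, so the address is 34.75.10.179.
PORT_FORWARD_CLIENT = "34.75.10.179"

if __name__ == "__main__":
    for label, table in [("library table", LAPTOP),
                         ("WLAN mask 255.255.0.0", LAPTOP_WLAN_NARROWED),
                         ("VPN mask 255.255.0.0", LAPTOP_VPN_WIDENED)]:
        r = route_for("10.8.0.22", table)
        print(f"laptop -> Pi, {label}: {r.network} via {r.gateway or 'on-link'} on {r.interface}")
    r = route_for(PORT_FORWARD_CLIENT, PI)
    print(f"Pi SYN-ACK to {PORT_FORWARD_CLIENT}: {r.network} via {r.gateway} on {r.interface}")
```

Running it shows `10.8.0.22` landing on the WLAN's `10.0.0.0/8` with the original table, and on the tunnel after either mask change; it also shows the Pi's SYN-ACK to the port-forwarding client matching `0.0.0.0/1` on `tun0` rather than the `default` via `wlan0`, which is exactly the asymmetric path the tcpdump capture in the next section shows.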
Extra: port forwarding issue
My router at home allows port forwarding. It stopped working for my Pi. After some digging with `tcpdump` and a port scanner, I found:
- `wlan0` would get `179.10.75.34.bc.googleusercontent.com.44726 > 192.168.1.5.8083: Flags [S]`
- But the response was attempted through `tun0`: `192.168.1.5.8083 > 179.10.75.34.bc.googleusercontent.com.44726: Flags [S.]`
So again a problem with the route table. The SYN arrives on `wlan0` via the router, but the reply is routed by destination only, and with OpenVPN's `0.0.0.0/1` half-default in place that means `tun0`: the SYN-ACK leaves through the VPS instead of the home router, so the client never sees it (asymmetric routing).

```
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.21       128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    303    0        0 wlan0
10.8.0.1        10.8.0.21       255.255.255.255 UGH   0      0        0 tun0
10.8.0.21       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
<public VPS IP> 192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
```
For now, I’m happy with the finding, will leave it to another day for an actual solution.