Hi there,
I have some trouble setting up OpenVPN on a DietPi (running as DNS / Pi-hole) and a separate OMV NAS.
I'm trying to get a connection to the NAS (web GUI + SMB) via OpenVPN (unless there's a better way?).
What I have got working so far is access to the Internet via VPN, and I can connect to the router (running on 192.168.xxx.1) and DietPi (192.168.xxx.2).
What I've done so far:
1. Setting up the router with
- 192.168.xxx.2 as DNS server
- port forwarding of UDP 1194 to 192.168.xxx.2
- a route from 10.8.0.0 to 192.168.xxx.2
2. Running OpenVPN on DietPi with this config (comes from PiVPN):
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/DietPi_7b1f0602-c12b-4152-adf3-bf1d69a4d9$
key /etc/openvpn/easy-rsa/pki/private/DietPi_7b1f0602-c12b-4152-adf3-bf1d69a4d9$
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.xxx.1"
#push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
#LAN Access
push "route 192.168.xxx.0 255.255.255.0"
The router is defined as DNS in server.conf, but it forwards to DietPi / Pi-hole on 192.168.xxx.2.
3. iptables on the OMV machine:
#!/bin/sh
# Accept anything arriving on OpenVPN tun/tap interfaces
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets (eth1 = LAN side)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# 192.168.xxx.0/24 = LAN; NAT VPN clients leaving via eth1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
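As an added example (not part of the original post), a small script that reads the VPN subnet and the pushed LAN route out of a server.conf like the one above and prints the forwarding and NAT rules the OpenVPN server itself (the host that owns the tun interface) would need for tun clients to reach the LAN. The LAN interface name eth0 and the hostile-free example config are assumptions.

```shell
#!/bin/sh
# Added example: derive LAN-access firewall rules for the OpenVPN server
# from its own server.conf. Assumes the LAN interface is eth0.

# Convert a dotted netmask to a prefix length, e.g. 255.255.255.0 -> 24.
mask_to_prefix() {
    prefix=0
    for octet in $(echo "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0) ;;
            *) echo "bad netmask: $1" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# VPN subnet in CIDR notation, taken from the "server" directive.
vpn_subnet() {
    set -- $(grep -E '^server ' "$1" | head -n1)
    echo "$2/$(mask_to_prefix "$3")"
}

# LAN subnet in CIDR notation, taken from the first uncommented pushed route.
lan_subnet() {
    set -- $(grep -E '^push "route ' "$1" | head -n1 | tr -d '"')
    echo "$3/$(mask_to_prefix "$4")"
}

# Print rules scoped to VPN->LAN traffic plus NAT on the LAN interface, so
# LAN hosts reply to the VPN server's own address instead of to 10.8.0.x.
lan_access_rules() {
    conf=$1; lan_if=${2:-eth0}
    vpn=$(vpn_subnet "$conf"); lan=$(lan_subnet "$conf")
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -i tun+ -o %s -s %s -d %s -j ACCEPT\n' "$lan_if" "$vpn" "$lan"
    printf 'iptables -A FORWARD -i %s -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$lan_if"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$vpn" "$lan_if"
}

if [ "$#" -ge 1 ]; then lan_access_rules "$@"; fi
```

Run it as `sh script.sh /etc/openvpn/server.conf eth0` and review the printed rules before applying them.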
If you have any ideas on how to solve my problem, please let me know.
Kind regards
Martin