I have a Raspberry Pi box running an OpenVPN server that I'm using as a way to connect to and use my Pihole installation when outside my home network. This is working without issues.
| HOME NETWORK/Pihole |
(Remote client) -- (Open VPN Server ) --- Internet
Separately I have a remote VPN service that I can connect to via an OpenVPN client from the Pi device. That I tested successfully as well.
| HOME NETWORK/Pihole |
(Open VPN Client ) - VPN provider
I would like to combine both services such that the final installation would look like this:
| HOME NETWORK /Pihole |
(Remote client) -- (Open VPN Server) -- (Open VPN Client) --- Remote VPN service
I have tried solutions like the one described in this similar question (Wireguard server with active OpenVPN client) with similar negative results: once you activate the OpenVPN client (tun1), the server (tun0) becomes unreachable.
Here's what the routing table looks like when both interfaces tun[01] are up:
0.0.0.0/1 via 10.50.11.5 dev tun1
default via 192.168.1.1 dev wlan0 src 192.168.1.164 metric 303
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.50.11.1 via 10.50.11.5 dev tun1
10.50.11.5 dev tun1 proto kernel scope link src 10.50.11.6
128.0.0.0/1 via 10.50.11.5 dev tun1
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.164 metric 303
199.116.115.135 via 192.168.1.1 dev wlan0
Here's the current output of my OpenVPN server when I try to connect:
pi@raspberrypi:/etc/openvpn $ sudo more openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Jun 29 23:30:41 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
UNDEF,x.x.x.x:39159,860,442,Sat Jun 29 23:30:02 2019
This is what the error log looks like:
Sat Jun 29 23:34:47 2019 x.x.x.x:28162 TLS Error: incoming packet authentication failed from [AF_INET]172.58.87.22:28162
Sat Jun 29 23:34:48 2019 x.x.x.x:28162 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1561869285) Sat Jun 29 23:34:45 2019 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat Jun 29 23:34:48 2019 x.x.x.x:28162 TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:28162
Apparently the client connection is getting corrupted?
I also tried the solution in OpenVPN Client and Server on same machine – Server doesn't allow connections when client is connected, which I discovered after posting this question, to no avail. It would appear to be directly related to my issue, but it's still not working.
Best Answer
You will need this rule to route the outgoing traffic from the OpenVPN server (10.8.0.0/24) through your OpenVPN client connection (tun1):
To reach your OpenVPN server from outside your home network you have to use these rules from this answer:
Where 192.168.1.164 is your Pi-IP.
An alternative to only allow vpn traffic would be:
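The rule sets the answer refers to are not reproduced on this page. As an added example (not the answer's own commands), the script below implements the three pieces the answer describes with the addresses taken from the question's routing table: a NAT rule so the server's 10.8.0.0/24 clients leave through tun1, a policy-routing table so that anything the Pi sends from 192.168.1.164 answers via the LAN gateway 192.168.1.1 on wlan0 even while tun1 holds the 0.0.0.0/1 and 128.0.0.0/1 routes, and the narrower fwmark variant that only steers the OpenVPN server's own UDP replies. The routing table number 128, the mark value 0x1 and the server port 1194 are assumptions, as is the `run` dry-run helper; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: policy routing for an OpenVPN server on a host whose
# default route is an OpenVPN client tunnel (tun1).  Addresses come from
# the question's routing table; table id, mark and port are assumptions.
PI_IP="${PI_IP:-192.168.1.164}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_GW="${LAN_GW:-192.168.1.1}"
LAN_IF="${LAN_IF:-wlan0}"
VPN_CLIENT_IF="${VPN_CLIENT_IF:-tun1}"
SERVER_IF="${SERVER_IF:-tun0}"
SERVER_NET="${SERVER_NET:-10.8.0.0/24}"
SERVER_PORT="${SERVER_PORT:-1194}"   # assumption: default OpenVPN port
RT_TABLE="${RT_TABLE:-128}"          # assumption: an unused routing table
FWMARK="${FWMARK:-0x1}"              # assumption: an unused firewall mark

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. VPN clients (10.8.0.0/24) reach the Internet through the provider tunnel.
forward_clients_via_tun1() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SERVER_NET" -o "$VPN_CLIENT_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$SERVER_IF" -o "$VPN_CLIENT_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_CLIENT_IF" -o "$SERVER_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 2a. Everything sent from the Pi's LAN address is routed in table RT_TABLE,
#     whose default route is the LAN gateway, so server replies to remote
#     clients do not disappear into tun1.  Rule priority 32765 by default,
#     i.e. before the main table that holds the 0.0.0.0/1 + 128.0.0.0/1 routes.
reply_from_lan_ip_via_lan() {
    run ip rule add from "$PI_IP" table "$RT_TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$RT_TABLE"
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$RT_TABLE"
}

# 2b. Narrower variant: only packets the OpenVPN server sends from its UDP
#     port are marked in mangle/OUTPUT (the kernel re-routes marked packets)
#     and steered into RT_TABLE.  Incoming packets on wlan0 carry no mark,
#     so strict reverse-path filtering must be relaxed on that interface.
reply_only_vpn_server_via_lan() {
    run sysctl -w "net.ipv4.conf.${LAN_IF}.rp_filter=2"
    run iptables -t mangle -A OUTPUT -p udp --sport "$SERVER_PORT" \
        -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$RT_TABLE"
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$RT_TABLE"
}

case "${1:-}" in
    apply)          forward_clients_via_tun1; reply_from_lan_ip_via_lan ;;
    apply-vpn-only) forward_clients_via_tun1; reply_only_vpn_server_via_lan ;;
    show)           DRY_RUN=1; forward_clients_via_tun1; reply_from_lan_ip_via_lan ;;
    show-vpn-only)  DRY_RUN=1; forward_clients_via_tun1; reply_only_vpn_server_via_lan ;;
    *)              ;;   # no argument: define the functions only
esac
```

Two caveats worth checking before blaming the rules. Both variants assume the server's replies actually carry the source address 192.168.1.164: an OpenVPN server bound to 0.0.0.0 on an unconnected UDP socket lets the kernel pick the source address from the main table at send time, which with tun1 up is 10.50.11.6, so neither the `from 192.168.1.164` rule nor the re-routed marked packet goes out with a usable address. Bind the server to the LAN address with `local 192.168.1.164` in the server config, or start it with `--multihome` so it answers from the address the request arrived on. Second, `ip rule` and `ip route ... table` entries do not survive a reboot or a tun1 restart that rewrites the main table, so the usual place to run them is an OpenVPN `up` script on the client side. Run `sh script.sh show` first to review the commands, and `ip rule show` / `ip route show table 128` afterwards to confirm the table is in place.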