
I'm sure there's a boatload of other threads covering this process, and others will certainly chime in w/ links, but here's a basic summary.

I assume you do NOT have the OpenVPN server configured at the moment. It's simple enough to push the home network and the pihole DNS server(s) to the remote OpenVPN client, and change the default gateway of the remote OpenVPN client to the home OpenVPN server. These options will either be available in the OpenVPN server GUI directly (most commonly), or worst case, something you can add via its custom config field.

Code:
push 'route 192.168.1.0 255.255.255.0'
push 'dhcp-option DNS 192.168.1.100'
push 'redirect-gateway def1'

If you want your remote OpenVPN client to have access to your home OpenVPN client, then you need to use PBR (policy based routing) on the home OpenVPN client and add the OpenVPN server's IP tunnel network (e.g., 10.8.0.0/24) as a rule.

P.S. One word of caution, often not mentioned in other threads. Anytime you're using your own OpenVPN server, it's strongly recommended you do NOT use the all too common 192.168.1.x and 192.168.0.x for your home network. If you do, you risk the remote location having the same network, making routing over the VPN impossible (at least for the purposes of accessing your home network). Better to use something more obscure (e.g., 10.99.34.0/24). Also, it's not uncommon for your OpenVPN server and the commercial OpenVPN server to end up using the *same* IP tunnel network (e.g., 10.8.0.0/24). These *must* be different! These are common gotchas that can drive you crazy when things don't work as expected.
 
Also, if you're using Merlin, it's generally better to post in that subforum than this one. I've also seen people incorrectly use the VPN forum when it involves the VPN (w/ Merlin), but posting in the wireless forum is even worse. I just don't want those best equipped to answer your questions to miss it (I only noticed it when I saw it listed in the Latest Threads section, which eventually falls off).
 
Whether you wish to run the OpenVPN server on the router or the RPi is entirely up to you. For most people, I suspect it will be much easier to use the router, esp. if the home OpenVPN client is already running there. Integration will simply be easier, esp. when it comes to PBR (policy based routing).

As far as DDNS goes, you need it in order for your remote OpenVPN client to reliably locate the public IP of your home router. And you can use anything you want, be it duckdns, afraid (my preference), etc. In fact, I believe ASUS provides their own domain name service for their own customers (not sure because I don't use it personally). Use whatever works for you.
 
Assuming your OpenVPN client has been configured w/ the pihole IP address on the home network, it may be that the pihole is only listening for DNS requests on the local network (e.g., 192.168.1.0/24), whereas the OpenVPN client is using the tunnel's IP network (e.g., 10.8.0.0/24). Since I don't use pihole, I can't say for sure. But that's where I would initially start looking. Or perhaps the RPi has a local firewall blocking anything but 192.168.1.0/24 (or whatever you're using for your home network).
 
So I set it up on my router and used the OpenVPN app on my phone to load the .ovpn file. I was able to connect, and I think I understand the PBR. But I could not resolve anything on my phone. It is like there were DNS issues? I am not sure where to go from here...
Use the Arne Schwabe OpenVPN client on the phone. Others do not work as well.
 
BTW, make sure "Advertise DNS to clients" is set to NO. If set to YES, it will push the router's DNS server (DNSMasq) to the OpenVPN client. But since you're using your own preferred DNS server (the pihole), you need to manually push the DNS directive I initially told you about.

Code:
push 'dhcp-option DNS 192.168.1.100'

Change 192.168.1.100 to whatever is the local IP of the pihole.
 
From the phone?

How would I do that?

Might be a good idea to install some network utilities from your app store if you're going to be supporting a VPN! I use iOS and an app called (appropriately) Ping (a freebie). Most app stores contain numerous similar apps, including packages that contain traceroute and other common network utilities.
 

I want to do the same, just access my USB-attached HD files when I am away from home. On the Merlin VPN/VPN Server tab, I set up an OpenVPN server and I use the OpenVPN Connect app for Android to connect. I have no commercial VPN or piholes running on my system. Does this advice still apply to change the 192.168.1.x for the home network? If so, I am using all default settings and just have the VPN set to LAN only. Would I need to change any of the advanced settings (for example VPN Subnet / Netmask)?
 

Changing your home network from the all-too-common 192.168.1.x and 192.168.0.x networks is strongly *recommended*, but if you don't want to do it, you don't have to. Just beware that most devices default to one of these two networks, and just like YOU deciding to accept the default, the owner of the wifi cafe you frequent and want to use your OpenVPN client from might decide to accept the same default! And if that happens, it will become *impossible* for you to reach any of the devices on your home network because your client will assume anything on that network is *local* to the wifi cafe, and therefore never routed over the tunnel! But if you use something more obscure for your home network (e.g., 10.99.34.0/24), the chances of that happening, while never zero, are greatly diminished.

When it comes to the VPN subnet and mask, the same thing could happen. By convention, OpenVPN implementations tend to default to the 10.8.0.0/24 network, because that's what's used in the OpenVPN documentation for its examples. But you could use anything you like, provided you don't create a clash of networks. In most cases, leaving the VPN subnet and mask as 10.8.0.0/24 is fine. The only time I've seen a clash is when the user establishes an OpenVPN client on the same router as the OpenVPN server, and the commercial OpenVPN provider also happens to be using 10.8.0.0/24! So that would force you to change your OpenVPN server's tunnel to something else, say 10.9.0.0/24.

It's all about making sure that each and every network that becomes part of your overall configuration never results in network clashes.
 
I am only familiar with 192.168.x.x; what are the other allowed ranges? I have a bunch of static devices at 192.168.1.xx (147, 153, 200, etc.). Can I switch and just change the first 2 octets and keep the last 2 (x.x.1.147, x.x.1.153, etc.)?
 
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
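An added checker for the address-plan gotchas this thread keeps coming back to (home LAN, server tunnel, commercial VPN tunnel and remote LAN must all be disjoint and private; default LANs like 192.168.1.0/24 are risky; the pushed DNS server must sit inside the pushed home route). It is example code written for this thread, not from the thread itself or from any router firmware; the make_plan/parse_pushes/check_plan names, the network labels and the sample plan are constructed assumptions.

```python
import ipaddress
import re
# RFC 1918 private blocks, as listed in the thread.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# LANs that routers and cable modems commonly pick by default, so the remote
# site (the wifi cafe) may well be using one of them too.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24")]
PUSH_RE = re.compile(r"""^push\s+['"]?(.*?)['"]?\s*$""")

# Constructed sample: the push lines quoted earlier in the thread.
SERVER_CONF = """push 'route 192.168.1.0 255.255.255.0'
push 'dhcp-option DNS 192.168.1.100'
push 'redirect-gateway def1'
"""

def make_plan(home_lan, server_tunnel, commercial_tunnel, remote_lan):
    """Label the four networks that take part in the setup (CIDR strings)."""
    raw = {"home_lan": home_lan, "server_tunnel": server_tunnel,
           "commercial_tunnel": commercial_tunnel, "remote_lan": remote_lan}
    return {k: ipaddress.ip_network(v) for k, v in raw.items()}

def parse_pushes(server_conf):
    """Pull the pushed route (as a network) and DNS server out of push lines."""
    out = {}
    for line in server_conf.splitlines():
        m = PUSH_RE.match(line.strip())
        parts = m.group(1).split() if m else []
        if len(parts) >= 3 and parts[0] == "route":
            out["route"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif len(parts) >= 3 and parts[0] == "dhcp-option" and parts[1] == "DNS":
            out["dns"] = ipaddress.ip_address(parts[2])
    return out

def check_plan(nets, pushes):
    """Return a list of warnings; an empty list means no clash was found."""
    warnings = []
    for name, net in nets.items():
        if not any(net.subnet_of(p) for p in PRIVATE_BLOCKS):
            warnings.append(f"{name} {net} is not an RFC 1918 private network")
    names = list(nets)
    for i, a in enumerate(names):  # every pair of networks must be disjoint
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                warnings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    if nets["home_lan"] in COMMON_DEFAULTS:
        warnings.append(f"home_lan {nets['home_lan']} is a common default LAN")
    if "dns" in pushes and pushes["dns"] not in nets["home_lan"]:
        warnings.append(f"pushed DNS {pushes['dns']} is outside home_lan")
    if "route" in pushes and pushes["route"] != nets["home_lan"]:
        warnings.append(f"pushed route {pushes['route']} does not match home_lan")
    return warnings
```

Running check_plan on the all-defaults plan (home 192.168.1.0/24, both tunnels 10.8.0.0/24, cafe LAN 192.168.1.0/24) reports three warnings; moving the home LAN to 10.99.34.0/24 and the server tunnel to 10.9.0.0/24, with the push lines updated to match, reports none.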
 
Thanks. I don't know what 10/8 prefix, /12 prefix or /16 prefix mean. If I currently have 192.168.1.XXX
(XXX), where the router is at 1 and all my static addresses for devices are at 147-215.

Could I use 172.16.1.XXX and just replace the 192.168 with 172.16 (i.e. 192.168.1.147 becomes 172.16.1.147 etc)?
 
Here you can calculate your /prefix https://www.ipaddressguide.com/cidr
 

So I still don't really understand the numbers (sorry).

Can I just make the following changes?


Lan IP
Currently:
IP Address 192.168.1.1
Subnet Mask 255.255.255.0

Change to:
IP Address 172.16.1.1
Subnet Mask 255.255.255.0

----------

DHCP Server
Currently:
IP Pool Starting Address 192.168.1.3
IP Pool Ending Address 192.168.1.254

Change to:
IP Pool Starting Address 172.16.1.3
IP Pool Ending Address 172.16.1.254

-----------

Manually Assigned IP Addresses to Devices

Currently:
192.168.1.147
192.168.1.185
192.168.1.221
192.168.1.254

Change to:
172.16.1.147
172.16.1.185
172.16.1.221
172.16.1.254

In other words, can I just change every 192.168 to 172.16
and keep Subnet Mask the same?

Thanks
 
No need to make this overly complex. Something like 192.168.83.0/24 will do the job. IOW, just a simple change to the third octet, everything else remaining the same.

192.168.83.1 = router
192.168.83.100 = PC
192.168.83.200 = nas
...
 

Thanks. Can I use any number between 2 and 254 in the 3rd octet? Also, does the subnet mask remain the same?
 
Yes, except avoid 2 and 100 as well. A lot of cable modems use 192.168.100.1 as their LAN side address, part of the same idea of being rare.
 
