It’s been 15+ years since I did any serious networking professionally, but I used to work in a NOC and completed a Network+ YEARS ago. That said, it’s been a while.
Finally setting up a homelab to dust off my knowledge and I’m trying to set up a Client to LAN L2TP VPN to use when I’m out and about.
I have a gigabit fiber connection and am setting this up directly on a TP-LINK ER605 (no controller).
Client says it’s connecting just fine but I’m unable to route to the Internet from my phone when connected. Tunnel shows as connected and active on the router also.
I’m thinking the issue is my VPN IP pool, which I set up on 192.168.10.100-200. LAN IPs are 192.168.0.0/24 and I cannot see how to halve that range to allow me to put the VPN IP pool on the same range. My preference is to have VPN clients come in with a different pool, but want to eliminate that difference as the cause of the issue first.
My only other thought is DNS. I’m running Pi-Hole as DNS sinkhole on a RaspberryPi, but it’s currently disabled.
Edit: Solved, sort of.
Pings were going through, but nothing else. So I realized (duh!) it’s DNS. Changed the VPN setting in the user to 8.8.8.8 and all working.
Still, would like to have VPN clients using the Pi-Hole local DNS sink eventually.
I probably need to do a proper architecture on this to separate out my kid’s devices from mine, and the streaming stuff and IoT. But it’s at least working now.
Thanks for your help!
Is the VPN passing a default route to your client? What’s the route table on your router look like? Does it have routes for your VPN subnet? My first thought is you have a route missing somewhere.
Probably a routing and/or NAT issue. If you want to access the internet via the VPN, you need to have a default route which points to the VPN interface. You also need a static route for the VPN server IP address with the next hop set to the real default gateway so the VPN traffic is still sent to the local internet breakout. Then there is the NAT. The router (which is also the VPN server in this case) has to be configured to NAT the VPN range too.
Having the same subnet on the vpn as on the lan may not be the best idea unless you want to bridge the l2tp to the lan.
Looks like it has added a route to the table. Copied it here as compared to the LAN route (192.168.0.x). I’m guessing that subnet mask is the problem.
ID | Destination IP | Subnet Mask | Next Hop | Interface | Metric
5 | 192.168.10.102 | 255.255.255.255 | 0.0.0.0 | ppp0 | 0
6 | 192.168.0.0 | 255.255.255.0 | 0.0.0.0 | LAN | 0
Can’t do a direct IP, only a range set in the VPN IP pool. I currently have it set to 192.180.1.100-200. I will probably never have that many connections, so cut that down to 100-110.
Typically, the client connects and gets 101, 102, or 103, as I only have three concurrent connections enabled.
It was DNS. But could still be NAT?
Previously had the DNS entry as my Pi-Hole. Changed the DNS IP on the VPN user only to 8.8.8.8 and it worked. Maybe the VPN subnet can’t reach the Pi-hole for DNS?
Double-check that IP - it’s 192.160.10.102 over a PPP interface, that’s your WAN public IP. Where’s 192.168.10.0/24?
Ping it, you’ll see. But I think the pihole is configured to only serve local clients. At least that’s the default.
If I were you, would still verify that the internet traffic is indeed routed via the vpn tunnel or not.
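The two checks the replies above keep coming back to (does the router have a route for the VPN client, the LAN, and the internet, and does the resolver accept queries from the VPN pool at all) can be worked through offline. The following is an added example, not code from the thread, TP-Link or Pi-hole: it loads the two route rows copied from the ER605 above, adds an assumed placeholder default route (the poster did not copy one; the 203.0.113.1 next hop is an RFC 5737 documentation address), does a longest-prefix-match lookup the way a router would, and models the "local clients only" resolver behaviour as a plain subnet ACL. The Pi-hole address 192.168.0.53 and LAN host 192.168.0.50 are constructed sample values, and the subnet-ACL model is a simplification of Pi-hole's interface-based listening setting.

```python
import ipaddress

# Route table rows as copied from the ER605 in the post above, plus one
# ASSUMED default route (not in the post) so that internet lookups resolve.
ROUTE_ROWS = [
    # (destination, subnet mask, next hop, interface, metric)
    ("192.168.10.102", "255.255.255.255", "0.0.0.0", "ppp0", 0),  # VPN client host route (from the post)
    ("192.168.0.0", "255.255.255.0", "0.0.0.0", "LAN", 0),        # LAN subnet (from the post)
    ("0.0.0.0", "0.0.0.0", "203.0.113.1", "WAN", 0),              # ASSUMED default route, placeholder next hop
]


def parse_routes(rows):
    """Turn (dest, mask, next hop, iface, metric) rows into ip_network entries."""
    parsed = []
    for dest, mask, nexthop, iface, metric in rows:
        # ipaddress accepts a dotted netmask after the slash; strict=False
        # tolerates host bits being set (a /32 host route has none anyway).
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        parsed.append((net, nexthop, iface, metric))
    return parsed


def lookup(routes, dst):
    """Forwarding decision: longest prefix match, ties broken by lowest metric.
    Returns (interface, next_hop), or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, nexthop)
    return None if best is None else (best[1], best[2])


def dns_acl_allows(client_ip, allowed_nets):
    """Simplified 'local clients only' resolver check (an assumption used to
    illustrate the Pi-hole default): answer only if the client is inside one
    of the permitted subnets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in allowed_nets)


def diagnose(routes, vpn_client, lan_host, dns_server, internet_host, dns_allowed_nets):
    """Walk the checks suggested in the replies for one VPN client and return
    the findings as a dict of route decisions plus the DNS ACL verdict."""
    return {
        "return_route_to_client": lookup(routes, vpn_client),
        "client_to_lan": lookup(routes, lan_host),
        "client_to_internet": lookup(routes, internet_host),
        "dns_reachable_by_route": lookup(routes, dns_server),
        "dns_acl_allows_client": dns_acl_allows(vpn_client, dns_allowed_nets),
    }


if __name__ == "__main__":
    routes = parse_routes(ROUTE_ROWS)
    # Constructed sample addresses: Pi-hole at 192.168.0.53, a LAN host at 192.168.0.50.
    findings = diagnose(routes, "192.168.10.102", "192.168.0.50",
                        "192.168.0.53", "8.8.8.8", ["192.168.0.0/24"])
    for check, result in findings.items():
        print(f"{check}: {result}")
```

Run as-is, the route lookups all succeed (the router does have a path back to the client, to the LAN, and, via the assumed default route, to the internet), but the ACL check reports that 192.168.10.102 is outside 192.168.0.0/24, which matches the symptom in the thread: pings work, name resolution does not until the client is pointed at a public resolver. Dropping the assumed default route row makes the internet lookup return None, the "missing route" case the first reply asks about.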
Oh yeah. That was just my mistype. It is 168.
I have three concurrent connections set in the user, so it typically connects over 192.168.10.101, 102, or 103.
Yeah. It’s not pinging. In fact, aside from the gateway (192.168.0.1), I can’t seem to get to anything else on the local network. I can actually log into the router web interface just fine. Anything on the Internet is fine too.
So, I’ve isolated the VPN to its own subnet and it ain’t talking to the LAN. Which is fine until I need to get to a couple things for maintenance eventually. Something to sort out later.
Ok that makes sense then, it’s been a while since I’ve toyed with L2TP and never on a TP-Link. I’m looking at the documentation “How to establish an L2TP Server by Omada Gateway in Standalone mode | TP-Link” and if what you have is the same as the example for the most part, which it sounds like it might be, it should be working, at least to access stuff on your local network. Can the client talk to anything on your 192.168.0.0/24 network and just not the internet? Or can it not reach the local network as well?
Solved it, sort of. I realized pings were going through, but nothing else. So I realized (duh!) it’s DNS. Changed the VPN setting in the user to 8.8.8.8 and all working.
Still, would like to have VPN clients using the Pi-Hole local DNS sink eventually.
I probably need to do a proper architecture on this to separate out my kid’s devices from mine, and the streaming stuff and IoT. But it’s at least working now.
Thanks for your help!