By Colonel Panic
#1738521
I might be pushing my luck with this one, but I'll ask anyway :wink:

I have followed various "tutorials" on YouTube, and have done the following ...

Within my router > Services
    Created a RADIUS user, with a name & a "secret", with Authentication Port 1812 & Accounting Port 1813 (both numbers were pre-populated)
    Created a RADIUS server, with name & password, with L2TP & IPv4
Within my router > Networks
    Created a Remote User VPN, with a network name, the "secret" (see above), L2TP Server, Gateway/Subnet 192.168.3.1/29 (which gives me 6 users which is fine), and selected the Default RADIUS profile
Within my iPhone > General > VPN
    Created a VPN with L2TP, Server is my public IP, a/c is my RADIUS User as above, ditto password, ditto secret

But the iPhone won't connect to the VPN. The error message is "The L2TP-VPN server was unreachable. Verify the server address & try reconnecting. If the problem continues, contact the Flyer Forum for assistance" :wink:

Where have I gone wrong? Do I need to change the Server IP (I have also tried my public IP:1812)?

Any tips?

TIA
By carlmeek
#1738541
My advice, probably not quite what you want to hear, is to get a router that supports OpenVPN. Very easy to use and reliable.
By rjc101
#1738582
Take a look here, especially at the bullet points at the end... https://help.ubnt.com/hc/en-us/articles ... Access-VPN

The first one might be a problem unless the phone has the ability to route all networks over the VPN (not tried it on a phone). I do use the USG VPN from laptop to home/office fine, and the site to site works well too.
By Sjoram
#1738598
rjc101 wrote:...unless the phone has the ability to route all networks over the VPN (not tried it on a phone).

I use SoftEther as my VPN server and the Android native VPN client works fine with this. I haven't tested with iOS.
By Colonel Panic
#1738809
Thanks to all; I had been using my iPhone on 3G, so that wasn't the issue. The bullet points above were helpful, but still resulted in a conflict. I'd never heard of OpenVPN before, but have now, and I see my Synology NAS can act as a server, so will give that a try instead.
By Colonel Panic
#1738833
[UPDATE: I am now in a cafe and whilst I can connect to the VPN via Tunnelblick, the DNS issue below means that I can't access anything (but it is connected). :? ]

I can now connect to the OpenVPN server running on my Synology NAS via Tunnelblick on my laptop, using a Personal Hotspot on my iPhone / 3G.

Looking within SysPref / Network the laptop shows up as 172.20.10.5 which surprises me, as my LAN is 192.168.2.x and I set the VPN within the NAS to use Dynamic IP addresses 192.168.3.1 etc. And the Tunnelblick log states "2020-01-06 11:30:09.096717 *Tunnelblick: DNS address 192.168.3.1 is being routed through the VPN".

But whilst I can access the NAS fine, no other web page opens and after a while I get an error message saying the DNS server is not responding. Within the NAS I have set my Pi-Hole 192.168.2.56 to be the main DNS Server, and after the initial blocking I added OpenDNS's 208.67.222.222 as well, but still it doesn't load. "After connecting to VPNConfig, DNS does not appear to be working. This may mean that your VPN is not configured correctly."

This may be due to the comms between the NAS 192.168.2.29 & the USG router 192.168.2.1 (& possibly even the modem on 192.168.1.1:8080 ?) but I can't see where I have gone wrong. I have set the NAS VPN to "Allow clients to access server's LAN", and have set up port forwarding from the USG to the NAS on 1194 UDP.

Where else might I need to tweak the settings?

TIA
By Colonel Panic
#1741432
Famous last words, but I think I have finally managed to get my UniFi USG based VPN to work. (Full proof will follow when I'm next out in a cafe). I have had to check the "Require MS-CHAP v2" box which surprised me (& isn't mentioned in most YouTube videos).

When logged in via the VPN (with a local IP of 192.168.3.1) I can access devices on the main 192.168.2.x subnet fine, but when I type emonpi.local in a browser it doesn't connect.

emonpi.local is the same as 192.168.2.50 (which does work), so what is it about a VPN that blocks the former from resolving?
By Colonel Panic
#1741912
Thanks @stevelup - I had never heard of mDNS, but I now have 8)

WRT the VPN, again today when in a cafe I can start the VPN on my MacBookPro, everything within SysPref/Network looks right, and I am given an IP of 192.168.3.1 - which fits in with what I had asked the USG to give out (ie 192.168.3.1/29, which gives up to 6 connections).

But I still can't access things on my LAN, ie 192.168.2.60 (Synology NVR). Might this be due to the 3 subnet instead of the 2 that the NVR is on? How might I get round this? Can I tell the USG to give out (say) 192.168.2.90-95 to inbound VPN access?

Or have I missed out another step somewhere?

TIA
By Sjoram
#1741916
You are most likely spot on. Unless the USG has been configured to perform routing between the two subnets, they will be unable to see each other.

I would suggest amending the DHCP for the local network to create some space from which the VPN clients can be served.

I don't know the default behaviour of the USG, but a lot of consumer kit will enable DHCP across the whole range of addresses. I always prefer to have a section at the beginning and end of the subnet available for static allocation. You could then also serve your VPN clients from within that range.

Example - If your network is 192.168.2.0/24 and your USG is 192.168.2.1 (I haven't checked back earlier posts, so this is an example only)

DHCP: 192.168.2.100 - 192.168.2.200
Available for static assignment: 192.168.2.2 - 192.168.2.99
VPN clients: 192.168.2.201 - 192.168.2.254

All clients would need to have a /24 (255.255.255.0) subnet mask to be able to see each other without configuring routing separately.
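The two symptoms in this thread (the OpenVPN client that could reach the NAS but not the Pi-hole DNS server, and the USG L2TP client on 192.168.3.1 that could not see 192.168.2.60) come down to the same question: does the client have a route through the tunnel that covers the destination, and are the two hosts on one subnet at all? The script below is an added example, not something from the thread or from Ubiquiti/Synology; the route tables, the interface names `tun0` and `cafe-wifi`, and the address ranges are constructed to mirror the numbers quoted above. It does three things: longest-prefix matching over a client's route table, a same-subnet test for two interfaces, and a check that a DHCP/static/VPN address plan like Sjoram's fits inside the /24 without overlaps or swallowing the gateway.

```python
"""Route and address-plan sanity checks for a remote-access VPN (constructed example)."""
import ipaddress


def reachable_via(dest, routes):
    """Longest-prefix match. `routes` is a list of (network, interface) pairs;
    returns the matching pair with the longest prefix, or None if nothing covers dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for net, via in routes:
        net = ipaddress.ip_network(net)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def path_to(dest, routes):
    """Just the outgoing interface name for dest, or None."""
    match = reachable_via(dest, routes)
    return match[1] if match else None


def same_link(iface_a, iface_b):
    """True when two interfaces ('addr/prefix') compute the same subnet, i.e. they can
    talk directly without a router forwarding between them. A mask mismatch (/24 on
    one side, /29 on the other) counts as a different subnet, which is Sjoram's point."""
    return ipaddress.ip_interface(iface_a).network == ipaddress.ip_interface(iface_b).network


def check_address_plan(lan, gateway, ranges):
    """`ranges` maps a name to (first, last). Every range must sit inside `lan`, must not
    contain the gateway, and no two ranges may overlap. Returns a list of problems."""
    lan = ipaddress.ip_network(lan)
    gw = ipaddress.ip_address(gateway)
    problems, spans = [], {}
    for name, (first, last) in ranges.items():
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a > b:
            problems.append(f"{name}: first address is after last")
            continue
        if a not in lan or b not in lan:
            problems.append(f"{name}: not inside {lan}")
        if a <= gw <= b:
            problems.append(f"{name}: contains the gateway {gw}")
        spans[name] = (a, b)
    names = sorted(spans)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            (a1, b1), (a2, b2) = spans[n1], spans[n2]
            if a1 <= b2 and a2 <= b1:
                problems.append(f"{n1} overlaps {n2}")
    return problems


# Constructed client route table modelled on the thread: the tunnel hands out
# 192.168.3.1/29 and, as is common by default, only that /29 is routed via the tunnel.
CLIENT_ROUTES_BEFORE = [
    ("0.0.0.0/0", "cafe-wifi"),      # default route out of the cafe hotspot
    ("192.168.3.0/29", "tun0"),      # the VPN pool itself
]
# Same table once the server also pushes (or the client adds) a route for the LAN.
CLIENT_ROUTES_AFTER = CLIENT_ROUTES_BEFORE + [("192.168.2.0/24", "tun0")]

# Sjoram's worked plan from the post above, as data.
SJORAM_PLAN = {
    "dhcp": ("192.168.2.100", "192.168.2.200"),
    "static": ("192.168.2.2", "192.168.2.99"),
    "vpn": ("192.168.2.201", "192.168.2.254"),
}

if __name__ == "__main__":
    for host in ("192.168.2.56", "192.168.2.60"):   # Pi-hole DNS, Synology NVR
        print(host, "before:", path_to(host, CLIENT_ROUTES_BEFORE),
              "after:", path_to(host, CLIENT_ROUTES_AFTER))
    print("192.168.3.1/29 on one link with 192.168.2.60/24?",
          same_link("192.168.3.1/29", "192.168.2.60/24"))
    print("plan problems:", check_address_plan("192.168.2.0/24", "192.168.2.1", SJORAM_PLAN))
```

Run it and the "before" column shows LAN addresses leaving via the cafe Wi-Fi, which is exactly why a DNS server at 192.168.2.56 times out and 192.168.2.60 never answers even though the tunnel is up; adding the 192.168.2.0/24 route (or, as Sjoram suggests, issuing VPN clients addresses from inside the /24 with a /24 mask) makes both reachable. The plan checker is worth running against a real plan before changing a DHCP scope, since an overlapping VPN pool silently hands two devices the same address.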
By stevelup
#1741922
I'm confused because you said you could access emonpi on 192.168.2.50 whilst connected to the VPN.

If one thing works, everything should work.

If emonpi is working, but not the NAS it could be that the NAS doesn't have the correct gateway set for example. Or your NAS is configured to only allow connections from the local subnet or something.