First, if this isn't the place for this, just let me know and I'll delete it. I'm just posting here because a VPN seems like a "must have" to tinker with h.e, and PiVPN seems like the cheapest and easiest way.
So
PiVPN installed successfully, with external IP and Google DNS.
Successfully FTP'd the .ovpn client file.
Opened it on the iPad and it wouldn't connect.
Troubleshooting so far: I made sure the external IP in the file matched my IP,
and I double-checked port forwarding. Opened the router settings, clicked my Pi and forwarded 1194. Then I totally disabled my Pi-hole. Still no luck.
I tried from a cell connection, bypassing any in-network conflicts. Any suggestions?
Is your iPad on your home network? Or on an external network? I use OpenVPN on my ASUS router, but I can only connect with clients that are not on my home network.
Silly question, but did you forward UDP packets to port 1194 on your Rpi?
I previously had PiVPN configured (worked great, btw) but switched to a router that had it built in, because it didn't rely on an internal device being exposed on an external port.
However, when I used PiVPN, I used the Android client. I forget the minor issues I ran into, but there was a log in the OpenVPN app that told me why the connection couldn't be established (cert, password or otherwise). Check whether there is a log in the iOS app and keep it open when you try to connect. It might point you in the right direction.
PS this is the video that I used as a guide for my install back then:
Because of Fios TV, I HAVE to use their router first. I'm not opposed to running an OpenVPN-capable ASUS router second, but I'm not sure if I can run a VPN on a router in bridge mode.
I'm glad you got your PiVPN working. @stephack wrote more clearly what I meant when I asked if the correct transport was selected in your port forwarding rule.
OpenVPN can use either TCP or UDP as the transport. UDP is chosen by default (I think), but TCP works more reliably in some situations.
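An added example, not from anyone in this thread and not part of PiVPN: a small Python check that resolves where the client profile (.ovpn) will actually send its packets (host, port, and UDP or TCP, following OpenVPN's rule that a port or proto on the `remote` line overrides the file-level `port`/`proto` directives, with 1194 and udp as defaults) and compares that against the router's port-forwarding rules. The profile, the public IP 203.0.113.10, the Pi's LAN IP 192.168.1.50 and the forwarding rules are all constructed for the example; a rule that forwards only TCP/1194 is the mismatch the thread ends up identifying.

```python
"""Cross-check an OpenVPN client profile against router port-forwarding rules.

Added example. Every IP, rule and the profile text below are constructed;
they are not values from the thread or from PiVPN.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Where the client will actually send its packets."""
    host: str
    port: int
    proto: str  # normalised to "udp" or "tcp"


@dataclass(frozen=True)
class ForwardRule:
    """One port-forwarding entry as a consumer router presents it."""
    external_port: int
    proto: str  # "udp", "tcp" or "both"
    internal_ip: str
    internal_port: int


def normalize_proto(value: str) -> str:
    """Map OpenVPN spellings (udp, udp4, tcp, tcp-client, tcp6-client, ...)
    onto the transport the router's forwarding rule cares about."""
    v = value.lower()
    if v.startswith("udp"):
        return "udp"
    if v.startswith("tcp"):
        return "tcp"
    raise ValueError(f"unrecognised proto value: {value!r}")


def parse_ovpn_endpoints(profile: str) -> list[Endpoint]:
    """Resolve every 'remote' line to host/port/proto.

    A port or proto given on the remote line wins; otherwise the file-level
    'port'/'rport' and 'proto' directives apply; otherwise 1194 and udp.
    Inline <ca>/<cert>/<key>/<tls-crypt> blocks are skipped so certificate
    text is never mistaken for a directive.
    """
    file_port, file_proto = 1194, "udp"
    remotes: list[tuple[str, int | None, str | None]] = []
    in_inline_block = False
    for raw in profile.splitlines():
        line = raw.strip()
        if in_inline_block:
            if line.startswith("</"):
                in_inline_block = False
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_inline_block = True
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("port", "rport") and len(tokens) >= 2:
            file_port = int(tokens[1])
        elif directive == "proto" and len(tokens) >= 2:
            file_proto = normalize_proto(tokens[1])
        elif directive == "remote" and len(tokens) >= 2:
            host = tokens[1]
            port = int(tokens[2]) if len(tokens) >= 3 else None
            proto = normalize_proto(tokens[3]) if len(tokens) >= 4 else None
            remotes.append((host, port, proto))
    return [
        Endpoint(h, p if p is not None else file_port, pr if pr is not None else file_proto)
        for h, p, pr in remotes
    ]


def check_forwarding(profile: str, rules: list[ForwardRule], public_ip: str,
                     server_ip: str, server_port: int = 1194) -> list[str]:
    """Return human-readable problems; an empty list means the rules match."""
    problems: list[str] = []
    for ep in parse_ovpn_endpoints(profile):
        if ep.host != public_ip:
            problems.append(f"profile points at {ep.host}, but the public IP is {public_ip}")
        hits = [r for r in rules if r.external_port == ep.port and r.proto in (ep.proto, "both")]
        if not hits:
            problems.append(f"no rule forwards {ep.proto.upper()}/{ep.port}: the client "
                            f"will send {ep.proto.upper()}, check the rule's transport field")
            continue
        for r in hits:
            if r.internal_ip != server_ip or r.internal_port != server_port:
                problems.append(f"rule for {ep.proto.upper()}/{ep.port} goes to "
                                f"{r.internal_ip}:{r.internal_port}, expected {server_ip}:{server_port}")
    return problems


# Constructed client profile in the shape PiVPN hands out (placeholder cert).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
PUBLIC_IP, PI_IP = "203.0.113.10", "192.168.1.50"  # constructed
TCP_ONLY_RULES = [ForwardRule(1194, "tcp", PI_IP, 1194)]   # the mistake
FIXED_RULES = [ForwardRule(1194, "udp", PI_IP, 1194)]      # what the profile needs

if __name__ == "__main__":
    for label, rules in (("tcp-only", TCP_ONLY_RULES), ("fixed", FIXED_RULES)):
        print(label, check_forwarding(SAMPLE_PROFILE, rules, PUBLIC_IP, PI_IP) or "OK")
```

Run it with the real profile read from disk and the rules copied from the router page; a "both"/"TCP+UDP" rule satisfies either transport, and a profile that carries `proto tcp` (or a `remote ... tcp` override) needs a TCP rule instead, which is also the case to check if you later switch the server to TCP for reliability.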
Yeah, I see that now. Thank you. BTW, have you ever run a VPN off a router that's only a bridge or access point?
Edit: I have Fios, and you HAVE to use their router first for TV to work. But their Wi-Fi stinks. I plan on turning Wi-Fi off, buying my own router, then connecting LAN to WAN, then using the second router in bridge mode for Wi-Fi. Can that second router have a VPN server while only in bridge mode?
I also use an ASUS router with its built-in OpenVPN server, which should still work even when the router is set to bridge or access point (although I haven’t actually tested that personally).
In that case you would set your Fios router to port forward to the IP address of the ASUS device that you've set to bridge mode, instead of your Raspberry Pi.
That's how it SHOULD work, but I get varying answers on Google, so I'm looking for someone who has personally done it. I'd hate to spend $150 on a router and not be able to do it.
I did not realize there was a security difference and assumed there would only be a performance hit. I am only able to get TCP outbound on specific ports on our enterprise Wi-Fi, so I'm forced to use TCP. Can't change it yet (hopefully soon), but good to know.
In my opinion, considering that the OpenVPN payload is encrypted (default 256-bit) with an industrial-grade cipher (AES-256-CBC), the capacity to more easily reassemble a sequence of TCP frames reduces security by a minuscule amount. I wouldn't lose any sleep over it.
Back when I started using OpenVPN I read it somewhere and blindly followed the advice. I just read up on things and can conclude that it is far from true. It might even be a little bit the other way around, especially in the case of connecting to your own VPN via a smartphone over 4G. Because UDP doesn't use a 3-way handshake and packet numbering, it's easier to spoof the connection and insert packets (though easily secured with a source IP whitelist). TCP, on the other hand, uses a 3-way handshake and packet numbering, so it is harder to actually insert packets into, but it never checks the security or source again after a successful handshake, and the first packet with the right packet number is accepted and therefore spoofable. But I think, now that I have actually read all this, it's not very likely anybody would be able to get into your TCP connection in the first place, because they would need your encryption key in the first place.
Though the one thing you should consider is that TCP might be slower: it does check for errors and resends packets if they are corrupted in any way. UDP might be faster because of the lack of error checking, though you might have more problems with packet loss.