Connected to the network remotely via OpenVPN or Tunnelblick to the Firewalla Gold VPN server. Unable to ping Hubitat hubs (2). Can connect via remote access. VPN is on the 192.168.2.1/24 net. Hubitat is on 192.168.1.1/24. I've tried adding routes, emergency access, and rules, all to no avail. Able to ping and access other local devices on the 192.168.1.1/24 net. Not seeing any blocks in Firewalla, but am seeing flows. Thinking Hubitat is dropping traffic, but unable to comprehensively determine that to be the case. Would appreciate any thoughts or assistance.
Might try running this:
http://<hub IP Address>/hub/allowSubnets?192.168.1.0
on each hub.
New command I had not come across before. Ran it on both hubs for subnets 192.168.1.0 (local LAN) and 192.168.2.0 (VPN LAN). Still no ping or connectivity.
I'm also using VPN (OpenVPN specifically). My VPN server is a part of Linksys router firmware. And it works fine.
You pointed out that the hub has a ..1.1 address. And what is the address of your VPN server in your hub's network? Is it ..2.1? If so, and the mask is 255.255.255.0 (/24), then they are in different sub-networks.
Then you can try to either move (maybe temporarily) the hub or the VPN server to the same network, or change the mask from /24 to /22 (basically merging the sub-networks).
Can't help, but this is an interesting/entertaining puzzle...
Correct.
This is the default Firewalla setup for the VPN server, and it worked until approximately a year ago. I've been trying to troubleshoot it ever since.
I'm unable to move the hubs from the native, primary, physical network (192.168.1.0/24) to the logical OpenVPN network (192.168.2.0/24). I've created routes, rules and now let the hubs know that 192.168.2.0 is allowed.
I think that @rlithgow1 uses Firewalla, maybe he has a suggestion?
@gatewoodgreen and @user5298 are also "networking dudes" from what I've seen and (hopefully) won't hit me for nominating them.
I use a Watchguard T35...
It seems that you made a typo when you entered user5298. You might want to correct that if you hope to get a "networking dude"
Let me start by saying that I have never heard of Firewalla until now, but I don’t think I need to know anything about it, to look at this problem logically.
I do not experience this problem using OpenVPN, whether it is running on my Synology NAS, or on my Asus router.
My Hubitat has an IP of 192.168.100.161 on the LAN, and my phone takes on an IP of 10.8.0.x. so a similar situation to your own.
When using either of these VPN servers, I have never been required to set up any static routes or to modify netmasks. After all, the purpose of a VPN is to allow EASY remote access to your LAN, and any special routing rules would have been taken care of internally. The fact that you can ping other devices also proves that your VPN software is allowing pings to traverse the 2 networks. Your VPN server would have no way of knowing that 2 of your devices were Hubitats and choosing to block only them.
So, if we rule out the VPN software, the next suspect is that the Hubitat has some internal firewall that blocks access from non-local IPs. In fact, this firewall rule does exist by default in Windows Firewall and caused me a lot of grief before discovering it.
I would have immediately ruled out this possibility, because in my case I can ping my Hubitat despite being on a different subnet. But after @thebearmay posted a command to "allowSubnets" on the hub, it seems to indicate that the hub does have an internal firewall (which I wasn't aware of), although blocking non-local IPs doesn't seem to be the default.
You have mentioned that you can't ping the hub over the VPN, but you didn't say if you could connect to the hub using a browser. I am trying to determine if the hub handles different protocols differently (e.g. ICMP, UDP, TCP, etc.).
It has been a while now, but there was a release where Hubitat added some logic to block what would be non-local IPs. More specifically, IPs that are not in private space.
The URL endpoint @thebearmay provided was a way to override that.
This was implemented because users were putting their hub directly on the internet, which is a big problem if done.
Can you browse to it on port 80? That would be my first question. Ping is not a really great test of connectivity.
I use OpenVPN with routed and bridged configurations. I actually have a complex network and VPN setup, and I have no issue accessing the Hubitat interface. I really need more info to help effectively. Have you run tcpdump on the OpenVPN server tun or tap interface to see which packets are and are not flowing, and the details on what isn't?
By complex I mean this:
Routes, network rules and other tweaks internal to the Firewalla were not necessary when this worked before. However, after it stopped working, I threw everything I knew at the issue, not knowing about the Hubitat firewall.
I can not browse to either hub in Safari or Chrome via the standard port or the 8081 diagnostic port, unless going to https://remoteaccess.aws.hubitat.com/.
I am able to access all other resources on the same network as the hubs remotely on VPN as well as the internet.
@thebearmay might you know the syntax, or have a link to the documentation for this command? I've tried it a few times. Currently, the allowed subnets returned when running http://192.168.1.200/hub/allowSubnets are:
192.168.2.1/24,192.168.1.1/24
No change in connectivity via VPN with this.
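The allowSubnets value quoted above is written as host addresses with a prefix length, which is easy to misread when checking whether a VPN client falls inside it. The following is an added example for this thread, not Hubitat's own code: it parses a list in that format (the sample string is constructed from the value posted above), reports which client addresses the list does not cover, and probes the hub's web UI port 80 and diagnostic port 8081 over TCP, which is a better connectivity test than ping, as noted earlier in the thread. The hub address and client addresses in the `__main__` section are placeholders you would replace with your own.

```python
"""Checks for a Hubitat allowSubnets list and TCP reachability of a hub.

Added example for this thread; not Hubitat code. It assumes only that
GET http://<hub>/hub/allowSubnets returns a comma-separated list such as
"192.168.2.1/24,192.168.1.1/24" (the format quoted in the thread).
"""
import ipaddress
import socket

# Constructed sample: the value the hub returned in the thread.
SAMPLE_ALLOW_LIST = "192.168.2.1/24,192.168.1.1/24"


def parse_allow_subnets(text: str) -> list:
    """Parse the comma-separated allowSubnets value into network objects.

    Entries are written as a host address plus prefix ("192.168.2.1/24"),
    so strict=False is required; it normalises them to 192.168.2.0/24.
    Blank entries and surrounding whitespace are ignored.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def uncovered_clients(client_ips, allow_text: str) -> list:
    """Return the client addresses that no entry in the allow list covers.

    Feed this the addresses your VPN actually hands out (check the tunnel
    interface on the client). An empty result means the hub-side allow
    list is not what is dropping the traffic.
    """
    nets = parse_allow_subnets(allow_text)
    return [ip for ip in client_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    A completed handshake rules out both an intervening firewall drop and
    hub-side filtering for that port. ICMP ping is a weaker test because
    it can be blocked independently of TCP.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_hub(host: str, ports=(80, 8081)) -> dict:
    """Probe the hub's web UI (80) and diagnostic tool (8081) ports."""
    return {p: tcp_probe(host, p) for p in ports}


if __name__ == "__main__":
    print(parse_allow_subnets(SAMPLE_ALLOW_LIST))
    # Placeholder clients: one from the OpenVPN pool, one outside both nets.
    print(uncovered_clients(["192.168.2.37", "10.189.0.5"], SAMPLE_ALLOW_LIST))
    # Placeholder hub address; only meaningful when run from the VPN client.
    print(probe_hub("192.168.1.200"))
```

Run it from the VPN client with the hub's real LAN address: if `uncovered_clients` is empty for your tunnel address but `probe_hub` still reports both ports closed, the drop is happening somewhere other than the hub's allow list, and a capture on the server's tun interface is the next step.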
A packet capture may be a good idea to help zero in on this.
This is pretty much all that exists: Release Notes: 2.2.9 | Hubitat Documentation, down under platform changes.
Read these as well, didn't learn much, but thanks for sharing!
If your VPN is on a different subnet than your hub, you only have to use the allowed endpoint on the hub, then on the firewall allow traffic to go to that subnet. You will also want to open port 5353 UDP between those subnets as well.
Installed Wireshark and saw a ton of SYNs with no ACKs, followed by multiple retransmits. For giggles I installed WireGuard and connected successfully with no configuration and zero issues, narrowing it down to my OpenVPN config. Had to increase the client default MTU to regain the ability to SSH into connected RPis, but otherwise no big deal.
Will find more time to screw with it... or just run with WireGuard from here on out.
One more point. Interestingly enough, when Firewalla set up the WireGuard endpoint, it connected it to a new network as well (10.189.x.x/24). I did not have to add the new subnet to the Hubitat and was allowed to connect.
Certainly not a bad option, some would say the best option.