No LAN assets on VPN

Does anyone know why we are not able to reach LAN assets when connected to the VPN on iodeOS?

I am thinking this must be related to the iodeOS firewall and block list conflicting with the VPN networking connection configuration.

Silly question, but I assume you have LAN access enabled in the VPN (i.e. that it bypasses the VPN)?

I have no trouble on my BraX3 with my local LAN at home when my VPN is active.

I am using the same android client with the same VPN profile. No changes to the VPN server, nor the client setup. This all worked flawlessly on my Brax2; but has never worked on my Brax3.

Yes, but, because it worked on one doesn’t mean it will work on the other… Different hardware and I presume different OS… Have you tried downloading an alternate VPN app and tested with that, just to see if it works? e.g. Proton if that’s not the one you currently use?

I did try a different VPN client; but it did not work at all with the same profile that does work on my current client. Yes, the hardware and OS are different between the Brax3 and Brax2; but everything else is the same and you said that VPN is working as expected on your Brax3. Since the phone is the only change and I can connect as normal, just without LAN asset access, this makes me think there is some configuration issue that should be easily fixed if I could identify it. I am using an OpenVPN server and client.
I’m not sure why this is failing on my Brax3 with a standard OpenVPN connection. Especially since this was working fine on the other phone.

Hhmmm. I use Proton and have no issues - so that certainly works for me. Have you tried proton specifically? I know some users here use a couple of other VPNs too, so maybe you should test a few and see which works then try to figure out what’s different between that and what you have?

Using a paid VPN hosted by some other entity is not useful for our use case.

I’m not saying use it long-term, just use it to test if it works. People like Proton provide a free version of their VPN IIRC, so you can easily test with it, check the config that works, then delete…
:man_shrugging:

Would the Proton VPN have access to all of my LAN resources? Wouldn’t I need to install a local server for that to be the case?

No - you just enable “LAN Connections” to allow connect to LAN addresses for printers, speakers, etc… There is also a separate option to enable direct connection to Smart TVs and similar (that can have their own local network).

It’s vaguely similar to split tunnelling which is used for apps that need to bypass the VPN completely.

There must be some agent installed on a client in your LAN that acts as the server or gateway through which your traffic flows over the WAN to your LAN assets.

Yes, the setup is a split tunnel config.

Hang on, are you talking about when you are offsite and trying to access your home LAN remotely???

Sorry, I took from your post you couldn’t get access to your local Home LAN when Home and connected with the VPN running…

:roll_eyes:

Now your server comment makes sense… Are you using port forwarding or similar on a firewall or router, or do you have a cloud server instance running locally on your LAN, like Nextcloud, to provide the access?

Yes, I have networking configured to allow access to my LAN when connecting to the VPN from an off-site or remote location. If I connect from a Brax2, I can access everything on the LAN; but when I connect with the same account and same OpenVPN profile, I cannot access any LAN assets.

Are you doing that over Mobile Data, or via Wi-Fi?

If it works on mobile data but not over wifi, then I’d bet $2 that your home lan uses a very common ip range, such as 192.168.0.x or 192.168.1.x (maybe even 192.168.100.x, 10.0.0.x, etc.). And if you were to check the ip range given to your phone at the remote (I’ll call it “work” from now on) location, there is overlap. You likely have three different ip ranges to worry about; your main ip range for your home lan, the ip range your “vpn” uses, and the ip range at your work location. There cannot be any overlap if you want it to just work without any fiddling. Not to worry, we can still work around most issues.

If the work ip range and the vpn ip range overlap…just change the vpn ip range. You should be back in business. If the work ip range and the home lan ip range overlap, you need to configure in the vpn software how to handle certain ip addresses. I know in wireguard you can select what ip addresses to force to go over the vpn connection even if it would normally go over the local lan. If there are devices you need to connect to that use the same ip both at home and at work…well…you either got to choose which is more important or change the ip address of one of the devices to resolve the conflict.

Also note, that just because you’re given an ip address of 192.168.1.x does not mean only 192.168.1.x addresses are part of the range. I won’t get too deep into things, but if the subnet mask is 255.255.255.0 then only the last number would change (i.e. 192.168.1.1 to 192.168.1.254), but if the subnet mask is 255.255.0.0 then only the last TWO numbers would change (i.e. 192.168.0.1 to 192.168.254.254).

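The three-range overlap problem and the subnet-mask point above are easy to check mechanically before touching any VPN config. The following is an added example written for this thread, not code from any poster or from iodeOS/OpenVPN; the address ranges in it (a 192.168.1.0/24 home LAN, a 10.8.0.0/24 VPN pool, a "work" Wi-Fi that happens to use 192.168.1.0/24 too) are constructed, and the route names are hypothetical labels. It derives the usable host range from an address plus dotted-decimal mask, reports which of the named ranges collide, and shows why a more specific route pushed by the VPN (a /32 for one device) still wins over a colliding local /24, while a bare overlap is a tie the OS resolves by its own metric rules.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample ranges: the three the poster above says must not overlap.
EXAMPLE_RANGES: Dict[str, str] = {
    "home-lan": "192.168.1.0/24",   # hypothetical home LAN
    "vpn-pool": "10.8.0.0/24",      # hypothetical OpenVPN client pool
    "work-wifi": "192.168.1.0/24",  # hypothetical remote site, same range as home
}

# Constructed sample routing table as the phone might see it while at "work".
EXAMPLE_ROUTES: Dict[str, str] = {
    "work-wifi": "192.168.1.0/24",      # directly connected Wi-Fi
    "home-via-vpn": "192.168.1.0/24",   # route pushed by the VPN for the home LAN
    "nas-via-vpn": "192.168.1.20/32",   # host route pushed for one specific device
}


def network_from_mask(address: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network an address belongs to, given a dotted-decimal subnet mask.

    strict=False lets us pass a host address (192.168.1.77) rather than the
    network address, mirroring what a DHCP lease on a phone looks like.
    """
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def host_range(network: ipaddress.IPv4Network) -> Tuple[str, str]:
    """First and last usable host address of a network.

    For /31 and /32 there is no network/broadcast pair to exclude, so the
    whole block is returned.
    """
    if network.prefixlen >= 31:
        return str(network.network_address), str(network.broadcast_address)
    return (
        str(network.network_address + 1),
        str(network.broadcast_address - 1),
    )


def find_overlaps(ranges: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named ranges that share at least one address."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in ranges.items()}
    names = list(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def longest_prefix_match(dest: str, routes: Dict[str, str]) -> List[str]:
    """Route name(s) with the most specific prefix covering dest.

    A single name means that route clearly wins. More than one name means the
    prefixes tie in length and the operating system falls back to its own
    metric/interface preference, which is exactly the ambiguous situation a
    colliding home and work range produces.
    """
    addr = ipaddress.ip_address(dest)
    matches = [
        (ipaddress.ip_network(cidr, strict=False), name)
        for name, cidr in routes.items()
    ]
    matches = [(net, name) for net, name in matches if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return [name for net, name in matches if net.prefixlen == best]


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        net = network_from_mask("192.168.1.77", mask)
        print(f"192.168.1.77 with mask {mask} -> {net}, hosts {host_range(net)}")
    print("overlapping ranges:", find_overlaps(EXAMPLE_RANGES))
    for dest in ("192.168.1.20", "192.168.1.50"):
        print(f"{dest} -> {longest_prefix_match(dest, EXAMPLE_ROUTES)}")
```

Run it with the phone's actual Wi-Fi lease (address and mask from the connection details) substituted for the constructed values; if `find_overlaps` names the home LAN and the remote site together, that is the collision the post describes, and a pushed host route for each needed device is the workaround it suggests.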
I am doing this over mobile data

Thank you for your reply. I have different subnets for various purposes on the VPN. The necessary routes are built to allow routing between the VPN subnet in question and the default LAN subnet. Again, for clarity, this works as expected on other clients (PCs and other mobile devices). It is just failing on the Brax3. So, I know it’s not a networking issue; unless that networking issue is a client side configuration issue on the Brax3. The VPN client and profile are the same as on the Brax2, which works as expected.

I confirmed that I can ping assets on the lan, but whenever I try to load a web interface for any asset, the web interfaces for everything fail to load. It has to be something that’s being blocked by iode. I could be wrong, but nothing else makes sense.

I added global allow rules for all of my assets and my local lan and my domain names in the iode app so it shouldn’t be blocking anything but it seems like it still is. Does anyone have any ideas here?

I did try clicking the button in the iode app to disable blocking, and it made no difference. I can still ping all of my assets, but all web interfaces fail to load. And again, this only happens on the Brax3. It does not happen on the Brax2, or my other VPN clients.

Have you done trace routes and such and followed the hops to see at which point the failure occurs? i.e. does it not leave your phone, or does it get to your home external address via VPN and fails?