I have an Android phone (GrapheneOS) and installed OpenVPN for Android (by Arne Schwabe), and imported both full and split profiles from the B20X (latest firmware).
I can connect the tunnel with either the full or split profile. On the router's connected clients page, I can see my phone has connected and has been assigned a correct IP for that VLAN, but I can't connect the phone to anything.
There is also a Pi on this VLAN (connected locally), and that can connect to the NAS and ping it, so local routing is fine. But the Pi cannot ping the phone.
The phone has the Termux app, giving me a command prompt, and I cannot ping from the phone to the NAS or Pi.
There is limited outbound connectivity on this VLAN (some specific ports are allowed for the NAS, like time). The Pi, which I use to administer the NAS, has no internet connectivity.
I was hoping to use this VLAN for the purpose of VPNing in and using the NAS for music, syncing files etc., but with no outbound, hopefully making this a safe (ish) way to get access to my NAS.
I've searched through the forum and some posts have come close to a solution.
There's no port forwarding set up (I previously port forwarded 443 and used a reverse proxy in combination with different subdomains for different services from the NAS, like movies.mydomain.com and files.mydomain.com, but with a VPN I hoped to not need to forward any ports).
The firewall rules are not restrictive within the VLAN.
I have a block-all rule within "Inbound Firewall Rules" and "Local Service Firewall Rules", both set to log events, and nothing is showing as being blocked when I try to ping from the phone or connect to the NAS with a browser.
I think it all points to a routing problem of some kind, but I'm at a loss as to whether this is a fix that is applied on the router side or in the app on the phone.
If I make changes in the router, do I need to regenerate the OpenVPN profiles?
Within the LAN settings for this VLAN, I have DNS servers assigned automatically, but my Pi, which has no actual access to the internet and so cannot see those DNS servers, can access the NAS just fine.
Just adding a bit more info.
On the main network page (Network tab > Network Settings):
DNS proxy is enabled.
I have the NAS added in "Local DNS Records".
DNS Resolvers - WAN connection - I have an OpenVPN DNS server for ProtonVPN, as all my other VLANs are set to outbound using my ProtonVPN connection.
But my NAS VLAN has not been set to use ProtonVPN in "Outbound Policy".
Little update.
There was an option within the phone app, "no local binding".
With this selected, I can ping the VLAN gateway of the router, so the VPN connects, username and password check out, DHCP assigns the correct IP, and it registers presence in "connected devices" on the router status page. But I am still unable to ping the NAS or Raspberry Pi on that VLAN (they have their own firewalls off for the test).
I'm just trying things at random right now, hoping I get the right setting.
Anyone know a setting that causes this? My phone's connected to the VLAN, I can ping the router, but not the rest of the LAN.
That’s unmodified from my B20X.
Should that route for the VPN gateway be all 0s?
Shouldn't the config file from the router contain the routes it's pushing? And as I specified the VLAN for the client to access in remote user access, that route should be there?
Someone with a Peplink must have tried this before; any help or pointers would be so welcome. I have raised a ticket and will be sure to include screenshots for other folks that may want to do this and aren't a network guru, which I'm clearly not.
Arne Schwabe's OpenVPN client on Android > mydomain.com > noip.com DDNS > Balance 20X OpenVPN server > VLAN access to NAS
So it was an internal firewall rule. But there is a weird thing (weird to my level of understanding anyhow), because the Pi wasn't affected by this rule.

VLAN Gateway  10.77.99.217/29
NAS           10.77.99.218
Pi            10.77.99.219

I had two internal network firewall rules to isolate this VLAN from all the other VLANs:

Protocol  Source           Destination      Action
Any       Any              10.77.99.217/29  block
Any       10.77.99.217/29  Any              block

With these rules in place, my Pi could ping and log in to the NAS. They could talk just fine.
But these stopped the phone (connecting through OpenVPN as 10.77.99.220) from any communication with other devices on this VLAN.
So I added a rule and it works:

Protocol  Source           Destination      Action
Any       10.77.99.217/29  10.77.99.217/29  allow
Any       Any              10.77.99.217/29  block
Any       10.77.99.217/29  Any              block

But I am not clear on why this internal firewall rule was needed for the phone, but not the Pi.
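The following is an added example, not a configuration export from the poster's router. It evaluates the two rule sets from the post with first-match semantics (the way ordered firewall rule lists are processed) and models one plausible explanation for the Pi/phone difference, stated here as an assumption rather than something the thread confirms: the Pi and the NAS sit on the same switched VLAN, so their packets go host-to-switch-to-host and the router's internal network firewall never sees them, whereas the phone's packets arrive over the OpenVPN tunnel and have to be routed by the B20X into the VLAN, so they are evaluated against those rules. Traffic addressed to the router itself (the gateway ping) is governed by the Local Service rules and is not modelled. Addresses 10.77.99.217/29, .218, .219 and .220 come from the post; 10.77.10.25 is a constructed address standing in for a host on some other VLAN.

```python
"""Constructed example: first-match evaluation of Peplink-style
'Internal Network Firewall Rules' from the thread, plus a model of which
flows actually traverse the router (an assumption, see lead-in)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "any" or a protocol name such as "icmp", "tcp", "udp"
    src: str     # "any" or a CIDR prefix; host bits are tolerated like the router UI
    dst: str     # "any" or a CIDR prefix
    action: str  # "allow" or "block"


def _in_scope(pattern: str, ip: str) -> bool:
    """True when `ip` falls under `pattern` ("any" matches everything)."""
    if pattern == "any":
        return True
    # strict=False lets 10.77.99.217/29 stand for the prefix 10.77.99.216/29
    net = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(ip) in net


def first_match(rules, proto, src_ip, dst_ip, default="allow"):
    """Rules are evaluated top-down; the first matching rule decides."""
    for r in rules:
        if r.proto in ("any", proto) and _in_scope(r.src, src_ip) and _in_scope(r.dst, dst_ip):
            return r.action
    return default


def same_l2_segment(src_ip, dst_ip, vlan, vpn_clients):
    """Assumption: two hosts with addresses in the VLAN prefix that are not VPN
    clients reach each other through the switch, never through the router."""
    net = ipaddress.ip_network(vlan, strict=False)
    both_local = all(ipaddress.ip_address(ip) in net for ip in (src_ip, dst_ip))
    return both_local and not ({src_ip, dst_ip} & set(vpn_clients))


def verdict(rules, proto, src_ip, dst_ip,
            vlan="10.77.99.217/29", vpn_clients=("10.77.99.220",)):
    """'switched' when the router firewall never sees the flow,
    otherwise the firewall's allow/block decision."""
    if same_l2_segment(src_ip, dst_ip, vlan, vpn_clients):
        return "switched"
    return first_match(rules, proto, src_ip, dst_ip)


# Rule sets exactly as listed in the post, in router order.
ORIGINAL_RULES = [
    Rule("any", "any", "10.77.99.217/29", "block"),
    Rule("any", "10.77.99.217/29", "any", "block"),
]
FIXED_RULES = [Rule("any", "10.77.99.217/29", "10.77.99.217/29", "allow")] + ORIGINAL_RULES

NAS, PI, PHONE = "10.77.99.218", "10.77.99.219", "10.77.99.220"
OTHER_VLAN_HOST = "10.77.10.25"  # constructed: a host on a different VLAN

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"{label:8} Pi -> NAS:          {verdict(rules, 'icmp', PI, NAS)}")
        print(f"{label:8} phone -> NAS:       {verdict(rules, 'icmp', PHONE, NAS)}")
        print(f"{label:8} phone -> other VLAN: {verdict(rules, 'tcp', PHONE, OTHER_VLAN_HOST)}")
```

Under the original rules the Pi-to-NAS flow is reported as "switched" (no rule is ever consulted), the phone-to-NAS flow hits the first block rule, and under the fixed rules the new intra-VLAN allow entry matches first while the phone is still blocked from reaching other VLANs. The model also shows why rule order matters: placing the allow rule below the two block rules would leave the phone blocked.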