Problem with vpn while on separate WiFi

Rakin

Ok so I have an L2TP set up on my UniFi USG4Pro and an account for it set up on my iPhone. While I am on LTE or 4G cellular and connected to my VPN server I have no issues accessing my BI server through the BI app and also my UniFi controller from the UniFi app. Everything works as planned with VPN on cellular. But as soon as I connect to a WiFi network other than mine and connect the VPN I can't access my BI server or UniFi controller. What could be the deal? The VPN will show connected.


 

Frankenscript

When on someone's wifi as a guest, with VPN connected, are you able to connect to other LAN assets? For example, can you do RDP into a PC on your LAN when you are away and on WIFI/VPN?

When troubleshooting some things on my side, I was surprised that I wasn't able to access my router via my phone/vpn, due to "remote administration" being purposefully turned off. Even being connected via VPN doesn't mean you are truly local for that purpose, I found out. I thought it was something more complicated.

If you can't access ANY LAN assets while on the wifi/VPN, I think the phone is doing something funky. If you can access at least some things, it's probably a router setup rule.
 

Valiant

Are you using a commonly used subnet such as 192.168.0.x or 192.168.1.x?

If the wifi you are connecting to uses the same, then routing will fail. For those setting up OpenVPN this warning is explicitly mentioned in their setup documentation.

You should probably reconfigure your own subnet to something more unique.
 

Frankenscript

> Are you using a commonly used subnet such as 192.168.0.x or 192.168.1.x?
>
> If the wifi you are connecting to uses the same, then routing will fail. For those setting up OpenVPN this warning is explicitly mentioned in their setup documentation.
>
> You should probably reconfigure your own subnet to something more unique.

This is a great response and deserves to be stickied somewhere.

 

Rakin

> Are you using a commonly used subnet such as 192.168.0.x or 192.168.1.x?
>
> If the wifi you are connecting to uses the same, then routing will fail. For those setting up OpenVPN this warning is explicitly mentioned in their setup documentation.
>
> You should probably reconfigure your own subnet to something more unique.

Ah I feel stupid now. Didn't even cross my mind. Thank you.


 

Rakin

> Don't feel bad, been there done that

Well I should have known better lol. I used the same subnet that we use at our different offices at work when I originally set up my network. I guess just out of habit. I just recently got the VPN at home up and running and the whole WiFi thing has me stumped. I'll change my subnet probably this weekend.


 

Frankenscript

Now, of course, I'm going to have to consider reconfiguring my own subnet too. Sigh.

 

mikeynags

> Are you using a commonly used subnet such as 192.168.0.x or 192.168.1.x?
>
> If the wifi you are connecting to uses the same, then routing will fail. For those setting up OpenVPN this warning is explicitly mentioned in their setup documentation.
>
> You should probably reconfigure your own subnet to something more unique.

I'm not sure this is an accurate statement. If you are on someone's guest wifi, when you connect via OpenVPN back to your network, you won't be initiating that connection as the 192.168.X.X address of the guest wifi, you will be using the public NAT IP of the ISP connection. Not sure where the overlap issue comes in.
 

mikeynags


Mike A.

> It's not - 192.168.X.X is a non-routable subnet per the RFC-1918 standard so, when connecting to your home VPN, the router at your house will see the public IP address assigned by the ISP not the 192.168.X.X address of the wifi you are connected to.

I think it's more the client that's the issue vs the router. You're right, the router doesn't care what ISP IP is coming in. The VPN server doesn't care as long as the credentials are right and the connection is made.

Maybe easier to think about it from the perspective of your own network.

Say you have it set up as 192.168.1.x.

Your client (phone) on your net is assigned 192.168.1.99.

You want to access an IP on a remote network via VPN.

You make the connection over whatever ISP connection and come in as a 10.x.x.x address (by default using OpenVPN) which then is translated to 192.168.1.x as a client on the remote network.

You use your browser to try to hit 192.168.1.5 on the remote network.

Where does the request go, local or remote?
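
The scenario posed above, modelled as an added example (not part of the original posts): a simplified client route lookup using longest-prefix match with metric as the tie-breaker, run over constructed routing tables. The interface labels, metrics and the 10.73.20.0/24 replacement subnet are assumptions; a real VPN client may install extra routes or policy that change the outcome.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str      # hypothetical interface label, not a real OS name
    metric: int     # lower wins when prefix lengths tie

def r(prefix: str, iface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), iface, metric)

def egress(table: list, dest: str) -> Optional[str]:
    """Pick the outgoing interface: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [rt for rt in table if addr in rt.prefix]
    if not hits:
        return None
    return max(hits, key=lambda rt: (rt.prefix.prefixlen, -rt.metric)).iface

def overlaps(a: str, b: str) -> bool:
    """True when two subnets share any addresses."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

# Constructed tables for a client whose VPN installs a default route.
ON_CELLULAR = [
    r("0.0.0.0/0", "cell", 100),
    r("0.0.0.0/0", "vpn", 10),
]
ON_GUEST_WIFI = [
    r("192.168.1.0/24", "wifi", 0),   # connected route for the guest subnet
    r("0.0.0.0/0", "wifi", 100),
    r("0.0.0.0/0", "vpn", 10),
]

if __name__ == "__main__":
    home, guest = "192.168.1.0/24", "192.168.1.0/24"
    print("subnets overlap:", overlaps(home, guest))
    for name, table in (("cellular", ON_CELLULAR), ("guest wifi", ON_GUEST_WIFI)):
        print(name, "-> 192.168.1.5 leaves via", egress(table, "192.168.1.5"))
    # Home LAN renumbered to an assumed, less common subnet: no overlap.
    print("guest wifi -> 10.73.20.5 leaves via", egress(ON_GUEST_WIFI, "10.73.20.5"))
```

Under this model the connected /24 on the guest WiFi is more specific than the VPN's default route, so the same destination address leaves via different interfaces depending on the uplink.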
 

mikeynags

If you have the VPN configured to allow local network access (assuming that 192.168.1.5 is local), it stays local.
 

Mike A.

> If you have the VPN configured to allow local network access (assuming that 192.168.1.5 is local), it stays local.

Right (generally at least). So if you're on an outside guest network with a 192.168.1.x IP (and no access to local resources), what happens when you try to request 192.168.1.5 on your own network via VPN?
 

mikeynags

It goes to the 192.168.1.5 on the VPN network. Remember, when you engage the VPN client, your connection is basically "invisible" to the guest network you are on.

Now, there is something called split tunneling that you can have enabled and that's where it gets interesting. That means you allow the device to access both the local network and the remote VPN network at the same time. I can see that potentially creating issues. It's not usually a default "ON" setting on most VPNs.
 

Mike A.

> It goes to the 192.168.1.5 on the VPN network. Remember, when you engage the VPN client, your connection is basically "invisible" to the guest network you are on.
>
> Now, there is something called split tunneling that you can have enabled and that's where it gets interesting. That means you allow the device to access both the local network and the remote VPN network at the same time. I can see that potentially creating issues. It's not usually a default "ON" setting on most VPNs.

The traffic for whatever is routed over the VPN is encrypted (invisible). Your device itself is not invisible. It still has a local IP of 192.168.1.x (otherwise you'd have no connection to the local net). Starting the VPN doesn't replace that, it establishes an additional interface/IP for traffic determined to be destined outside of the local net. Generally anyway. Just as it works on your own local net. You're just on someone else's local net. I'm sure that there likely are various ways that you can set options/specify routing to change that.
 

mikeynags

Agreed on the encryption. If split tunneling is disabled, you are invisible to the local network. You won't even be able to ping the device locally if it's VPN'd into a remote network. Different VPNs have different options, so there are many variables at play. I was initially just commenting on the guest network IP scheme not necessarily being the issue here.
 

Mike A.

> Agreed on the encryption. If split tunneling is disabled, you are invisible to the local network. You won't even be able to ping the device locally if it's VPN'd into a remote network. Different VPNs have different options, so there are many variables at play. I was initially just commenting on the guest network IP scheme not necessarily being the issue here.

It can't be. It must have a local IP and must be able to access the gateway on that subnet. All traffic may be routed over the VPN by the client otherwise but it still must have a local IP. Otherwise, it has no path for the VPN to work. Whether it responds to pings is a different matter.

Anyway... That's where the confusion comes in. Conflicts among what gets routed where by the client and various ways that the networks may be set up and/or conflict in various ways.
 

mikeynags

Connect to a VPN that does not allow split tunneling and try to ping it from another machine on the local network and let me know what happens. You won't get a response. Agreed on cases where there is split tunneling going on, routing may be determined by the client itself in the event of a conflict.
 