
Raspberry Pi with Meshnet IP Forwarding Connectivity Issues #773

Open
clockthat opened this issue Feb 15, 2025 · 8 comments

Comments

@clockthat

Hello! I have been having some trouble with routing my traffic from one raspberry pi (RPi1 in my home) to another raspberry pi (RPi2 in another home), and was wondering if anyone could help me.

My intent is to connect my TV so that it looks like it is under my other home's IP address. To do this, I originally followed this link https://meshnet.nordvpn.com/how-to/security/vpn-router. And I got it to work (connected my TV to RPi1), even barring some issues with the operating system that I had loaded.

This was okay but there were a few issues. 1) the speeds with using raspap / network manager combined with meshnet were limited. 2) once i routed traffic to another Raspberry pi (from RPi1 to RPi2) I was unable to connect to the raspberry pi wifi, so it had to be done sequentially and this was bad if I lost connection for whatever reason.

So I then tried to connect my computer via ethernet from RPi1 rather than using RaspAP or network manager to fix the speed issues. I executed the following steps:

  1. sudo apt-get update
  2. sudo apt-get install dnsmasq
  3. added "interface eth0 \n static ip_address=192.168.4.1/24" to /etc/dhcpcd.conf (edited with sudo nano)
  4. sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
  5. added "interface=eth0 \n dhcp-range=192.168.4.8,192.168.4.250,255.255.255.0,12h" to /etc/dnsmasq.conf (edited with sudo nano)
  6. enabled net.ipv4.ip_forward=1 in /etc/sysctl.conf (edited with sudo nano)
  7. and finally added iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE to /etc/rc.local

This worked with forwarding the internet from the Raspberry Pi over ethernet. However, when I then went to connect via meshnet again using "nordvpn mesh connect ...", I lost internet connection through my ethernet port. I tried to add the local network to the allowlist using "nordvpn allowlist add subnet 192.168.0.0/16" as well, but that did not help.

NordVPN settings from RPi1:

Technology: NordLynx
Firewall: enabled (eventually changed to off while troubleshooting)
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: enabled
DNS: disabled
LAN Discovery: disabled (eventually changed to on while troubleshooting)
Virtual Location: enabled
Post quantum VPN: disabled

Allowlisted subnets: 192.168.0.0/16, 47.151.0.0/16, 192.168.4.0/24, 255.255.255.0/24, 255.255.0.0/16

One additional piece of information. I used "sudo iptables -S FORWARD" to see the rules before and after I enable meshnet, and this is what I found:

BEFORE ENABLING MESHNET:
-P FORWARD ACCEPT

AFTER ENABLING MESHNET:
-P FORWARD ACCEPT
-A FORWARD -s 100.64.0.0/10 -d 169.254.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 192.168.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 172.16.0.0/12 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 10.0.0.0/8 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn-exitnode-permanent -j ACCEPT
-A FORWARD -s 100.64.0.0/10 -m comment --comment nordvpn-exitnode-permanent -j DROP
-A FORWARD -s 100.64.0.0/10 -m comment --comment nordvpn-exitnode-permanent -j DROP

Do you have any idea what I did wrong and how I can fix it? Is there an easier way of going about this?

I notice there are some threads in here that deal with similar issues but I do not see any solutions unless I missed something.

@mariusSincovici (Contributor)

Hi,

thanks for your feedback.

Could you help me to better understand your setup?

Is it like this?

  1. Rasp1 is connected to internet over WiFi
  2. Computer connected over LAN to Rasp1, eth0. And uses Rasp1 internet over WiFi.
  3. Rasp1 routes traffic through Rasp2(other home) using meshnet.

When Rasp1 is connected it cannot access its own LAN over eth0, the computer?


Regarding the iptables FORWARD rules: those rules are added so that other meshnet peers cannot access the current machine's LAN devices. By default this is disabled for security reasons. To give another peer access, use the command: nordvpn mesh peer local allow <peer>.
To inspect what access the peers have, use: nordvpn mesh peer list

  • Allow Local Network Access - the other peer can access the current device's LAN devices
  • Allows Local Network Access - whether the other peer allows the current device to access the other peer's LAN devices

Br

@clockthat (Author)

Hi Marius! Thank you for your response.

You got it exactly right with your setup.

Rasp1 is connected to internet over WiFi (correct)
Computer connected over LAN to Rasp1, eth0. And uses Rasp1 internet over WiFi. (correct)
Rasp1 routes traffic through Rasp2(other home) using meshnet. (correct)
When Rasp1 is connected it cannot access its own LAN over eth0, the computer? (correct)

It sounds like from your last comment that it is not the iptables FORWARD results that are affecting my result of my computer not having an internet connection, am I understanding that correctly? It sounds like they are more for restricting and allowing peer-to-peer access.

Do you have any idea what may be my problem then?

@mariusSincovici (Contributor)

Hi,

Could you check 2 more things?

  • does Rasp2 allow LAN access for Raspi1 in meshnet?
    in Rasp1 run nordvpn mesh peer list while meshnet is enabled. What is the value of Allows Local Network Access: for Rasp2 device
  • if the above is set to true check the LAN IPs for Rasp1 and Rasp2

Thanks

@clockthat (Author)

Hello sir! I want to take a moment and thank you for the support. This has been a real head scratcher for me as I am learning so having any support is very helpful.

I checked "Allows local network access" and I enabled it (it was originally disabled), but this did not change the result (I still lost internet when connected to RPi2 over meshnet, and it came back when I turned it off).

Here are my two local IPs from ifconfig for your reference:
RPi1:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
TX packets 0 bytes 0 (0.0 B)

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.225 netmask 255.255.255.0 broadcast 192.168.1.255
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 62042 bytes 70488807 (67.2 MiB)
TX packets 40712 bytes 7642249 (7.2 MiB)

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
RX packets 702 bytes 93422 (91.2 KiB)
TX packets 702 bytes 93422 (91.2 KiB)

RPi2:
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
TX packets 0 bytes 0 (0.0 B)

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.200 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 [REDACTED] # Local IPv6 removed
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 14133 bytes 4366830 (4.1 MiB)
TX packets 9164 bytes 2672646 (2.5 MiB)

I removed the nordvpn IP addresses in case there is a security concern with sharing that online. Let me know if you need them.

I notice that the ethernet IP address I'm using on RPi1 for my ethernet output seems to be 192.168.4.X while the wifi is coming in as 192.168.1.X (confirmed from the router).

I also have this "lo" setting, I'm not sure what this is, could it be causing issues?

Please let me know if anything stands out. Any idea on what else I should try or may be the issue?

@mariusSincovici (Contributor)

Hi,

Raspi1 would not be able to access other devices from its WiFi LAN, but it should work with the cable LAN.

To be able to give some useful information, I'll need to setup to have the same env and to try to reproduce the issue.

Since it might take some time, until then if you could try with Rasp1:

  • try to install the OS on Raspi1, maybe with another SDCARD
  • install NordVPN and enable meshnet on it
  • route traffic thru Rasp2 using meshnet
  • check if in this case you can access the other LAN devices from Ethernet
  • if it works, then just insert the iptables rule with the FORWARD
  • then the rest of the steps

Basically to see at what step the LAN devices are not accessible anymore.

@clockthat (Author)

Hello sir,

I don't fully understand what you are saying. I would like to clarify.

Just a recap.
RPi1 is the Raspberry Pi at my house.
RPi2 is the Raspberry Pi at another home.
My desired outcome:
laptop --(ethernet)-->RPi1--(meshnet)-->RPi2
Current outcome:
laptop--(connected via ethernet but not getting internet)-->RPi1(has internet)--(meshnet)-->RPi2(has internet)

You mention in your last message that "Raspi1 would not be able to access other devices from its WiFi LAN, but it should work with the cable LAN.", what do you mean by this? I don't necessarily care that RPi1 can access other devices but rather that my laptop has internet connection from my RPi1 (and has RPi2s IP address). Am I misunderstanding the importance of "accessing other devices"?

As for what I can try, i just want to understand it better: you mention "route traffic thru Rasp2 using meshnet, check if in this case you can access the other LAN devices from Ethernet" You want to see if I can ping other devices on my local home network? Like other computers or the RPi1? I can confirm.

And then you mention: "just insert the iptable with the FORWARD... Basically to see at what step the LAN devices are not accessible anymore." You want me to do the same rule I used to forward through the ethernet, "sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE", and see if I can still access the local devices on my home network, is that correct? I'm struggling to understand what the two outcomes here would entail. If I am connected to meshnet and have access to LAN devices at my home but no internet, why would you suspect that somewhere after me doing the iptables rule I would lose access to the other LAN devices? And then if I don't have access after I am already connected to meshnet then it gives us no further information.

As for setting up the issue, I'm not sure if you are able to, but if you would like to jump on a call on Discord or something to better inspect my situation and the process I followed, I would really appreciate the help :). I am fairly new to interfacing with the Pi and have a worry I may be making a stupid mistake somewhere. I can easily walk through the process on a call in not that long a time.

@mariusSincovici (Contributor)

Hi,

Regarding your configuration, not to go into more technical details, it should work: laptop --(ethernet)-->RPi1--(wifi & meshnet)-->RPi2

I think you're affected by this issue: #659.
To prove this, could you try on Rasp1, after you're routing traffic thru Raspi2, to reinsert the rule at the beginning of the iptables chain, with -I:

sudo iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE

so it is inserted before the rules added by NordVPN?

Did you also write to customer support about this? I saw a ticket there, and if it is yours, in case we need more sensitive data you could send it there.

Thanks
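The FORWARD listing quoted in the first post, the explanation above that those rules only gate meshnet peers (100.64.0.0/10), and the suggestion to re-add the MASQUERADE rule with -I instead of -A can all be checked offline with a small first-match evaluator for `iptables -S` output. The block below is an added example, not code from this issue or from NordVPN. The FORWARD listing is copied from the first post; the two nat POSTROUTING listings are constructed, and the rule commented `nordvpn-placeholder` is a hypothetical stand-in that models the hypothesis that a NordVPN-installed rule matches the same traffic and terminates the chain first (the thread never shows the nat table, and NordVPN's real rules may differ).

```python
"""Added example, not code from the issue or from NordVPN: a minimal
first-match evaluator for `iptables -S` listings, to reason offline about
the FORWARD and nat POSTROUTING rules discussed in this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    out_iface: Optional[str] = None
    ctstates: set = field(default_factory=set)
    comment: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str = ""
    ctstate: str = "NEW"


def parse_listing(text: str) -> tuple[str, list[Rule]]:
    """Turn `iptables -S CHAIN` output into (policy, rules in chain order).
    Only options present in the thread's listings are understood; each of
    them takes exactly one argument, so tokens are consumed in pairs."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "-P":                      # "-P FORWARD ACCEPT"
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule = Rule()
        for i in range(2, len(tok) - 1, 2):     # skip "-A CHAIN"
            opt, val = tok[i], tok[i + 1]
            if opt == "-s":
                rule.src = ipaddress.ip_network(val)
            elif opt == "-d":
                rule.dst = ipaddress.ip_network(val)
            elif opt == "-o":
                rule.out_iface = val
            elif opt == "--ctstate":
                rule.ctstates = set(val.split(","))
            elif opt == "--comment":
                rule.comment = val
            elif opt == "-j":
                rule.target = val
            # "-m conntrack" / "-m comment" only load a match module
        rules.append(rule)
    return policy, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule specifies must hold; unspecified ones are wildcards."""
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.out_iface and rule.out_iface != pkt.out_iface:
        return False
    if rule.ctstates and pkt.ctstate not in rule.ctstates:
        return False
    return True


def verdict(listing: str, pkt: Packet) -> tuple[str, str]:
    """iptables semantics: the first matching rule with a terminating target
    decides; if nothing matches, the chain policy applies."""
    policy, rules = parse_listing(listing)
    for rule in rules:
        if matches(rule, pkt):
            return rule.target, rule.comment
    return policy, "chain-policy"


# Copied from the first post (FORWARD chain after meshnet was enabled).
FORWARD_AFTER_MESHNET = """\
-P FORWARD ACCEPT
-A FORWARD -s 100.64.0.0/10 -d 169.254.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 192.168.0.0/16 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 172.16.0.0/12 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -d 10.0.0.0/8 -m comment --comment nordvpn-exitnode-transient -j DROP
-A FORWARD -s 100.64.0.0/10 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn-exitnode-permanent -j ACCEPT
-A FORWARD -s 100.64.0.0/10 -m comment --comment nordvpn-exitnode-permanent -j DROP
"""

# Constructed: user's MASQUERADE appended with -A *after* a hypothetical
# NordVPN rule (placeholder, not NordVPN's real rule) that matches the same
# traffic and terminates the chain, so the MASQUERADE is never reached.
NAT_APPENDED = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -o wlan0 -m comment --comment nordvpn-placeholder -j ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
"""

# Constructed: same chain after `iptables -t nat -I POSTROUTING -o wlan0 -j MASQUERADE`.
NAT_INSERTED = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
-A POSTROUTING -o wlan0 -m comment --comment nordvpn-placeholder -j ACCEPT
"""


def demo() -> dict:
    """Worked cases, returned so a caller can inspect or assert on them."""
    laptop_out = Packet("192.168.4.10", "1.1.1.1", out_iface="wlan0")
    return {
        # Meshnet peer reaching for the Pi's cable LAN: dropped by the
        # transient rule (the peer isolation described in the thread).
        "peer_to_lan": verdict(FORWARD_AFTER_MESHNET, Packet("100.64.0.5", "192.168.4.10")),
        # Peer opening a new flow to the internet via this exit node: no
        # allow rule exists for it in the listing, so the permanent DROP hits.
        "peer_to_internet": verdict(FORWARD_AFTER_MESHNET, Packet("100.64.0.5", "1.1.1.1")),
        # The laptop's own traffic is not sourced from 100.64.0.0/10, so none
        # of the nordvpn FORWARD rules match and the ACCEPT policy applies.
        "laptop_forward": verdict(FORWARD_AFTER_MESHNET, laptop_out),
        # nat: with -A the placeholder wins and the packet is never SNATed;
        # with -I the MASQUERADE rule is evaluated first.
        "nat_appended": verdict(NAT_APPENDED, laptop_out),
        "nat_inserted": verdict(NAT_INSERTED, laptop_out),
    }


if __name__ == "__main__":
    for name, (target, why) in demo().items():
        print(f"{name:18s} -> {target} ({why})")
```

Run it as-is and the `laptop_forward` case shows why the FORWARD rules quoted in the first post cannot be what breaks the laptop, while the two nat cases show the difference -I makes when another rule already sits at the top of POSTROUTING. To compare against a live box, feed the real output of `sudo iptables -t nat -S POSTROUTING` into `verdict` instead of the constructed listing.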

@clockthat (Author)

Hello!

I wanted to give an update since it has been a couple days. Yes I believe that issue #659 is related, I found it before putting my issue here but was not completely sure if it was the same and was hoping for some confirmation. I will be gone this weekend and unable to work on it and back monday.

I will try putting in the iptables rule after routing to see the effect. However, I believe I have done that already (or something very similar) and it did not work.

Is the issue #659 looking to be resolved in a future update?

In response to if I put in a ticket with customer support, yes I did 😆. I was not sure if they were related and had noticed you were active with your responses here. So I reached out to both.
