[SOLVED] OpenVPN with Raspberry Pi4

Hello everyone.

I very recently installed the Freedombox image (Debian GNU/Linux 12 (bookworm) and FreedomBox version 23.6.2) provided on the Freedombox website to my Raspberry Pi4.

My Pi4 is connected with a cable to my router that runs OpenWRT. All port handling is done by my router. My Freedombox attributed the Pi4 wifi (wlan) part of the Internal network and my cable connection (eth0) as External.

I’ve installed OpenVPN on my Freedombox, I can connect to my OVPN from my phone client with no trouble. From there, I can SSH and all…

My trouble is when I connect to VPN, I lose the ability to use the web and any apps related (i.e. xmpp). This is critical for me as when working on my phone or PC, I need to be able to access the web and the files on my server at the same time.

In the past (debian 11), I had an installation of Freedombox on top of a clean debian for pi. For that instance, I deliberately did not configure internal or external networks on the pi interface (though I could see them on cockpit). There, everything was just as I expected and I didn’t have trouble. With Freedombox’s own image, I cant do that.

Would anyone have any idea or experience with Raspberry Pi4 to configure so that when connected to Freedombox through VPN, I dont lose other internet capabilities (i.e. xmpp, browsing, etc.). Help would be greatly appreciated.


I believe to have found a work-around for this issue. Apparently, I’m not the only one suffering as, the Raspberry Pi4B has issues like this in other instances.

Since my FBX is wired to a router and my router does all the port forwarding, I found it safe to continue with the below. If you are directly connected to the internet or connected with DMZ, please do not use this.

I followed a path of masquerading my Internal network and configuring my wired connection as Internal. At the cost of practically not having an Internal and External network any more, my problem disappeared.

If you wish to take this route, you may apply the following:

firewall-cmd --zone=internal --add-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent

Next, use the Plinth interface to go to System > Networks and change the setting of your WAN connection to Internal.

Now, as a warning I must admit I do not have knowledge to the full extent of implications for the above. I am depending on my router to provide my security so if anyone wishes to comment on this resolution, please feel free to do so.


On the Pioneer, there is only an ethernet cable connection. I believe that by default it is set to “internal” while tun0 is set to “external”.

As a consequence, when connecting to the OpenVPN server:

  • all services that are accessible only on the local network, e.g. smb shares, are accessible
  • all services that are accessible externally, e.g. email, xmpp, are not accessible

One possibility is to change the ethernet cable connection to “external”, then all services accessible externally will be accessible, but services only accessible on the local network will not. This is briefly mentioned in the documentation and also discussed here.

This was mentioned here, with the same question on security implications, I don’t know whether there is some anwer. By the way, I have no clue what “masquerade” means, any explanation is welcome.

1 Like

Yep, its the same source I too went over. In laymans terms, its a way for internal ips to invisibly reach the internet.

What I did was configure my network internal only and gave that internet access. My router forwarded the openvpn port to my FBX. So when I connect, I automatically gain internet access as well.

With my setup, it’s my router controlling incoming traffic so I take my security measures there. I’ve made my FBX open to both incoming and outgoing traffic to solve the issue.