I can connect to OctoPrint when I'm on Wifi, but I can't connect to it over VPN

When on Wifi, I'm on the same subnet as OP. However when using the VPN, I have an IP on a different subnet. Is there any setting in OP that might be blocking other subnets?

Just to add, I'm running home assistant on the same machine as OP and I can connect to that over the VPN, so I'm like 99% sure that it's OP that is blocking me.

I guess this is the setting you're searching for: :slight_smile:
https://docs.octoprint.org/en/master/configuration/config_yaml.html?highlight=subnet

# additional non-local subnets to consider trusted, in CIDR notation, e.g. "192.168.1.0/24"
trustedSubnets: []

Please provide some details about your network including where the VPN server is located. Don't be afraid to provide actual IP addresses as I'm pretty sure all of them will be private.

OctoPi will accept packets from any IP address and will attempt to reply using its routing table (the command route will print this out). Same subnet will be sent directly, different subnet will be sent to the default gateway unless other entries exist.

So to answer your question, there's nothing in OP "blocking" other subnets. Without instructions on where to send replies, communications can't happen.

Hello, I have exactly the same problem... I want to connect to the OctoPrint server through the VPN of my fritz.box. I used my iPhone with mobile data (4G), but the web page will not open. No error message is coming. Instead, if I open the same address "192.168.178.128:5000" on my iPhone when I'm connected directly in my network, everything works...

When I'm connected through VPN I'm also able to PING the server's IP... and other servers in my network can be reached without problems...
I have already asked support from AVM (supplier of fritz.box) but they say everything is ok with my VPN setup....

I'm only a basic user... so I don't know if I should change something in the config_yaml or not... Or how do I find out if everything is correct with my subnet mask...

I would be happy if I could get help here...

Greetings Justin

My reply from a year ago is still valid. Without details about your configuration (i.e. diagrams, route information, IP address assignments, etc.) we can do nothing more than sympathize with you.

Sure... but can you be more specific, where or how I do collect the information you'll need? Here I attached my Sysinfo from Octoprint... If this helps in any way...
octoprint-systeminfo-20220924125836.zip (48.3 KB)

And then I tried the command "route" from the shell: The result is this:

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    303    0        0 wlan0
192.168.178.0   0.0.0.0         255.255.255.0   U     303    0        0 wlan0

Any other commands I can execute to get more information?

I'm not a network specialist... It's just a normal small mesh private home network: I have a router "fritzbox" and this is connected to WAN by a modem from Vodafone. In the mesh is a WLAN repeater for better WLAN signal in the basement, and a pair of powerline adapters for better (W)LAN connection in the upper room of my house. The mesh is completely managed by fritzbox and does not have any problems. (The OctoPi server is normally placed in the cellar, so the connection is over the WLAN repeater, but if I place it next to the router it uses a direct WLAN connection to it, but my described problem is the same there as well.)
Router "fritzbox" has IP address 192.168.178.1 to get to the configuration. It has DHCP running, but the OctoPrint server has a fixed IP that is 192.168.178.128. The OctoPrint server is connected by WLAN... (The same with my iPhone if I'm in my WLAN. If I'm using VPN through the fritzbox it assigns 198.168.178.200 to the iPhone, and with direct connection it is 192.168.178.101.)

  1. While on the system connected through the VPN, type traceroute <IP of OctoPi> and ifconfig.
  2. While SSHed into the OctoPi system, type traceroute <IP of system connected through the VPN> and route.

Post the results here (remember to use the </> icon above when posting).

Note: If the system connected through the VPN is a Windows system, substitute tracert and ipconfig for the commands.

BTW, try changing the OctoPrint server to DHCP but with a fixed lease. This would be done on the fritzbox. You will have to figure out how to do it as I don't have a fritzbox.

So, OK thanks for commands... It is a bit complicated, since the system connected through VPN is my iPhone, and I don't think there is access to command line, as far as I know... But I searched for some apps that might help me here therefore only screenshots...

  1. So while on the iPhone connected through the VPN, the output of a traceroute app is the following:

ifconfig or ipconfig is also not available, but a networking app shows me the following, maybe that helps:

(see my next posts, since I'm not allowed to post more than one media... ?!? :zipper_mouth_face:)

  2. While SSHed into the OctoPi system traceroute shows the following:
traceroute to 192.168.178.200 (192.168.178.200), 30 hops max, 60 byte packets
 1  fritz.box (192.168.178.1)  6.296 ms  6.959 ms  6.600 ms
 2  192.168.178.200 (192.168.178.200)  44.374 ms  51.374 ms  39.340 ms

and for route the result is:

Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    303    0        0 wlan0
192.168.178.0   0.0.0.0         255.255.255.0   U     303    0        0 wlan0

I also did ifconfig of the OctoPrint server (if this helps):

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:19:db:eb:f4:e2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Lokale Schleife)
        RX packets 514  bytes 6596767 (6.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 514  bytes 6596767 (6.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.128  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::b4c1:f695:a8ee:5965  prefixlen 64  scopeid 0x20<link>
        inet6 fd0d:6623:5644:4070:1929:c7de:afed:b505  prefixlen 64  scopeid 0x0<global>
        ether 00:19:db:9c:ac:80  txqueuelen 1000  (Ethernet)
        RX packets 23789  bytes 5494851 (5.2 MiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 3030  bytes 535850 (523.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Surprisingly I found out that if I want to log in with SSH from my iPhone connected with VPN it is unbelievably slow... it took around 2 min ?!? only for the login... (and again, if the iPhone is directly within my WLAN the SSH login is there in a second...)

Regarding the change of the OctoPrint server to DHCP with fixed lease: I'm not sure how to set this up, because fritzbox is only user-friendly for non-IT persons... so in the config I have only a simple option to mark the OctoPrint server IP and then I can add the option called "Assign always the same IPv4-address to this network device", which I did... I can only unmark this option and change the time after which new DHCP addresses will be given (from default 10 days) to 1 day to get the possibility of a new IP address for the OctoPrint server... chosen by fritzbox DHCP...

here the missing pictures:

I think I see the problem. A system connected via the VPN should be in a different netblock than the LAN that the OctoPrint server is on. If it is in the same netblock, then it is assumed to be reachable without routing through the VPN, i.e. it's on the same LAN so direct system to system communication is attempted (and fails).

So what could I do now? Do I understand it right, that theoretically the IP of VPN system must be more different to the IP of OctoPrint? I.e. 192.168.177.200 ?!

In IPv4, a netblock is a range of consecutive IP addresses, for instance: 196.25.0.0-196.25.255.255. Netblocks are sometimes displayed in Classless Inter-Domain Routing (CIDR) notation. For instance, 196.25.0.0-196.25.255.255 is 196.25.0.0/16. Typical home networks use netblocks that contain 256 addresses (netmask 255.255.255.0 or 192.168.0-255.0/24).

Addresses within a netblock must be able to communicate directly. Communicating with different netblocks requires routing through a gateway.

It appears that your local area network is 192.168.178.0/24 so using 192.168.177.0/24 for the VPN would work. The Fritzbox will be the gateway for both sides.

I'm sorry I can't be more helpful. Configuring VPNs is an advanced networking task.

Ok, yes, it seems very difficult... and I understand your thoughts. Do you also have an explanation why, for example, the config web interfaces of all my smart home devices (shelly2.5) are reachable without any problems from my iPhone through the VPN? They also have IP addresses in the same netblock (i.e. 192.168.178.21). And so I thought theoretically they would run into the same communication problems as the OctoPrint server, but they did not...
A traceroute to the IP made from the iPhone through VPN looks the same to me as for the OctoPrint server...

You have not shared with us the actual netblock configuration(s). For example 192.168.178.21 can communicate through a VPN with 192.168.178.138 if the mask is 255.255.255.128 (i.e. one netblock is 192.168.178.0/25 and the other is 192.168.178.128/25).

Perhaps the only thing wrong with the OctoPrint setup is that the netmask is incorrect.

Note that the netmask of the iPhone appears to be 255.255.255.255 which means that it is the only IP address in the netblock and everything must be routed through the gateway.

The advantage of using DHCP to configure a network adapter is that in addition to an IP address, all the other parameters needed for successful communication are passed along as well. When you set up a static IP, the responsibility for setting the other parameters is yours.
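Added example, not part of any post in this thread: a longest-prefix-match lookup over the OctoPi routing table posted above, showing which destinations the host treats as on-link versus routed, plus the netblock comparison for the /24 and /25 masks discussed in the netblock explanations. The names `OCTOPI_ROUTES`, `next_hop` and `same_netblock` are made up for this illustration; the table is transcribed from the posted `route` output, with fritz.box taken as 192.168.178.1 as stated in the thread.

```python
import ipaddress

# Transcribed from the `route` output posted in the thread.
# Tuple layout: (destination netblock, gateway or None, interface).
OCTOPI_ROUTES = [
    ("0.0.0.0/0", "192.168.178.1", "wlan0"),   # default via fritz.box
    ("192.168.178.0/24", None, "wlan0"),       # local netblock, no gateway
]


def next_hop(routes, destination):
    """Longest-prefix match, as the kernel does for every outgoing packet.

    Returns (matched_network, gateway, interface). gateway is None when the
    destination counts as on-link: the host then tries to resolve the
    destination's own hardware address instead of handing the packet to
    a router.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, gateway, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best


def same_netblock(ip_a, ip_b, netmask):
    """True if both addresses fall in the same netblock under this netmask."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{netmask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{netmask}").network
    return net_a == net_b


if __name__ == "__main__":
    # VPN client in the LAN netblock, VPN client in the suggested separate
    # netblock, and one of the smart home devices mentioned in the thread.
    for dst in ("192.168.178.200", "192.168.177.200", "192.168.178.21"):
        net, gw, iface = next_hop(OCTOPI_ROUTES, dst)
        how = f"via gateway {gw}" if gw else "on-link, no gateway"
        print(f"{dst:<16} matches {str(net):<17} -> {how} ({iface})")

    for mask in ("255.255.255.0", "255.255.255.128"):
        same = same_netblock("192.168.178.21", "192.168.178.138", mask)
        print(f"mask {mask}: .21 and .138 in same netblock = {same}")
```

On a live system, `ip route get <address>` reports the same decision straight from the kernel.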

The netblock configuration in FRITZ!Box is 192.168.178.0/24, which means a 255.255.255.0 netmask for all host IPs in the IP range 192.168.178.1 till 192.168.178.254. DHCP assigns IPs from 1 to 199… but with the mentioned option I could advise the DHCP always to assign the same IP to the same MAC address if I want…. VPN clients automatically get the next free IP after the DHCP range, therefore my iPhone VPN got 192.168.178.200.

Would it help if I set the netmask for the OctoPrint server manually to 255.255.255.128 and change its IP to 192.168.178.33 for example? Then for the OctoServer only half of my IPs in my home network are „local“ and from 192.168.178.127 the IPs are in another netblock from the view of the OctoServer. But I thought that all IPs in the network of my router must have the same netmask for the network to work correctly.
Sorry but I have never thought so deep into networking details…

I'm afraid I've been "Peter principled".

Just to satisfy my own curiosity I enabled OpenVPN on my IPFire firewall and installed OpenVPN for Android on my Samsung Galaxy S22 phone.

Had to fiddle with the OpenVPN server to get a connection but once the connection was established, I opened http://192.168.0.123 (the internal IP address of my OctoPi system) from Chrome on my phone and the OctoPrint web page came up.

I know this doesn't help you get your connection working but I believe it demonstrates that nothing special needs to be done to OctoPi / OctoPrint.

...yeah ok. I believe that... At least thanks a lot for your effort!