Force Torrent Traffic through VPN Split Tunnel Debian 8 + Ubuntu 16.04
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Dec 13, 2016, 04:09 PM
(This post was last modified: Dec 13, 2016, 04:10 PM by drake.)
Please give me the output of the following:
Code:
sudo systemctl status openvpn@openvpn.service
Below, replace eth0 with your network interface name
Code:
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
Code:
cat /proc/sys/net/ipv4/conf/tun0/rp_filter
EDIT: btw, are you using PIA as VPN provider?
Posts: 5
Threads: 0
Joined: Dec 2016
Reputation:
0
[Not Solved]
Dec 13, 2016, 05:28 PM
I signed up with PIA as I was going through the how-to; I figured it was worth $40 to not have to figure out what changes to make for TigerVPN.
I've reset the thing to a fresh 16.04 install, and will go through the how-to and post the requested bits.
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Dec 13, 2016, 05:41 PM
(This post was last modified: Dec 13, 2016, 05:42 PM by drake.)
PIA is good, I'm satisfied with their service and pricing. And they really support advanced features, like script-based port forwarding.
Anyway, it will work for sure, just follow the steps in the guide. If for some reason it doesn't work again, don't worry, we will find the reason. Let me know your results.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 5
Threads: 0
Joined: Dec 2016
Reputation:
0
[Not Solved]
Dec 13, 2016, 05:41 PM
Thanks for your help; apparently I somehow fat-fingered something the first time through. I reinstalled and went through the how-to with no errors, and now everything is working fine.
Code:
chaz@brand:~$ curl ipinfo.io
{
"ip": "###.###.###.###",
"hostname": "###-###-###-###.foo.bar.com",
"city": "SOME CITY",
"region": "SOME STATE",
"country": "US",
"loc": "11.1111,-11.1111",
"org": "SOME INTERNET OUTFIT",
"postal": "11111"
}
chaz@brand:~$ sudo -u vpn -i -- curl ipinfo.io
{
"ip": "###.###.###.###",
"hostname": "No Hostname",
"city": "",
"region": "",
"country": "SE",
"loc": "59.3247,18.0560",
"org": "AS57858 Inter Connects Inc"
The first time through, I got an error at this point:
Quote:Now enable the openvpn@openvpn.service we just created
Code:
sudo systemctl enable openvpn@openvpn.service
The error was:
Code:
Failed to execute operation: Invalid argument
I googled around trying to fix that, and apparently broke something else.
Seems all good now. Thanks for all your work on these how-tos.
chazl
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Dec 13, 2016, 06:45 PM
Glad that it is working for you now. I don't know what could have been the problem with enabling the openvpn systemd unit. The important thing is that it is working now.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 2
Threads: 0
Joined: Mar 2017
Reputation:
0
[Not Solved]
Mar 07, 2017, 08:13 PM
I'm having an issue with the scripts.
sudo systemctl status openvpn@openvpn.service:
Code:
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/etc/systemd/system/openvpn@openvpn.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2017-03-07 12:03:53 PST; 2min 41s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 6841 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.co
Main PID: 6843 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─6843 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/ope
Mar 07 12:03:53 hostname ovpn-openvpn[6843]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.156.228.150:1198
Mar 07 12:03:53 hostname ovpn-openvpn[6843]: UDP link local: (not bound)
Mar 07 12:03:53 hostname ovpn-openvpn[6843]: UDP link remote: [AF_INET]104.156.228.150:1198
Mar 07 12:03:53 hostname ovpn-openvpn[6843]: [2d260c9c8c7453240ce1fc039ce9837a] Peer Connection Initiated with [AF_INET]104.156.228.150:1198
Mar 07 12:03:54 hostname ovpn-openvpn[6843]: TUN/TAP device tun0 opened
Mar 07 12:03:54 hostname ovpn-openvpn[6843]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 07 12:03:54 hostname ovpn-openvpn[6843]: /sbin/ip link set dev tun0 up mtu 1500
Mar 07 12:03:54 hostname ovpn-openvpn[6843]: /sbin/ip addr add dev tun0 local 10.58.10.6 peer 10.58.10.5
Mar 07 12:03:54 hostname ovpn-openvpn[6843]: /etc/openvpn/iptables.sh tun0 1500 1558 10.58.10.6 10.58.10.5 init
Mar 07 12:03:55 hostname ovpn-openvpn[6843]: Initialization Sequence Completed
So it doesn't look like there are any errors in there. I've gone through the guide multiple times in case I made any errors, but it looks like I followed it correctly. When I try sudo -u vpn -i -- curl ipinfo.io, I get "curl: (6) Could not resolve host: ipinfo.io"
Any idea?
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Mar 09, 2017, 08:56 AM
Can you please give the outputs from post #11 and then we can see what could be wrong.
Posts: 2
Threads: 0
Joined: Mar 2017
Reputation:
0
[Not Solved]
Mar 09, 2017, 07:46 PM
(Mar 09, 2017, 08:56 AM)drake Wrote: Can you please give the outputs from post #11 and then we can see what could be wrong.
Code:
plex@TreyFive:~$ sudo systemctl status openvpn@openvpn.service
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/etc/systemd/system/openvpn@openvpn.service; enabled; vendor pre
Active: active (running) since Thu 2017-03-09 10:11:01 PST; 1h 34min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 916 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%
Main PID: 959 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─959 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/open
Mar 09 10:11:06 TreyFive ovpn-openvpn[959]: TCP/UDP: Preserving recently used remot
Mar 09 10:11:06 TreyFive ovpn-openvpn[959]: UDP link local: (not bound)
Mar 09 10:11:06 TreyFive ovpn-openvpn[959]: UDP link remote: [AF_INET]104.156.228.7
Mar 09 10:11:06 TreyFive ovpn-openvpn[959]: [e964637aeb3b95a978d11afcbc3e4af2] Peer
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: TUN/TAP device tun0 opened
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: do_ifconfig, tt->did_ifconfig_ipv6_setu
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: /sbin/ip link set dev tun0 up mtu 1500
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: /sbin/ip addr add dev tun0 local 10.60.
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: /etc/openvpn/iptables.sh tun0 1500 1558
Mar 09 10:11:08 TreyFive ovpn-openvpn[959]: Initialization Sequence Completed
plex@TreyFive:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-nginx-auth
-N f2b-sshd
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.1.29/32 -o enp1s0f0 -j REJECT --reject-with icmp-port-unreachable
plex@TreyFive:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !192.168.1.29 anywhere reject-with icmp-port-unreachable
Chain f2b-nginx-auth (0 references)
target prot opt source destination
Chain f2b-sshd (0 references)
target prot opt source destination
plex@TreyFive:~$ cat /proc/sys/net/ipv4/conf/enp1s0f0/rp_filter
2
plex@TreyFive:~$ cat /proc/sys/net/ipv4/conf/tun0/rp_filter
2
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Not Solved]
Mar 10, 2017, 08:40 AM
OK, you have fail2ban configured, which can make things more complicated. To be able to troubleshoot, try to configure Split Tunnel on a clean system without any firewall rules added (like fail2ban, UFW, etc.).
Then you should have a working Split Tunnel setup, and you can proceed with fail2ban jails. You will be able to track down whether any of the fail2ban settings break Split Tunnel.
Posts: 1
Threads: 0
Joined: Apr 2017
Reputation:
0
[Not Solved]
Apr 20, 2017, 11:53 AM
Hello,
I used this guide and it looks pretty good, but it does not work for me. If I check with curl I get the following error:
Code:
sudo -u vpn -i -- curl ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
Also, I can't ping:
Code:
~$ sudo -u vpn -i -- ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4133ms
~$ sudo -u vpn -i -- ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms
OpenVPN seems to be working fine, but I do not have correct DNS entries for the VPN user:
Code:
sudo -u vpn -i -- cat /etc/resolv.conf
nameserver 192.168.66.1
nameserver 8.8.8.8
I switched off Fail2Ban, but it still does not work...
##################################
More information about the system:
Ubuntu 16.04 - Armbian
Code:
ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.15.10.6 P-t-P:10.15.10.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Code:
sudo systemctl status openvpn@openvpn.service
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/etc/systemd/system/openvpn@openvpn.service; enabled; vendor preset: enabled)
Active: active (running) since Do 2017-04-20 13:32:19 CEST; 6min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1048 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --
Main PID: 1093 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─1093 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --script-security 2
Apr 20 13:32:19 cubietruck systemd[1]: Started OpenVPN connection to openvpn.
Apr 20 13:32:19 cubietruck ovpn-openvpn[1093]: UDPv4 link local: [undef]
Apr 20 13:32:19 cubietruck ovpn-openvpn[1093]: UDPv4 link remote: [AF_INET]46.166.190.194:1198
Apr 20 13:32:20 cubietruck ovpn-openvpn[1093]: [860ca334e88ffde3c925a7f0598ee9bf] Peer Connection Initiated with [AF_INET]46.166.190.194
Apr 20 13:32:23 cubietruck ovpn-openvpn[1093]: TUN/TAP device tun0 opened
Apr 20 13:32:23 cubietruck ovpn-openvpn[1093]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 20 13:32:23 cubietruck ovpn-openvpn[1093]: /sbin/ip link set dev tun0 up mtu 1500
Apr 20 13:32:23 cubietruck ovpn-openvpn[1093]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
Apr 20 13:32:23 cubietruck ovpn-openvpn[1093]: /etc/openvpn/iptables.sh tun0 1500 1561 10.15.10.6 10.15.10.5 init
Apr 20 13:32:57 cubietruck ovpn-openvpn[1093]: Initialization Sequence Completed
Code:
sudo ip route show table vpn
default via 10.15.10.5 dev tun0
default via 127.0.0.1 dev lo
Code:
~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp multiport dports https,ssh,webmin
ACCEPT tcp -- 192.168.66.0/24 anywhere tcp multiport dports loc-srv,netbios-ssn,microsoft-ds,nfs
DROP icmp -- !192.168.66.0/24 anywhere
ACCEPT udp -- 192.168.66.0/24 anywhere udp multiport dports netbios-ns,netbios-dgm,sunrpc
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !cubietruck.lan anywhere reject-with icmp-port-unreachable
~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 443,22,10000 -j ACCEPT
-A INPUT -s 192.168.66.0/24 -p tcp -m tcp -m multiport --dports 135,139,445,2049 -j ACCEPT
-A INPUT ! -s 192.168.66.0/24 -p icmp -j DROP
-A INPUT -s 192.168.66.0/24 -p udp -m udp -m multiport --dports 137,138,111 -j ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.66.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
All files are executable:
Code:
~$ ls -la /etc/openvpn/ | grep x
drwxr-xr-x 2 root root 4,0K Apr 20 11:25 ./
drwxr-xr-x 113 root root 4,0K Apr 20 12:04 ../
-rwxr-xr-x 1 root root 2,9K Apr 20 11:25 iptables.sh*
-rw------- 1 root root 19 Apr 18 14:00 login.txt
-rwxr-xr-x 1 root root 611 Apr 20 08:58 routing.sh*
-rwxr-xr-x 1 root root 1,3K Apr 20 10:26 update-resolv-conf*
Part of update-resolv-conf:
Code:
~$ more /etc/openvpn/update-resolv-conf
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
#
iptables.sh:
Code:
~$ more /etc/openvpn/iptables.sh
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.66.10"
export NETIF="eth0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
#My Rules:
#open ports: https, ssh, and webadmin
iptables -A INPUT -p tcp -m tcp -m multiport --dports 443,22,10000 -j ACCEPT
#Samba
iptables -A INPUT -s 192.168.66.0/24 -p tcp -m tcp -m multiport --dports 135,139,445,2049 -j ACCEPT
iptables -A INPUT ! -s 192.168.66.0/24 -p icmp -j DROP
#Samba
iptables -A INPUT -s 192.168.66.0/24 -p udp -m udp -m multiport --dports 137,138,111 -j ACCEPT
iptables -A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# Start routing script
/etc/openvpn/routing.sh
exit 0
Could you please check why it does not work? I see that DNS does not come up for the vpn user, but how do I solve it?
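Added example (not from the thread or the HTPC Guides script): a small Python checker that parses `iptables -S` output and reports OUTPUT ACCEPT rules for the VPN user that an earlier DROP/REJECT already catches, since iptables stops at the first terminating match and such rules are dead. The sample rule text is constructed from the `iptables -S` output posted above; the uid 1001 and the interface names come from that output.

```python
import shlex
# Constructed sample: the OUTPUT chain from the `iptables -S` output posted above.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.66.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
"""

def parse_rule(line):
    """Parse one `-A` line: keep --uid-owner, -o (with negation) and the target."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    r = {"line": line, "chain": tok[1], "uid": None, "oif": None,
         "oif_neg": False, "target": None, "extra": False}
    i, neg = 2, False
    while i < len(tok):
        opt = tok[i]
        if opt == "!":
            neg, i = True, i + 1
            continue
        val = tok[i + 1] if i + 1 < len(tok) and tok[i + 1][0] not in "-!" else None
        if opt == "-j":
            r["target"] = val
            break                       # target options follow -j, no more matches
        if opt == "-o":
            r["oif"], r["oif_neg"] = val, neg
        elif opt == "--uid-owner":
            r["uid"] = val
        elif opt != "-m":               # "-m owner" only names the module; anything
            r["extra"] = True           # else (-s, -p, ...) we do not model
        neg = False
        i += 2 if val is not None else 1
    return r

def shadowed_vpn_accepts(text, uid, vpn_if="tun0"):
    """OUTPUT ACCEPT rules for `uid` on `vpn_if` that an earlier DROP/REJECT already catches."""
    shadowed, blocked = [], False
    for r in filter(None, map(parse_rule, text.splitlines())):
        on_vpn_if = r["oif"] is None or (r["oif"] == vpn_if) != r["oif_neg"]
        if r["chain"] != "OUTPUT" or r["uid"] not in (None, uid) or r["extra"] or not on_vpn_if:
            continue
        if r["target"] in ("DROP", "REJECT"):
            blocked = True              # iptables stops at the first terminating match
        elif r["target"] == "ACCEPT" and blocked and r["oif"] == vpn_if and not r["oif_neg"]:
            shadowed.append(r["line"])
    return shadowed
```

On the posted rule set the checker reports the `-o tun0 ... ACCEPT` rule as unreachable, because the `! -o lo ... DROP` rule before it already matches the vpn user's packets leaving tun0.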