[Not Solved]
Oct 30, 2017, 03:35 PM
(This post was last modified: Oct 30, 2017, 04:21 PM by startrekin.)
Hey there! Hit a bit of a snag with the VPN split tunneling and Transmission. I'm running Ubuntu Server 16.04. I worked through part 1 of the guide and had everything working correctly. In the Openvpn.conf section, I set the VPN location as suggested (Sweden). Upon completing part 2 and successfully installing/configuring Transmission and confirming my VPN location, I noticed that I was getting terrible download speeds. I thought maybe I'd check to see if a different geographic location would increase my speeds. I went and edited the Openvpn.conf file as we did in Part 1 by using a different location. In my troubleshooting, I reset the Openvpn.conf back to the location that was suggested in the guide (which you'll see down below). At that point, my Openvpn must have barfed and now I cannot connect to anything via the VPN user account. I believe I made sure to stop all services before editing the .conf file. Since then I've started them, stopped them, done a full shutdown/restart, and rebooted several times trying to troubleshoot. I can still access Transmission through my Nginx reverse proxy, but nothing will download. Perhaps this had nothing to do with changing the location, but it seems to me that everything went downhill when I started monkeying with that. Following is a bit of code that may (or may not!) be relevant. I do note in the Openvpn service status, UDP is not bound. Could that be the issue? I am pretty sure I did change eth0 to enp2s0 in all of the scripts/locations (as that is what my network interface is labeled). I believe certificates are installed to /etc/openvpn, too. I appreciate any help! Thanks for the great guides, too! I've worked through many of them. See below for code snippets. Let me know what else I can provide to help troubleshoot. Thanks!
EDIT: OK -- so now this is weird. It all of a sudden started working. I swear it wouldn't work all yesterday afternoon and all this morning. Would someone more knowledgeable than me maybe scan through my post and see if something sticks out as problematic? Maybe the connection is dropping, reconnecting and dropping again?
If all the above looks OK, maybe one thing to take me through is changing the VPN location. As I said in the above post, changing that on the fly seems to be what caused all the ruckus. What services should I be stopping, and in what order should I be making changes to the PIA location? Maybe in terms of what the best practice is for changing that location. It is super, super slow... 137 kB/s. I know it's VPN and one should never expect blazing fast, but maybe there is something in my configuration hanging things up?
Again, thanks for the help!
Code:
"curl ipinfo.io"
produces "my non-vpn location" -- everything looks OK here.
Code:
"sudo -u vpn -i -- curl ipinfo.io"
curl: (6) Could not resolve host: ipinfo.io
Code:
"sudo systemctl status openvpn@openvpn.service"
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/etc/systemd/system/openvpn@openvpn.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2017-10-29 19:06:44 CDT; 13h ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1513 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
Main PID: 1544 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─1544 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/openvpn.conf --writepid /run/openvpn
Oct 29 19:06:44 XXName_of_my_ServerXX ovpn-openvpn[1544]: UDP link local: (not bound)
Oct 29 19:06:44 XXName_of_my_ServerXX ovpn-openvpn[1544]: UDP link remote: [AF_INET]5.153.233.114:1198
Oct 29 19:06:45 XXName_of_my_ServerXX ovpn-openvpn[1544]: [cb930afb7d781fd333da3ea258cfd667] Peer Connection Initiated with [AF_INET]5.153.233.114:1198
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: auth-token received, disabling auth-nocache for the authentication token
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: TUN/TAP device tun0 opened
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: /sbin/ip link set dev tun0 up mtu 1500
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: /sbin/ip addr add dev tun0 local 10.15.10.6 peer 10.15.10.5
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: /etc/openvpn/iptables.sh tun0 1500 1558 10.15.10.6 10.15.10.5 init
Oct 29 19:06:46 XXName_of_my_ServerXX ovpn-openvpn[1544]: Initialization Sequence Completed
Code:
"sudo nano /etc/openvpn/openvpn.conf"
client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
route-noexec

#up and down scripts to be executed when VPN starts or stops
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf
Code:
"sudo nano /etc/openvpn/update-resolv-conf"
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

case "$script_type" in
  up)
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    R=""
    [ "$SRCHS" ] && R="search $SRCHS
"
    for NS in $NMSRVRS ; do
        R="${R}nameserver $NS
"
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
    ;;
  down)
    /sbin/resolvconf -d "${dev}.openvpn"
    ;;
esac
Code:
"sudo nano /etc/openvpn/iptables.sh"
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.X.XXX"
export NETIF="enp2s0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# Start routing script
/etc/openvpn/routing.sh
exit 0
Code:
"sudo iptables -L"
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !192.168.X.XXX anywhere reject-with icmp-port-unreachable
Chain f2b-nginx-auth (0 references)
target prot opt source destination
Chain f2b-sshd (0 references)
target prot opt source destination
Code:
"/etc/systemd/system/openvpn@openvpn.service"
[Unit]
# HTPC Guides - www.htpcguides.com
Description=OpenVPN connection to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target
[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
Code:
"ip route list"
default via 192.168.X.X dev enp2s0
10.12.10.9 dev tun0 proto kernel scope link src 10.12.10.10
192.168.0.0/24 dev enp2s0 proto kernel scope link src 192.168.X.XXX
Code:
"sudo nano /etc/openvpn/routing.sh"
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
# run update-resolv-conf script to set VPN DNS
/etc/openvpn/update-resolv-conf
exit 0
Code:
"sudo nano /etc/iproute2/rt_tables"
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 vpn
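The location change asked about above, as an added example that is not part of the original post or of the HTPC guide scripts: it stops Transmission before OpenVPN, rewrites the remote line in openvpn.conf, waits until routing.sh has installed the tun0 default route in the vpn table, and only starts Transmission again once the vpn user's exit address actually differs from the host's (a failed lookup like the "Could not resolve host" above keeps it stopped). The Transmission unit name and the ipinfo.io/ip check are assumptions.

```shell
#!/bin/bash
# Added example (not from the post or the HTPC guide). Assumed: the Transmission
# unit name below and ipinfo.io/ip as the exit-address check.
set -u
CONF="${CONF:-/etc/openvpn/openvpn.conf}"
VPN_UNIT="${VPN_UNIT:-openvpn@openvpn.service}"
BT_UNIT="${BT_UNIT:-transmission-daemon.service}"   # assumption: Ubuntu unit name
VPNUSER="${VPNUSER:-vpn}"                           # owner of the marked traffic

# Rewrite the single "remote <host> <port>" line in place; fail if none exists.
# Usage: set_remote <conf-file> <host> <port>
set_remote() {
    grep -q '^remote ' "$1" || return 1
    sed -i -E "s/^remote[[:space:]]+.*/remote $2 $3/" "$1"
}

# Pass (return 0) only when both lookups returned an address and they differ;
# an empty vpn-user result (the DNS failure in the post) therefore fails closed.
# Usage: tunnel_isolated <host-exit-ip> <vpn-user-exit-ip>
tunnel_isolated() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Exit address as seen by the given user; empty on any failure.
public_ip() {
    sudo -u "$1" -i -- curl -s -m 10 ipinfo.io/ip 2>/dev/null || true
}

# Usage (as root): change_location <pia-hostname> [port]
change_location() {
    systemctl stop "$BT_UNIT"            # client first, so nothing can leak
    systemctl stop "$VPN_UNIT"           # runs the down script (resolvconf -d)
    set_remote "$CONF" "$1" "${2:-1198}" || { echo "no remote line in $CONF" >&2; return 1; }
    systemctl start "$VPN_UNIT"
    for i in $(seq 1 30); do             # wait until routing.sh has installed the tun0 default
        ip route show table "$VPNUSER" 2>/dev/null | grep -q '^default via .* dev tun0' && break
        sleep 1
    done
    if tunnel_isolated "$(public_ip root)" "$(public_ip "$VPNUSER")"; then
        systemctl start "$BT_UNIT" && echo "split tunnel verified; $BT_UNIT started"
    else
        echo "vpn user is not isolated (DNS or route problem); $BT_UNIT left stopped" >&2
        return 1
    fi
}
```

Source the file as root and run change_location with the new PIA hostname; if the check fails, Transmission stays stopped and the vpn user's DNS and routing can be inspected without anything downloading outside the tunnel.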