So near... (VPN Split tunnel - Ubuntu 16.04 and PIA)
Posts: 9 | Threads: 3 | Joined: Nov 2016 | Reputation: 0 | [Solved] | Nov 07, 2016, 12:00 PM
I'm within touching distance of getting the split tunnel working based on your (excellent) guide, but I can't get the vpn user to route to the tun0 interface.
I've run trace route through my main interface (ens192) and it routes as expected from a UK server.
If I run trace route through the tun0 interface it pops up in Sweden as expected.
If I then run the curl command from the guide as the vpn user it just reports that the interface is in the UK, so it appears that my routing isn't working for the vpn user.
What do I need to post here to give someone a fighting chance of understanding where my problem may lie? I've checked the guide (several times) and I can't get why it isn't working. Previously, when the vpn 'curl' reported that I was in the UK I've rebuilt the server, thinking I'd done something really bizarre to screw it up, however, this time I thought I'd investigate further and found that the tun0 interface is happily punting packets through to Sweden, but only if I point to the interface specifically and not just relying on the vpn user.
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12 | [Solved] | Nov 07, 2016, 01:40 PM
Hi,
very strange. There is a problem somewhere for sure, but we need to locate it somehow.
Since we disable login as vpn user for security reasons (and there is actually no reason at all to allow login), the
Code:
sudo -u vpn -i -- curl ipinfo.io
should always return your VPN ip address.
You are using a regular Ubuntu Server 16.04 LTS install on x64?
First, please double check that you have the interface name (based on your post, it is ens192 in your case). Maybe you didn't change it for the reverse path filtering?
You don't have static IP configured on your server, but from your router, correct?
Posts: 9 | Threads: 3 | Joined: Nov 2016 | Reputation: 0 | [Solved] | Nov 07, 2016, 01:54 PM
(Nov 07, 2016, 01:40 PM)drake Wrote: Hi,
very strange. There is a problem somewhere for sure, but we need to locate it somehow.
Since we disable login as vpn user for security reasons (and there is actually no reason at all to allow login), the
Code:
sudo -u vpn -i -- curl ipinfo.io
should always return your VPN ip address.
You are using a regular Ubuntu Server 16.04 LTS install on x64?
First, please double check that you have the interface name (based on your post, it is ens192 in your case). Maybe you didn't change it for the reverse path filtering?
You don't have static IP configured on your server, but from your router, correct?
Hiya,
Yes - the vpn user is set up with disabled login and my ens192 interface is in place of the eth0 interface in the various scripts. The 9999-vpn.conf has been configured with ens192 and the rt_tables entry for vpn (200) has been put in place.
I am using 16.04 x64. The server is running DHCP for the IP addressing, yes.
I'm just confused that the interfaces all seem to be configured properly (ens192 goes out straight to the internet from the UK datacentre in which the VPS is hosted) and the tun0 interface goes out via Sweden as configured. For some reason, the tagging of traffic from the vpn user isn't sending traffic to the tun0 interface.
I'm more than happy to upload any screendumps or text files which could help to resolve this as I feel that it is definitely a case of "So near... And yet - so far."
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12 | [Solved] | Nov 07, 2016, 02:22 PM
(This post was last modified: Nov 07, 2016, 02:29 PM by drake.)
So you are setting up Split Tunnel on a VPS, not a server in your home?
If yes, then it will be because of the way the VPS provider is handling the network. There was another user who had problems with a VPS provider; you can find his thread here at the forums. It turned out that his VPS provider used a very minimal Ubuntu Server 16.04 install, and he didn't even have iptables installed.
EDIT: here is the link to the post with VPS LINK
As you can see, TMiC had some problems with a VPS. I recommend that you check the /etc/network/interfaces on your server, set it to dhcp, and check whether there is a "Set route to network" set in your case.
Posts: 9 | Threads: 3 | Joined: Nov 2016 | Reputation: 0 | [Solved] | Nov 07, 2016, 05:06 PM
(Nov 07, 2016, 02:22 PM)drake Wrote: So you are setting up Split Tunnel on a VPS, not a server in your home?
If yes, then it will be because of the way the VPS provider is handling the network. There was another user who had problems with a VPS provider; you can find his thread here at the forums. It turned out that his VPS provider used a very minimal Ubuntu Server 16.04 install, and he didn't even have iptables installed.
EDIT: here is the link to the post with VPS LINK
As you can see, TMiC had some problems with a VPS. I recommend that you check the /etc/network/interfaces on your server, set it to dhcp, and check whether there is a "Set route to network" set in your case.
I had a look at the interfaces and it returned this:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto ens192
iface ens192 inet dhcp
with nothing else in there. Iptables was installed as my VPS provider gives the option of a minimal install or a 'full' (I forget the exact terminology) install - I always go for the latter.
My problem is, I'm right at the frayed edge of what I know about Ubuntu so I may just be helpless here (but I really appreciate what you've done!)
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12 | [Solved] | Nov 07, 2016, 05:39 PM
Interfaces are fine, at least based on the output. Don't worry, we will resolve this somehow. It is certainly the VPS, since the same guide works for a lot of people. And on Ubuntu Server it is even easier to configure than on Debian. I will ask for the output of some commands, but right now I am on my phone. Can you try and see if openvpn is working for you without split tunnel? So if you start an openvpn connection, is everything routed over the vpn?
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 9 | Threads: 3 | Joined: Nov 2016 | Reputation: 0 | [Solved] | Nov 07, 2016, 07:36 PM
(Nov 07, 2016, 05:39 PM)drake Wrote: Interfaces are fine, at least based on the output. Don't worry, we will resolve this somehow. It is certainly the VPS, since the same guide works for a lot of people. And on Ubuntu Server it is even easier to configure than on Debian. I will ask for the output of some commands, but right now I am on my phone. Can you try and see if openvpn is working for you without split tunnel? So if you start an openvpn connection, is everything routed over the vpn?
Sent from my Xperia Z3 Compact using Tapatalk
I did some research and found that editing sysctl.conf and uncommenting (sp?):
Code:
net.ipv4.ip_forward=1
then restarting the service resulted in my vpn user popping up in Sweden!!!
I have absolutely no idea why this worked, but it seems to have done the trick!
Thanks so much for your help - I thought I was going mad!
Posts: 244 | Threads: 1 | Joined: Jul 2016 | Reputation: 12 | [Solved] | Nov 08, 2016, 08:19 AM
(This post was last modified: Nov 08, 2016, 09:12 AM by drake.)
Great work bedmanager!
I'm glad that it is working for you now. The solution was to enable forwarding between the interfaces, which is what you actually did. It should be related to the way your VPS provider is configuring network interfaces. Some VPS users don't need forwarding enabled, some do; it depends on the way the VPS provider is handling network related configurations.
Sometimes these things require troubleshooting, but most of the time there is a solution; you just need to be patient and gather the required information to start narrowing down the issue. You did a great job here!
I take the opportunity here to draw your attention to a bug that we discovered thanks to a user's feedback: if you add wrong PIA login credentials (or for some reason they are rejected by PIA), then OpenVPN will not execute the up scripts, therefore the vpn user will not have the killswitch and routing enabled! This could lead to a potential real IP address leak! In order to prevent this, we need a persistent iptables rule that will block the vpn user's access to the Internet until the split tunnel scripts are executed. To do this:
Clear all the iptables rules:
Add the following rule, which will block vpn user's access to Internet (except lo):
Code:
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
Then install (for Ubuntu 16.04)
Code:
sudo apt-get install -y iptables-persistent
It will ask you to save the current rules; select yes. Now when the system starts, and you use the wrong credentials for PIA or the first login to the VPN is not possible, the vpn user will not have access to the Internet. Once the script is started, this rule will be deleted, and the correct rules will be applied from the script.
We will update our guides with this information soon!
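The two things this thread ends up depending on, net.ipv4.ip_forward on the VPS and the persistent DROP rule that keeps the vpn user offline until the up scripts run, can be checked from captured command output without touching the live box. The following is an added example and is not code from the thread or from the split-tunnel guide it refers to. It assumes the text of `iptables -S OUTPUT`, `ip rule show` and the contents of /proc/sys/net/ipv4/ip_forward as inputs; the numeric uid 1001 for the vpn user and the fwmark value in the sample `ip rule` output are assumptions, and every sample below is constructed.

```python
"""
Offline audit of a split-tunnel host's state, built from the points raised in
this thread (added example; not the guide's own code). Inputs are captured
command output, so nothing here needs root or a running OpenVPN.
"""
import re

VPN_USER = "vpn"       # split-tunnel user from the guide
VPN_UID = "1001"       # ASSUMED numeric uid; `iptables -S` prints --uid-owner numerically
VPN_TABLE = "vpn"      # rt_tables name mentioned in the thread ...
VPN_TABLE_ID = "200"   # ... and its number


def vpn_user_fail_closed(iptables_s: str, owner_tokens=(VPN_USER, VPN_UID)) -> bool:
    """True if OUTPUT holds the persistent rule from the thread:
    `-A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP`
    (negated -o lo, owner match on the vpn user, DROP target)."""
    for line in iptables_s.splitlines():
        t = line.split()
        if t[:2] != ["-A", "OUTPUT"]:
            continue
        pairs = set(zip(t, t[1:]))
        negated_lo = any(t[i:i + 3] == ["!", "-o", "lo"] for i in range(len(t) - 2))
        owner_ok = any(("--uid-owner", o) in pairs for o in owner_tokens)
        if negated_lo and owner_ok and ("-j", "DROP") in pairs:
            return True
    return False


def vpn_policy_route_present(ip_rule_out: str) -> bool:
    """True if some `ip rule` entry looks up the vpn table (200), i.e. the
    'tagging' of vpn-user traffic the OP found was not taking effect."""
    for line in ip_rule_out.splitlines():
        m = re.search(r"\blookup\s+(\S+)", line)
        if m and m.group(1) in (VPN_TABLE, VPN_TABLE_ID):
            return True
    return False


def forwarding_enabled(ip_forward_value: str) -> bool:
    """net.ipv4.ip_forward=1 is the sysctl change that fixed the OP's VPS."""
    return ip_forward_value.strip() == "1"


def audit(iptables_s: str, ip_rule_out: str, ip_forward_value: str) -> list:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if not forwarding_enabled(ip_forward_value):
        findings.append("net.ipv4.ip_forward is not 1; on this kind of VPS the vpn "
                        "user's packets never reached tun0 without it")
    if not vpn_policy_route_present(ip_rule_out):
        findings.append("no ip rule looks up table vpn (200); vpn user traffic "
                        "will follow the main table out of the real interface")
    if not vpn_user_fail_closed(iptables_s):
        findings.append("no persistent DROP for the vpn user in OUTPUT; a rejected "
                        "PIA login would leave that user on the real IP")
    return findings


# Constructed samples, not captured from a real host.
IPTABLES_BEFORE = "-P OUTPUT ACCEPT\n"
IPTABLES_AFTER = ("-P OUTPUT ACCEPT\n"
                  "-A OUTPUT ! -o lo -m owner --uid-owner 1001 -j DROP\n")
IP_RULE_BROKEN = ("0:\tfrom all lookup local\n"
                  "32766:\tfrom all lookup main\n"
                  "32767:\tfrom all lookup default\n")
IP_RULE_OK = ("0:\tfrom all lookup local\n"
              "32765:\tfrom all fwmark 0x1 lookup vpn\n"   # mark value is an assumption
              "32766:\tfrom all lookup main\n"
              "32767:\tfrom all lookup default\n")

if __name__ == "__main__":
    for label, args in (("as the OP first had it", (IPTABLES_BEFORE, IP_RULE_OK, "0")),
                        ("after the thread's fixes", (IPTABLES_AFTER, IP_RULE_OK, "1"))):
        print(label + ":", audit(*args) or ["ok"])
```

On a real host the three inputs come from `sudo iptables -S OUTPUT`, `ip rule show` and `cat /proc/sys/net/ipv4/ip_forward`; running the audit before the first PIA login, and again after iptables-persistent has restored the saved rules on boot, shows whether the vpn user is actually fail-closed during the window drake describes.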
Posts: 9 | Threads: 3 | Joined: Nov 2016 | Reputation: 0 | [Solved] | Nov 08, 2016, 08:46 AM
(Nov 08, 2016, 08:19 AM)drake Wrote: Great work bedmanager!
I'm glad that it is working for you now. The solution was to enable forwarding between the interfaces, which is what you actually did. It should be related to the way your VPS provider is configuring network interfaces. Some VPS users don't need forwarding enabled, some do; it depends on the way the VPS provider is handling network related configurations.
Sometimes these things require troubleshooting, but most of the time there is a solution; you just need to be patient and gather the required information to start narrowing down the issue. You did a great job here!
I take the opportunity here to draw your attention to a bug that we discovered thanks to a user's feedback: if you add wrong PIA login credentials (or for some reason they are rejected by PIA), then OpenVPN will not execute the up scripts, therefore the vpn user will not have the killswitch and routing enabled! This could lead to a potential real IP address leak! In order to prevent this, we need a persistent iptables rule that will block the vpn user's access to the Internet until the split tunnel scripts are executed. To do this:
Clear all the iptables rules:
Add the following rule, which will block vpn user's access to Internet (except lo):
Code:
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
Then install (for Ubuntu 16.04)
Code:
sudo apt-get install -y iptables-persistent
It will ask you to save the current rules; select yes. Now when the system starts, and you use the wrong credentials for PIA or the first login to the VPN is not possible, the vpn user will not have access to the Internet. Once the script is started, this rule will be deleted, and the correct rules will be applied from the script.
We will update our guides with this information soon!
Thanks for your help and guidance - I've added what you've written above and so I'm just now going to dig into getting Deluge working. It wouldn't be one of my projects if I didn't create myself a bundle of trouble with the deluged and deluge-web services not starting, but that's a story for another day after I've tried everything - I don't want to wear out my welcome!
Thanks so much for the help - truly appreciated!