VPN Split Tunnel Ubuntu 16.04 expected behavior?
Posts: 7
Threads: 2
Joined: Jan 2017
Reputation:
0
[Solved]
Jan 22, 2017, 08:46 AM
Hello, thanks for the great guide on configuring Split Tunnel VPN on Ubuntu 16.04. I have followed the guide and, as far as I can see, got things working properly, with one exception.
The only app I currently have configured as the VPN user is Transmission. However, when my connection to PIA is dropped I lose all connectivity on my server (all users). From what I have read this should not be the case if the split tunnel configuration is working as designed?
Please provide any troubleshooting steps I should be taking. I did double check that all the steps in the guide were followed, and when running the tests at the end of "part 1" all appears to be responding correctly. However, I am curious why the output of the DNS test would be returning the PIA servers for all of my users as opposed to just the VPN user?
Thanks in advance!
M
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Jan 22, 2017, 04:50 PM
Glad you liked the guide!
If for some reason your connection to the VPN breaks, or you simply stop OpenVPN, then only the vpn user's connection will be blocked. That is, it is not blocked as such, but since only the vpn user is allowed to access the Internet over the VPN, and there is no VPN connection available, in practice this means there is no Internet connection in any form until the VPN connection is up and running again.
All other users should be able to work and access the Internet regardless of whether the VPN connection is active or not. There is probably something wrong with your setup.
As for the DNS: it is normal, you will have the same DNS for all your users. It is possible to have different DNS for the vpn user and regular users, but that would give all sorts of trouble, and there is no need for that, since you can safely use these DNS servers all the time.
To troubleshoot your problem with connections:
1) Please give the output of
Code:
cat /etc/openvpn/openvpn.conf
2)
When connected to the VPN server, does the IP address check return the correct IPs for both the regular and the vpn user?
Code:
sudo -u vpn -i -- curl ipinfo.io
What do you get if you disconnect from the VPN server?
3) please give me the outputs of
Code:
sudo iptables -S
sudo iptables -L
Posts: 7
Threads: 2
Joined: Jan 2017
Reputation:
0
[Solved]
Jan 22, 2017, 06:39 PM
Thanks for the quick reply! Based on your requests, I have provided the outputs below.
1)
client
dev tun
proto udp
remote ca.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
route-noexec
#up and down scripts to be executed when VPN starts or stops
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf
2a) "VPN UP"
{
"ip": "24.xxx.8x.1xx",
"hostname": "1xx-8x-2xx-2x.gci.net",
"city": "Anchorage",
"region": "Alaska",
"country": "US",
"loc": "61.1637,-149.9917",
"org": "AS8047 GENERAL COMMUNICATION, INC.",
"postal": "99502"
}
2b) "VPN UP"
{
"ip": "1xx.x9x.x5.xx",
"hostname": "1xx.x9x.x5.xx.choopa.net",
"city": "Montreal",
"region": "Quebec",
"country": "CA",
"loc": "45.4594,-73.5501",
"org": "AS20473 Choopa, LLC",
"postal": "H3E"
}
2c) "VPN Down"
Same as 2a
2d) "VPN Down"
No response, Ctrl-C to stop
3a) "iptables -S"
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 34884 -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -s 192.168.1.208/32 -o enpls0 -j REJECT --reject-with icmp-port-unreachable
3b) "iptables -L"
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:34884
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
REJECT all -- !mediaserver anywhere reject-with icmp-port-unreachable
Thanks in advance!
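To make the kill-switch behaviour described in the earlier reply concrete, here is an added example (not code from the guide or from anyone in this thread) that parses `iptables -S` output and walks the OUTPUT and INPUT chains first-match, the way the kernel does, for the scenarios discussed: the vpn user with the tunnel up and down, a regular user, and inbound traffic on tun0. The ruleset posted above is embedded as sample input. The VPN UID 1002, the interface names and the LAN address 192.168.1.208 come from the post; the tunnel address 10.8.0.6 is an assumption used only to model a packet whose source is the VPN-assigned IP, and UID 1000 is assumed for a regular user.

```python
"""First-match evaluation of a per-user split-tunnel iptables ruleset.

Added example, not from the guide or the thread. Parses `iptables -S` text
and reports the verdict for the user/interface/source combinations the
thread is about. Assumptions: tunnel address 10.8.0.6, regular user UID 1000.
"""
import ipaddress
import shlex

# Sample input: the `iptables -S` output posted in the thread.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 34884 -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -s 192.168.1.208/32 -o enpls0 -j REJECT --reject-with icmp-port-unreachable
"""

# Options that take a value in `iptables -S` output (the subset handled here).
VALUE_OPTS = {"-i", "-o", "-s", "-d", "-p", "-m", "-j", "--uid-owner",
              "--ctstate", "--dport", "--sport", "--reject-with"}
# Rule option -> field of the packet dict used by matches().
PKT_KEY = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
           "--uid-owner": "uid", "--ctstate": "ctstate", "--dport": "dport"}


def parse(text):
    """Return (chain policies, rules). A rule is {chain, target, match, raw};
    match maps an option to (value, negated)."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "target": None, "match": {}, "raw": line.strip()}
        i, neg = 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                  # negates the next option
                neg, i = True, i + 1
                continue
            if tok in VALUE_OPTS:
                val = toks[i + 1]
                if tok == "-j":
                    rule["target"] = val
                elif tok != "-m":           # -m only loads a match module
                    rule["match"][tok] = (val, neg)
                neg, i = False, i + 2
                continue
            i += 1                          # flag without a value: ignored
        rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every option this example understands agrees with the packet."""
    for opt, (val, neg) in rule["match"].items():
        key = PKT_KEY.get(opt)
        if key is None:
            continue
        have = pkt.get(key)
        if opt in ("-s", "-d"):
            hit = have is not None and ipaddress.ip_address(have) in \
                ipaddress.ip_network(val, strict=False)
        elif opt == "--ctstate":
            hit = have in val.split(",")
        else:
            hit = str(have) == str(val)
        if hit == neg:                      # no hit, or a hit on a negated option
            return False
    return True


def verdict(policies, rules, chain, pkt):
    """Target of the first matching rule in the chain, else the chain policy."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def vpn_uid_egress_ifaces(rules, uid):
    """Interfaces on which OUTPUT has an ACCEPT keyed to the VPN UID ('*' = any)."""
    ifaces = set()
    for rule in rules:
        owner = rule["match"].get("--uid-owner")
        if rule["chain"] == "OUTPUT" and rule["target"] == "ACCEPT" and owner == (uid, False):
            out = rule["match"].get("-o")
            ifaces.add(out[0] if out and not out[1] else "*")
    return ifaces


def kill_switch_report(text, vpn_uid="1002", phys="enpls0",
                       lan_ip="192.168.1.208", vpn_ip="10.8.0.6"):
    """Evaluate the scenarios discussed in the thread against the ruleset."""
    policies, rules = parse(text)
    v = lambda chain, pkt: verdict(policies, rules, chain, pkt)
    return {
        "vpn_uid_ifaces": vpn_uid_egress_ifaces(rules, vpn_uid),
        "vpn user, tunnel up, via tun0": v("OUTPUT", {"out": "tun0", "src": vpn_ip, "uid": vpn_uid}),
        "vpn user, tunnel down, VPN source via phys": v("OUTPUT", {"out": phys, "src": vpn_ip, "uid": vpn_uid}),
        "vpn user, LAN source via phys": v("OUTPUT", {"out": phys, "src": lan_ip, "uid": vpn_uid}),
        "regular user via phys": v("OUTPUT", {"out": phys, "src": lan_ip, "uid": "1000"}),
        "reply to vpn user's own connection": v("INPUT", {"in": "tun0", "ctstate": "ESTABLISHED"}),
        "unsolicited inbound on tun0": v("INPUT", {"in": "tun0", "ctstate": "NEW", "proto": "udp", "dport": 53}),
        "torrent port on tun0": v("INPUT", {"in": "tun0", "ctstate": "NEW", "proto": "tcp", "dport": 34884}),
    }


if __name__ == "__main__":
    for name, result in kill_switch_report(SAMPLE_RULES).items():
        print(f"{name}: {result}")
```

Two results are worth reading together. A vpn-user packet that leaves enpls0 with the tunnel's source address is rejected by the last OUTPUT rule, which is the kill switch the reply describes; a vpn-user packet that leaves enpls0 with the LAN source address matches no rule at all and falls through to the ACCEPT policy. So the rule list on its own only guarantees the block if the vpn user's traffic is never routed out of the physical interface with the LAN address, which is something the routing side of the guide (the `route-noexec` and `up` script in the posted config) has to ensure and which this checker cannot see. The "no response" in 2d, rather than the rule listing, is therefore the test that actually proves the kill switch works on a given box.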
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Jan 22, 2017, 06:46 PM
(Jan 22, 2017, 06:39 PM)halfrican Wrote: 2c) "VPN Down"
Same as 2a
2d) "VPN Down"
no respone, control "c" to stop
Does this mean that with the VPN down you get your regular IP correctly? If that is the case, then it is correct: you have access to the Internet using your regular (non-vpn) user even if your VPN connection is down. If yes, then what is the problem? It is working exactly as it should.
For the vpn user you don't get a response when the VPN connection is down, as it is blocked (the Kill Switch is working); it would be a problem if you received an IP when no VPN connection is active.
Maybe I didn't understand your question correctly?
When the VPN is stopped, can you do a regular apt-get update?
Posts: 7
Threads: 2
Joined: Jan 2017
Reputation:
0
[Solved]
Jan 22, 2017, 07:02 PM
Yes, your understanding of what I typed is correct. I do believe, after going through the steps you detailed, that all is working as designed. With the VPN down, I am able to complete "apt-get update".
So, in the end, I believe I was incorrect all along (sorry to bother you).
One last question: during apt-get update I am getting an error; is this something that also has an easy fix?
E: Failed to fetch https://swupdate.openvpn.net/apt/dists/xenial/Release Invalid 'Valid-Until' entry in Release file /var/lib/apt/lists/partial/swupdate.openvpn.net_apt_dists_xenial_Release
E: Some index files failed to download. They have been ignored, or old ones used instead.
Thanks again!
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Jan 22, 2017, 08:29 PM
Excellent, I'm glad it is solved! It is working for you as it should.
About the update error: I just noticed it myself too. OpenVPN changed their apt repo (two days ago it was working); I will also update the guide. Guess it was due to their 2.4 version jump.
You need to change the repository, so first remove the now obsolete one from
Code:
/etc/apt/sources.list.d/openvpn.list
And add the new one; if you are using Ubuntu Server 16.04, then
Code:
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" | sudo tee -a /etc/apt/sources.list.d/openvpn.list
Then run update and upgrade
Code:
sudo apt-get update
sudo apt-get upgrade
Not sure about the GPG key, it worked for me fine with the old key. Let me know how it works.
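The repository switch above appends the new line with `tee -a`, so running it twice leaves a duplicate entry, and the old `swupdate.openvpn.net` line still has to be removed by hand. The following is an added example (not from the guide or this thread) that does the same change as an idempotent, atomic rewrite of the list file. The file path and the new `deb` line are the ones in the post; the sample old entry used in the test is constructed from the URL in the apt error message, and the real path needs root.

```python
"""Switch the OpenVPN apt source to the new repository, idempotently.

Added example, not from the guide. Drops any swupdate.openvpn.net entry,
adds the build.openvpn.net entry exactly once, and replaces the file
atomically so apt never reads a half-written list.
"""
import os

OLD_HOST = "swupdate.openvpn.net"
NEW_ENTRY = "deb http://build.openvpn.net/debian/openvpn/stable {codename} main"


def rewrite_sources(lines, codename="xenial"):
    """Pure function: return the new list of lines for the sources file."""
    entry = NEW_ENTRY.format(codename=codename)
    # Keep every line except the obsolete repository and blank lines.
    kept = [ln.rstrip("\n") for ln in lines if OLD_HOST not in ln and ln.strip()]
    if entry not in kept:
        kept.append(entry)
    return kept


def switch_openvpn_repo(path="/etc/apt/sources.list.d/openvpn.list", codename="xenial"):
    """Rewrite the list file in place (root needed for the real path); returns the new lines."""
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = fh.readlines()
    new = rewrite_sources(lines, codename)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(new) + "\n")
    os.replace(tmp, path)  # atomic on POSIX: old or new file, never a mix
    return new


if __name__ == "__main__":
    for line in switch_openvpn_repo():
        print(line)
```

After the rewrite, `sudo apt-get update` followed by `sudo apt-get upgrade` picks up the new repository; if apt reports a missing key for it, that is the signing-key question left open in the reply above, and the key should be checked rather than the warning ignored.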
Posts: 7
Threads: 2
Joined: Jan 2017
Reputation:
0
[Solved]
Jan 22, 2017, 09:52 PM
(Jan 22, 2017, 08:29 PM)drake Wrote: Excellent, I'm glad it is solved! It is working for you as it should.
About the update error: I just noticed it myself too. OpenVPN changed their apt repo (two days ago it was working); I will also update the guide. Guess it was due to their 2.4 version jump.
You need to change the repository, so first remove the now obsolete one from
Code:
/etc/apt/sources.list.d/openvpn.list
And add the new one; if you are using Ubuntu Server 16.04, then
Code:
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" | sudo tee -a /etc/apt/sources.list.d/openvpn.list
Then run update and upgrade
Code:
sudo apt-get update
sudo apt-get upgrade
Not sure about the GPG key, it worked for me fine with the old key. Let me know how it works.
Problem solved, thanks again!