Split VPN
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 01, 2016, 03:10 PM
(This post was last modified: Aug 01, 2016, 03:11 PM by Gompy.)
Your guide doesn't seem to work for me.
Openvpn service is running
Ifconfig DOES list tun0
No errors in syslog
Curl ipinfo.io is the same for vpn user
Sent from my Nexus 5X using Tapatalk
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Aug 01, 2016, 07:50 PM
(This post was last modified: Aug 01, 2016, 07:57 PM by drake.)
Hi Gompy,
Can you tell me the following: which Linux distribution are you using, which vpn provider, do you have any firewall enabled, and after you completed the guide, did you try a full system restart?
Can you give me the output of:
sudo iptables-save
sudo ip route show table vpnuser
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
Replacing eth0 with your network interface, if different.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 02, 2016, 04:00 AM
(This post was last modified: Aug 02, 2016, 04:03 AM by Gompy.)
Hi, I can't give you the output of those commands right now as I'm not at home but will do tonight (RPI is running my old sd/config).
I was using the latest minibian to test the vpn setup. My vpn provider is PIA. I did multiple reboots. Network interface is eth0. So didn't have to make changes there. No firewall enabled.
Thank you
Sent from my Nexus 5X using Tapatalk
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Aug 02, 2016, 09:40 AM
(This post was last modified: Aug 02, 2016, 09:44 AM by drake.)
Ok, we will certainly make this work, as the guide is confirmed as working perfectly fine by many users on RPi and Debian. I won't be available for 10 days, but Mike will try to help you, or I will when I have returned home.
Please give me the output of the following commands too:
sudo iptables -L
sudo iptables -S
Edit: not sure if you need sudo on RPi, if you are root. Remember, once you have vpn split tunnel up and running, for the second part you will need to use systemd instead of upstart, as the guide is for Ubuntu Server 14.04.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 02, 2016, 10:49 AM
Thanks, I'll be home in about 4 hrs. There's no sudo on minibian. I suspect it's missing some packages.
Sent from my Nexus 5X using Tapatalk
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Aug 02, 2016, 10:56 AM
Ok, let me know the output of the commands I asked, then we will see. I might not be able to reply soon, as I'm on the road.
For dns you need to install resolvconf on Debian, and make sure you don't have static ip set on RPi, but on the router.
apt-get install resolvconf
We will know more once I see your answer.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 02, 2016, 11:07 AM
(This post was last modified: Aug 02, 2016, 11:22 AM by Gompy.)
Thanks, maybe you could suggest some more packages that might be missing on minibian, if I remember correctly; even iptables didn't work out of the box.
PS static IP is configured on the router side
Sent from my Nexus 5X using Tapatalk
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Aug 02, 2016, 11:31 AM
Afaik, no other packages are required, but I don't have access to an RPi now, actually to no other device just my phone, so I can't check it. You need openvpn (don't use the ppa), iptables, and resolvconf for sure.
Once we have the output of commands, we will know more.
Sent from my Xperia Z3 Compact using Tapatalk
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 02, 2016, 12:28 PM
Ok thank you, will update ASAP
Sent from my Nexus 5X using Tapatalk
Posts: 140
Threads: 13
Joined: Jan 2016
Reputation:
26
[Solved]
Aug 02, 2016, 03:25 PM
First of all, when I run apt-get update I get this:
Code:
W: Failed to fetch https://swupdate.openvpn.net/apt/dists/trusty/Release Unable to find expected entry 'main/binary-armhf/Packages' in Release file (Wrong sources.list entry or malformed file)
Output iptables-save:
Code:
~# iptables-save
# Generated by iptables-save v1.4.21 on Tue Aug 2 16:18:41 2016
*filter
:INPUT ACCEPT [7252:9576089]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1883:176340]
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.178.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Aug 2 16:18:41 2016
# Generated by iptables-save v1.4.21 on Tue Aug 2 16:18:41 2016
*mangle
:PREROUTING ACCEPT [7307:9583696]
:INPUT ACCEPT [7305:9583632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1891:177522]
:POSTROUTING ACCEPT [1892:177554]
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT ! -d 192.168.178.10/32 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.178.10/32 -p udp -m udp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.178.10/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.178.10/32 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue Aug 2 16:18:41 2016
# Generated by iptables-save v1.4.21 on Tue Aug 2 16:18:41 2016
*nat
:PREROUTING ACCEPT [31:5795]
:INPUT ACCEPT [29:5731]
:OUTPUT ACCEPT [53:4205]
:POSTROUTING ACCEPT [21:1361]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Tue Aug 2 16:18:41 2016
ip route show table vpn
Code:
~# ip route show table vpn
default via 10.139.1.5 dev tun0
default via 127.0.0.1 dev lo
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
Code:
:~# cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
2
2
2
iptables -L
Code:
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !192.168.178.10 anywhere reject-with icmp-port-unreachable
iptables -S
Code:
~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.178.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
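Added example, not part of any post in this thread: a Python helper that parses `iptables-save` output like the dump above and lists, for one UID, which interfaces the filter table accepts, which MARK rules are scoped to that UID and which are not, and whether the tunnel is masqueraded. The function names and the trimmed `DUMP` excerpt are assumptions of this example; it does not look at `ip rule` or the routing table.

```python
import shlex

# Excerpt of the iptables-save output posted above (counters, COMMIT lines and some rules trimmed).
DUMP = """\
*filter
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.178.10/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
*mangle
-A OUTPUT ! -d 192.168.178.10/32 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.178.10/32 -j MARK --set-xmark 0x1/0xffffffff
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
"""

def parse(text):
    """Return {table: [(chain, tokens), ...]} from iptables-save text."""
    tables, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif line.startswith("-A ") and current is not None:
            tok = shlex.split(line)
            current.append((tok[1], tok[2:]))
    return tables

def opt(tokens, flag):
    """Value following flag, or None if the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def summarize(tables, uid, tun="tun0"):
    """Collect the rules that tie one UID to the tunnel interface."""
    out = {"accept_ifaces": [], "uid_marks": [], "other_marks": [], "masquerade": False}
    for chain, t in tables.get("filter", []):
        if chain == "OUTPUT" and opt(t, "--uid-owner") == str(uid) and opt(t, "-j") == "ACCEPT":
            out["accept_ifaces"].append(opt(t, "-o"))
    for chain, t in tables.get("mangle", []):
        if chain == "OUTPUT" and opt(t, "-j") == "MARK":
            mark = opt(t, "--set-xmark") or opt(t, "--set-mark")
            key = "uid_marks" if opt(t, "--uid-owner") == str(uid) else "other_marks"
            out[key].append(mark)
    for chain, t in tables.get("nat", []):
        if chain == "POSTROUTING" and opt(t, "-o") == tun and opt(t, "-j") == "MASQUERADE":
            out["masquerade"] = True
    return out

if __name__ == "__main__":
    print(summarize(parse(DUMP), 1001))
```

To use it on a live system, pass the full text of `iptables-save` to `parse()` instead of `DUMP`.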