Hi all. I have been working my way through the split tunneling guide for Ubuntu 16.04.
I have completed part one; however, I don't think the split is functioning correctly. When I run curl ifconfig.co I get the same IP (my VPN's) for both the VPN user and normal users. Not too bad, but I didn't want the tunnel to go down and start using my normal connection.
I am a Linux newbie but willing to learn. Reading other troubleshooting guides, I can provide the following information to help identify the problem.
OS is Raspbian Jessie
My VPN provider is called Windscribe
My VPN user is called `vpn`
Hopefully I have given you enough information to help. Any more questions, please ask. I greatly appreciate any help. Thank you.
sudo -u vpn -i -- curl ifconfig.co
iptables-save
sudo ip route show table vpn
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
iptables -L
iptables -S
Code:
curl ifconfig.co
88.202.231.61
sudo -u vpn -i -- curl ifconfig.co
88.202.231.61
Code:
sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Oct 14 17:06:40 2016
*filter
:INPUT ACCEPT [21966:5226243]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6722:922585]
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.1.3/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Oct 14 17:06:40 2016
# Generated by iptables-save v1.4.21 on Fri Oct 14 17:06:40 2016
*mangle
:PREROUTING ACCEPT [22614:5276595]
:INPUT ACCEPT [22490:5269909]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6754:925195]
:POSTROUTING ACCEPT [6754:925195]
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT ! -d 192.168.1.3/32 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.3/32 -p udp -m udp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -d 192.168.1.3/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.1.3/32 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Fri Oct 14 17:06:40 2016
# Generated by iptables-save v1.4.21 on Fri Oct 14 17:06:40 2016
*nat
:PREROUTING ACCEPT [865:169083]
:INPUT ACCEPT [737:162103]
:OUTPUT ACCEPT [175:12801]
:POSTROUTING ACCEPT [4:417]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 14 17:06:40 2016
Code:
sudo ip route show table vpn
default via 10.110.10.49 dev tun0
default via 127.0.0.1 dev lo
Code:
cat /proc/sys/net/ipv4/conf/{all,default,eth0}/rp_filter
2
2
2
Code:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !192.168.1.3 anywhere reject-with icmp-port-unreachable
Code:
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.1.3/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
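An added offline check for the setup dumped above, written for this page rather than taken from the post or the guide: it parses the iptables-save rules and the route tables as text and reports whether the invariants of a uid-based split tunnel hold. The main-table `ip route show` samples are assumed, because the post does not include that output; a default route via tun0 in the main table sends every user through the VPN, which matches the symptom reported.

```python
import re
# Constants from the post (uid of `vpn`, the Pi's LAN address) and a constructed
# copy of the post's iptables-save rules that matter for the split tunnel.
VPN_UID, LAN_ADDR = 1001, "192.168.1.3"
IPTABLES_SAVE = """\
*filter
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 192.168.1.3/32 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*mangle
-A OUTPUT ! -d 192.168.1.3/32 -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
-A OUTPUT ! -s 192.168.1.3/32 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
"""
# From the post: `ip route show table vpn`.
VPN_TABLE = "default via 10.110.10.49 dev tun0\ndefault via 127.0.0.1 dev lo\n"
# Assumed samples of `ip route show` (main table), which the post does not include.
MAIN_TABLE_OK = "default via 192.168.1.1 dev eth0\n192.168.1.0/24 dev eth0 src 192.168.1.3\n"
MAIN_TABLE_BAD = "default via 10.110.10.49 dev tun0\n192.168.1.0/24 dev eth0 src 192.168.1.3\n"

def parse_rules(dump):
    """Return {table_name: [append rules]} parsed from iptables-save text."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables

def default_dev(route_text):
    # Device of the first default route in `ip route show` output, or None.
    m = re.search(r"^default .*?\bdev (\S+)", route_text, re.M)
    return m.group(1) if m else None

def check_split_tunnel(dump, main_routes, vpn_routes):
    t = parse_rules(dump)
    mangle, filt, nat = t.get("mangle", []), t.get("filter", []), t.get("nat", [])
    return {
        "vpn_user_marked": any(f"--uid-owner {VPN_UID}" in r and "-j MARK" in r for r in mangle),
        "tun_masquerade": any("-o tun0" in r and "MASQUERADE" in r for r in nat),
        "eth0_kill_switch": any(f"! -s {LAN_ADDR}" in r and "-o eth0" in r and "REJECT" in r for r in filt),
        "vpn_table_via_tun": default_dev(vpn_routes) == "tun0",
        # A default route via tun0 in the main table sends every user through the VPN.
        "main_default_not_tun": default_dev(main_routes) not in (None, "tun0"),
    }
```

Feed the real `iptables-save` and `ip route show` output from the Pi to `check_split_tunnel`; the `ip rule` entry that sends fwmark 0x1 to table vpn is also absent from the dumps above and is worth confirming separately.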