DietPi-VPN cannot access local web UI

Hi Everyone,

Thank you to all the DietPi contributors! I have been having a blast with DietPi 8 and my RPi 3B.

I have one issue I am unable to figure out and need some help with: being able to access Sonarr’s web interface in a browser once DietPi-VPN is switched on.

I have set up my RPI to connect via wifi to the internet.
I have set up a client-side VPN using a custom ovpn file. I have switched on both AutoStart and killswitch.
The VPN state is: connected, the VPN provider IP is shown.

If the VPN is turned off I can access Sonarr (http://192.168.1.23:8989) in a browser; once the VPN is turned on, it does not connect.
Any idea what I can do to have the VPN on and access sonarr locally?

Thank you!

This is as expected if the killswitch has been turned on. See our online docs, section killswitch: https://dietpi.com/docs/dietpi_tools/#dietpi-vpn

Makes sense, thank you for the doc link Joulinar!

I did not try it yet but that would also imply that if the VPN is on then the jellyfin server would not be accessible?

Is there a way to allow a specific local network IP to access sonarr’s web interface when the killswitch is on?

Thank you for the doc link Joulinar!

yw :sunglasses:

I did not try it yet but that would also imply that if the VPN is on then the jellyfin server would not be accessible?

Yes, on a default configuration, SSH is the only service working.

Is there a way to allow a specific local network IP to access sonarr’s web interface when the killswitch is on?

Yep, that should be possible to allow more services. But I need to say I’m not an iptables expert. Not 100% sure, but probably the port needs to be added into /var/lib/dietpi/dietpi-vpn/killswitch.rules, the same way as it has been done for SSH port 22:

-A INPUT -p tcp --dport <PORT> -j ACCEPT

Works for qBittorrent (port 1340) and Dashboard (8088), many thanks.

PS: The Dashboard service does not seem to remain active for long, but I presume that is due to it being beta, so I’ll revisit that later.

Try to update DietPi as well as Dashboard. I see you are still using port 8088. This has been changed recently to port 5252.

I updated to the “5252” version last night; it works for a bit, then the service shows failed, as before. I probably shouldn’t hijack this thread with this; shall I start another one?

Please open your own issue on the related GitHub project for challenges with the Dashboard.

Roger that. I might do a fresh rebuild of DietPi first anyway (this one has been kicking around for a while now!)

Thanks.

Ah, missed the link to GitHub: https://github.com/ravenclaw900/DietPi-Dashboard

Many thanks.

DietPi dashboard is stable now, I think the update did it after all.

OK, perfect.

Hi Joulinar,

It works perfectly, thank you!

For anyone new, I have noticed you can only modify ‘killswitch.rules’ once the VPN is active, as the file is only present then. I added the following line to the rules file: “-A INPUT -s 192.168.1.0/16 -p tcp --dport 8989 -j ACCEPT”. Then I saved and restarted the VPN.

Can I suggest, in the getting started documentation under Killswitch, a mention to modify the rules file if you need remote web access :sunglasses:.

I have follow up questions:

  1. Is there a way to persist the killswitch.rules file? I have noticed that if I turn off the killswitch in dietpi-vpn my changes are lost.
  2. Sometimes on boot the VPN doesn’t connect and needs to be manually started, although I have selected “Connect to VPN on boot”. Is there a way to increase the retries? Maybe that’s the issue?
  3. Is there a way to force a specific DNS server for the VPN, since my VPN has a DNS leak? I used the sh script from https://github.com/macvk/dnsleaktest to test. Maybe there is a way to force the nameserver in /etc/resolv.conf to 9.9.9.9, for example?

Thanks for all the help!

Let’s try to answer your questions.

  1. Is there a way to persist the killswitch.rules file? I have noticed that if I turn off the killswitch in dietpi-vpn my changes are lost.

Yeah, that’s true. killswitch.rules is going to be removed as soon as the feature is disabled. But there might be a workaround. You would need to create your own script that gets executed right after the VPN is connected. There is an option inside dietpi-vpn to do so. Just select Edit Up and add the following into the file:

# Only re-apply the extra rules while the killswitch is active: the rules file
# exists only then. Adjust the ports to the services you need to reach.
if [[ -f /var/lib/dietpi/dietpi-vpn/killswitch.rules ]]
then
	iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP
	iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # HTTPS
fi

This is just an example for ports 80/443 and would need to be adjusted to your needs. The script will check for the availability of killswitch.rules and apply your custom settings.

  2. Sometimes on boot the VPN doesn’t connect and needs to be manually started, although I have selected “Connect to VPN on boot”. Is there a way to increase the retries? Maybe that’s the issue?

Check the log files if the VPN connection did not succeed:

systemctl status dietpi-vpn.service
journalctl -u dietpi-vpn.service

  3. Is there a way to force a specific DNS server for the VPN, since my VPN has a DNS leak? I used the sh script from https://github.com/macvk/dnsleaktest to test. Maybe there is a way to force the nameserver in /etc/resolv.conf to 9.9.9.9, for example?

Hmm, you could have a look into /var/lib/dietpi/dietpi-vpn/settings_ovpn.conf to see if there is any DNS specified. If not, DNS might be pushed by the VPN server side.
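The up-script approach above opens the ports to every source address and appends a fresh copy of each rule on every reconnect. The following script is an added example, not DietPi’s own code: it limits the ACCEPT rules to the LAN subnet and uses iptables -C to skip rules that are already present. The killswitch.rules path is the one named in this thread; the subnet and port list are constructed sample values.

```shell
#!/bin/sh
# Added example (not DietPi's own code): build LAN-scoped allow rules for the
# DietPi-VPN killswitch and apply them idempotently from an "Edit Up" script.
# Assumed: the rules file path from the thread; the subnet and port list are
# constructed sample values, adjust them to your network and services.

KILLSWITCH_RULES=/var/lib/dietpi/dietpi-vpn/killswitch.rules
LAN_CIDR='192.168.1.0/24'      # constructed: your LAN only, not 0.0.0.0/0
LAN_TCP_PORTS='8989 8096 22'   # constructed: Sonarr, Jellyfin, SSH

# Return 0 when $1 is an integer in the TCP port range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when $1 looks like an IPv4 CIDR (a.b.c.d/0-32); shape check only.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one iptables rule line per port, limited to the LAN source subnet so
# the opened port is not also reachable from the tunnel side.
# Usage: build_lan_rules CIDR "PORT PORT ..."
build_lan_rules() {
    cidr=$1
    ports=$2
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    for p in $ports; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
        printf '%s INPUT -s %s -p tcp --dport %s -j ACCEPT\n' '-A' "$cidr" "$p"
    done
}

# Apply the rules only while the killswitch is active (the rules file exists).
# "iptables -C" tests whether a rule is already present, so the up-script can
# run on every reconnect without stacking duplicate ACCEPT rules.
apply_lan_rules() {
    [ -f "$KILLSWITCH_RULES" ] || { echo "killswitch inactive, nothing to do"; return 0; }
    build_lan_rules "$LAN_CIDR" "$LAN_TCP_PORTS" | while IFS= read -r rule; do
        spec=${rule#-A }    # strip the -A so the same spec works for -C and -A
        iptables -C $spec 2>/dev/null || iptables -A $spec
    done
}

# Dry run when executed directly: show the rules that would be applied.
build_lan_rules "$LAN_CIDR" "$LAN_TCP_PORTS"
```

Call apply_lan_rules from the Edit Up script instead of the dry-run line. Note that -A appends after the existing killswitch rules, which this thread reports works with DietPi’s rule set; if a rule set ends in an explicit DROP rule, -I (insert at the top) would be needed instead.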

Great solution for question 1, works perfectly!

For question 2, I will run those commands when it fails.

For question 3, if I open the file /var/lib/dietpi/dietpi-vpn/settings_ovpn.conf, only the user name and password are displayed. For the ovpn file, I also tried adding:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
dhcp-option DNS 9.9.9.9

And I also tried adding foreign_option_1 and foreign_option_2 in the /etc/openvpn/update-resolv-conf file:

foreign_option_1='dhcp-option DNS 9.9.9.9'
foreign_option_2='dhcp-option DNS 149.112.112.112'

But no luck. Any more ideas? :sunglasses:

Honestly, I’m not an expert on OpenVPN. But it might be that the VPN server settings overrule local settings? I’m not sure. Maybe MichaIng or trendy know how OpenVPN is handling it.

To check what DNS server is used, you could install the DNS utility package:

apt install dnsutils
dig google.com

The dig command will perform a DNS check. In the output you will find an ANSWER SECTION:. There you have the information about the DNS server used:

;; Query time: 20 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
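To turn the dig check above into something you can run after every VPN connect, here is an added example (not from this thread or from DietPi): it extracts the resolver from dig’s “;; SERVER:” footer line and compares it with the resolver you intend to use, so a router address handed out by DHCP shows up as a mismatch. The sample dig footer is constructed; dig is used live only when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): report which resolver dig used and
# flag it when it is not the expected one. The sample footer is constructed.

EXPECTED_DNS='9.9.9.9'   # constructed: the resolver you intend to use

SAMPLE_DIG_OUTPUT=';; Query time: 20 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Jan 01 00:00:00 UTC 2024'

# Print the IP from the ";; SERVER: ip#port(ip)" line of dig output
# (empty when no such line is present).
dns_server_from_dig() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Return 0 when the reported resolver equals the expected one, 1 otherwise
# (for example the LAN router from DHCP, whose queries would bypass the tunnel).
check_resolver() {
    got=$(dns_server_from_dig "$1")
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# Run the live check when dig is installed, otherwise fall back to the sample.
if command -v dig >/dev/null 2>&1; then
    output=$(dig google.com 2>/dev/null)
else
    output=$SAMPLE_DIG_OUTPUT
fi
if check_resolver "$output" "$EXPECTED_DNS"; then
    echo "resolver OK: $(dns_server_from_dig "$output")"
else
    echo "resolver MISMATCH: got '$(dns_server_from_dig "$output")', expected $EXPECTED_DNS"
fi
```

The parser keys on the SERVER line rather than the ANSWER SECTION, since that footer is where dig prints the resolver it actually talked to; newer dig versions append a “(UDP)” or “(TCP)” suffix, which the pattern tolerates.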

It is my understanding that the DNS options are pushed by the server. The client in the .ovpn configuration file only needs to run the up/down script to ensure that the options will be applied to the host.
https://steamforge.net/wiki/index.php/How_to_configure_OpenVPN_to_resolve_local_DNS_&_hostnames

If you use an upstream DNS anyway (not the LAN/router DNS nameserver), then it shouldn’t matter, since requests to the upstream DNS are tunnelled as well, aren’t they? But when you use DHCP for the local network, then the router may promote itself as DNS nameserver; then it makes sense to force a different one to not bypass the VPN. When the VPN server pushes a DNS server, I would expect that OpenVPN applies this to /etc/resolv.conf automatically, without any additional scripts, but I’m not 100% sure this is true.

If you want/need to apply it manually, try to use post-up /etc/openvpn/update-resolv-conf to apply it after the VPN connection has been established, to override anything done by OpenVPN in this regard.

dhcp-option DNS 9.9.9.9 is, by the way, the OpenVPN server-side option to pass a DNS server to clients, hence it shouldn’t have any effect on the client.

Apparently not, because it is not able to revert the resolv.conf to the original state after disconnection without the help from resolvconf package.