How did you come to this conclusion? The gateway is used for the wireguard server outgoing packets and not for the forwarded.
I check exit with public ip on my primary router 192.168.10.1
Then the tunnel was down for some reason.
Hi @trendy
I have inserted these rules in my VPN up script:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o tun0 -m comment --comment >
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun0 -m comment --comment wire>
ip route add to default via 192.168.10.1 table isp
ip rule add iif lo sport 51820 to default lookup isp prio 15000
and now the PC traffic on eth0 (setting 192.168.10.5 (dietpi) as the gateway on the PCs and not the 10.1 router) exits via tun0, and the smartphone with wireguard (wg0) also exits via tun0. DNS traffic is always covered with 10.5 (pihole+unbound), so everything is OK.
Except for this oddity:
On the 10.1 router I have two portforwarding rules:
51820 → 192.168.10.5 (wireguard server - wg0)
54936 → 192.168.10.5 (transmission torrent server)
Also on the router I have the DDNS script to access the outside (wireguard) and it also works with the tun0 VPN turned on.
Instead, transmission tells me that the port is "Closed". I can't understand why Wireguard's portforwarding rule works and this one doesn't.
I hope I have explained myself.
Could you help me? Thanks
When you turn the VPN on then all traffic from the DietPi goes through the VPN, hence the port forwarding on the router will no longer take effect. You will have to setup the port forwarding at the VPN provider, if it is supported.
Ok,
But I don't understand, because the port forwarding for VPN WireGuard works.
In a router:
Port In 58120 (wg0) → 192.168.10.5 (dietpi)
In the router I have the DDNS active and exit with the main IP (verified on the DDNS provider's site).
And this works also with VPN Proton active on DietPi Transmission.
This rule:
ip route add to default via 192.168.10.1 table isp
ip rule add iif lo sport 51820 to default lookup isp prio 15000
was it also made for the transmission port? What is it for?
Because you have added the rule to send Wireguard server traffic via the ISP.
ip route add to default via 192.168.10.1 table isp
ip rule add iif lo sport 51820 to default lookup isp prio 15000
ok, so I could also use it for the transmission port?
You could, but I don't think this is a good idea.
Why could this be a security issue?
It depends on what you are trying to download with transmission and why you installed the VPN client in the first place.
I managed to do port forwarding, installing natpmpc on dietpi, and following this guide:
https://protonvpn.com/support/port-forwarding-manual-setup/#openvpn
The problem remains of when to launch the script; in fact it works only as long as I have the SSH terminal open.
You can run it in the background with screen
or tmux
Couldn't I add it to the UP script of the VPN connection? And if so, in what way?
If you manage to automate adding the port that gets forwarded in the torrent client, I guess you could.
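As an added example (not from this thread, DietPi, Proton or Transmission), the following bash helper ties together the two pieces discussed above: the policy-routing rules that send WireGuard server replies via the ISP table, and the natpmpc keep-alive loop from the Proton guide with the mapped port pushed into the torrent client. Assumptions not stated in the thread: the NAT-PMP gateway 10.2.0.1 from Proton's guide, `transmission-remote` reachable at `localhost:9091`, the `isp` table already declared in `/etc/iproute2/rt_tables`, and natpmpc's "Mapped public port NNN protocol ..." output line. The rules are applied idempotently (`ip route replace`, and `ip rule add` only when the rule is absent), so the script is safe to call on every VPN up; the loop is started only when `WG_PF_RUN=1` so that the functions can be sourced and checked without touching the system.

```shell
#!/bin/bash
# Added example, not the thread's own script. Assumptions are marked below.
set -u

WG_PORT="${WG_PORT:-51820}"          # WireGuard listen port (from the thread)
ISP_GW="${ISP_GW:-192.168.10.1}"     # primary router (from the thread)
RT_TABLE="${RT_TABLE:-isp}"          # routing table name (from the thread)
RULE_PRIO="${RULE_PRIO:-15000}"      # rule priority (from the thread)
NATPMP_GW="${NATPMP_GW:-10.2.0.1}"   # assumption: Proton NAT-PMP gateway per their guide
TR_RPC="${TR_RPC:-localhost:9091}"   # assumption: Transmission RPC endpoint
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running them

# Run a command, or just echo it in dry-run mode.
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Policy routing: packets from the WireGuard listen port leave via the ISP, not tun0.
# Idempotent so it can be called from the VPN up script every time.
setup_wg_bypass() {
  run ip route replace default via "$ISP_GW" table "$RT_TABLE"
  if ! ip rule show 2>/dev/null | grep -q "sport $WG_PORT .*lookup $RT_TABLE"; then
    run ip rule add iif lo sport "$WG_PORT" lookup "$RT_TABLE" prio "$RULE_PRIO"
  fi
}

# Extract the public port from natpmpc's
# "Mapped public port NNN protocol TCP to local port 0 ..." line (assumed format).
parse_mapped_port() {
  sed -n 's/.*Mapped public port \([0-9][0-9]*\) protocol.*/\1/p' | head -n 1
}

# Request/refresh a 60 s mapping for UDP and TCP; print the public port on success.
request_mapping() {
  local out port
  out="$(natpmpc -a 1 0 udp 60 -g "$NATPMP_GW" && natpmpc -a 1 0 tcp 60 -g "$NATPMP_GW")" || return 1
  port="$(printf '%s\n' "$out" | parse_mapped_port)"
  [ -n "$port" ] || return 1
  printf '%s\n' "$port"
}

# Point Transmission at the mapped port, but only when it changed.
apply_port() {
  local port="$1" current="${2:-}"
  if [ "$port" != "$current" ]; then
    run transmission-remote "$TR_RPC" -p "$port"
  fi
}

# Keep-alive loop: the mapping lives 60 s, so refresh every 45 s.
# Start from the VPN up script with: WG_PF_RUN=1 nohup ./wg-pf.sh >/var/log/natpmp.log 2>&1 &
main_loop() {
  local current="" port
  while port="$(request_mapping)"; do
    apply_port "$port" "$current"
    current="$port"
    sleep 45
  done
  echo "natpmpc failed; port mapping lost" >&2
  return 1
}

if [ "${WG_PF_RUN:-0}" = "1" ]; then
  setup_wg_bypass
  main_loop
fi
```

Because the loop exits as soon as natpmpc fails, the torrent client is left listening on a port that is no longer mapped; logging that event (and, if desired, restarting the helper from the VPN up script) is what tells you the forward has silently stopped working, which is the same symptom as the "Closed" port described earlier in the thread.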