Dietpi-Vpn Issue with network traffic

Creating a bug report/issue

Required Information

  • DietPi version | G_DIETPI_VERSION_CORE=8 G_DIETPI_VERSION_SUB=15 G_DIETPI_VERSION_RC=2 G_GITBRANCH='master' G_GITOWNER='MichaIng' G_LIVE_PATCH_STATUS[0]='not applicable'
  • Distro version | bullseye
  • Kernel version | Linux DietPi 5.15.93-rockchip64 #23.02.2 SMP PREEMPT Fri Feb 17 23:48:36 UTC 2023 aarch64 GNU/Linux
  • SBC model | ROCKPro64 (aarch64)

Additional Information (if applicable)

  • Software title | Dietpi-Vpn

Once connected to ProtonVPN’s free VPN, the traffic stays at 0, and when I try to do a speedtest it works but stays with my IP, so it’s not working … and the kill switch doesn’t work either.

To connect via dietpi-vpn I had to install openvpn.

I want to say that in any case I have WireGuard with PiVPN to connect remotely.

root@DietPi:~# route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         nameserver      0.0.0.0         UG    0      0        0 eth0
10.6.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@DietPi:~# sudo ip route show table all
default via 192.168.1.1 dev eth0 onlink 
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.35 
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1 
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 
local 192.168.1.35 dev eth0 table local proto kernel scope host src 192.168.1.35 
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.35 
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev vetha797a1c proto kernel metric 256 pref medium
fe80::/64 dev vethd37561a proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev docker0 table local proto kernel metric 0 pref medium
anycast fe80:: dev vetha797a1c table local proto kernel metric 0 pref medium
anycast fe80:: dev vethd37561a table local proto kernel metric 0 pref medium
local fe80::42:72ff:fe3b:26a4 dev docker0 table local proto kernel metric 0 pref medium
local fe80::64f4:5dff:fee7:c10d dev vethd37561a table local proto kernel metric 0 pref medium
local fe80::99aa:91d0:1ffa:d45d dev tun0 table local proto kernel metric 0 pref medium
local fe80::ac59:7dff:fea3:d8d8 dev eth0 table local proto kernel metric 0 pref medium
local fe80::b8d4:d8ff:feba:9a1d dev vetha797a1c table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev docker0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vetha797a1c table local proto kernel metric 256 pref medium
multicast ff00::/8 dev vethd37561a table local proto kernel metric 256 pref medium
root@DietPi:~# 

What is the status of the service? And can you share the logs?

systemctl status dietpi-vpn
journalctl -u dietpi-vpn
root@DietPi:~# systemctl status dietpi-vpn
● dietpi-vpn.service - VPN Client (DietPi)
     Loaded: loaded (/etc/systemd/system/dietpi-vpn.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Sat 2023-04-01 18:31:10 CEST; 1h 41min ago
    Process: 4975 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client.ovpn (code=exited, status=0/SUCCESS)
   Main PID: 4975 (code=exited, status=0/SUCCESS)
     Status: "Pre-connection initialization successful"
        CPU: 112ms

Apr 01 18:31:04 DietPi openvpn[4975]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY EKU OK
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY OK: depth=0, CN=node-nl-56.protonvpn.net
Apr 01 18:31:04 DietPi openvpn[4975]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Apr 01 18:31:04 DietPi openvpn[4975]: [node-nl-56.protonvpn.net] Peer Connection Initiated with [AF_INET]190.2.138.15:1194
Apr 01 18:31:05 DietPi openvpn[4975]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:31:10 DietPi openvpn[4975]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:31:10 DietPi openvpn[4975]: AUTH: Received control message: AUTH_FAILED
Apr 01 18:31:10 DietPi openvpn[4975]: SIGTERM[soft,auth-failure] received, process exiting
Apr 01 18:31:10 DietPi systemd[1]: dietpi-vpn.service: Succeeded.
root@DietPi:~# journalctl -u dietpi-vpn
-- Journal begins at Sat 2023-04-01 18:19:13 CEST, ends at Sat 2023-04-01 20:13:15 CEST. --
Apr 01 18:19:19 DietPi systemd[1]: Starting VPN Client (DietPi)...
Apr 01 18:19:19 DietPi openvpn[963]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 01 18:19:19 DietPi openvpn[963]: OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 01 18:19:19 DietPi openvpn[963]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Apr 01 18:19:22 DietPi openvpn[963]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 01 18:19:22 DietPi openvpn[963]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:19:22 DietPi openvpn[963]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:19:22 DietPi systemd[1]: Started VPN Client (DietPi).
Apr 01 18:19:22 DietPi openvpn[963]: TCP/UDP: Preserving recently used remote address: [AF_INET]190.2.138.15:1194
Apr 01 18:19:22 DietPi openvpn[963]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 01 18:19:22 DietPi openvpn[963]: UDP link local: (not bound)
Apr 01 18:19:22 DietPi openvpn[963]: UDP link remote: [AF_INET]190.2.138.15:1194
Apr 01 18:19:22 DietPi openvpn[963]: TLS: Initial packet from [AF_INET]190.2.138.15:1194, sid=c3009b64 b8826ee1
Apr 01 18:19:22 DietPi openvpn[963]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Apr 01 18:19:22 DietPi openvpn[963]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Apr 01 18:19:22 DietPi openvpn[963]: VERIFY KU OK
Apr 01 18:19:22 DietPi openvpn[963]: Validating certificate extended key usage
Apr 01 18:19:22 DietPi openvpn[963]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 01 18:19:22 DietPi openvpn[963]: VERIFY EKU OK
Apr 01 18:19:22 DietPi openvpn[963]: VERIFY OK: depth=0, CN=node-nl-56.protonvpn.net
Apr 01 18:19:22 DietPi openvpn[963]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Apr 01 18:19:22 DietPi openvpn[963]: [node-nl-56.protonvpn.net] Peer Connection Initiated with [AF_INET]190.2.138.15:1194
Apr 01 18:19:24 DietPi openvpn[963]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:19:29 DietPi openvpn[963]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:19:29 DietPi openvpn[963]: AUTH: Received control message: AUTH_FAILED
Apr 01 18:19:29 DietPi openvpn[963]: SIGTERM[soft,auth-failure] received, process exiting
Apr 01 18:19:29 DietPi systemd[1]: dietpi-vpn.service: Succeeded.
Apr 01 18:23:38 DietPi systemd[1]: Starting VPN Client (DietPi)...
Apr 01 18:23:38 DietPi openvpn[3649]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 01 18:23:38 DietPi openvpn[3649]: OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 01 18:23:38 DietPi openvpn[3649]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Apr 01 18:23:38 DietPi openvpn[3649]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 01 18:23:38 DietPi openvpn[3649]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:23:38 DietPi openvpn[3649]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:23:38 DietPi systemd[1]: Started VPN Client (DietPi).
Apr 01 18:23:38 DietPi openvpn[3649]: TCP/UDP: Preserving recently used remote address: [AF_INET]190.2.138.15:1194
Apr 01 18:23:38 DietPi openvpn[3649]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 01 18:23:38 DietPi openvpn[3649]: UDP link local: (not bound)
Apr 01 18:23:38 DietPi openvpn[3649]: UDP link remote: [AF_INET]190.2.138.15:1194
Apr 01 18:23:38 DietPi openvpn[3649]: TLS: Initial packet from [AF_INET]190.2.138.15:1194, sid=0edb0144 7091f766
Apr 01 18:23:38 DietPi openvpn[3649]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Apr 01 18:23:38 DietPi openvpn[3649]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Apr 01 18:23:38 DietPi openvpn[3649]: VERIFY KU OK
Apr 01 18:23:38 DietPi openvpn[3649]: Validating certificate extended key usage
Apr 01 18:23:38 DietPi openvpn[3649]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 01 18:23:38 DietPi openvpn[3649]: VERIFY EKU OK
Apr 01 18:23:38 DietPi openvpn[3649]: VERIFY OK: depth=0, CN=node-nl-56.protonvpn.net
Apr 01 18:23:38 DietPi openvpn[3649]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Apr 01 18:23:38 DietPi openvpn[3649]: [node-nl-56.protonvpn.net] Peer Connection Initiated with [AF_INET]190.2.138.15:1194
Apr 01 18:23:39 DietPi openvpn[3649]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:23:44 DietPi openvpn[3649]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:23:44 DietPi openvpn[3649]: AUTH: Received control message: AUTH_FAILED
Apr 01 18:23:44 DietPi openvpn[3649]: SIGTERM[soft,auth-failure] received, process exiting
Apr 01 18:23:44 DietPi systemd[1]: dietpi-vpn.service: Succeeded.
Apr 01 18:24:55 DietPi systemd[1]: Starting VPN Client (DietPi)...
Apr 01 18:24:55 DietPi openvpn[4054]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 01 18:24:55 DietPi openvpn[4054]: OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 01 18:24:55 DietPi openvpn[4054]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Apr 01 18:24:55 DietPi openvpn[4054]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 01 18:24:55 DietPi openvpn[4054]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:24:55 DietPi openvpn[4054]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:24:55 DietPi systemd[1]: Started VPN Client (DietPi).
Apr 01 18:24:55 DietPi openvpn[4054]: TCP/UDP: Preserving recently used remote address: [AF_INET]190.2.138.15:1194
Apr 01 18:24:55 DietPi openvpn[4054]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 01 18:24:55 DietPi openvpn[4054]: UDP link local: (not bound)
Apr 01 18:24:55 DietPi openvpn[4054]: UDP link remote: [AF_INET]190.2.138.15:1194
Apr 01 18:24:55 DietPi openvpn[4054]: TLS: Initial packet from [AF_INET]190.2.138.15:1194, sid=3d63d9e8 bddb6366
Apr 01 18:24:55 DietPi openvpn[4054]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Apr 01 18:24:55 DietPi openvpn[4054]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Apr 01 18:24:55 DietPi openvpn[4054]: VERIFY KU OK
Apr 01 18:24:55 DietPi openvpn[4054]: Validating certificate extended key usage
Apr 01 18:24:55 DietPi openvpn[4054]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 01 18:24:55 DietPi openvpn[4054]: VERIFY EKU OK
Apr 01 18:24:55 DietPi openvpn[4054]: VERIFY OK: depth=0, CN=node-nl-56.protonvpn.net
Apr 01 18:24:55 DietPi openvpn[4054]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Apr 01 18:24:55 DietPi openvpn[4054]: [node-nl-56.protonvpn.net] Peer Connection Initiated with [AF_INET]190.2.138.15:1194
Apr 01 18:24:56 DietPi openvpn[4054]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:25:01 DietPi openvpn[4054]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:25:01 DietPi openvpn[4054]: AUTH: Received control message: AUTH_FAILED
Apr 01 18:25:01 DietPi openvpn[4054]: SIGTERM[soft,auth-failure] received, process exiting
Apr 01 18:25:01 DietPi systemd[1]: dietpi-vpn.service: Succeeded.
Apr 01 18:31:03 DietPi systemd[1]: Starting VPN Client (DietPi)...
Apr 01 18:31:04 DietPi openvpn[4975]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 01 18:31:04 DietPi openvpn[4975]: OpenVPN 2.5.1 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 01 18:31:04 DietPi openvpn[4975]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Apr 01 18:31:04 DietPi openvpn[4975]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 01 18:31:04 DietPi openvpn[4975]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:31:04 DietPi openvpn[4975]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 01 18:31:04 DietPi systemd[1]: Started VPN Client (DietPi).
Apr 01 18:31:04 DietPi openvpn[4975]: TCP/UDP: Preserving recently used remote address: [AF_INET]190.2.138.15:1194
Apr 01 18:31:04 DietPi openvpn[4975]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Apr 01 18:31:04 DietPi openvpn[4975]: UDP link local: (not bound)
Apr 01 18:31:04 DietPi openvpn[4975]: UDP link remote: [AF_INET]190.2.138.15:1194
Apr 01 18:31:04 DietPi openvpn[4975]: TLS: Initial packet from [AF_INET]190.2.138.15:1194, sid=c560f700 a92bce8e
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY KU OK
Apr 01 18:31:04 DietPi openvpn[4975]: Validating certificate extended key usage
Apr 01 18:31:04 DietPi openvpn[4975]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY EKU OK
Apr 01 18:31:04 DietPi openvpn[4975]: VERIFY OK: depth=0, CN=node-nl-56.protonvpn.net
Apr 01 18:31:04 DietPi openvpn[4975]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Apr 01 18:31:04 DietPi openvpn[4975]: [node-nl-56.protonvpn.net] Peer Connection Initiated with [AF_INET]190.2.138.15:1194
Apr 01 18:31:05 DietPi openvpn[4975]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:31:10 DietPi openvpn[4975]: SENT CONTROL [node-nl-56.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Apr 01 18:31:10 DietPi openvpn[4975]: AUTH: Received control message: AUTH_FAILED
Apr 01 18:31:10 DietPi openvpn[4975]: SIGTERM[soft,auth-failure] received, process exiting
Apr 01 18:31:10 DietPi systemd[1]: dietpi-vpn.service: Succeeded.
root@DietPi:~# 

Your connection is not working due to authentication issues. Maybe a wrong password?


Wow, how stupid. It would be better to delete this issue, but while I’m at it I would like to ask you one more thing: now the VPN works, but when I try to connect from the outside to my “dietpi” via WireGuard it doesn’t work anymore. Is this normal? Can this be remedied?

This is to be expected, because incoming traffic arrives via the WireGuard interface wg0, while outgoing traffic is sent via the OpenVPN interface tun0. Since the two paths are different, your client cannot connect. There might be a way around the problem, but that would require manual configuration to exclude WireGuard traffic from your ProtonVPN. But I’m not a network expert. Maybe @trendy can help.


Yes, you need to create a separate routing table for the traffic that uses the wireguard tunnel.
An example from another topic.

Thanks for the reply @trendy,

I followed the guide.

/var/lib/dietpi/dietpi-vpn/up.sh

#!/bin/bash
# Clear this file completely, including line breaks, to have it removed

# Table 100 with its own default route, here pointing at the OpenVPN peer
ip route add to default via 10.8.0.1 table 100
# Packets entering on wg0: keep the WireGuard subnet in the main table, send everything else to table 100
ip rule add iif wg0 to 10.6.0.0/24 lookup main prio 16000
ip rule add iif wg0 to default lookup 100 prio 16010
# Forward LAN traffic into the tunnel, allow only replies back, drop the rest
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

/var/lib/dietpi/dietpi-vpn/down.sh

#!/bin/bash
# Clear this file completely, including line breaks, to have it removed.

# Undo the route, the rules and the firewall changes made by up.sh
ip route del default via 10.8.0.1 table 100
ip rule del iif wg0 to 10.6.0.0/24 lookup main prio 16000
ip rule del iif wg0 to default lookup 100 prio 16010
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD ACCEPT

But it is still not working.
When I activate dietpi-vpn, WireGuard automatically doesn’t “work” anymore and I lose the SSH connection to the ROCKPro64.

The classification is not correct. You want to route based on the WireGuard packets, not on the destination. So you need to classify using the port that WireGuard uses, usually 51820.

ip rule add iif lo sport 51820 to default lookup 100 prio 15010

Also, the new routing table doesn’t have the correct gateway; you want to use the ISP uplink, not the VPN.

ip route add to default via 192.168.1.1 table 100
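The two points above can be checked mechanically. This is an added example, not code from the thread or from DietPi: it parses `ip rule show` and `ip route show table 100` output (iproute2 text formatting assumed) and flags exactly the mistakes of the first attempt, a rule keyed on iif wg0 instead of the WireGuard source port, and a bypass table whose default route points at the OpenVPN peer. The sample outputs are constructed to mirror the rules posted in this thread.

```python
import re
from dataclasses import dataclass

MAIN_PRIO = 32766  # priority of the built-in "from all lookup main" rule


@dataclass
class Rule:
    prio: int
    selector: str  # everything between the priority and "lookup"
    table: str


def parse_rules(text):
    """Parse `ip rule show` output (assumed iproute2 formatting) into Rule objects."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)", line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return rules


def parse_default_route(text):
    """Return (gateway, device) of the default route in `ip route show table N` output."""
    for line in text.splitlines():
        m = re.match(r"\s*default\s+via\s+(\S+)(?:\s+dev\s+(\S+))?", line)
        if m:
            return m.group(1), m.group(2)
    return None, None


def check_wg_bypass(rules_text, table_text, wg_port=51820, wg_if="wg0",
                    lan_gw="192.168.1.1", vpn_if="tun0"):
    """Return a list of findings; an empty list means the bypass is set up as
    described above: WireGuard's own UDP is steered, by source port, into a
    table whose default route is the ISP gateway rather than the VPN peer."""
    findings = []
    rules = parse_rules(rules_text)
    # The encrypted WireGuard datagrams are generated locally (iif lo) with
    # source port 51820; only a rule on that port can steer them.
    if not any(re.search(rf"\bsport {wg_port}\b", r.selector) and r.prio < MAIN_PRIO
               for r in rules):
        findings.append(f"no rule matches sport {wg_port} before the main table, "
                        f"so WireGuard replies follow the default route into {vpn_if}")
    for r in rules:
        if re.search(rf"\biif {wg_if}\b", r.selector):
            findings.append(f"rule {r.prio} matches decrypted traffic entering {wg_if}; "
                            "it cannot steer the encrypted UDP leaving the host")
    gw, dev = parse_default_route(table_text)
    if gw is None:
        findings.append("bypass table has no default route")
    else:
        if gw != lan_gw:
            findings.append(f"bypass table default via {gw}, expected ISP gateway {lan_gw}")
        if dev == vpn_if:
            findings.append(f"bypass table default leaves via {vpn_if}, "
                            "so WireGuard would be tunnelled inside the VPN")
    return findings


# Constructed `ip rule` / `ip route show table 100` output modelled on the
# first attempt in the thread (classifies on iif wg0, gateway is the VPN peer).
RULES_BROKEN = """\
0:      from all lookup local
16000:  from all iif wg0 to 10.6.0.0/24 lookup main
16010:  from all iif wg0 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""
TABLE100_BROKEN = "default via 10.8.0.1 dev tun0\n"

# Constructed output modelled on the corrected rules.
RULES_FIXED = """\
0:      from all lookup local
15010:  from all iif lo sport 51820 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""
TABLE100_FIXED = "default via 192.168.1.1 dev eth0\n"

if __name__ == "__main__":
    for label, rules, table in (("broken", RULES_BROKEN, TABLE100_BROKEN),
                                ("fixed", RULES_FIXED, TABLE100_FIXED)):
        print(label, check_wg_bypass(rules, table) or ["ok"])
```

On a live box, feed it the real output of `ip rule show` and `ip route show table 100` instead of the constructed strings.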

So sorry if I bother you. The situation is the following: I added these routing rules and now the connection to my behind server via SSH works, but I can’t surf the internet. So when I connect from my phone via WireGuard to the behind server it works and I can SSH into behindpi, but I can’t navigate.

All this while I’m connected to Proton’s VPN via dietpi-vpn.

/var/lib/dietpi/dietpi-vpn/up.sh

# Table 100 sends traffic to the ISP gateway; locally generated WireGuard UDP (sport 51820) is looked up there
ip route add default via 192.168.1.1 table 100
ip rule add iif lo sport 51820 lookup 100 prio 15010
# NAT everything leaving through the OpenVPN tunnel
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Forward LAN and WireGuard clients into the tunnel, allow only replies back, drop the rest
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP

/var/lib/dietpi/dietpi-vpn/down.sh

# Undo the route, the rule, the NAT and the firewall changes made by up.sh
ip route del default via 192.168.1.1 table 100
ip rule del iif lo sport 51820 lookup 100 prio 15010
iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -i wg0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD ACCEPT


What are the allowed IPs on the client devices?

Is it this?

root@DietPi:~# cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = censured=
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820
### begin oneplus7 ###
[Peer]
PublicKey = +TgC4tto0l+Mj/gUvGG1RPtL94gozvBopDOGkKGbRyc=
PresharedKey = 8TN0Ui8TY3+uvXifKg3++ZXbNLgNqoRVEw70bw9nfy4=
AllowedIPs = 10.6.0.2/32
### end oneplus7 ###

Like this, but on the Oneplus7 device.

Also, locally I have a DNS server on behind; I can continue to use it, right?

The IP is 10.6.0.2.

root@DietPi:~# pivpn -c
::: Connected Clients List :::
Name          Remote IP              Virtual IP      Bytes Received      Bytes Sent      Last Seen
oneplus7      37.161.71.5:38752      10.6.0.2        16MiB               279MiB          Apr 03 2023 - 23:13:51

Try to add these in the up/down scripts

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

...

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

No, unfortunately it doesn’t work, or rather it lets me connect via SSH but I can’t surf from my phone.

If it’s something about my configuration, ask me for the commands and I’ll show you everything.

Add also

iptables -A FORWARD -o eth0 -i wg0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT

to allow the traffic from wg to the DNS server .1.35.
Keep the masquerades as well; most likely the DNS has its default gateway set to .1.1, which doesn’t know about the wg subnet.

Still not working, argh.

Install tcpdump on the DietPi and on the DNS (if you can). Verify that the packets are received and sent properly.

tcpdump -i wg0 -vn -c 10 host 10.6.0.2        # from the road warrior
tcpdump -i eth0 -vn -c 10 host 192.168.1.35   # to the DNS
tcpdump -i tun0 -vn -c 10 host 8.8.4.4        # to the internet

-c 10 will stop capturing after 10 packets. You can change the host, which filters the results.

root@DietPi:~# tcpdump -i wg0 -vn -c 10 host 10.6.0.2
tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:01:44.250255 IP (tos 0x0, ttl 255, id 39139, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [SEW], cksum 0xf6ee (correct), seq 1540618455, win 65535, options [mss 1240,sackOK,TS val 1200831769 ecr 0,nop,wscale 9], length 0
10:01:44.250510 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [S.E], cksum 0xcc01 (incorrect -> 0x6f75), seq 1734323317, ack 1540618456, win 64296, options [mss 1380,sackOK,TS val 2131556691 ecr 1200831769,nop,wscale 7], length 0
10:01:44.253494 IP (tos 0x0, ttl 255, id 39140, offset 0, flags [DF], proto TCP (6), length 52)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [.], cksum 0x98bb (correct), ack 1, win 128, options [nop,nop,TS val 1200831800 ecr 2131556691], length 0
10:01:44.253499 IP (tos 0x2,ECT(0), ttl 255, id 39141, offset 0, flags [DF], proto TCP (6), length 74)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0x8fd5 (correct), seq 1:23, ack 1, win 128, options [nop,nop,TS val 1200831800 ecr 2131556691], length 22: SSH: SSH-2.0-libssh_0.9.3
10:01:44.253809 IP (tos 0x10, ttl 64, id 35517, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [.], cksum 0xcbf9 (incorrect -> 0x972b), ack 23, win 503, options [nop,nop,TS val 2131556694 ecr 1200831800], length 0
10:01:44.266840 IP (tos 0x12,ECT(0), ttl 64, id 35518, offset 0, flags [DF], proto TCP (6), length 582)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [P.], cksum 0xce0b (incorrect -> 0xd6ae), seq 1:531, ack 23, win 503, options [nop,nop,TS val 2131556707 ecr 1200831800], length 530: SSH: SSH-2.0-dropbear_2020.81
10:01:44.270030 IP (tos 0x0, ttl 255, id 39142, offset 0, flags [DF], proto TCP (6), length 52)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [.], cksum 0x966f (correct), ack 531, win 131, options [nop,nop,TS val 1200831817 ecr 2131556707], length 0
10:01:44.271847 IP (tos 0x2,ECT(0), ttl 255, id 39143, offset 0, flags [DF], proto TCP (6), length 1076)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0x0b0c (correct), seq 23:1047, ack 531, win 131, options [nop,nop,TS val 1200831818 ecr 2131556707], length 1024
10:01:44.313363 IP (tos 0x10, ttl 64, id 35519, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [.], cksum 0xcbf9 (incorrect -> 0x90cc), ack 1047, win 502, options [nop,nop,TS val 2131556754 ecr 1200831818], length 0
10:01:44.316466 IP (tos 0x2,ECT(0), ttl 255, id 39144, offset 0, flags [DF], proto TCP (6), length 100)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [P.], cksum 0xe54c (correct), seq 1047:1095, ack 531, win 131, options [nop,nop,TS val 1200831863 ecr 2131556754], length 48
10 packets captured
14 packets received by filter
0 packets dropped by kernel
root@DietPi:~# 


root@DietPi:~# tcpdump -i eth0 -vn -c 10 host 192.168.1.35
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:01:58.861083 IP (tos 0x10, ttl 64, id 42055, offset 0, flags [DF], proto TCP (6), length 164)
    192.168.1.35.22 > 192.168.1.13.53450: Flags [P.], cksum 0x8417 (incorrect -> 0x222b), seq 1493322062:1493322186, ack 1292554984, win 501, length 124
10:01:58.861591 IP (tos 0x0, ttl 47, id 27264, offset 0, flags [DF], proto UDP (17), length 139)
    190.2.138.15.1194 > 192.168.1.35.39738: UDP, length 111
10:01:58.907674 IP (tos 0x0, ttl 128, id 27886, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.13.53450 > 192.168.1.35.22: Flags [.], cksum 0x78b5 (correct), ack 124, win 8190, length 0
10:01:58.940090 IP (tos 0x0, ttl 254, id 11774, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940096 IP (tos 0x0, ttl 254, id 11778, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940100 IP (tos 0x0, ttl 254, id 11779, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940104 IP (tos 0x0, ttl 254, id 11780, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940816 IP (tos 0x0, ttl 64, id 34929, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10:01:58.940966 IP (tos 0x0, ttl 64, id 34930, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10:01:58.941091 IP (tos 0x0, ttl 64, id 34931, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
10 packets captured
15 packets received by filter
0 packets dropped by kernel
root@DietPi:~# 


root@DietPi:~# tcpdump -i tun0 -vn -c 10 host 8.8.4.4
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@DietPi:~#
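The three captures above can be read mechanically. This is an added helper, not something posted in the thread: it parses the two-line records of `tcpdump -vn`, summarises flows per interface, and reports which of the three legs carried traffic. The sample records are shortened from the captures posted above; the host addresses and ports (192.168.1.35, 10.6.0.1, udp/51820, udp/1194) are taken from this thread.

```python
import re
from collections import Counter

# In verbose tcpdump output the first line of a record carries the protocol and
# the indented continuation line carries the endpoints ("src.port > dst.port:").
HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP .*proto (\w+) \(\d+\)")
FLOW = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_capture(text):
    """Yield (proto, src, sport, dst, dport) for each packet in a `tcpdump -vn` capture."""
    proto = None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            proto = m.group(1)
            continue
        m = FLOW.match(line)
        if m and proto:
            yield proto, m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            proto = None


def summarise(captures):
    """captures maps interface name -> capture text; returns interface ->
    Counter keyed by (proto, src, dst, dport), one count per packet."""
    return {iface: Counter((p, s, d, dp) for p, s, _, d, dp in parse_capture(t))
            for iface, t in captures.items()}


def diagnose(summary, host_ips, wg_port=51820, vpn_port=1194, vpn_if="tun0"):
    """Check the three legs asked for above and return a list of findings."""
    findings = []
    wg = summary.get("wg0", Counter())
    # A road-warrior flow only needs forwarding when neither end is this host.
    if wg and not any(s not in host_ips and d not in host_ips for _, s, d, _ in wg):
        findings.append("wg0: every packet is to or from the host itself, so the "
                        "capture never exercised forwarding; retest while browsing")
    eth = summary.get("eth0", Counter())
    if not any(dp == wg_port for _, _, _, dp in eth):
        findings.append(f"eth0: no WireGuard datagrams on udp/{wg_port}")
    if not any(dp == vpn_port for _, _, _, dp in eth):
        findings.append(f"eth0: no OpenVPN datagrams on udp/{vpn_port}")
    if sum(summary.get(vpn_if, Counter()).values()) == 0:
        findings.append(f"{vpn_if}: no packets at all; forwarded client traffic never "
                        "reached the VPN tunnel")
    return findings


# Sample input: a few records shortened from the captures posted in the thread.
WG0 = """\
10:01:44.250255 IP (tos 0x0, ttl 255, id 39139, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.44010 > 192.168.1.35.22: Flags [SEW], seq 1540618455, win 65535, length 0
10:01:44.250510 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.35.22 > 10.6.0.2.44010: Flags [S.E], seq 1734323317, ack 1540618456, length 0
"""
ETH0 = """\
10:01:58.861591 IP (tos 0x0, ttl 47, id 27264, offset 0, flags [DF], proto UDP (17), length 139)
    190.2.138.15.1194 > 192.168.1.35.39738: UDP, length 111
10:01:58.940090 IP (tos 0x0, ttl 254, id 11774, offset 0, flags [DF], proto UDP (17), length 124)
    37.117.191.196.44742 > 192.168.1.35.51820: UDP, length 96
10:01:58.940816 IP (tos 0x0, ttl 64, id 34929, offset 0, flags [DF], proto UDP (17), length 113)
    192.168.1.35.39738 > 190.2.138.15.1194: UDP, length 85
"""
TUN0 = ""  # the tun0 capture in the thread ended with 0 packets

if __name__ == "__main__":
    summary = summarise({"wg0": WG0, "eth0": ETH0, "tun0": TUN0})
    for line in diagnose(summary, {"192.168.1.35", "10.6.0.1"}):
        print(line)
```

Run against these samples it reports that the wg0 capture only contains the SSH session to the host itself and that tun0 saw nothing, which is why the three captures above do not yet show where browsing from the phone fails.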