Dietpi-Vpn Issue with network traffic

What is the output of
ip -4 addr; ip -4 ro list table all; ip -4 ru
when you experience the problem?

Idk, probably it's a problem of my phone?

I’ll tell you more: even if I try to disconnect the DietPi from the Proton VPN and connect with the phone, it doesn’t work :frowning:

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.35/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
10: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.24.0.6/16 scope global tun1
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0 table 100 
0.0.0.0/1 via 10.24.0.1 dev tun1
default via 192.168.1.1 dev eth0 onlink
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.24.0.0/16 dev tun1 proto kernel scope link src 10.24.0.6
128.0.0.0/1 via 10.24.0.1 dev tun1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
190.2.138.15 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.35
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
local 10.24.0.6 dev tun1 table local proto kernel scope host src 10.24.0.6
broadcast 10.24.255.255 dev tun1 table local proto kernel scope link src 10.24.0.6
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
local 192.168.1.35 dev eth0 table local proto kernel scope host src 192.168.1.35
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.35
0:      from all lookup local
15010:  from all iif lo sport 1194 lookup 100
15010:  from all iif lo sport 51820 lookup 100
32766:  from all lookup main
32767:  from all lookup default
root@DietPi:~# 

I can see 2 rules in ip policy routing, one with source port 51820 which is for the WG server and one with source port 1194, which is another OpenVPN server to connect from the internet to your home?
I can also see tun0 and tun1, which I assume are interfaces for VPN clients upstream? Then you need for each up-script to use the correct tun interface.

So I deleted that thing for port 1194, which was just a test; for the rest, everything is configured as you told me. I didn’t touch anything else, it’s “standard” by DietPi.

I don’t understand what I should do…

# Clear this file completely, including line breaks, to have it removed.
ip route add default via 192.168.1.1 table 100
ip rule add iif lo sport 51820 lookup 100 prio 15010
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun1 -m comment --comment wireguard2openvpn-nat-rule -j MASQUERADE
iptables -A FORWARD -i tun1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun1 -j ACCEPT
iptables -A FORWARD -i tun1 -o wg0 -j ACCEPT

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.35/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
10: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.29.0.12/16 scope global tun1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.29.0.1 dev tun1 
default via 192.168.1.1 dev eth0 onlink 
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.29.0.0/16 dev tun1 proto kernel scope link src 10.29.0.12 
128.0.0.0/1 via 10.29.0.1 dev tun1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
190.2.138.15 via 192.168.1.1 dev eth0 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.35 
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1 
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
local 10.29.0.12 dev tun1 table local proto kernel scope host src 10.29.0.12 
broadcast 10.29.255.255 dev tun1 table local proto kernel scope link src 10.29.0.12 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1
local 192.168.1.35 dev eth0 table local proto kernel scope host src 192.168.1.35
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.35
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
  1. The device has multiple network interfaces:
  • eth0: Ethernet interface with IP address 192.168.1.35/24
  • tun0: OpenVPN tunnel interface with IP address 10.8.0.1/24
  • tun1: Another OpenVPN tunnel interface with IP address 10.29.0.12/16
  • wg0: WireGuard VPN interface with IP address 10.6.0.1/24
  • docker0: Docker virtual interface with IP address 172.17.0.1/16
  2. There are several routes and routing rules configured:
  • Default route via 192.168.1.1 on eth0
  • Routing for the WireGuard subnet (10.6.0.0/24) and Docker subnet (172.17.0.0/16)
  • Routing for the OpenVPN subnets (10.8.0.0/24, 10.29.0.0/16)
  3. The up.sh script is responsible for setting up additional routing and firewall rules for traffic forwarding between the WireGuard VPN (wg0) and the OpenVPN tunnel (tun1):
  • Add a default route via 192.168.1.1 in table 100
  • Add a rule for traffic with source port 51820 on the loopback interface to use table 100
  • Configure NAT for the WireGuard subnet (10.6.0.0/24) when exiting tun1
  • Configure forwarding rules to allow traffic between wg0 and tun1

Then you have to have 2 up.sh scripts, one for each OpenVPN tunnel interface.

iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun1 -m comment --comment wireguard2openvpn-nat-rule -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun1 -j ACCEPT

same for tun0
The route and rule

ip route add default via 192.168.1.1 table 100
ip rule add iif lo sport 51820 lookup 100 prio 15010

only need to be applied once during startup, in /etc/rc.local for example.
You also need the generic

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

during all times on the firewall.

Thank you for your assistance. I followed the steps you provided, and I was able to verify that the rules and routing tables were applied correctly. However, the setup still isn’t working as expected. I would like to remind you that I have only two VPNs in my setup – one inbound VPN (WireGuard) that I primarily use with my phone, and one outbound VPN (OpenVPN) connected to ProtonVPN. I didn’t include ‘tun0’ as it’s not a part of my configuration. Could you please help me identify what might be causing the issue and provide further guidance? Thanks in advance

The configuration now is this

root@DietPi:~# sudo iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 1684 packets, 298K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4983 1344K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
root@DietPi:~# ip route show table 100
default via 192.168.1.1 dev eth0
root@DietPi:~# ip rule show
0:      from all lookup local
15010:  from all iif lo sport 51820 lookup 100
32766:  from all lookup main
32767:  from all lookup default

/var/lib/dietpi/dietpi-vpn/up.sh (as shown in GNU nano 5.4):
#!/bin/bash
# Clear this file completely, including line breaks, to have it removed.
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun1 -m comment --comment wireguard2openvpn-nat-rule -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun1 -j ACCEPT



root@DietPi:~# tcpdump -i any -vn host 104.18.114.97 or host 104.18.115.97
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
23:12:55.008007 wg0   In  IP (tos 0x0, ttl 255, id 36482, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [SEW], cksum 0x59d6 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136796920 ecr 0,nop,wscale 9], length 0
23:12:55.008190 tun1  Out IP (tos 0x0, ttl 254, id 36482, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [SEW], cksum 0x59d6 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136796920 ecr 0,nop,wscale 9], length 0
23:12:55.079264 wg0   In  IP (tos 0x0, ttl 255, id 11318, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [SEW], cksum 0xc879 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136796977 ecr 0,nop,wscale 9], length 0
23:12:55.079407 tun1  Out IP (tos 0x0, ttl 254, id 11318, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [SEW], cksum 0xc879 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136796977 ecr 0,nop,wscale 9], length 0
23:12:56.087460 wg0   In  IP (tos 0x0, ttl 255, id 36483, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [S], cksum 0x5697 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136797943 ecr 0,nop,wscale 9], length 0
23:12:56.087563 tun1  Out IP (tos 0x0, ttl 254, id 36483, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [S], cksum 0x5697 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136797943 ecr 0,nop,wscale 9], length 0
23:12:56.115163 wg0   In  IP (tos 0x0, ttl 255, id 11319, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [S], cksum 0xc533 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136798007 ecr 0,nop,wscale 9], length 0
23:12:56.115307 tun1  Out IP (tos 0x0, ttl 254, id 11319, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [S], cksum 0xc533 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136798007 ecr 0,nop,wscale 9], length 0
23:12:58.161867 wg0   In  IP (tos 0x0, ttl 255, id 36484, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [S], cksum 0x4e97 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136799991 ecr 0,nop,wscale 9], length 0
23:12:58.161870 wg0   In  IP (tos 0x0, ttl 255, id 11320, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [S], cksum 0xbd33 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136800055 ecr 0,nop,wscale 9], length 0
23:12:58.162019 tun1  Out IP (tos 0x0, ttl 254, id 36484, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46744 > 104.18.115.97.443: Flags [S], cksum 0x4e97 (correct), seq 2446611942, win 65535, options [mss 1240,sackOK,TS val 1136799991 ecr 0,nop,wscale 9], length 0
23:12:58.162038 tun1  Out IP (tos 0x0, ttl 254, id 11320, offset 0, flags [DF], proto TCP (6), length 60)
    10.6.0.2.46754 > 104.18.115.97.443: Flags [S], cksum 0xbd33 (correct), seq 1153381397, win 65535, options [mss 1240,sackOK,TS val 1136800055 ecr 0,nop,wscale 9], length 0

root@DietPi:~# iptables-save -c
# Generated by iptables-save v1.8.7 on Mon Apr 10 23:13:29 2023
*mangle
:PREROUTING ACCEPT [15058:4059233]
:INPUT ACCEPT [13453:3000215]
:FORWARD ACCEPT [1597:1058618]
:OUTPUT ACCEPT [12806:3242698]
:POSTROUTING ACCEPT [14507:4315957]
COMMIT
# Completed on Mon Apr 10 23:13:29 2023
# Generated by iptables-save v1.8.7 on Mon Apr 10 23:13:29 2023
*filter
:INPUT ACCEPT [2660:429852]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12806:3242698]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[10793:2570363] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[1597:1058618] -A FORWARD -j DOCKER-USER
[1597:1058618] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[805:822693] -A FORWARD -d 10.6.0.0/24 -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
[443:104264] -A FORWARD -s 10.6.0.0/24 -i wg0 -o eth0 -m comment --comment wireguard-forward-rule -j ACCEPT
[349:131661] -A FORWARD -i wg0 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[1597:1058618] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[1597:1058618] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Apr 10 23:13:29 2023
# Generated by iptables-save v1.8.7 on Mon Apr 10 23:13:29 2023
*nat
:PREROUTING ACCEPT [325:63220]
:INPUT ACCEPT [232:27201]
:OUTPUT ACCEPT [1803:140607]
:POSTROUTING ACCEPT [1011:92129]
:DOCKER - [0:0]
[106:10916] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[60:4106] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[18:13260] -A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
[859:70837] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9002 -j DNAT --to-destination 172.17.0.2:9000
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.3:3000
COMMIT
# Completed on Mon Apr 10 23:13:29 2023
root@DietPi:~#

I don’t see any of the iptables rules from the up script applied.
Check if the file is executable and use absolute paths, i.e. /usr/sbin/iptables

1 Like
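A post-boot self-check for this setup, added here as an example (it is not code from the thread, from DietPi, or from either poster). It covers both the explanation above of what belongs in up.sh versus rc.local and the diagnosis that the up.sh rules never reached the running ruleset: it verifies the sport-51820 rule and the table-100 default route, lists which up.sh iptables rules are absent from `iptables-save` output, and checks the two things suggested as the fix, namely the executable bit and absolute command paths. Values are assumed from the thread: WireGuard subnet 10.6.0.0/24 on port 51820, tunnel interface tun1, script path /var/lib/dietpi/dietpi-vpn/up.sh. The embedded sample outputs are constructed to mirror the post in which policy routing was fine but the up.sh rules were missing.

```shell
#!/bin/sh
# Added example for the DietPi WireGuard-behind-OpenVPN thread; not the project's code.
# Assumed values (taken from the thread, adjust for your host):
WG_SUBNET=10.6.0.0/24
WG_PORT=51820
TUN_IF=tun1
UP_SCRIPT=/var/lib/dietpi/dietpi-vpn/up.sh

# Constructed sample output, modelled on the thread: the policy-routing rule and
# table 100 are present, but none of the up.sh rules made it into the ruleset.
SAMPLE_RULES='0:      from all lookup local
15010:  from all iif lo sport 51820 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE100='default via 192.168.1.1 dev eth0'
SAMPLE_SAVE='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
COMMIT'

# has_line TEXT NEEDLE: succeed if some line of TEXT contains NEEDLE verbatim.
# Fixed-string matching (-F) so rule text with '-' and '/' is taken literally.
has_line() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# check_policy_routing RULES TABLE100: the "iif lo sport $WG_PORT" rule must exist
# and table 100 must hold a default route, otherwise replies from the WireGuard
# server itself would follow 0.0.0.0/1 + 128.0.0.0/1 into the OpenVPN tunnel.
check_policy_routing() {
  has_line "$1" "iif lo sport $WG_PORT lookup 100" && has_line "$2" 'default via '
}

# missing_up_rules SAVE: print one line per up.sh rule that is absent from
# iptables-save output; succeed only when nothing is missing.
missing_up_rules() {
  n=0
  has_line "$1" "-s $WG_SUBNET -o $TUN_IF -m comment --comment wireguard2openvpn-nat-rule -j MASQUERADE" ||
    { echo "missing: NAT for $WG_SUBNET out of $TUN_IF"; n=$((n + 1)); }
  has_line "$1" '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' ||
    { echo "missing: FORWARD accept for RELATED,ESTABLISHED"; n=$((n + 1)); }
  has_line "$1" "-A FORWARD -i wg0 -o $TUN_IF -j ACCEPT" ||
    { echo "missing: FORWARD accept wg0 -> $TUN_IF"; n=$((n + 1)); }
  [ "$n" -eq 0 ]
}

# audit_up_script PATH: the script must be executable and, as the fix in the
# thread notes, must not rely on PATH lookup for iptables/ip.
audit_up_script() {
  ok=0
  [ -x "$1" ] || { echo "$1 is not executable (chmod +x it)"; ok=1; }
  if [ -r "$1" ] && grep -Eq '^[[:space:]]*(ip|iptables) ' "$1"; then
    echo "$1 calls ip/iptables by bare name; use /usr/sbin/iptables and /usr/sbin/ip"
    ok=1
  fi
  return $ok
}

# With --live (as root) read the real kernel state; otherwise run on the samples.
if [ "${1:-}" = --live ]; then
  check_policy_routing "$(ip -4 rule show)" "$(ip -4 route show table 100)" || echo "policy routing incomplete"
  missing_up_rules "$(iptables-save)" || echo "up.sh rules are not in the running ruleset"
  audit_up_script "$UP_SCRIPT" || true
else
  check_policy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE100" && echo "sample: policy routing OK"
  missing_up_rules "$SAMPLE_SAVE" || echo "sample: up.sh rules are not in the running ruleset"
fi
```

Run it without arguments to see the checks applied to the constructed sample, or as `sh check.sh --live` on the DietPi host (as root) to audit the real ruleset and script. The matching is deliberately literal against `iptables-save` text, so a rule written with `-m conntrack --ctstate` instead of `-m state --state` would be reported as missing; edit the needles if your up.sh uses the other form.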

Thank you sorry if I made you bored, now everything works fine, you have been very kind thanks we can close this issue

1 Like

I’m glad we sorted it out :slight_smile:

1 Like

thx for your continued support. @trendy

2 Likes