Can you please fill out the troubleshoot template and provide more info.
Did you install both via dietpi-software?
And do you run the OpenVPN connection via dietpi-vpn?
If yes, the killswitch is enabled and will block any connection other than the one VPN connection.
I have searched the existing open and closed issues
Required Information
DietPi version:
G_DIETPI_VERSION_CORE=8
G_DIETPI_VERSION_SUB=25
G_DIETPI_VERSION_RC=1
G_GITBRANCH='master'
G_GITOWNER='MichaIng'
Distro version: bookworm
Kernel version: Linux pihole 5.10.160 #1 SMP Tue Jul 4 15:42:58 CST 2023 aarch64 GNU/Linux
Architecture: arm64
SBC model: NanoPi R5S/R5C (aarch64)
Power supply used: 5V3A
SD card used: onboard eMMC
Additional Information (if applicable)
Software title: wireguard, openvpn
Both installed via dietpi-software, not using dietpi-vpn, no killswitch enabled.
I also installed ddclient and configured a desecdyn address, because I am behind a DS-Lite connection, so I need an IPv6 connection.
Steps to reproduce
WireGuard installation worked perfectly.
here is my wg0.conf
[Interface]
Address = 10.0.0.1/24
PrivateKey = [privatekey]
ListenPort = 51820
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = sysctl net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
# Client 1
[Peer]
PublicKey = [publickey]
AllowedIPs = 10.0.0.2/32
and here is my client1.conf
[Interface]
Address = 10.0.0.2/32
PrivateKey = [privatekey]
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.178.43
# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = [publickey]
# Tunnel all network traffic through the VPN:
# AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
# AllowedIPs = 192.168.178.0/24
# Tunnel access to VPN server only:
# AllowedIPs = 192.168.178.43/32
AllowedIPs = 192.168.178.43/32
Endpoint = [myddns]:51820
# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25
Probably your complete internet traffic gets routed via openVPN, when you activate it. Same should happen the other way around?!
So can you explain your use case in more detail?
You use WireGuard to connect to the internet and with OpenVPN you want to connect to another network, but internet traffic should stay in the WireGuard tunnel?
The problem is that both VPNs have rules to route everything over their own tunnel, you would need to modify your iptables / routing to declare what you wanna route to which destination.
Yes, when you fire up a vpn client connection, all outgoing traffic will use that uplink, so you need to exclude the vpn server traffic by using a policy routing rule, with ip rule add ... in the postup scripts of the vpn client. There are some other threads mentioned with the same problem, so if you cannot work it out, let us know to help you here.
I have the problem that I read all these guides, but my situation is a little bit different because I am using IPv6 and all posts are about IPv4, and the dyndns is then via the router, but my client has directly a dyndns address...
I was born and studied in an IPv4 world, so I have no clue about the IPv6 stuff...
I know what to do... so I need to reroute the traffic from WireGuard via my IPv6 address, is my understanding correct?
In short: The solution
Create a new routing table:
ip route add default via 192.168.178.43 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache
Where v is the IP of your external interface (eth0). Now add this to your wg0.conf:
FwMark = 0x55
Now you will be able to connect to your home-server via WireGuard even when it's OpenVPN tunnel is open.
and also this solution
FwMark = 51820
# forwarding
PostUp = iptables -A FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -A FORWARD -j REJECT
PreDown = iptables -D FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -j REJECT
# NAT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o vpn-client -j MASQUERADE
But no solution worked so far...
I guess because I am using a DS-Lite and IPv6 connection I need something in my ip6tables?
Is this right? But I have absolutely no clue what, because I never worked with iptables or routing.
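The quoted solution shows the policy-routing step for IPv4 only. Below is an added example (not from this thread or from DietPi) that performs the same step for both IPv4 and IPv6 as a PostUp/PreDown script: WireGuard's own encrypted UDP packets carry the FwMark, a rule sends marked packets to a table whose only route is the physical uplink, so they bypass the default route an OpenVPN client installs. It assumes FwMark = 0x55 in wg0.conf, uplink eth0, table 7, and constructed placeholder gateways (the IPv6 next hop is normally the router's link-local address from `ip -6 route show default`); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: policy routing so WireGuard's UDP packets leave via the physical
# uplink even while an OpenVPN client owns the default route, for IPv4 and IPv6.
# Assumptions: FwMark = 0x55 in wg0.conf, uplink eth0, routing table 7,
# gateways supplied by the caller. DRY_RUN=1 prints instead of executing.
set -eu

MARK="${MARK:-0x55}"    # must equal FwMark in wg0.conf
TABLE="${TABLE:-7}"
PRIO="${PRIO:-1000}"    # lower number than the main-table lookup (32766)

# Run a command, or print it when DRY_RUN=1 (lets the script be tested offline).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# wg_uplink_rules add|del FAMILY UPLINK GATEWAY
#   FAMILY is 4 or 6; GATEWAY is the next hop on UPLINK (for IPv6 usually the
#   router's fe80:: link-local address learned from router advertisements).
wg_uplink_rules() {
    action=$1 family=$2 uplink=$3 gateway=$4
    case $family in 4|6) ;; *) echo "family must be 4 or 6" >&2; return 2;; esac
    # TABLE holds a single route: default via the physical uplink.
    run ip -"$family" route "$action" default via "$gateway" dev "$uplink" table "$TABLE"
    # Marked packets consult TABLE before the main table, so they skip the
    # 0.0.0.0/1 + 128.0.0.0/1 (or ::/1) routes an OpenVPN client pushes.
    run ip -"$family" rule "$action" fwmark "$MARK" priority "$PRIO" table "$TABLE"
    run ip -"$family" route flush cache
}

# Wiring in wg0.conf (hypothetical path):
#   PostUp  = /usr/local/sbin/wg-uplink.sh add
#   PreDown = /usr/local/sbin/wg-uplink.sh del
# Gateways below are constructed placeholders; take the real ones from
# `ip route show default` and `ip -6 route show default`.
main() {
    action=${1:-add}
    wg_uplink_rules "$action" 4 eth0 192.168.178.1
    wg_uplink_rules "$action" 6 eth0 fe80::1
}

# Run only when invoked with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Check the result with `ip -6 rule show` and `ip -6 route show table 7`; the rule line must list the same fwmark value that `wg show wg0 fwmark` reports.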
Let's take a step back and a deep breath.
Does WireGuard work fine if there is no VPN client enabled?
Does the DDNS resolve into an IPv6 or IPv4 (or both)?
Do LAN hosts use the DietPi or some ISP router as gateway?
Does WireGuard work fine if there is no VPN client enabled? Yes
Does the DDNS resolve into an IPv6 or IPv4 (or both)? IPv6
Do LAN hosts use the DietPi or some ISP router as gateway? I didn't understand it completely, but the NanoPi R5C is connected to a Fritzbox and the Fritzbox is connected to an ISP DS-Lite tunnel. And yes, I run Pi-hole on it, therefore other devices connect to the NanoPi R5C.
Is this .178.1 the dietpi or the ISP router?
Do LAN hosts also have IPv6 configured or only IPv4?
Does the VPN tunnel client offer IPv6 as well or only IPv4?