Need help with wireguard

Hello all,

I have a working wireguard server running and I can connect to it without any problems.

But when I start in parallel an openvpn connection

sudo openvpn --daemon client --log /var/log/vpn.log --config [myconfig]

the wireguard connection drops and I can’t connect …

what is wrong?

Can you please fill out the troubleshoot template and provide more info.
Did you install it both via dietpi-software?
And you run openvpn connection via dietpi-vpn?
If yes the killswitch is enabled and will block any other connection than the one VPN connection.

See here my detailed report @Jappe

Creating a bug report/issue

I have searched the existing open and closed issues

Required Information

  • DietPi version |
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=25
    G_DIETPI_VERSION_RC=1
    G_GITBRANCH='master'
    G_GITOWNER='MichaIng'

  • Distro version |
    bookworm

  • Kernel version |
    Linux pihole 5.10.160 #1 SMP Tue Jul 4 15:42:58 CST 2023 aarch64 GNU/Linux

  • Architecture |
    arm64

  • SBC model |
    NanoPi R5S/R5C (aarch64)

  • Power supply used |
    5V3A

  • SD card used |
    onboard eMMC

Additional Information (if applicable)

  • Software title |
    wireguard, openvpn
    both installed via dietpi-software, not using dietpi-vpn, no killswitch enabled

I also installed ddclient and configured a desecdyn address because I am behind a DS-Lite connection, so I need an IPv6 connection

Steps to reproduce

wireguard installation worked perfectly
here is my wg0.conf

[Interface]
Address = 10.0.0.1/24
PrivateKey = [privatekey]
ListenPort = 51820

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = sysctl net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE

# Client 1
[Peer]
PublicKey = [publickey]
AllowedIPs = 10.0.0.2/32

and here is my client1.conf

[Interface]
Address = 10.0.0.2/32
PrivateKey = [privatekey]

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 192.168.178.43

# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = [publickey]
# Tunnel all network traffic through the VPN:
#	AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
#	AllowedIPs = 192.168.178.0/24
# Tunnel access to VPN server only:
#	AllowedIPs = 192.168.178.43/32
AllowedIPs = 192.168.178.43/32
Endpoint = [myddns]:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
#PersistentKeepalive = 25

when I start an openvpn connection with

sudo openvpn --daemon client --log /var/log/vpn.log --config [myconfig]

using a PIA vpn file my wireguard connection is not working anymore

Expected behaviour

working wireguard connection

Probably your complete internet traffic gets routed via openVPN, when you activate it. Same should happen the other way around?!

So can you explain your use case in more detail?

You use wireguard to connect to the internet and with openVPN you want to connect to another network, but internet traffic should stay in the wireguard tunnel?

I want to have a wifi hotspot which is then connected to the vpn so I can easily use the PIA network via hotspot…

And for what is the wireguard connection?

The problem is that both VPNs have rules to route everything over their own tunnel, you would need to modify your iptables / routing to declare what you wanna route to which destination.

Yes, I understood this …

can you help me with creating the tunnels? I am not really familiar with ip routing

Me neither, but @trendy can maybe help.

Searching the forum should help sometimes. We have quite a lot of similar request where split tunnel is setup.

Hello Joulinar, I searched but haven’t found anything, maybe you can direct me to the post?

e.g. Wireguard server + OpenVPN client, again


Yes, when you fire up a vpn client connection, all outgoing traffic will use that uplink, so you need to exclude the vpn server traffic by using a policy routing rule, with ip rule add ... in the postup scripts of the vpn client. There are some other threads mentioned with the same problem, so if you cannot work it out, let us know to help you here.


I have the problem that I read all these guides but my situation is a little bit different because I am using IPv6 and all posts are about IPv4, and the dyndns is then via the router but my client has directly a dyndns address…

I was born and studied in an IPv4 world so I have no clue about the IPv6 stuff…

I know what to do… so I need to reroute the traffic from wireguard via my IPv6 address, is my understanding correct?

Hello all.

this is what I tried: this solution

In short: The solution
Create a new routing table:

ip route add default via 192.168.178.43 dev eth0 table 7
ip rule add fwmark 0x55 priority 1000 table 7
ip route flush cache
Where v is the IP of your external interface (eth0). Now add this to your wg0.conf:

FwMark = 0x55
Now you will be able to connect to your home-server via WireGuard even when it's OpenVPN tunnel is open.

and also this solution

FwMark = 51820

# forwarding
PostUp  = iptables -A FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PostUp  = iptables -A FORWARD -i %i -j ACCEPT
PostUp  = iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp  = iptables -A FORWARD -j REJECT
PreDown = iptables -D FORWARD -o eth0 ! -d 192.168.178.0/24 -j REJECT
PreDown = iptables -D FORWARD -i %i -j ACCEPT
PreDown = iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D FORWARD -j REJECT

# NAT
PostUp  = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp  = iptables -t nat -A POSTROUTING -o vpn-client -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o vpn-client -j MASQUERADE

but no solution worked so far…

I guess because I am using a DS-Lite and IPv6 connection I need sth. in my ipv6 tables?

Is this right? But I have absolutely no clue what, because I have never worked with iptables or routing.

Therefore your help is really appreciated @trendy

I guess I need sth. similar but in IPv6 language

means this in descriptive language

ip -6 route add default via [myipv6address] dev eth0 table 7
ip -6 rule add fwmark 0x55 priority 1000 table 7
ip -6 route flush cache

but how do I write this correctly?
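One way to write the IPv6 version asked for above, as an added example that is not part of the thread: a small Python helper that renders the FwMark plus PostUp/PostDown policy-routing lines for wg0.conf for both address families, and a checker that reads `ip rule show` / `ip -6 rule show` output and confirms a rule sends the configured mark to the chosen table. The gateway addresses, table number and mark are constructed assumptions (the IPv6 next hop is normally the router's link-local fe80:: address, which is why `dev eth0` is always given); the FwMark in wg0.conf and the fwmark in the ip rule must be the same value, which is exactly what the checker verifies.

```python
# Added example (not from the thread): render wg0.conf PostUp/PostDown lines
# that pin WireGuard's own marked UDP traffic to the physical uplink
# (table 7, fwmark 0x55 as in the quoted solution) for IPv4 and IPv6, and
# check "ip rule show" output for a rule that matches the FwMark actually set.
import re

def policy_routing_lines(iface, table, fwmark, gw4=None, gw6=None):
    """Return wg0.conf lines: FwMark plus PostUp/PostDown policy-routing commands.
    gw4/gw6 are the uplink gateways; for IPv6 that is usually the router's
    link-local fe80:: address, so 'dev iface' is always included."""
    up, down = [], []
    for fam, gw in (("4", gw4), ("6", gw6)):
        if gw is None:
            continue
        up.append(f"ip -{fam} route add default via {gw} dev {iface} table {table}")
        up.append(f"ip -{fam} rule add fwmark {fwmark:#x} priority 1000 table {table}")
        down.append(f"ip -{fam} rule del fwmark {fwmark:#x} priority 1000 table {table}")
        down.append(f"ip -{fam} route del default via {gw} dev {iface} table {table}")
    lines = [f"FwMark = {fwmark:#x}"]
    lines += [f"PostUp = {cmd}" for cmd in up]
    lines += [f"PostDown = {cmd}" for cmd in down]
    return lines

# iproute2 prints e.g. "1000:\tfrom all fwmark 0x55 lookup 7" (optionally with a /mask)
RULE_RE = re.compile(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)(?:/\S+)?\s+lookup\s+(\S+)")

def rule_present(ip_rule_output, fwmark, table):
    """True if the 'ip [-6] rule show' output has a rule sending fwmark to table.
    The mark is compared numerically, so 0x55 and 85 match but 51820 does not."""
    for line in ip_rule_output.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group(1), 0) == fwmark and m.group(2) == str(table):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values: placeholder gateways, not the poster's.
    for line in policy_routing_lines("eth0", 7, 0x55, "192.168.178.1", "fe80::1"):
        print(line)
    sample = ("0:\tfrom all lookup local\n"
              "1000:\tfrom all fwmark 0x55 lookup 7\n"
              "32766:\tfrom all lookup main\n")
    print(rule_present(sample, 0x55, 7))   # True
    print(rule_present(sample, 51820, 7))  # False: FwMark = 51820 would not hit the 0x55 rule
```

Run `ip -6 rule show` and `ip -6 route show table 7` after `wg-quick up wg0` and feed the first into `rule_present` to confirm the mark and table line up before starting the OpenVPN client.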

Let’s take a step back and a deep breath.
Does the wireguard work fine if there is no vpn client enabled?
Does the ddns resolve into an IPv6 or IPv4 (or both)?
Lan hosts use the dietpi or some ISP router as gateway?

Does the wireguard work fine if there is no vpn client enabled? Yes
Does the ddns resolve into an IPv6 or IPv4 (or both)? IPv6
Lan hosts use the dietpi or some ISP router as gateway?
I didn’t understand it completely, but the nano r5c is connected with a Fritzbox and the Fritzbox is connected with an ISP DS-Lite tunnel. And yes, I run pihole on it, therefore other devices connect to the nano r5c.

You can check the gateway on a lan host. route print in windows, look for destination 0.0.0.0 Netmask 0.0.0.0, or ip -4 route show | grep default

default via 192.168.178.1 dev eth1

Is this .178.1 the dietpi or the ISP router?
Do lan hosts have also IPv6 configured or only IPv4?
Does the VPN tunnel client offer IPv6 as well or only IPv4?

Is this .178.1 the dietpi or the ISP router?

ISP router

Do lan hosts have also IPv6 configured or only IPv4?

Both ipv4 and ipv6

Does the VPN tunnel client offer IPv6 as well or only IPv4?

Only IPv4, it’s Private Internet Access with their VPN files