PiVPN only working after debug has been run, after DietPi reboot?


I’ve recently installed PiVPN with dietpi-software on my Raspberry Pi 4b where it runs beside AdGuard Home, and generally it works fine. I’ve established successful remote VPN connections to my “home lab” with it.

However, each time I reboot DietPi, it stops working?

When I run systemctl status wg-quick@wg0.service to check whether Wireguard gets launched on start up, it states that it’s indeed active.

Now, when I run pivpn -d to debug, I each time get the same error:

:: [ERR] Ufw input rule is not set, attempt fix now? [Y/n]

When I confirm with Y, it skips everything and simply relaunches Ufw, which I use as firewall:

Skipping inserting existing rule
Skipping adding existing rule (v6)
Firewall reloaded

It already did all the changes previously, but I get this error each time I reboot DietPi and run pivpn -d.
Now, after it has skipped the Ufw changes and relaunched the firewall, the VPN service magically starts to work? I don’t get why.

Here’s the output from cat /etc/pivpn/wireguard/setupVars.conf:

ALLOWED_IPS=“, ::0/0”

Here’s the ufw status output:

51820/udp ALLOW Anywhere ← PiVPN
SSH ALLOW Anywhere
WWW Full ALLOW Anywhere
AdGuard Home Full ALLOW Anywhere
AdGuard Home Web Panel ALLOW Anywhere
8090/tcp ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
WWW Full (v6) ALLOW Anywhere (v6)
AdGuard Home Full (v6) ALLOW Anywhere (v6)
AdGuard Home Web Panel (v6) ALLOW Anywhere (v6)
8090/tcp (v6) ALLOW Anywhere (v6)
51820/udp (v6) ALLOW Anywhere (v6) ← PiVPN

Anywhere on eth0 ALLOW FWD on wg0 ← PiVPN

I usually login as root, but have installed PiVPN for another user pivpn, who currently doesn’t have sudo privileges.

Any help is appreciated!

did you tried to give sudo permission to the pivpn user? And you could ask on PiVPN GitHub for the reason why PiVPN is not starting using a ufw firewall. As well, did you checked the status of ufw service after reboot? Or have a look into into system log journalctl after reboot for error messages.

1 Like

Do you try disable ufw and restart adguard and then enable ufw again? because i need to do that with pihole always when i reboot my pi because when i reboot my pi then pivpn doesnt work

1 Like

Yes, I tried that yesterday, but it didn’t really change anything.

Yes, that’s what I posted above. Sorry for not being clearer.

I have now. Right after reboot there doesn’t seem to anything out of the ordinary. There’s no mention of anything related to Ufw.
When I run pivpn -d, conform to proceed with the Ufw changes that have already been previously inserted, and re-run journctl, it outputs this:

[UFW BLOCK] IN=eth0 OUT= MAC=… SRC= DST= LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=28618 DF PROTO=2
[UFW BLOCK] IN=eth0 OUT= MAC=… SRC= DST= LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=50362 DF PROTO=2

It’s a little hard for me to say, whether that’s okay or not, to be honest. (I’ve omitted the MAC addresses.)

I did just now, and after that PiVPN started to work, just like when I run dietpi -d which doesn’t do anything, except also relaunching Ufw.
However, the problem re-emerges once I reboot DietPit.

Yes, reload ufw seems to do the trick in my case. After that the VPN works fine! Curious…

hmm maybe ufw is starting to early and could not success? Looking to system log, do you see ufw starting somewhere during the boot process?

Anyway maybe it would be good to ask on this behavior on PiVPN GitHub

Regarding PiHole (even if not related to this issue), it is important to set the interface to Permit all origins

This way PiHole was working on a reboot for VPN clients as well.

How can I do that on DietPi?

you already did :wink: Usually you should see the services starting.


same as on other Debian based systems.

1 Like

Haha, my bad. Thanks. :slight_smile:

Hm, I can’t seem to find ufw here. Wireguard, AdGuard home, etc. are all listed though.

Uninstalling iptables-persistent and its dependencies solved the issue for me:

sudo apt remove iptables-persistent
sudo apt autoremove

I found the solution here, but am unsure about the repercussions of doing this.

Thanks for all your help @Joulinar and @Ake2!

Usually iptables-persistent is used to restore iptables configuration on reboot. But not sure of this is needed for PiVPN to work together with ufw.

1 Like

OK, I hope I haven’t exposed a vulnerability, but it solved the VPN problem.
Thanks for pointing out what iptables-persistent is about.

iptables-persistent and ufw are conflicting. They basically do the same: Store the iptables on shutdown and restore on boot. If they run concurrently: havoc!

The PiVPN installer actually detects ufw and installs iptables-persistent only if no ufw is present.

However, removing iptables-persistent is hence the right solution.