PiVPN only working after debug has been run, after DietPi reboot?

Hi,

I’ve recently installed PiVPN with dietpi-software on my Raspberry Pi 4b where it runs beside AdGuard Home, and generally it works fine. I’ve established successful remote VPN connections to my “home lab” with it.

However, each time I reboot DietPi, it stops working?

When I run systemctl status wg-quick@wg0.service to check whether Wireguard gets launched on start up, it states that it’s indeed active.

Now, when I run pivpn -d to debug, I each time get the same error:

:: [ERR] Ufw input rule is not set, attempt fix now? [Y/n]

When I confirm with Y, it skips everything and simply relaunches Ufw, which I use as firewall:

Skipping inserting existing rule
Skipping adding existing rule (v6)
Firewall reloaded

It already did all the changes previously, but I get this error each time I reboot DietPi and run pivpn -d.
Now, after it has skipped the Ufw changes and relaunched the firewall, the VPN service magically starts to work? I don’t get why.

Here’s the output from cat /etc/pivpn/wireguard/setupVars.conf:

PLAT=Debian
OSCN=bullseye
USING_UFW=1
IPv4dev=eth0
IPv6dev=eth0
dhcpReserv=1
IPv4addr=192.168.178.18/24
IPv4gw=192.168.178.1
install_user=pivpn
install_home=/home/pivpn
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.62.95.1
pivpnDNS2=
pivpnHOST=83.99.12.148
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.62.95.0
subnetClass=24
pivpnenableipv6=1
pivpnNETv6="fd11:5ee:bad:c0de::"
subnetClassv6=64
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=()

Here’s the ufw status output:

51820/udp ALLOW Anywhere ← PiVPN
SSH ALLOW Anywhere
WWW Full ALLOW Anywhere
AdGuard Home Full ALLOW Anywhere
AdGuard Home Web Panel ALLOW Anywhere
8090/tcp ALLOW Anywhere
SSH (v6) ALLOW Anywhere (v6)
WWW Full (v6) ALLOW Anywhere (v6)
AdGuard Home Full (v6) ALLOW Anywhere (v6)
AdGuard Home Web Panel (v6) ALLOW Anywhere (v6)
8090/tcp (v6) ALLOW Anywhere (v6)
51820/udp (v6) ALLOW Anywhere (v6) ← PiVPN

Anywhere on eth0 ALLOW FWD 10.62.95.0/24 on wg0 ← PiVPN

I usually login as root, but have installed PiVPN for another user pivpn, who currently doesn’t have sudo privileges.

Any help is appreciated!

Did you try giving sudo permission to the pivpn user? And you could ask on the PiVPN GitHub for the reason why PiVPN is not starting with a ufw firewall. Also, did you check the status of the ufw service after reboot? Or have a look into the system log with journalctl after reboot for error messages.


Did you try disabling ufw, restarting AdGuard and then enabling ufw again? Because I always need to do that with Pi-hole when I reboot my Pi, otherwise PiVPN doesn't work after the reboot.


Yes, I tried that yesterday, but it didn’t really change anything.

Yes, that’s what I posted above. Sorry for not being clearer.

I have now. Right after reboot there doesn't seem to be anything out of the ordinary. There's no mention of anything related to Ufw.
When I run pivpn -d, confirm to proceed with the Ufw changes that have already been inserted previously, and re-run journalctl, it outputs this:

[UFW BLOCK] IN=eth0 OUT= MAC=… SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=28618 DF PROTO=2
[UFW BLOCK] IN=eth0 OUT= MAC=… SRC=192.168.178.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=50362 DF PROTO=2

It's a little hard for me to say whether that's okay or not, to be honest. (I've omitted the MAC addresses.)

I did just now, and after that PiVPN started to work, just like when I run dietpi -d which doesn’t do anything, except also relaunching Ufw.
However, the problem re-emerges once I reboot DietPi.

Yes, reload ufw seems to do the trick in my case. After that the VPN works fine! Curious…

Hmm, maybe ufw is starting too early and could not succeed? Looking at the system log, do you see ufw starting somewhere during the boot process?

Anyway, maybe it would be good to ask about this behavior on the PiVPN GitHub.


Regarding Pi-hole (even if not related to this issue), it is important to set the interface to "Permit all origins".

This way Pi-hole was working after a reboot for VPN clients as well.

How can I do that on DietPi?

You already did :wink: Usually you should see the services starting in

journalctl 

same as on other Debian based systems.


Haha, my bad. Thanks. :slight_smile:

Hm, I can't seem to find ufw here. WireGuard, AdGuard Home, etc. are all listed though.

Uninstalling iptables-persistent and its dependencies solved the issue for me:

sudo apt remove iptables-persistent
sudo apt autoremove

I found the solution here, but am unsure about the repercussions of doing this.

Thanks for all your help @Joulinar and @Ake2!

Usually iptables-persistent is used to restore the iptables configuration on reboot. But I'm not sure if this is needed for PiVPN to work together with ufw.


OK, I hope I haven’t exposed a vulnerability, but it solved the VPN problem.
Thanks for pointing out what iptables-persistent is about.

iptables-persistent and ufw are conflicting. They basically do the same thing: store the iptables rules on shutdown and restore them on boot. If they run concurrently: havoc!

The PiVPN installer actually detects ufw and installs iptables-persistent only if no ufw is present.

However, removing iptables-persistent is hence the right solution.

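As an added example (not code from this thread or from the PiVPN project), here is a small POSIX shell check that captures what the thread ends up diagnosing: whether the two PiVPN rules are present in ufw status output, and whether ufw and iptables-persistent are both installed and therefore fighting over the rule set. The ufw status and dpkg-query output below is constructed so the script runs offline; the rule matching assumes ufw's usual "# comment" suffix format.

```shell
#!/bin/sh
# Added diagnostic for the ufw / iptables-persistent situation above.
# Sample inputs are constructed to mirror the thread (real output would
# come from `ufw status` and `dpkg-query -W -f='${Package} ${Status}\n'`).

# Constructed sample of `ufw status` as shown in the thread.
SAMPLE_UFW='51820/udp ALLOW Anywhere # PiVPN
SSH ALLOW Anywhere
Anywhere on eth0 ALLOW FWD 10.62.95.0/24 on wg0 # PiVPN'

# Constructed sample of `dpkg-query -W -f='${Package} ${Status}\n'`.
SAMPLE_DPKG='iptables-persistent install ok installed
netfilter-persistent install ok installed
ufw install ok installed
wireguard-tools install ok installed'

# Returns 0 when both PiVPN rules (port allow and wg0 forward) appear in
# the given ufw status text, 1 otherwise.
# Args: ufw_text port proto vpn_net vpn_dev
pivpn_rules_present() {
    ufw_text=$1; port=$2; proto=$3; net=$4; dev=$5
    printf '%s\n' "$ufw_text" | grep -q "^$port/$proto .*ALLOW" || return 1
    printf '%s\n' "$ufw_text" | grep -q "ALLOW FWD $net on $dev" || return 1
    return 0
}

# Returns 0 (conflict) when ufw and iptables-persistent are both installed.
persistence_conflict() {
    dpkg_text=$1
    printf '%s\n' "$dpkg_text" | grep -q '^ufw .*installed$' || return 1
    printf '%s\n' "$dpkg_text" | grep -q '^iptables-persistent .*installed$' || return 1
    return 0
}

# Run against the constructed samples. On a real Pi, swap in:
#   pivpn_rules_present "$(ufw status)" 51820 udp 10.62.95.0/24 wg0
#   persistence_conflict "$(dpkg-query -W -f='${Package} ${Status}\n')"
if pivpn_rules_present "$SAMPLE_UFW" 51820 udp 10.62.95.0/24 wg0; then
    echo "PiVPN ufw rules present"
else
    echo "PiVPN ufw rules missing: run pivpn -d or re-add them"
fi
if persistence_conflict "$SAMPLE_DPKG"; then
    echo "ufw and iptables-persistent are both installed: keep only one"
fi
```

The port, network and interface arguments are the values from setupVars.conf in the first post; pass your own when running on a different install.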