Set up VPN for WAN out only

Hi, I’d like to set up a VPN for WAN traffic only (if possible for some specific applications only), but if that’s not possible, I’d be ok with all WAN out traffic.

My VPN provider offers Ubuntu, Fedora and CentOS configs, but I believe that none of those fit the DietPi distro (correct me if I’m wrong). Anyway, I can always use a manual OpenVPN config as a workaround.

Also, I need to keep SSH on the local network, otherwise I’d lose access to my server.

Is this something possible? Thank you.

dietpi-vpn supports ovpn files for config.
To exclude local traffic you need to modify your OpenVPN config. Private / local IP ranges go through your default interface and the rest is routed through the virtual VPN interface.
See the following link for information:
https://stackoverflow.com/questions/70224509/exclude-ip-from-openvpn-route

It’s also possible to route only app-specific traffic through the VPN interface, but it needs some work.
If the app runs on its own port you can mark this kind of traffic and then route all marked traffic through the VPN. This can be done with iptables rules, see:
https://www.privateproxyguide.com/using-iptables-to-route-specific-traffic-through-a-vpn/

Ok, first things first, I’m trying to get all traffic to go through the VPN and so far I seem to have accomplished it with the config, to which I added these 3 lines that should keep the LOCAL traffic (these are my vlans) out of it:

route 10.0.2.0 255.255.255.0 net_gateway
route 10.0.3.0 255.255.255.0 net_gateway
route 192.168.2.0 255.255.255.0 net_gateway

However, after applying it, I could see that WAN in the server is in fact using the VPN and I’m still able to maintain the local SSH connection to it (great). But… none of my server services are reachable at this point and I don’t get why.

I’m using the exact same host that is accessing through SSH, but for some reason I can’t reach any of my local servers through the web browser. Not even FTP or SMB. Any clue?

Also, I’d like to know how to disable the VPN, because I’ve tried turning it off and running service dietpi-vpn stop and even so, I still can’t reach anything. It’s as if the VPN settings (killswitch) were still applied.

It’s as if dietpi-vpn changed the iptables configs and didn’t revert them when I stopped the VPN. I can see that most connections are set to DROP (probably due to the killswitch setting, which I then toggled off).

I’m afraid at this point of logging out from SSH and losing access to my server.

I guess the answer is not coming through the same interface which got the request.
Can you check a route to a local client? It should show dev eth0:

ip route get <CLIENT_IP>

And do you maybe have any DROP rules in your iptables?

iptables -L -v -n

I guess you need to deactivate the kill switch and not just stop the service. These DROP rules you see come from the kill switch, it only allows connections through the VPN.

I fixed the DROP by “resetting” the settings in dietpi-vpn. However, now again, with the right config applied (kill switch on, start on boot etc.) and the exceptions posted above, I can’t access any of the hosted services. This is the iptables:

Chain INPUT (policy DROP 174 packets, 9036 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  289 82906 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  395 92135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 22 packets, 1953 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  289 82906 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  224 79848 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/16      
  133  7139 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/12       
   43 17605 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.0/8          
  246 93742 ACCEPT     udp  --  *      *       0.0.0.0/0            181.214.206.12       udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            191.96.168.25        udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            195.78.54.47         udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            195.78.54.119        udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            181.214.206.17       udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            181.214.206.28       udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            191.96.168.115       udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            191.96.168.121       udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            195.78.54.38         udp dpt:443
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            191.96.168.10        udp dpt:443

FYI: This is a DMZ’d device that has only “return traffic” rule as accepted in the router. But this shouldn’t be an issue since it works without the VPN. This means that I can’t start connections from server → client in my LAN. Not sure if this has any relevance to the matter.

Everything gets dropped except interface lo (loopback interface), port 22 and already established connections, because:

Only connections through the VPN are now allowed, you would need to deactivate the killswitch to allow local connections.

Or you add some rules to allow incoming traffic via eth0.

So, how can I always allow LAN communication while preserving the WAN OUT kill switch (which I really want)? Can I add persistent rules to the iptables that won’t be overridden?

Edit: I disabled the killswitch and the iptables remain the same. Do I need to reboot?

Hm, not completely sure, but a reboot should clear it. But you can also do this, to reset everything:

iptables -F
iptables -t nat -F
iptables -t mangle -F

To allow incoming traffic you can do:

iptables -I INPUT 1 -s 192.168.0.0/16 -j ACCEPT

But dietpi-vpn will override the rules when it starts, so you would need to apply this in your ovpn config.
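One way to make the LAN exception survive the kill switch, as an added example that is not from the thread or from dietpi-vpn: a small sh script that can be hooked into the .ovpn via "script-security 2" and "route-up /path/to/allow-lan.sh" (the path is a placeholder), inserting INPUT accepts for the poster's three VLAN ranges on eth0. It assumes eth0 is the LAN interface and that the kill-switch rules are already installed when route-up runs; if they are applied later, the hook would have to run after that step instead.

```shell
#!/bin/sh
# Re-insert LAN accepts on the INPUT chain after the VPN kill switch is in place.
# Assumed hook in the .ovpn file (placeholder path):
#   script-security 2
#   route-up /path/to/allow-lan.sh
# Edit these to match your LAN interface and VLAN ranges (values from the thread).
LAN_IF="eth0"
LAN_NETS="10.0.2.0/24 10.0.3.0/24 192.168.2.0/24"

# Print the iptables commands as text so they can be reviewed without root.
# Matching on -i eth0 as well as the source range means a packet arriving via
# tun0 with a forged private source address does not hit the accept rule.
lan_input_rules() {
    for net in $LAN_NETS; do
        printf 'iptables -I INPUT 1 -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$net"
    done
}

# Exit 0 if an identical rule already exists, so repeated route-up runs
# (reconnects) do not pile up duplicate rules.
rule_present() {
    iptables -C INPUT -i "$LAN_IF" -s "$1" -j ACCEPT 2>/dev/null
}

# Insert each missing rule at position 1, ahead of the kill-switch rules.
apply_lan_input_rules() {
    for net in $LAN_NETS; do
        rule_present "$net" || iptables -I INPUT 1 -i "$LAN_IF" -s "$net" -j ACCEPT
    done
}

# Only touch the firewall when explicitly asked and running as root
# (e.g. APPLY_RULES=1 exported in the environment OpenVPN runs the hook in).
if [ "${APPLY_RULES:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_lan_input_rules
else
    lan_input_rules
fi
```

After a connect, "iptables -L INPUT -v -n" should list the three eth0 accepts above the existing lo / ESTABLISHED / dpt:22 rules, and the OUTPUT side keeps the kill switch unchanged because replies to LAN clients already match its private-range accepts.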