[SOLVED] DietPi as VPN Gateway

Troubleshooting
1

Hello, I’ve been trying to make a VPN Gateway based on DietPi.
I have installed DietPi on my Raspberry Pi because I want a very minimal system, and then I’ve followed this tutorial:

https://gist.github.com/superjamie/ac55b6d2c080582a3e64

Unfortunately it does not seem to work: I can manually start a VPN connection with the command:

openvpn --config /etc/openvpn/config.conf

but that’s it.
I can’t make it start automatically as a service, and most of all, as soon as I get at the “Setup Routing and NAT” and “VPN Kill Switch” nothing works anymore.
After I reboot, the VPN connection won’t be established, and it exits.

Here are a couple of logs:

root@DietPi:~# systemctl status openvpn@de77.nordvpn.com.udp1194
● openvpn@de77.nordvpn.com.udp1194.service - OpenVPN connection to de77.nordvpn.com.udp1194
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: failed (Result: exit-code) since Thu 2017-08-31 15:46:22 CEST; 6min ago
  Process: 452 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE)

Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.




root@DietPi:~# journalctl -u openvpn@de77.nordvpn.com.udp1194
-- Logs begin at Thu 2017-08-31 15:46:12 CEST, end at Thu 2017-08-31 15:47:35 CEST. --
Aug 31 15:46:21 DietPi systemd[1]: Starting OpenVPN connection to de77.nordvpn.com.udp1194...
Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.

[EDIT]
Here is something that might be useful… after following the “Setup Routing and NAT” and “VPN Kill Switch” sections, it seems like the pi is not able to establish a VPN connection anymore, as it outputs this error, even when I try to connect to the VPN manually:

Thu Aug 31 17:19:52 2017 UDPv4 link remote: [AF_INET]185.143.230.230:1194
Thu Aug 31 17:19:52 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:54 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:58 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:20:06 2017 write UDPv4: Operation not permitted (code=1)

It looks to me that when I input the iptables rules, something goes wrong and this UDPv4 permission to write gets denied.
Any suggestions? Thanks

2

OK, two findings so far, after checking step by step:

  1. The section of the tutorial called “Enable VPN at boot” is useless and harmful, it must be skipped.

  2. The section of the tutorial called “VPN Kill Switch” disrupts something, and the result is that the connection is not started and results in the infamous “write UDPv4: Operation not permitted (code=1)” error.

Summing it up, the tutorial works only partially, by skipping the sections “enable VPN at boot” and “VPN Kill Switch”. Skipping these parts, the pi correctly connects to the VPN at boot, which is a good thing. :slight_smile:

It would be nice if someone who understands iptables were able to solve this, as blocking all the outbound traffic if/when the VPN is not connected would be a GREAT security feature to be implemented.

3

i use PiVPN and it works like a charm, install is like 2 minutes, only the key generation takes some time. but once the crypted key is done generating all you have to do is generate as many “clients” as you want, then you get a OVPN file that you can use with pretty much any device :slight_smile:

4

Thanks, but piVPN does a different thing: it creates an openvpn SERVER.
I want an always-on openvpn CLIENT connected to my VPN service, to be used as a gateway (so that other devices can use this gateway to access the internet through this secure connection).

5

Hi Sciamano,

Have you read or try this? Tunnel DietPi through VPN

and : Running OpenVPN client process as daemon after boot

I don’t know much about nordvpn.com or try to use it.
But it will be a good idea, to start from the scratch, after you has done some unsuccessful tries with at all what untested tutorial.

6

Sorry for the long delay, I was enjoying my long due holidays… thanks for the links, I’ll check them out.

[quote=“Sciamano”]
Any suggestions? Thanks
[/quote]

I don’t know much about nordvpn.com or try to use it.
But it will be a good idea, to start from the scratch, after you has done some unsuccessful tries with at all what untested tutorial.

I don’t think it’s any different than any other VPN services, they have lots of servers and you just need to choose the correspondent .ovpn file.

EDIT: I’ve gone through the links you posted, and basically they achieve the same goal as the tutorial I was following. So, basically, the tutorial I’ve followed reached the same goals in a slightly different way. What I would like to do, though, is to stop every internet traffic when/if the VPN connection drops, in order to avoid “unprotected” traffic.
The part of the tutorial that should achieve this is not working… any chance to find a way to achieve this?
Thanks.

7

For anyone interested, the tutorial linked in the first post works, but a few modifications need to be made.

When you get to this part:

SETUP VPN KILL-SWITCH

check and edit the IP address to your subnet, and the ports to those used by your VPN Provider. For my network and my VPN provider (NordVPN) these were the right settings:

iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP

Also, the following rule needs to be added to the above code, otherwise the kill-switch won’t work:

iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

And save so these iptables rules get applied at reboot:

netfilter-persistent save

(in case you don’t have netfilter-persistent installed, just apt-get install netfilter-persistent)

That’s it.
Now if the VPN connection drops, all internet traffic passing through this VPN gateway will stop too.

8

Yup…piVPN took me a while due to it compiling the 2048 bit key, but once done…works like a champ!!!
Installed it on a Nano Pi NEO

9

I’m sure piVPN works perfectly, but please note that this tutorial has the purpose of creating a VPN Gateway so that other computers of your local network can access the internet using the Pi as a gateway, being protected by the VPN service.
This is not a tutorial to setup an OpenVPN server.

10

Right…I see that you were using your PiVPN as a way to connect to a external system…then route all traffic thru that…and if the VPN drops…block all traffic to ensure something doesn’t get out by accident

My appologies for not reading fully the entire thread and just a few of the last posts

Very cool on your iptables howto/walkthru…great job!

11

Thanks, but I don’t deserve any credit.
I have just used a ready-made tutorial for the Raspberry Pi and applied it with DietPi as a “base” instead of Raspbian.
Superjamie deserves to get the full credit for this.

12

I hope this inst’ a dead post yet… my question concerning the killswitch mentioned, how do you use this when trying to install software on dietpi? Part of their update process is to kill running service to include OpenVPN which in turn activates the kill switch and thus I can’t download updates.

I’m using PIA too.

Thoughts?

13

Unfortunately you’ll have to delete the iptables rules included in the killswitch part of the tutorial, update DietPi and then follow the killswitch tutorial again.
Or, you use a dedicated machine and never update it :wink:

14

you can add the commands for iptables to add or remove on vpn login and vpn logout, automagically, in dietpi-launcher/ dietpi-vpn settings. Just below the killswitch option