VPN out + OpenVPN in

Ah nice. So all packets from that port will be leaving on eth0, but that is fine since that port is for establishing the VPN connection only anyway, not for communication through the tunnel. That method should work pretty well for e.g. allowing remote connections to a BitTorrent server while it is connected to a VPN. Much easier than connection marks, many thanks for sharing :)

Thanks
Could you put an example of the command and where I can make it permanent?

An example would be:

ip route add to default via 10.10.10.1 table 100
ip rule add sport 1234 to default lookup 100 prio 16010

Change the IP to that of the ISP router and the port to the one you are using for the VPN server.
You can add it in rc.local to be permanent.

I have added

ip route add to default via 192.168.31.1 table 100
ip rule add sport 1194 to default lookup 100 prio 16010
ip rule add sport 443 to default lookup 100 prio 16010
ip rule add sport 943 to default lookup 100 prio 16010

Since OpenVPN uses 443 and 943 TCP and 1194 UDP by default.

But I still have no luck connecting from outside to the internal VPN, it times out

First of all, OpenVPN is udp/1194; the rest belong to other protocols. But which one are you using?
Also if you are adding multiple ports you should also change the sequence number, as now the first two are overwritten by the third.
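
Putting the two points above together (the table/rule commands from the earlier reply, and the need for a separate priority per port), here is an added shell example. It is not code from the thread, from DietPi or from PiVPN; the gateway 192.168.31.1, device eth0, table 100, base priority 16010, client subnet 10.8.0.0/24, outgoing tunnel device tun1 and the script path in the comment are all assumed placeholders. The MASQUERADE rules mirror the two nat rules shown in the working configuration later in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from DietPi/PiVPN.
# Reply traffic from a local OpenVPN *server* is steered out via the ISP
# gateway (table 100) while everything else follows the main table, i.e. the
# outgoing VPN tunnel. The values below are assumptions: adjust to your box.
GW="${GW:-192.168.31.1}"                  # ISP router
DEV="${DEV:-eth0}"                        # LAN device facing that router
TABLE="${TABLE:-100}"                     # routing table for the server's replies
BASE_PRIO="${BASE_PRIO:-16010}"           # must stay below main (32766)
CLIENT_NET="${CLIENT_NET:-10.8.0.0/24}"   # OpenVPN server client subnet
OUT_VPN_DEV="${OUT_VPN_DEV:-tun1}"        # device of the outgoing (anonymising) VPN

# Emit the ip(8) commands for every listening port given as an argument.
# Each port gets its own priority (BASE_PRIO, BASE_PRIO+1, ...) so no two rules
# share a slot, and the table's default route names the device explicitly.
policy_route_cmds() {
    prio="$BASE_PRIO"
    echo "ip route replace default via $GW dev $DEV table $TABLE"
    for port in "$@"; do
        # delete any previous copy so re-running does not stack duplicate rules
        echo "ip rule del sport $port lookup $TABLE prio $prio 2>/dev/null || true"
        echo "ip rule add sport $port to default lookup $TABLE prio $prio"
        prio=$((prio + 1))
    done
    echo "ip route flush cache"
}

# Emit idempotent MASQUERADE rules (-C checks before -A appends) so VPN-in
# clients are NATed both on the LAN device and into the VPN-out tunnel.
nat_cmds() {
    for dev in "$DEV" "$OUT_VPN_DEV"; do
        echo "iptables -t nat -C POSTROUTING -s $CLIENT_NET -o $dev -j MASQUERADE 2>/dev/null" \
             "|| iptables -t nat -A POSTROUTING -s $CLIENT_NET -o $dev -j MASQUERADE"
    done
}

# Default port list when none is given on the command line.
[ $# -eq 0 ] && set -- 1194

# Print by default; run for real with APPLY=1 (as root), e.g. from rc.local
# (assumed install path):
#   APPLY=1 GW=192.168.31.1 DEV=eth0 OUT_VPN_DEV=tun1 /usr/local/sbin/vpn-in-routes.sh 1194
if [ "${APPLY:-0}" = 1 ]; then
    { policy_route_cmds "$@"; nat_cmds; } | sh -e
else
    policy_route_cmds "$@"
    nat_cmds
fi
```

Two caveats: `ip rule ... sport` needs kernel and iproute2 4.17 or newer (older versions silently lack the match), and the rule only covers packets the server itself sends from that port, which is exactly the handshake and tunnel transport; traffic that clients push through tun0 is still routed by the main table, which is why the second MASQUERADE rule on the outgoing tunnel is needed.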

Ok thank you. I tried at the beginning only with 1194 but it didn’t connect, so I added the other two which I thought were also needed for OpenVPN.

I am using the default installer from DietPi for OpenVPN, so if 1194 UDP is enough I can leave the first one only.
Still it doesn’t get through

You can verify the port with ss -tunlp | grep vpn
Other than that post the following: ip -4 addr; ip -4 ro list table all; ip -4 ru

The first command has no return, the second gives a lot of information

dietpi@DietPi:~$ ss -tunlp | grep vpn
dietpi@DietPi:~$ ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.31.254/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.121.34.39/23 brd 10.121.35.255 scope global tun1
       valid_lft forever preferred_lft forever
default via 192.168.31.1 dev eth0 table 100 
0.0.0.0/1 via 10.121.34.1 dev tun1 
default via 192.168.31.1 dev eth0 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.121.34.0/23 dev tun1 proto kernel scope link src 10.121.34.39 
37.120.136.243 via 192.168.31.1 dev eth0 
128.0.0.0/1 via 10.121.34.1 dev tun1 
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 10.121.34.0 dev tun1 table local proto kernel scope link src 10.121.34.39 
local 10.121.34.39 dev tun1 table local proto kernel scope host src 10.121.34.39 
broadcast 10.121.35.255 dev tun1 table local proto kernel scope link src 10.121.34.39 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.31.0 dev eth0 table local proto kernel scope link src 192.168.31.254 
local 192.168.31.254 dev eth0 table local proto kernel scope host src 192.168.31.254 
broadcast 192.168.31.255 dev eth0 table local proto kernel scope link src 192.168.31.254 
0:	from all lookup local 
16010:	from all sport 1194 lookup 100 
32766:	from all lookup main 
32767:	from all lookup default

Not related, but I have also realised that the no-ip DDNS script is updating to the wrong IP even when I mark eth0 as the interface for updating.

What about this?
grep port /etc/openvpn/*

grep port /etc/openvpn/*
grep: /etc/openvpn/client: Is a directory
grep: /etc/openvpn/easy-rsa: Is a directory
grep: /etc/openvpn/server: Is a directory
/etc/openvpn/server.conf:port 1194

Also

netstat -putan | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1240/openvpn


netstat is not included in DietPi and is deprecated; ss is its successor. Anyway, we have established the OpenVPN server is running on udp/1194.
Install tcpdump if you don’t have it already and run: sudo tcpdump -i eth0 -evn udp port 1194
Then try to connect from the client, let it capture a few packets, stop with Ctrl-c and paste here the output.

Probably it’s required to add “dev eth0” to the ip route, to force it using the right device as well.

It doesn’t hurt to add it; however, DietPi shouldn’t have any issues finding 192.168.31.1, as it is directly connected to eth0.

Where should I add the dev flag? What other things I can do?

Also, when I disconnect from the VPN (not the OpenVPN but the one I use to anonymise traffic) the OpenVPN starts to work normally.

When I disconnect from VPN:

sudo ss -tunlp | grep vpn
udp    UNCONN   0        0                 0.0.0.0:1194           0.0.0.0:*      users:(("openvpn",pid=24436,fd=6))



dietpi@DietPi:~$ ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.31.254/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.31.1 dev eth0 table 100 
default via 192.168.31.1 dev eth0 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.31.0 dev eth0 table local proto kernel scope link src 192.168.31.254 
local 192.168.31.254 dev eth0 table local proto kernel scope host src 192.168.31.254 
broadcast 192.168.31.255 dev eth0 table local proto kernel scope link src 192.168.31.254 
0:	from all lookup local 
16010:	from all sport 1194 lookup 100 
32766:	from all lookup main 
32767:	from all lookup default

Only the tun0 interface remains

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.254  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::2247:47ff:feed:9fea  prefixlen 64  scopeid 0x20<link>
        ether 20:47:47:ed:9f:ea  txqueuelen 1000  (Ethernet)
        RX packets 9548329  bytes 10711485755 (9.9 GiB)
        RX errors 0  dropped 2678  overruns 0  frame 0
        TX packets 5275915  bytes 1416320847 (1.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7200000-f7220000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 71641  bytes 18705391 (17.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 71641  bytes 18705391 (17.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::c85a:4eee:abc5:765  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Do a ip route flush cache and try again.

Thank you trendy. The flush command does not seem to work

I guess I could ssh remotely, stop the vpn out and then use VPN in whenever I need to use it, not sure if leaving SSH connection open from outside is very secure…

Hang on, I’ll try it myself. I am doing all these manipulations on the router, but I don’t see why it cannot work on dietpi too.

Thank you again. I also posted this issue on reddit to check if this is related to the company that provides the outgoing VPN client: https://www.reddit.com/r/Windscribe/comments/melvxk/windscribe_free_for_outgoing_and_openvpn_for/?utm_medium=android_app&utm_source=share and I did receive a reply saying it is not possible to do.

I also saw that with DietPi the NordVPN option is available. Did any of you try Nord outgoing and OpenVPN incoming?

Seems to be working fine for me.

dietpi@kakadu:[~]$ ip ru sh
0:      from all lookup local 
16000:  from all sport 1190 lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 

dietpi@kakadu:[~]$ ip ro li tab 100
default via 172.30.30.1 dev eth0 

dietpi@kakadu:[~]$ ip ro li tab main
0.0.0.0/1 via 10.17.0.1 dev proton0 
default via 172.30.30.1 dev eth0 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.17.0.0/16 dev proton0 proto kernel scope link src 10.17.0.13 
107.152.101.211 via 172.30.30.1 dev eth0 
128.0.0.0/1 via 10.17.0.1 dev proton0 
172.30.30.0/24 dev eth0 proto kernel scope link src 172.30.30.2 

dietpi@kakadu:[~]$ sudo ss -anp | grep vpn
u_str ESTAB     0      0                                            * 9676028                                             * 0                                    users:(("openvpn",pid=10277,fd=2),("openvpn",pid=10277,fd=1))                  
u_dgr ESTAB     0      0                                            * 9676064                                             * 0                                    users:(("openvpn",pid=10277,fd=3))                                             
udp   UNCONN    0      0                                      0.0.0.0:38907                                         0.0.0.0:*                                    users:(("openvpn",pid=9785,fd=3))                                              
udp   UNCONN    0      0                                      0.0.0.0:1190                                          0.0.0.0:*                                    users:(("openvpn",pid=10277,fd=6))                                             

dietpi@kakadu:[~]$ sudo iptables-save -c
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 30 17:30:42 2021
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[407:32474] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
[121:10093] -A POSTROUTING -s 10.8.0.0/24 -o proton0 -m comment --comment proton-nat-rule -j MASQUERADE
COMMIT
# Completed on Tue Mar 30 17:30:42 2021


dietpi@kakadu:[~]$ sudo tcpdump -i any -evn icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:30:59.542795  In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 50, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.2 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.543084 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 49, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
    10.17.0.13 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.763061  In ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 49, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
    147.52.80.1 > 10.17.0.13: ICMP echo reply, id 1221, seq 1, length 64
17:30:59.763241 Out ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 48, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
    147.52.80.1 > 10.8.0.2: ICMP echo reply, id 1221, seq 1, length 64

I used 1190 in my case, but this doesn’t matter.
The OpenVPN server was created with the PiVPN package of DietPi. The OpenVPN client is running with a ProtonVPN profile.
One thing I had to do manually was to add the proton masquerade rule in iptables.
As you can see in the tcpdump, the Android phone client (10.8.0.2) sends an ICMP echo request to DietPi over the ISP, then DietPi (10.17.0.13) forwards it into the ProtonVPN tunnel, receives the reply, and sends it to the Android phone over eth0.
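
The diagnostic commands requested earlier in the thread (`ip -4 ru` and `ip -4 ro list table all`) contain everything needed to tell a working setup like the one above from a broken one. Here is an added shell check that is not from the thread or from DietPi; the sample rule and route text is constructed from the outputs posted in this thread, and port 1194 and device eth0 are the assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from DietPi.
# Sanity-check policy routing for an OpenVPN server behind an outgoing VPN.
# Feed it the text of `ip -4 ru` and `ip -4 ro list table all`.

# Sample input, constructed from the outputs posted in this thread.
SAMPLE_RULES='0: from all lookup local
16010: from all sport 1194 lookup 100
32766: from all lookup main
32767: from all lookup default'

SAMPLE_ROUTES='default via 192.168.31.1 dev eth0 table 100
0.0.0.0/1 via 10.121.34.1 dev tun1
default via 192.168.31.1 dev eth0 onlink
10.8.0.0/24 via 10.8.0.2 dev tun0
128.0.0.0/1 via 10.121.34.1 dev tun1
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254'

# check_policy_route PORT DEV RULES ROUTES
# Prints OK/FAIL/INFO lines; returns 0 only if every check passes.
check_policy_route() {
    port="$1"; dev="$2"; rules="$3"; routes="$4"; rc=0

    # 1. The outgoing VPN client typically installs 0.0.0.0/1 + 128.0.0.0/1
    #    (redirect-gateway def1); these beat the ISP default in the main table,
    #    so server replies need a rule that bypasses main entirely.
    if printf '%s\n' "$routes" | grep -Eq '^(0\.0\.0\.0|128\.0\.0\.0)/1 via '; then
        echo "INFO: main table carries a split default; replies must be policy-routed"
    fi

    # 2. A rule selecting on the server's source port must exist.
    line=$(printf '%s\n' "$rules" | grep -E "sport $port( |$)" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no ip rule matching sport $port"
        return 1
    fi
    prio=${line%%:*}
    table=$(printf '%s\n' "$line" | sed -n 's/.*lookup \([^ ]*\).*/\1/p')

    # 3. It must be evaluated before main (priority 32766).
    if [ "$prio" -lt 32766 ]; then
        echo "OK: rule prio $prio precedes main"
    else
        echo "FAIL: rule prio $prio is not before main"; rc=1
    fi

    # 4. The table it points to must have a default route on the ISP device.
    if printf '%s\n' "$routes" | grep -Eq "^default via [0-9.]+ dev $dev .*table $table( |$)"; then
        echo "OK: table $table has a default route via $dev"
    else
        echo "FAIL: table $table has no default route via $dev"; rc=1
    fi
    return $rc
}

# Stand-alone run against the sample; on a live box use:
#   check_policy_route 1194 eth0 "$(ip -4 ru)" "$(ip -4 ro list table all)"
check_policy_route 1194 eth0 "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```

If every check passes but the client still times out, the remaining suspects are outside routing: the ISP router's port forward, a firewall on the box, or the NAT rules, which is where the tcpdump on eth0 suggested earlier tells you whether the handshake packets arrive at all.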