VPN out + OpenVPN in

Also, when I disconnect from the VPN (not the OpenVPN but the one I use to anonymise traffic) the OpenVPN starts to work normally.

When I disconnect from VPN:

sudo ss -tunlp | grep vpn
udp    UNCONN   0        0                 0.0.0.0:1194           0.0.0.0:*      users:(("openvpn",pid=24436,fd=6))
dietpi@DietPi:~$ ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.31.254/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.31.1 dev eth0 table 100 
default via 192.168.31.1 dev eth0 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.31.0 dev eth0 table local proto kernel scope link src 192.168.31.254 
local 192.168.31.254 dev eth0 table local proto kernel scope host src 192.168.31.254 
broadcast 192.168.31.255 dev eth0 table local proto kernel scope link src 192.168.31.254 
0:	from all lookup local 
16010:	from all sport 1194 lookup 100 
32766:	from all lookup main 
32767:	from all lookup default

Only the tun0 interface remains

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.254  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::2247:47ff:feed:9fea  prefixlen 64  scopeid 0x20<link>
        ether 20:47:47:ed:9f:ea  txqueuelen 1000  (Ethernet)
        RX packets 9548329  bytes 10711485755 (9.9 GiB)
        RX errors 0  dropped 2678  overruns 0  frame 0
        TX packets 5275915  bytes 1416320847 (1.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7200000-f7220000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 71641  bytes 18705391 (17.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 71641  bytes 18705391 (17.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::c85a:4eee:abc5:765  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 304 (304.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Do an ip route flush cache and try again.

Thank you trendy. The flush command does not seem to work.

I guess I could ssh remotely, stop the VPN out and then use VPN in whenever I need to use it, not sure if leaving an SSH connection open from outside is very secure…

Hang on, I’ll try it myself. I am doing all these manipulations on the router, but I don’t see why it cannot work on dietpi too.

Thank you again. I also posted this issue on Reddit to check if this is related to the company that provides the outgoing VPN client: https://www.reddit.com/r/Windscribe/comments/melvxk/windscribe_free_for_outgoing_and_openvpn_for/?utm_medium=android_app&utm_source=share and I did receive a reply saying it is not possible to do.

I have also seen that with DietPi the NordVPN option is available. Did any of you try Nord outgoing and OpenVPN incoming?

Seems to be working fine for me.

dietpi@kakadu:[~]$ ip ru sh
0:      from all lookup local 
16000:  from all sport 1190 lookup 100 
32766:  from all lookup main 
32767:  from all lookup default 

dietpi@kakadu:[~]$ ip ro li tab 100
default via 172.30.30.1 dev eth0 

dietpi@kakadu:[~]$ ip ro li tab main
0.0.0.0/1 via 10.17.0.1 dev proton0 
default via 172.30.30.1 dev eth0 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.17.0.0/16 dev proton0 proto kernel scope link src 10.17.0.13 
107.152.101.211 via 172.30.30.1 dev eth0 
128.0.0.0/1 via 10.17.0.1 dev proton0 
172.30.30.0/24 dev eth0 proto kernel scope link src 172.30.30.2 

dietpi@kakadu:[~]$ sudo ss -anp | grep vpn
u_str ESTAB     0      0                                            * 9676028                                             * 0                                    users:(("openvpn",pid=10277,fd=2),("openvpn",pid=10277,fd=1))                  
u_dgr ESTAB     0      0                                            * 9676064                                             * 0                                    users:(("openvpn",pid=10277,fd=3))                                             
udp   UNCONN    0      0                                      0.0.0.0:38907                                         0.0.0.0:*                                    users:(("openvpn",pid=9785,fd=3))                                              
udp   UNCONN    0      0                                      0.0.0.0:1190                                          0.0.0.0:*                                    users:(("openvpn",pid=10277,fd=6))                                             

dietpi@kakadu:[~]$ sudo iptables-save -c
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 30 17:30:42 2021
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[407:32474] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
[121:10093] -A POSTROUTING -s 10.8.0.0/24 -o proton0 -m comment --comment proton-nat-rule -j MASQUERADE
COMMIT
# Completed on Tue Mar 30 17:30:42 2021


dietpi@kakadu:[~]$ sudo tcpdump -i any -evn icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:30:59.542795  In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 50, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.2 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.543084 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 49, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
    10.17.0.13 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.763061  In ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 49, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
    147.52.80.1 > 10.17.0.13: ICMP echo reply, id 1221, seq 1, length 64
17:30:59.763241 Out ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 48, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
    147.52.80.1 > 10.8.0.2: ICMP echo reply, id 1221, seq 1, length 64

I used 1190 in my case, but this doesn’t matter.
The OpenVPN server was created with the PiVPN package of DietPi. The OpenVPN client is running with a ProtonVPN profile.
One thing I had to do manually was to add the proton masquerade rule in iptables.
As you can see in the tcpdump, the Android phone client (10.8.0.2) sends an ICMP echo request to DietPi over the ISP, then DietPi (10.17.0.13) forwards it into the ProtonVPN tunnel, receives the reply, and sends it back to the Android phone over eth0.
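As an added illustration (not trendy's commands, nor anything shipped by DietPi or PiVPN), here is a small Python checker for the split-routing arrangement shown in this post: it takes the text of ip rule, ip route and iptables-save output and reports which of the pieces (sport rule, table with the ISP default route, VPN-out redirect in main, MASQUERADE on both egress interfaces) is missing. The sample below is constructed from the outputs above; the interface and port names passed in are assumptions for that sample.

```python
import re

# Constructed sample, copied from the working setup shown in this thread.
IP_RULE = """\
0:      from all lookup local
16000:  from all sport 1190 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_TABLES = {
    "100": "default via 172.30.30.1 dev eth0\n",
    "main": """\
0.0.0.0/1 via 10.17.0.1 dev proton0
default via 172.30.30.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
128.0.0.0/1 via 10.17.0.1 dev proton0
172.30.30.0/24 dev eth0 proto kernel scope link src 172.30.30.2
""",
}
NAT = """\
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o proton0 -m comment --comment proton-nat-rule -j MASQUERADE
"""

def check_split_routing(ip_rule, tables, nat, port, wan_if, vpn_if, client_net):
    """Return a list of problems; an empty list means the setup matches the pattern."""
    problems = []
    m = re.search(rf"from all sport {port} lookup (\S+)", ip_rule)
    if not m:
        problems.append(f"no 'sport {port}' policy rule: server replies would follow the main table")
        return problems
    table = m.group(1)
    # The sport table must send OpenVPN server replies straight to the ISP gateway.
    if not re.search(rf"^default via \S+ dev {wan_if}\b", tables.get(table, ""), re.M):
        problems.append(f"table {table} has no default route via {wan_if}")
    main = tables.get("main", "")
    # The VPN-out client normally installs the two /1 routes that override default.
    if not (re.search(rf"^0\.0\.0\.0/1 .*dev {vpn_if}\b", main, re.M)
            and re.search(rf"^128\.0\.0\.0/1 .*dev {vpn_if}\b", main, re.M)):
        problems.append(f"main table does not redirect default traffic through {vpn_if}")
    for dev in (wan_if, vpn_if):
        if not re.search(rf"-A POSTROUTING -s {re.escape(client_net)} -o {dev} .*-j MASQUERADE", nat):
            problems.append(f"no MASQUERADE for {client_net} out of {dev}")
    return problems

if __name__ == "__main__":
    print(check_split_routing(IP_RULE, ROUTE_TABLES, NAT, 1190, "eth0", "proton0", "10.8.0.0/24"))
```

On a live box, feed it the real output of `ip ru sh`, `ip ro li tab <N>`, `ip ro li tab main` and `iptables-save -t nat`.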