Page 1 of 2

[SOLVED] DietPi as VPN Gateway

Posted: Thu Aug 31, 2017 3:55 pm
by Sciamano
Hello, I've been trying to make a VPN Gateway based on DietPi.
I have installed DietPi on my Raspberry Pi because I want a very minimal system, and then I've followed this tutorial:

https://gist.github.com/superjamie/ac55b6d2c080582a3e64

Unfortunately it does not seem to work: I can manually start a VPN connection with the command:

openvpn --config /etc/openvpn/config.conf

but that's it.
I can't make it start automatically as a service, and most of all, as soon as I get at the "Setup Routing and NAT" and "VPN Kill Switch" nothing works anymore.
After I reboot, the VPN connection won't be established, and it exits.

Here are a couple of logs:

root@DietPi:~# systemctl status openvpn@de77.nordvpn.com.udp1194
● openvpn@de77.nordvpn.com.udp1194.service - OpenVPN connection to de77.nordvpn.com.udp1194
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: failed (Result: exit-code) since Thu 2017-08-31 15:46:22 CEST; 6min ago
  Process: 452 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE)

Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.

root@DietPi:~# journalctl -u openvpn@de77.nordvpn.com.udp1194
-- Logs begin at Thu 2017-08-31 15:46:12 CEST, end at Thu 2017-08-31 15:47:35 CEST. --
Aug 31 15:46:21 DietPi systemd[1]: Starting OpenVPN connection to de77.nordvpn.com.udp1194...
Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.
[EDIT]
Here is something that might be useful... after following the "Setup Routing and NAT" and "VPN Kill Switch" sections, it seems like the pi is not able to establish a VPN connection anymore, as it outputs this error, even when I try to connect to the VPN manually:

Thu Aug 31 17:19:52 2017 UDPv4 link remote: [AF_INET]185.143.230.230:1194
Thu Aug 31 17:19:52 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:54 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:58 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:20:06 2017 write UDPv4: Operation not permitted (code=1)
It looks to me that when I input the iptables rules, something goes wrong and this UDPv4 permission to write gets denied.
Any suggestions? Thanks

Re: DietPi as VPN Router

Posted: Thu Aug 31, 2017 5:53 pm
by Sciamano
OK, two findings so far, after checking step by step:

1. The section of the tutorial called "Enable VPN at boot" is useless and harmful, it must be skipped.

2. The section of the tutorial called "VPN Kill Switch" disrupts something, and the result is that the connection is not started and results in the infamous "write UDPv4: Operation not permitted (code=1)" error.

Summing it up, the tutorial works only partially, by skipping the sections "enable VPN at boot" and "VPN Kill Switch". Skipping these parts, the pi correctly connects to the VPN at boot, which is a good thing. :)

It would be nice if someone who understands iptables were able to solve this, as blocking all the outbound traffic if/when the VPN is not connected would be a GREAT security feature to be implemented.

Re: DietPi as VPN Router

Posted: Thu Aug 31, 2017 8:33 pm
by corun
I use PiVPN and it works like a charm; the install takes about 2 minutes, only the key generation takes some time. But once the encrypted key is done generating, all you have to do is generate as many "clients" as you want, then you get an OVPN file that you can use with pretty much any device :)

Re: DietPi as VPN Router

Posted: Fri Sep 01, 2017 12:02 am
by Sciamano
Thanks, but piVPN does a different thing: it creates an openvpn SERVER.
I want an always-on openvpn CLIENT connected to my VPN service, to be used as a gateway (so that other devices can use this gateway to access the internet through this secure connection).

Re: DietPi as VPN Router

Posted: Sun Sep 03, 2017 12:25 pm
by k-plan
Hi Sciamano,
Sciamano wrote:Thanks, but piVPN does a different thing: it creates an openvpn SERVER.
I want an always-on openvpn CLIENT connected to my VPN service, to be used as a gateway (so that other devices can use this gateway to access the internet through this secure connection).
Have you read or tried this? Tunnel DietPi through VPN

and : Running OpenVPN client process as daemon after boot
Sciamano wrote:Any suggestions? Thanks
I don't know much about nordvpn.com and have not tried to use it.
But it would be a good idea to start from scratch after you have made some unsuccessful tries with whatever untested tutorial.

Re: DietPi as VPN Router

Posted: Thu Sep 21, 2017 2:24 pm
by Sciamano
Sorry for the long delay, I was enjoying my long overdue holidays... thanks for the links, I'll check them out.
Sciamano wrote:Any suggestions? Thanks
I don't know much about nordvpn.com and have not tried to use it.
But it would be a good idea to start from scratch after you have made some unsuccessful tries with whatever untested tutorial.
I don't think it's any different from any other VPN service: they have lots of servers and you just need to choose the corresponding .ovpn file.

EDIT: I've gone through the links you posted, and basically they achieve the same goal as the tutorial I was following, just in a slightly different way. What I would like to do, though, is to stop all internet traffic when/if the VPN connection drops, in order to avoid "unprotected" traffic.
The part of the tutorial that should achieve this is not working... any chance to find a way to achieve this?
Thanks.

Re: [SOLVED] DietPi as VPN Router

Posted: Tue Oct 03, 2017 4:27 pm
by Sciamano
For anyone interested, the tutorial linked in the first post works, but a few modifications need to be made.

When you get to this part:

SETUP VPN KILL-SWITCH

check and edit the IP address to your subnet, and the ports to those used by your VPN Provider. For my network and my VPN provider (NordVPN) these were the right settings:

# Rules are appended (-A) in order, so the final DROP must stay last: anything the Pi
# itself sends out eth0 that is not matched by an ACCEPT above it is dropped.
iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
# The VPN port must match the "remote" line of your .ovpn file, or the tunnel can never
# come up ("write UDPv4: Operation not permitted").
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
# NTP and DNS are allowed outside the tunnel (clock for the TLS handshake, resolving the
# VPN server name), so these two flows are not covered by the kill switch.
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP
Also, the following rule needs to be added to the above code, otherwise the kill-switch won't work:

# Forwarded (LAN client) traffic: drop anything that arrives on eth0 and would leave by any
# interface other than tun0. When the tunnel is down tun0 does not exist, so everything
# the LAN sends through the gateway is dropped instead of falling back to eth0.
iptables -I FORWARD -i eth0 ! -o tun0 -j DROP
And save so these iptables rules get applied at reboot:

netfilter-persistent save

(in case you don't have netfilter-persistent installed, just apt-get install netfilter-persistent)

That's it.
Now if the VPN connection drops, all internet traffic passing through this VPN gateway will stop too.
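As an added example that is not code from this thread or from the linked gist: the ruleset above is written as a list of appended commands, which works but is fragile (a rule appended later lands after the catch-all DROP, and nothing verifies the state after a reboot). The script below, assuming the same layout as the posts (uplink/LAN interface eth0, tunnel tun0, LAN 192.168.0.0/24, VPN endpoint UDP/1194, all overridable by argument), generates an equivalent kill switch in iptables-restore format using DROP policies on OUTPUT and FORWARD plus the NAT and return-traffic rules a gateway needs, and includes a checker that reads `iptables-save` output and verifies the properties the kill switch depends on. The checker also accepts the thread's own layout (trailing `-o eth0 -j DROP` and `-i eth0 ! -o tun0 -j DROP`).

```shell
#!/bin/sh
# Added example for the DietPi VPN-gateway thread (not from the original posts).
# gen_killswitch   prints a complete ruleset for: gen_killswitch | iptables-restore
# check_killswitch reads iptables-save output on stdin, exits 0 if the kill switch holds.
# Assumed defaults (override via arguments): eth0 uplink/LAN, tun0 tunnel,
# LAN 192.168.0.0/24, VPN endpoint UDP/1194.

gen_killswitch() {
    wan_if=${1:-eth0}; tun_if=${2:-tun0}; lan_cidr=${3:-192.168.0.0/24}; vpn_port=${4:-1194}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients are NATed behind the tunnel address only; never masquerade out $wan_if.
-A POSTROUTING -o $tun_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# --- the gateway's own traffic: DROP policy, so ordering of later additions cannot bypass it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
# Covers SSH replies to LAN hosts too, so no unscoped "--sport 22" rule is needed.
-A OUTPUT -o $wan_if -d $lan_cidr -j ACCEPT
-A OUTPUT -o $wan_if -p udp --dport $vpn_port -j ACCEPT
-A OUTPUT -o $wan_if -p icmp -j ACCEPT
# DNS and NTP are needed before the tunnel exists (resolve the VPN hostname, sane clock
# for the TLS handshake), so they deliberately bypass it; switch resolvers once tun0 is up.
-A OUTPUT -o $wan_if -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan_if -p udp --dport 123 -j ACCEPT
# --- routed LAN traffic: only ever via the tunnel, plus its return path
-A FORWARD -i $wan_if -o $tun_if -j ACCEPT
-A FORWARD -i $tun_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

check_killswitch() {
    wan_if=${1:-eth0}; tun_if=${2:-tun0}
    rules=$(cat)     # iptables-save text
    status=0
    # 1. The gateway's own egress must end in DROP: either the chain policy or a
    #    trailing catch-all on the uplink, as in the thread's ruleset.
    if ! printf '%s\n' "$rules" | grep -Eq "^:OUTPUT DROP|^-A OUTPUT -o $wan_if -j DROP\$"; then
        echo "FAIL: OUTPUT has no default DROP for $wan_if (the Pi's own traffic can leak)"; status=1
    fi
    # 2. Routed LAN traffic must be dropped unless it leaves via the tunnel.
    if ! printf '%s\n' "$rules" | grep -Eq "^:FORWARD DROP|^-A FORWARD -i $wan_if ! -o $tun_if -j DROP\$"; then
        echo "FAIL: FORWARD lets LAN clients out via $wan_if when $tun_if is down"; status=1
    fi
    # 3. A blanket ACCEPT on the uplink ahead of the DROP would defeat check 1.
    if printf '%s\n' "$rules" | grep -Eq "^-A OUTPUT -o $wan_if -j ACCEPT\$"; then
        echo "FAIL: unrestricted ACCEPT on $wan_if in OUTPUT"; status=1
    fi
    # 4. Masquerading out the uplink would give forwarded traffic a working non-VPN path.
    if printf '%s\n' "$rules" | grep -Eq "^-A POSTROUTING -o $wan_if -j MASQUERADE\$"; then
        echo "FAIL: MASQUERADE on $wan_if (LAN traffic NATed outside the tunnel)"; status=1
    fi
    # 5. Show the flows that intentionally leave the tunnel so the leak surface is visible.
    printf '%s\n' "$rules" | grep -E "^-A OUTPUT -o $wan_if .*--dport (53|123) " \
        | sed 's/^/NOTE: bypasses tunnel: /' || true
    return $status
}

case "${1:-}" in
    gen)   shift; gen_killswitch "$@" ;;    # ./killswitch.sh gen | sudo iptables-restore
    check) shift; check_killswitch "$@" ;;  # sudo iptables-save | ./killswitch.sh check
esac
```

Run `./killswitch.sh gen | sudo iptables-restore` then `netfilter-persistent save` as in the post; after a reboot, `sudo iptables-save | ./killswitch.sh check` confirms the rules survived. A practical live test is to stop the OpenVPN service and confirm that `curl` from a LAN client and from the Pi itself both time out rather than succeed.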

Re: [SOLVED] DietPi as VPN Router

Posted: Thu Oct 05, 2017 6:05 am
by WarHawk
Yup, PiVPN took me a while due to it compiling the 2048-bit key, but once done... works like a champ!!!
Installed it on a Nano Pi NEO

Re: [SOLVED] DietPi as VPN Gateway

Posted: Thu Oct 05, 2017 8:57 am
by Sciamano
I'm sure PiVPN works perfectly, but please note that this tutorial has the purpose of creating a VPN Gateway so that other computers on your local network can access the internet using the Pi as a gateway, being protected by the VPN service.
This is not a tutorial to setup an OpenVPN server.

Re: [SOLVED] DietPi as VPN Gateway

Posted: Mon Oct 09, 2017 2:43 am
by WarHawk
Sciamano wrote:I'm sure PiVPN works perfectly, but please note that this tutorial has the purpose of creating a VPN Gateway so that other computers on your local network can access the internet using the Pi as a gateway, being protected by the VPN service.
This is not a tutorial to setup an OpenVPN server.
Right... I see that you were using your Pi VPN as a way to connect to an external system, then route all traffic through that... and if the VPN drops, block all traffic to ensure something doesn't get out by accident.

My apologies for not reading the entire thread fully and just a few of the last posts.

Very cool on your iptables howto/walkthrough... great job!