Can't SSH after enabling dietpi-vpn killswitch [Topic is solved]

vbarter
Posts: 19
Joined: Mon Feb 17, 2020 10:15 am

Can't SSH after enabling dietpi-vpn killswitch

Post by vbarter »

Hey the new dietpi-vpn addition to v7.2 is great but I'm having issues with the killswitch.

I am able to enable it after it automatically installs iptables, but upon a reboot I'm unable to connect to my Raspberry Pi 4. I see it successfully connect to my router, but it is unresponsive via SSH after turning on killswitch and rebooting. What settings should I be changing to allow SSH? I'm assuming I need to adjust iptables? I'm trying to do a headless setup
trendy
Posts: 340
Joined: Tue Feb 25, 2020 2:54 pm

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by trendy »

Are you running ssh daemon on the regular port 22 or some custom port?
vbarter
Posts: 19
Joined: Mon Feb 17, 2020 10:15 am

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by vbarter »

Should be port 22, I did a fresh install of dietpi and went straight to configuring dietpi-vpn
vbarter
Posts: 19
Joined: Mon Feb 17, 2020 10:15 am

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by vbarter »

trendy wrote: Mon May 31, 2021 9:45 am Are you running ssh daemon on the regular port 22 or some custom port?
Should be port 22, I did a fresh install of dietpi and went straight to configuring dietpi-vpn
trendy
Posts: 340
Joined: Tue Feb 25, 2020 2:54 pm

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by trendy »

@MichaIng I think the current killswitch is lacking ssh for remote administration.
@vbarter edit /var/lib/dietpi/dietpi-vpn/killswitch.rules and add:

-A INPUT -s 192.168.0.0/16 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT


before the last line with COMMIT
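A way to script the edit trendy describes (an added example, not DietPi's own code): it inserts the three LAN-only SSH rules above the final COMMIT of an iptables-restore file such as /var/lib/dietpi/dietpi-vpn/killswitch.rules, skipping any rule that is already present so it can be re-run safely. The sample rules file embedded below, including its DROP policy lines, is constructed for the demo and is not the real killswitch.rules.

```python
from pathlib import Path

# The three INPUT rules from the post above: allow NEW TCP/22 from RFC 1918 ranges only.
SSH_RULES = [
    "-A INPUT -s 192.168.0.0/16 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 172.16.0.0/12 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT",
]

# Constructed stand-in for killswitch.rules (the policy lines are an assumption).
KILLSWITCH_SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def add_rules_before_commit(text: str, rules=SSH_RULES) -> str:
    """Return `text` with any missing `rules` inserted just above the last COMMIT."""
    lines = text.splitlines()
    commits = [i for i, line in enumerate(lines) if line.strip() == "COMMIT"]
    if not commits:
        raise ValueError("no COMMIT line: not an iptables-restore rules file")
    present = {line.strip() for line in lines}
    missing = [r for r in rules if r not in present]  # keeps the edit idempotent
    lines[commits[-1]:commits[-1]] = missing
    return "\n".join(lines) + "\n"


def patch_rules_file(path: Path, rules=SSH_RULES) -> bool:
    """Rewrite `path` in place (keeping a .bak copy); True if anything changed."""
    original = path.read_text()
    updated = add_rules_before_commit(original, rules)
    if updated == original:
        return False
    path.with_suffix(path.suffix + ".bak").write_text(original)
    path.write_text(updated)
    return True


if __name__ == "__main__":
    print(add_rules_before_commit(KILLSWITCH_SAMPLE))
```

After patching the real file, reload it with the killswitch's own enable step (or iptables-restore) rather than editing the live tables by hand, so the file and the running rules stay in sync.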
ravenclaw900
Posts: 19
Joined: Sat Jan 09, 2021 4:05 pm

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by ravenclaw900 »

The killswitch should allow any requests coming from the LAN. @vbarter, could you post the output of:

hostname -i
vbarter
Posts: 19
Joined: Mon Feb 17, 2020 10:15 am

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by vbarter »

ravenclaw900 wrote: Mon May 31, 2021 7:15 pm The killswitch should allow any requests coming from the LAN. @vbarter, could you post the output of:

hostname -i
root@DietPi:~# hostname -i
127.0.1.1



Should I make those edits to the killswitch file in the comment above?
ravenclaw900
Posts: 19
Joined: Sat Jan 09, 2021 4:05 pm

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by ravenclaw900 »

Sorry, my bad. Could you post:

hostname -I
instead? Those edits probably won't change anything, but if you want to try you can.
vbarter
Posts: 19
Joined: Mon Feb 17, 2020 10:15 am

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by vbarter »

ravenclaw900 wrote: Mon May 31, 2021 8:11 pm Sorry, my bad. Could you post:

hostname -I
instead? Those edits probably won't change anything, but if you want to try you can.
root@DietPi:~# hostname -I
192.168.1.108 10.8.8.11

The first IP is my local IP on my network, 2nd is the VPN external IP



Pi works fine with SSH with killswitch turned off so I don't dare turn it on for now.
MichaIng
Site Admin
Posts: 3089
Joined: Sat Nov 18, 2017 6:21 pm

Re: Can't SSH after enabling dietpi-vpn killswitch

Post by MichaIng »

It is all as intended (while probably not as wanted):

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d $VPN_SERVER -p $PROTOCOL --dport $VPN_PORT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
So incoming packets are only allowed from the loopback interface (so the system can connect to locally running servers) and from established connections. With this it is impossible to initiate a connection from anywhere else.

The killswitch's major task is to prevent the system from doing WAN connections as soon as the VPN tunnel is down. Wouldn't it hence be okay to simply allow ANY incoming packet? For LAN connections there is generally no issue with this, is there? For WAN connections, as long as the VPN is up, the system is anyway forced by routes to "answer" through the tunnel, hence practically also inbound www connections are only possible through the tunnel, which most VPN providers do not support (port forwarding through the VPN), but some do, which is then great to have support for. As soon as the VPN is down, the iptables OUTPUT rules still prevent the system from answering to WAN, so while incoming packets can arrive, they do not lead to working connections? Or would this imply paths to bypass the killswitch, or weaken it otherwise?
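To make the reading of the rules above concrete (an added example, not DietPi's code): a small model of iptables first-match evaluation over the quoted ruleset, assuming a DROP policy on INPUT and OUTPUT and a placeholder VPN server 203.0.113.10 udp/1194 in place of $VPN_SERVER/$PROTOCOL/$VPN_PORT. The packet descriptions are constructed. It shows a NEW SSH connection from the LAN dropped by INPUT, accepted once trendy's rule is appended, and OUTPUT to a WAN address dropped on eth0 (even for an ESTABLISHED flow) but accepted on tun0, which is the behaviour MichaIng describes.

```python
import ipaddress
import shlex

MATCH_OPTS = ("-i", "-o", "-s", "-d", "-p", "--dport", "--ctstate", "-j")

# The filter rules quoted in the post, with assumed placeholder values for
# $VPN_SERVER/$PROTOCOL/$VPN_PORT (not from the page).
KILLSWITCH = [
    "-A OUTPUT -o lo -j ACCEPT",
    "-A OUTPUT -o tun0 -j ACCEPT",
    "-A OUTPUT -d 192.168.0.0/16 -j ACCEPT",
    "-A OUTPUT -d 172.16.0.0/12 -j ACCEPT",
    "-A OUTPUT -d 10.0.0.0/8 -j ACCEPT",
    "-A OUTPUT -d 203.0.113.10 -p udp --dport 1194 -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
]
# trendy's fix for one LAN range: let NEW SSH connections in from 192.168/16.
SSH_FROM_LAN = "-A INPUT -s 192.168.0.0/16 -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT"


def parse(rule: str) -> dict:
    """Turn '-A CHAIN <matches> -j TARGET' into a dict of option -> value."""
    tokens = shlex.split(rule)
    spec = {"chain": tokens[1]}
    for i in range(2, len(tokens), 2):  # every token is an option/value pair
        if tokens[i] in MATCH_OPTS:      # '-m conntrack' loads a module, no criterion itself
            spec[tokens[i]] = tokens[i + 1]
    return spec


def matches(spec: dict, pkt: dict) -> bool:
    """pkt keys: iface (the -i or -o side of its chain), src, dst, proto, dport, state."""
    for opt in ("-i", "-o"):
        if opt in spec and pkt["iface"] != spec[opt]:
            return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in spec and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(spec[opt], strict=False):
            return False
    if "-p" in spec and pkt["proto"] != spec["-p"]:
        return False
    if "--dport" in spec and pkt["dport"] != int(spec["--dport"]):
        return False
    if "--ctstate" in spec and pkt["state"] not in spec["--ctstate"].split(","):
        return False
    return True


def verdict(chain: str, pkt: dict, rules=KILLSWITCH, policy="DROP") -> str:
    """First matching rule in `chain` wins; otherwise the chain policy applies."""
    for spec in map(parse, rules):
        if spec["chain"] == chain and matches(spec, pkt):
            return spec["-j"]
    return policy
```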