[SOLVED] DietPi as VPN Gateway

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

[SOLVED] DietPi as VPN Gateway

Post by Sciamano »

Hello, I've been trying to make a VPN Gateway based on DietPi.
I have installed DietPi on my Raspberry Pi because I want a very minimal system, and then I've followed this tutorial:

https://gist.github.com/superjamie/ac55b6d2c080582a3e64

Unfortunately it does not seem to work: I can manually start a VPN connection with the command:

Code:

openvpn --config /etc/openvpn/config.conf

but that's it.
I can't make it start automatically as a service, and most of all, as soon as I get to the "Setup Routing and NAT" and "VPN Kill Switch" sections nothing works anymore.
After I reboot, the VPN connection won't be established, and it exits.

Here are a couple of logs:

Code:

root@DietPi:~# systemctl status openvpn@de77.nordvpn.com.udp1194
openvpn@de77.nordvpn.com.udp1194.service - OpenVPN connection to de77.nordvpn.com.udp1194
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
   Active: failed (Result: exit-code) since Thu 2017-08-31 15:46:22 CEST; 6min ago
  Process: 452 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=1/FAILURE)

Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.

Code:

root@DietPi:~# journalctl -u openvpn@de77.nordvpn.com.udp1194
-- Logs begin at Thu 2017-08-31 15:46:12 CEST, end at Thu 2017-08-31 15:47:35 CEST. --
Aug 31 15:46:21 DietPi systemd[1]: Starting OpenVPN connection to de77.nordvpn.com.udp1194...
Aug 31 15:46:22 DietPi systemd[1]: openvpn@de77.nordvpn.com.udp1194.service: control process exited, code=exited status=1
Aug 31 15:46:22 DietPi systemd[1]: Failed to start OpenVPN connection to de77.nordvpn.com.udp1194.
Aug 31 15:46:22 DietPi systemd[1]: Unit openvpn@de77.nordvpn.com.udp1194.service entered failed state.

[EDIT]
Here is something that might be useful... after following the "Setup Routing and NAT" and "VPN Kill Switch" sections, it seems like the Pi is not able to establish a VPN connection anymore, as it outputs this error, even when I try to connect to the VPN manually:

Code:

Thu Aug 31 17:19:52 2017 UDPv4 link remote: [AF_INET]185.143.230.230:1194
Thu Aug 31 17:19:52 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:54 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:19:58 2017 write UDPv4: Operation not permitted (code=1)
Thu Aug 31 17:20:06 2017 write UDPv4: Operation not permitted (code=1)

It looks to me like, when I input the iptables rules, something goes wrong and this UDPv4 write permission gets denied.
Any suggestions? Thanks

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

Re: DietPi as VPN Router

Post by Sciamano »

OK, two findings so far, after checking step by step:

1. The section of the tutorial called "Enable VPN at boot" is useless and harmful; it must be skipped.

2. The section of the tutorial called "VPN Kill Switch" disrupts something, and the result is that the connection is not started and fails with the infamous "write UDPv4: Operation not permitted (code=1)" error.

Summing it up, the tutorial works only partially, by skipping the sections "Enable VPN at boot" and "VPN Kill Switch". Skipping these parts, the Pi correctly connects to the VPN at boot, which is a good thing. :)

It would be nice if someone who understands iptables were able to solve this, as blocking all the outbound traffic if/when the VPN is not connected would be a GREAT security feature to be implemented.

corun
Posts: 14
Joined: Wed Aug 16, 2017 11:10 pm

Re: DietPi as VPN Router

Post by corun »

I use PiVPN and it works like a charm; the install takes like 2 minutes, only the key generation takes some time. But once the encrypted key is done generating, all you have to do is generate as many "clients" as you want, then you get an OVPN file that you can use with pretty much any device :)

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

Re: DietPi as VPN Router

Post by Sciamano »

Thanks, but piVPN does a different thing: it creates an openvpn SERVER.
I want an always-on openvpn CLIENT connected to my VPN service, to be used as a gateway (so that other devices can use this gateway to access the internet through this secure connection).

k-plan
Posts: 416
Joined: Sun Feb 28, 2016 4:28 pm

Re: DietPi as VPN Router

Post by k-plan »

Hi Sciamano,

Sciamano wrote:Thanks, but piVPN does a different thing: it creates an openvpn SERVER.
I want an always-on openvpn CLIENT connected to my VPN service, to be used as a gateway (so that other devices can use this gateway to access the internet through this secure connection).

Have you read or tried this? Tunnel DietPi through VPN

and: Running OpenVPN client process as daemon after boot

Sciamano wrote:Any suggestions? Thanks

I don't know much about nordvpn.com, nor have I tried to use it.
But it would be a good idea to start from scratch, after you have done some unsuccessful tries with an untested tutorial.

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

Re: DietPi as VPN Router

Post by Sciamano »

Sorry for the long delay, I was enjoying my long-overdue holidays... thanks for the links, I'll check them out.

Sciamano wrote:Any suggestions? Thanks

I don't know much about nordvpn.com, nor have I tried to use it.
But it would be a good idea to start from scratch, after you have done some unsuccessful tries with an untested tutorial.

I don't think it's any different from any other VPN service: they have lots of servers and you just need to choose the corresponding .ovpn file.

EDIT: I've gone through the links you posted, and basically they achieve the same goal as the tutorial I was following. So, basically, the tutorial I've followed reached the same goals in a slightly different way. What I would like to do, though, is to stop all internet traffic when/if the VPN connection drops, in order to avoid "unprotected" traffic.
The part of the tutorial that should achieve this is not working... is there any chance of finding a way to achieve this?
Thanks.

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

Re: [SOLVED] DietPi as VPN Router

Post by Sciamano »

For anyone interested, the tutorial linked in the first post works, but a few modifications need to be made.

When you get to this part:

SETUP VPN KILL-SWITCH

check and edit the IP address to your subnet, and the ports to those used by your VPN Provider. For my network and my VPN provider (NordVPN) these were the right settings:

Code:

iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m comment --comment "icmp" -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -o eth0 -m comment --comment "lan" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -o eth0 -j DROP

Also, the following rule needs to be added to the above code, otherwise the kill-switch won't work:

Code:

iptables -I FORWARD -i eth0 ! -o tun0 -j DROP

And save so these iptables rules get applied at reboot:

Code:

netfilter-persistent save

(in case you don't have netfilter-persistent installed, just apt-get install netfilter-persistent)

That's it.
Now if the VPN connection drops, all internet traffic passing through this VPN gateway will stop too.

WarHawk
Posts: 555
Joined: Thu Jul 20, 2017 7:55 am

Re: [SOLVED] DietPi as VPN Router

Post by WarHawk »

Yup..piVPN took me a while due to it compiling the 2048 bit key, but once done...works like a champ!!!
Installed it on a Nano Pi NEO

Sciamano
Posts: 264
Joined: Sat Oct 15, 2016 11:18 am
Location: Italy

Re: [SOLVED] DietPi as VPN Gateway

Post by Sciamano »

I'm sure piVPN works perfectly, but please note that this tutorial has the purpose of creating a VPN Gateway so that other computers on your local network can access the internet using the Pi as a gateway, being protected by the VPN service.
This is not a tutorial to set up an OpenVPN server.

WarHawk
Posts: 555
Joined: Thu Jul 20, 2017 7:55 am

Re: [SOLVED] DietPi as VPN Gateway

Post by WarHawk »

Sciamano wrote:I'm sure piVPN works perfectly, but please note that this tutorial has the purpose of creating a VPN Gateway so that other computers on your local network can access the internet using the Pi as a gateway, being protected by the VPN service.
This is not a tutorial to set up an OpenVPN server.

Right... I see that you were using your PiVPN as a way to connect to an external system, then route all traffic through that, and if the VPN drops, block all traffic to ensure something doesn't get out by accident.

My apologies for not reading the entire thread fully and just a few of the last posts.

Very cool on your iptables howto/walkthrough... great job!