Errr... can incorrect PiVPN setup block network access to DietPi? Topic is solved

MichaIng
Site Admin
Posts: 3216
Joined: Sat Nov 18, 2017 6:21 pm

Re: Errr... can incorrect PiVPN setup block network access to DietPi?

Post by MichaIng »

Probably while DietPi was updated to v7.4, the killswitch was enabled on v7.3 (which is not touched, unless re-set via dietpi-vpn). However, good that SSH works now as expected.

That any other incoming packets, not related to SSH (which we included explicitly with v7.4) or to an established connection (initiated from the Pi), are blocked, is by design when using a killswitch. We discussed whether to allow more or even all inbound connections, when seeing the killswitch as a prevention for outbound connections accidentally bypassing the VPN, while leaving inbound connections a matter of port forwarding, firewall etc. But when checking other killswitch implementations, usually either all inbound connections are blocked, or only selected ones whitelisted, like we do with SSH.

I think there is no one solution that meets it all and we may add a selection instead, i.e. selecting ports from an ss -tulpn list and whether to whitelist it for LAN or even WAN (in cases where the VPN provider supports port forwarding).

For now you can use the Edit Up option to allow LMS connections after the VPN connection has been established. For this add the following line:


iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
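The post above describes the killswitch as default-deny inbound with SSH and established connections whitelisted, and floats a per-port LAN/WAN selection. The script below is an added example (not dietpi-vpn's own code) that builds exactly that kind of INPUT ruleset: SSH from anywhere, selected service ports from the LAN only, with malformed entries rejected before anything is applied. It assumes a LAN of 192.168.1.0/24 and that LMS uses tcp/9000 for its web interface plus tcp and udp 3483 for the player protocol and discovery; adjust both to your network.

```shell
#!/bin/sh
# Added example, not DietPi/dietpi-vpn code. Builds a killswitch INPUT policy:
# drop unsolicited inbound, allow loopback, established/related, SSH from
# anywhere, and chosen service ports only from the local LAN.
# Assumptions (adjust): LAN 192.168.1.0/24; LMS on tcp/9000, tcp+udp/3483.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
LMS_PORTS="tcp:9000 tcp:3483 udp:3483"

# Accept only "tcp:PORT" or "udp:PORT" with a numeric port in 1..65535.
valid_entry() {
  case "$1" in tcp:*|udp:*) ;; *) return 1 ;; esac
  port="${1#*:}"
  [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ]
}

# One ACCEPT rule for a whitelist entry, restricted to the LAN source range.
lan_rule() {
  printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
    "$LAN_CIDR" "${1%%:*}" "${1#*:}"
}

# Print the full ruleset; $1 is a space-separated list of proto:port entries.
# Validates every entry first so a typo never leaves a half-applied policy.
# ACCEPT rules come before the DROP policy so an SSH session is never cut.
killswitch_rules() {
  for entry in $1; do
    valid_entry "$entry" || { echo "bad whitelist entry: $entry" >&2; return 1; }
  done
  printf 'iptables -A INPUT -i lo -j ACCEPT\n'
  printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$SSH_PORT"
  for entry in $1; do lan_rule "$entry"; done
  printf 'iptables -P INPUT DROP\n'
}

# Dry run by default (prints the plan); apply for real only with --apply as root.
if [ "${1:-}" = "--apply" ]; then
  killswitch_rules "$LMS_PORTS" | sh -e
else
  killswitch_rules "$LMS_PORTS"
fi
```

Run it without arguments to review the generated rules before pasting them into the Edit Up hook; the rules are plain iptables commands, so they slot into that hook in place of the single line above.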
hoverdonkey
Posts: 30
Joined: Sun Jul 12, 2020 2:32 pm

Re: Errr... can incorrect PiVPN setup block network access to DietPi?

Post by hoverdonkey »

Joulinar wrote: Thu Sep 02, 2021 10:32 pm Yep that's working as designed if I'm not mistaken.

@MichaIng
Should we allow more access on the local network if VPN/Killswitch is enabled? Or at least create a docs entry on how to add more services to the whitelist for local access?
Thanks for confirming
hoverdonkey
Posts: 30
Joined: Sun Jul 12, 2020 2:32 pm

Re: Errr... can incorrect PiVPN setup block network access to DietPi?

Post by hoverdonkey »

MichaIng wrote: Fri Sep 03, 2021 10:41 am Probably while DietPi was updated to v7.4, the killswitch was enabled on v7.3 (which is not touched, unless re-set via dietpi-vpn). However, good that SSH works now as expected.

That any other incoming packets, not related to SSH (which we included explicitly with v7.4) or to an established connection (initiated from the Pi), are blocked, is by design when using a killswitch. We discussed whether to allow more or even all inbound connections, when seeing the killswitch as a prevention for outbound connections accidentally bypassing the VPN, while leaving inbound connections a matter of port forwarding, firewall etc. But when checking other killswitch implementations, usually either all inbound connections are blocked, or only selected ones whitelisted, like we do with SSH.

I think there is no one solution that meets it all and we may add a selection instead, i.e. selecting ports from an ss -tulpn list and whether to whitelist it for LAN or even WAN (in cases where the VPN provider supports port forwarding).

For now you can use the Edit Up option to allow LMS connections after the VPN connection has been established. For this add the following line:


iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
Many thanks for your reply. I have just managed to try your suggested Edit Up line properly. With it I can access LMS with killswitch applied. Yay. However...

A new party-pooping issue appears. With killswitch enabled, LMS cannot see any players on the network. I have two players: PiCorePlayer running on another Pi3 (on wi-fi) and Squeezelite-X running on a Windows PC (on ethernet).

Further observations: If I disable Killswitch and hit Apply, LMS still does not see players. If I then reboot the DietPi machine it is then fine. If I then enable Killswitch and hit Apply, LMS can still see the players, but when I reboot it then cannot. VPN shows as connected for all of this. This raises another noob question - does this mean that killswitch is only effective after a reboot? VPN
hoverdonkey
Posts: 30
Joined: Sun Jul 12, 2020 2:32 pm

Re: Errr... can incorrect PiVPN setup block network access to DietPi?

Post by hoverdonkey »

hoverdonkey wrote: Sat Sep 04, 2021 8:18 pm
MichaIng wrote: Fri Sep 03, 2021 10:41 am Probably while DietPi was updated to v7.4, the killswitch was enabled on v7.3 (which is not touched, unless re-set via dietpi-vpn). However, good that SSH works now as expected.

That any other incoming packets, not related to SSH (which we included explicitly with v7.4) or to an established connection (initiated from the Pi), are blocked, is by design when using a killswitch. We discussed whether to allow more or even all inbound connections, when seeing the killswitch as a prevention for outbound connections accidentally bypassing the VPN, while leaving inbound connections a matter of port forwarding, firewall etc. But when checking other killswitch implementations, usually either all inbound connections are blocked, or only selected ones whitelisted, like we do with SSH.

I think there is no one solution that meets it all and we may add a selection instead, i.e. selecting ports from an ss -tulpn list and whether to whitelist it for LAN or even WAN (in cases where the VPN provider supports port forwarding).

For now you can use the Edit Up option to allow LMS connections after the VPN connection has been established. For this add the following line:


iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
Many thanks for your reply. I have just managed to try your suggested Edit Up line properly. With it I can access LMS with killswitch applied. Yay. However...

A new party-pooping issue appears. With killswitch enabled, LMS cannot see any players on the network. I have two players: PiCorePlayer running on another Pi3 (on wi-fi) and Squeezelite-X running on a Windows PC (on ethernet).

Further observations: If I disable Killswitch and hit Apply, LMS still does not see players. If I then reboot the DietPi machine it is then fine. If I then enable Killswitch and hit Apply, LMS can still see the players, but when I reboot it then cannot. VPN shows as connected for all of this. This raises another noob question - does this mean that killswitch is only effective after a reboot? VPN


I have found another solution - I have worked out how to set up a VPN connection to Nord on my router (Asuswrt-Merlin) and assign my DietPi IP address to it. It is working fine with its killswitch enabled.

It would still be good to know if the killswitch on PiVPN is indeed a dead-end for me & LMS or not, as I thought it might be better to put the CPU load on the Pi, but I don't think it's really a huge deal either way.

Many thanks again for your help on this.