VPN connects but no transfer after Bullseye

cotarelo
Posts: 31
Joined: Mon May 11, 2020 10:39 pm

VPN connects but no transfer after Bullseye

Post by cotarelo »

Hi!

I am not sure when it happened but VPN stopped routing traffic. I believe it happened in some recent update. I tried uninstalling and reinstalling the openvpn package but I had no luck. The VPN gateway is responding and openvpn connects correctly, but once connected I can't access internal servers or browse the web.

I noticed that there are no rules in Iptables

Code:

root@DietPi:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
And I also have noticed a new ethernet interface has appeared, wg0, but I haven't installed any wireguard or other vpn, just openvpn.

Code:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.254  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::2247:47ff:feed:9fea  prefixlen 64  scopeid 0x20<link>
        ether 20:47:47:ed:9f:ea  txqueuelen 1000  (Ethernet)
        RX packets 1084368  bytes 139456012 (132.9 MiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1141382  bytes 228541390 (217.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7200000-f7220000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 67315  bytes 10935186 (10.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 67315  bytes 10935186 (10.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::2f29:9252:877a:b204  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 610 (610.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.6.0.1  netmask 255.255.255.0  destination 10.6.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 5  dropped 0 overruns 0  carrier 0  collisions 0
EDIT: Apparently I had the wireguard package installed. I removed the package but the interface is still there.
EDIT2: After uninstalling all wireguard packages I don't see the interface or the routing entry.

Here is my routing table

Code:

root@DietPi:~# route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.31.1    0.0.0.0         UG    0      0        0 eth0
10.6.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
What am I missing? How can I solve it?
trendy
Posts: 389
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN connects but no transfer after Bullseye

Post by trendy »

One thing is that the routing table shows that the default gateway is using .31.1, which I presume is your ISP router.
Second thing is that to use the vpn from other devices, traffic must be masqueraded on tun0 interface. Verify with iptables-save -c -t nat
Third, the forwarding must be enabled, verify with cat /proc/sys/net/ipv4/ip_forward
There is a route for the internal network .31.0/24, so you should be able to access the other devices in that lan.
cotarelo
Posts: 31
Joined: Mon May 11, 2020 10:39 pm

Re: VPN connects but no transfer after Bullseye

Post by cotarelo »

Code:

dietpi@DietPi:~$ cat /proc/sys/net/ipv4/ip_forward
1
dietpi@DietPi:~$ sudo iptables-save -c -t nat
# Generated by xtables-save v1.8.2 on Sat Nov 20 17:23:39 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Nov 20 17:23:39 2021
I keep connecting but without browsing... the weird thing is that installing the wireguard package and pivpn package works perfectly both with wireguard and openvpn backend. The standalone openvpn does not.

Code:

sudo route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.31.1    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.254  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::2247:47ff:feed:9fea  prefixlen 64  scopeid 0x20<link>
        ether 20:47:47:ed:9f:ea  txqueuelen 1000  (Ethernet)
        RX packets 11471  bytes 1584619 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13037  bytes 1658943 (1.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7200000-f7220000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1353  bytes 319265 (311.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1353  bytes 319265 (311.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::5ecd:f151:86ad:4c38  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 610 (610.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

It connects but doesn't browse...

I am trying to set up a hardware router so that it uses the openvpn connection, and it only seems to connect if I am using the standalone openvpn package; wireguard is not supported, and with pivpn there are some errors and the connection is not established.
trendy
Posts: 389
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN connects but no transfer after Bullseye

Post by trendy »

There is still something wrong with your configuration. The default gateway is the ISP router. Furthermore tun0 has 0 received (RX) packets, which means it is not working properly. Post the log from OpenVPN to see what the problem might be. Also verify which DNS is used.
cotarelo
Posts: 31
Joined: Mon May 11, 2020 10:39 pm

Re: VPN connects but no transfer after Bullseye

Post by cotarelo »

The connection from my mobile (in 4G) to the VPN is good, it connects. But I can't seem to reach the internal network. I think it's something related to iptables, as forwarding is enabled?

Code:

root@DietPi:/home/dietpi# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
(failed reverse-i-search)`echo': iptabl^C --list
root@DietPi:/home/dietpi# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
root@DietPi:/home/dietpi# /sbin/iptables-save > /etc/iptables/rules.v4
root@DietPi:/home/dietpi# route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.31.1    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@DietPi:/home/dietpi# /sbin/ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.254  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::2247:47ff:feed:9fea  prefixlen 64  scopeid 0x20<link>
        ether 20:47:47:ed:9f:ea  txqueuelen 1000  (Ethernet)
        RX packets 23571  bytes 3043694 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26598  bytes 3539766 (3.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7200000-f7220000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1782  bytes 374097 (365.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1782  bytes 374097 (365.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::b28d:fecd:24dc:b079  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 450 (450.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 
From the OpenVPN logs I can see only status.log, which is blank.

If I start OpenVPN via command line and connect from mobile this happens

Code:

root@DietPi:/etc/openvpn# /usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Sun Nov 21 00:54:43 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Sun Nov 21 00:54:43 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sun Nov 21 00:54:43 2021 Diffie-Hellman initialized with 2048 bit key
Sun Nov 21 00:54:43 2021 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=eth0 HWADDR=20:47:47:ed:9f:ea
Sun Nov 21 00:54:43 2021 TUN/TAP device tun0 opened
Sun Nov 21 00:54:43 2021 TUN/TAP TX queue length set to 100
Sun Nov 21 00:54:43 2021 /sbin/ip link set dev tun0 up mtu 1500
Sun Nov 21 00:54:43 2021 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Nov 21 00:54:43 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Nov 21 00:54:43 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Nov 21 00:54:43 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Nov 21 00:54:43 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Nov 21 00:54:43 2021 UDPv4 link remote: [AF_UNSPEC]
Sun Nov 21 00:54:43 2021 GID set to nogroup
Sun Nov 21 00:54:43 2021 UID set to nobody
Sun Nov 21 00:54:43 2021 MULTI: multi_init called, r=256 v=256
Sun Nov 21 00:54:43 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Nov 21 00:54:43 2021 Initialization Sequence Completed
Sun Nov 21 00:54:52 2021 176.80.133.166:51866 TLS: Initial packet from [AF_INET]176.80.133.166:51866, sid=f846d120 d9f17d44
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 VERIFY OK: depth=1, CN=ChangeMe
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 VERIFY OK: depth=0, CN=DietPi_OpenVPN_Client
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_VER=3.git::662eae9a:Release
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_PLAT=android
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_NCP=2
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_TCPNL=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_PROTO=2
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_LZO_STUB=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_COMP_STUB=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_COMP_STUBv2=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_AUTO_SESS=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_SSO=openurl
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 peer info: IV_BS64DL=1
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Nov 21 00:54:53 2021 176.80.133.166:51866 [DietPi_OpenVPN_Client] Peer Connection Initiated with [AF_INET]176.80.133.166:51866
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI: Learn: 10.8.0.6 -> DietPi_OpenVPN_Client/176.80.133.166:51866
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 MULTI: primary virtual IP for DietPi_OpenVPN_Client/176.80.133.166:51866: 10.8.0.6
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 PUSH: Received control message: 'PUSH_REQUEST'
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 SENT CONTROL [DietPi_OpenVPN_Client]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Nov 21 00:54:53 2021 DietPi_OpenVPN_Client/176.80.133.166:51866 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
trendy
Posts: 389
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN connects but no transfer after Bullseye

Post by trendy »

So the problem is on a VPN server, not client to a commercial VPN. This was not clear in the description.
The server is not pushing the local network to the client, only the vpn subnet.

Code:

SENT CONTROL [DietPi_OpenVPN_Client]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
cotarelo
Posts: 31
Joined: Mon May 11, 2020 10:39 pm

Re: VPN connects but no transfer after Bullseye

Post by cotarelo »

Any hints on how to fix it, or where do I add this config in OpenVPN?

This is the routing table from my mobile phone when I connect to the vpn

Code:

$ /system/bin/ip route
10.8.0.4/30 dev tun0 proto kernel scope link src 10.8.0.6
10.121.65.0/24 dev rmnet0 proto kernel scope link src 10.121.65.192
trendy
Posts: 389
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN connects but no transfer after Bullseye

Post by trendy »

Yeah, this is lacking the necessary routes.
One option is to configure the server to push a specific route:

Code:

push "route 192.168.31.0 255.255.255.0"
The other is to push the default gateway to the client so everything is routed via the tunnel.

Code:

push "redirect-gateway def1 bypass-dhcp"
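The three things checked across this thread (ip_forward, a MASQUERADE rule in the nat table, and whether server.conf pushes the LAN route or redirect-gateway) as one small audit script. This is an added example, not code from the thread, DietPi or OpenVPN; every function takes a file path so it can be run against saved output, and the default ip_forward path and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example: audit the checks from this thread against saved output.
# Defaults (assumed) point at the live Debian/DietPi locations.

# Kernel forwarding between eth0 and tun0 must be on (value "1").
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# nat table (iptables-save -t nat output): VPN clients need a POSTROUTING
# MASQUERADE for their subnet, otherwise LAN hosts cannot answer them.
check_masquerade() {
    file="$1"; vpn_net="$2"
    net_re=$(printf '%s' "$vpn_net" | sed 's/\./\\./g')
    grep -Eq "^-A POSTROUTING .*-s $net_re .*-j MASQUERADE" "$file"
}

# server.conf: 0 = pushes the LAN route (split tunnel), 1 = pushes
# redirect-gateway (full tunnel), 2 = pushes neither (the thread's problem).
check_pushed_route() {
    conf="$1"; lan="$2"; mask="$3"
    lan_re=$(printf '%s %s' "$lan" "$mask" | sed 's/\./\\./g; s/ /[[:space:]]+/')
    if grep -Eq "^push[[:space:]]+\"route[[:space:]]+$lan_re\"" "$conf"; then
        return 0
    elif grep -Eq '^push[[:space:]]+"redirect-gateway' "$conf"; then
        return 1
    fi
    return 2
}

# Demo on constructed sample files: the empty nat table seen in the thread,
# a fixed one, and server.conf before/after adding the LAN route push.
demo_dir=$(mktemp -d)
printf '*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n' > "$demo_dir/nat_empty"
printf '*nat\n-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$demo_dir/nat_fixed"
printf 'port 1194\npush "route 10.8.0.0 255.255.255.0"\n' > "$demo_dir/server_before.conf"
printf 'port 1194\npush "route 192.168.31.0 255.255.255.0"\n' > "$demo_dir/server_after.conf"
check_ip_forward && echo "ip_forward: on" || echo "ip_forward: OFF or unreadable"
for f in nat_empty nat_fixed; do
    check_masquerade "$demo_dir/$f" 10.8.0.0/24 && echo "$f: MASQUERADE present" || echo "$f: no MASQUERADE"
done
for f in server_before.conf server_after.conf; do
    status=0; check_pushed_route "$demo_dir/$f" 192.168.31.0 255.255.255.0 || status=$?
    echo "$f: push status $status (0 route, 1 redirect-gateway, 2 none)"
done
rm -rf "$demo_dir"
```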
cotarelo
Posts: 31
Joined: Mon May 11, 2020 10:39 pm

Re: VPN connects but no transfer after Bullseye

Post by cotarelo »

Thank you! Pushing the route in the server.conf works. I wonder why this worked in earlier versions of DietPi and I need to add it manually now.

I don't get what you mean in

Code:

push "redirect-gateway def1 bypass-dhcp"
so everything is routed by the tunnel. Isn't everything routed by the vpn tunnel when the client is connected? The idea of using this tunnel is faking that the location where I am connecting to the internet is my home instead of the place I am actually connecting from (I am using a wifi router with the vpn client enabled).
trendy
Posts: 389
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN connects but no transfer after Bullseye

Post by trendy »

This option is not something new; I remember it from more than 15 years ago, so if it wasn't there, it certainly couldn't have worked.
"Isn't everything routed by the vpn tunnel when the client is connected?"
Not by default. You can have a split tunnel (specific networks over vpn, others over regular internet) or a full tunnel (all over vpn). The redirect-gateway option is for the full tunnel, which is applicable in your use case.