No internet when connected to VPS using pIA

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

nuentes
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 10, 2017 11:24 pm

No internet when connected to VPS using pIA

Post by nuentes » Mon Jul 10, 2017 11:36 pm

Ok, I'm not great with networking, but I'm trying to learn some things.

I got OpenVPN setup and Pi-Hole running on my Pi B+ by using https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation. This worked great! Pi-Hole was working, and I was able to load youtube videos on my laptop using the Pi as a gateway. My next step was to connect the Pi to my PIA VPN. I very nearly just installed the PIA app, and then realized that was silly, so I found https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/ that connects with OpenVPN (except obviously skipping over the bits I had already done). However, once I connected the Pi to PIA, my laptop was no longer able to load pages. Any time I disconnected from PIA, the laptop would begin working again. While connected to PIA, the Pi is able to load pages and I have a different external IP, so I know that end is working. Also, before connecting to PIA, Pi-hole was working as a DNS service. It blocked a bunch of stuff that I know I was only loading on the laptop. However, when the VPN is connected on the Pi and I set 192.168.1.11 (the local IP of my Pi-Hole) as my router's DNS server, my internet comes to a screeching halt, and I get DNS errors when trying to load basic (unblocked) pages.

I figured the issue was related to the "To Enable Forwarding" section of the 2nd guide, so I double, triple, and quadruple checked that "net.ipv4.ip_forward=1" was not commented out in the /etc/sysctl.conf file. I'm not really bright enough to know what I'm missing at this point, and so since I didn't see any guides that did BOTH of the things, I'm a bit at a loss now. Any ideas? Let me know if you need logs - I wouldn't even know where to start.

Also, I just realized after I rebooted the Pi, that my VPN connection to PIA is persistent now, and I realized I have absolutely no idea how to disconnect it without the active terminal open, and I figured that's something I should know...

nuentes
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 10, 2017 11:24 pm

Re: No internet when connected to VPS using pIA

Post by nuentes » Tue Jul 11, 2017 1:33 am

$ uname -a
Linux PI-HOLE 4.9.35+ #1014 Fri Jun 30 14:34:49 BST 2017 armv6l GNU/Linux

$ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:df:85:0b  
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10452552 errors:0 dropped:2777 overruns:0 frame:0
          TX packets:2454046 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:414647273 (395.4 MiB)  TX bytes:452776263 (431.8 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:95646 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95646 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:6865093 (6.5 MiB)  TX bytes:6865093 (6.5 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::af3:163c:f4f7:bf17/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2086 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:764077 (746.1 KiB)  TX bytes:923276 (901.6 KiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.94.10.6  P-t-P:10.94.10.5  Mask:255.255.255.255
          inet6 addr: fe80::db1f:933d:f8ca:6a0e/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:71854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36540 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:84254632 (80.3 MiB)  TX bytes:6133459 (5.8 MiB)

tun2      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.62.10.6  P-t-P:10.62.10.5  Mask:255.255.255.255
          inet6 addr: fe80::8321:d4b4:61ed:50fc/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:12456 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15713 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:8849883 (8.4 MiB)  TX bytes:2924975 (2.7 MiB)
server.conf

port 1194
proto tcp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: No internet when connected to VPS using pIA

Post by TinCanTech » Tue Jul 11, 2017 11:39 am

Openvpn cannot do what you want, you need more tools.

Google policy based routing for openvpn

nuentes
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 10, 2017 11:24 pm

Re: No internet when connected to VPS using pIA

Post by nuentes » Tue Jul 11, 2017 9:48 pm

Really? Perhaps you are misunderstanding what I want? I mean, I'll explain it in layman's terms, which is sadly my only choice:

I want to send my internal traffic passing through tun0 outside through tun1. Right now, when I have tun1 disabled, my traffic is being sent out through eth0. BUT, when tun1 is enabled, my traffic dead ends at the end of tun0. So OpenVPN cannot do this?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: No internet when connected to VPS using pIA

Post by TinCanTech » Tue Jul 11, 2017 10:50 pm

nuentes wrote: I'll explain it in layman's terms, which is sadly my only choice:

I want to send my internal traffic passing through tun0 outside through tun1. Right now, when I have tun1 disabled, my traffic is being sent out through eth0. BUT, when tun1 is enabled, my traffic dead ends at the end of tun0. So OpenVPN cannot do this?
Exactly.
TinCanTech wrote: Google policy based routing for openvpn
And read about --redirect-gateway
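The policy-based routing TinCanTech points to, written out as an added example (it is not code from the thread or from either guide). The idea: the Pi keeps its own default route on eth0, so the PIA client is started with route-nopull and its pushed redirect-gateway is never installed; forwarded packets that arrive on tun0 are looked up in a separate routing table whose only default route is tun1; and a prohibit route at a worse metric in that table takes over when tun1 disappears, so client traffic is refused rather than leaking out via eth0. The interface names, the 192.168.1.0/24 prefix, table number 100 and the path /etc/openvpn/pbr.sh are assumptions taken from the ifconfig output above.

```shell
#!/bin/sh
# pbr.sh: policy-based routing for "OpenVPN server on tun0, PIA client on tun1".
# Added example, not code from the thread.  Assumed: tun0 = OpenVPN server
# (10.8.0.0/24), tun1 = PIA client, eth0/192.168.1.0/24 = LAN, routing
# table 100, script installed as /etc/openvpn/pbr.sh.
#
# PIA client config additions (assumed):
#   route-nopull                     # do not install PIA's pushed redirect-gateway
#   script-security 2
#   route-up "/etc/openvpn/pbr.sh up"
#
# Usage:  pbr.sh install   once at boot: policy rule, kill-switch route, firewall
#         pbr.sh up        from route-up: (re)install the tunnel route
#         DRY_RUN=1 pbr.sh install|up   print the commands instead of running them

INNER=${INNER:-tun0}
OUTER=${dev:-tun1}       # OpenVPN exports $dev to route-up scripts
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
TABLE=${TABLE:-100}

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append an iptables rule only if an identical one is not already present,
# so "install" can be re-run without stacking duplicates.
ipt_once() {
    t=$1; shift
    if [ -n "$DRY_RUN" ]; then printf 'iptables -t %s -A %s\n' "$t" "$*"; return 0; fi
    iptables -t "$t" -C "$@" 2>/dev/null || iptables -t "$t" -A "$@"
}

pbr_install() {
    # Only packets that ARRIVE on tun0 (forwarded client traffic) consult
    # table 100.  The Pi's own traffic, Pi-hole's replies to 10.8.0.x and the
    # OpenVPN server itself keep using the main table, whose default route
    # stays on eth0 because of route-nopull.
    run ip rule del iif "$INNER" lookup "$TABLE" priority 100 2>/dev/null
    run ip rule add iif "$INNER" lookup "$TABLE" priority 100
    # Kill switch: when tun1 goes away the kernel deletes its route and this
    # prohibit route takes over, so client traffic is refused instead of
    # silently falling back to eth0 and the ISP.
    run ip route replace prohibit default table "$TABLE" metric 1000
    # Clients may still reach LAN hosts without going through PIA.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    # Firewall: default-deny forwarding; tun0 -> tun1 plus replies only.
    # Nothing is ever forwarded to eth0, and NAT happens on tun1 alone, so
    # packets leave with tun1's own address (the only one PIA routes back).
    run iptables -P FORWARD DROP
    ipt_once filter FORWARD -i "$INNER" -o "$OUTER" -j ACCEPT
    ipt_once filter FORWARD -i "$OUTER" -o "$INNER" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt_once nat POSTROUTING -o "$OUTER" -j MASQUERADE
}

pbr_route_up() {
    # Runs each time the PIA tunnel comes up.  tun1 is point-to-point, so
    # "dev tun1" is a complete route; no gateway address is needed.
    run ip route replace default dev "$OUTER" table "$TABLE" metric 50
    # Replies from the internet arrive on tun1 while the main table says the
    # internet is via eth0; strict reverse-path filtering would drop them.
    # Loose mode (2) accepts a source that is reachable via any interface.
    run sysctl -qw "net.ipv4.conf.$OUTER.rp_filter=2"
}

case "${1:-}" in
    install) pbr_install ;;
    up)      pbr_route_up ;;
esac
```

Two caveats a practitioner would want. First, the rule is keyed on iif tun0, so Pi-hole's own upstream queries (which originate on the Pi) still leave via eth0 and the ISP; routing those through PIA as well needs a packet mark (iptables -m owner --uid-owner for the pihole user, then an ip rule on that fwmark). Second, the ifconfig output above shows both tun1 and tun2 with PIA-style /32 addresses, i.e. two PIA client instances running at once; the Debian openvpn package starts every /etc/openvpn/*.conf at boot, which is why the connection became persistent after the reboot, and systemctl stop openvpn@<name> (or AUTOSTART in /etc/default/openvpn) is the way to stop it without a terminal open.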

nuentes
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 10, 2017 11:24 pm

Re: No internet when connected to VPS using pIA

Post by nuentes » Tue Jul 11, 2017 11:24 pm

Hm - so... is what I'm trying to do... um... atypical? Am I going about this all wrong? Again, I'm not that great with networking, and I figured what I was trying to do was pretty common.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: No internet when connected to VPS using pIA

Post by TinCanTech » Tue Jul 11, 2017 11:30 pm

It is a common question .. I have provided adequate pointers .. your turn.

There are some good books listed on this site for that kind of thing.

nuentes
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 10, 2017 11:24 pm

Re: No internet when connected to VPS using pIA

Post by nuentes » Wed Jul 12, 2017 11:06 pm

Would it be possible to do this with iptables? I've been playing around with that, and I definitely have them forwarding now, but it's still dead ending somewhere. Anyway, I realized the iptables I got from the 2nd guide I posted were incorrect for my situation, so I removed them all and then added the following:

sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i tun0 -m comment --comment "In from Internal VPN" -j ACCEPT
sudo iptables -I OUTPUT -o tun1 -m comment --comment "Out to PIA" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o tun1 -m comment --comment "Internal VPN out to PIA" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
and then ran this on the client:

$ curl http://google.com:22002
And tcpdump now shows this on the server:

$ sudo tcpdump -tttnei tun0 port 22002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
 00:00:00.000000 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.219789 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:03.168813 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.006512 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:05.606792 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 65535, options [mss 1306,nop,nop,sackOK], length 0
 00:00:00.216793 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

$ sudo tcpdump -tttnei tun1 port 22002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
 00:00:00.000000 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.220061 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:03.168799 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.010287 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:05.602914 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 65535, options [mss 1306,nop,nop,sackOK], length 0
 00:00:00.216759 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
So the query is coming into the server from ip 10.8.0.2 in tun0, which is the IP address my client laptop has been assigned by OpenVPN, and it looks like that is trying to go directly to google. But then I see in tun1 the IP address assigned to the server, and that is being sent to google as well. I mean... it certainly looks promising to me. What's your take? Thanks for the help, by the way.
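A way to read the two captures above, as an added example that is not part of the thread. Forwarding clearly works now: every SYN that enters on tun0 leaves on tun1. What is wrong is the address it leaves with. On tun1 the source is 192.168.1.11, the eth0 address, not tun1's own 10.94.10.6, and not a single packet comes back. The PIA end only knows 10.94.10.6, so a SYN carrying any other source gets no reply, which is exactly the "dead end". A plain -o tun1 -j MASQUERADE would have picked 10.94.10.6, so something else in the nat table rewrote the source first; the place to look is iptables -t nat -S POSTROUTING for a leftover SNAT rule from the earlier guide. The check below reads a tcpdump -tttn capture taken on the egress tunnel and flags both symptoms. Its sample input is constructed: two of the tun1 lines from the post plus an invented healthy DNS exchange on 203.0.113.53 that must not be flagged.

```shell
#!/bin/sh
# nat_check.sh: read a "tcpdump -tttn" capture taken on the egress tunnel and
# report two symptoms of a dead-end forward path.  Added example, not from
# the thread.
#   WRONG-SOURCE  outbound packets whose source is not the tunnel's own
#                 address (the far end can only route replies to that one)
#   NO-REPLY      flows with packets going out and nothing ever coming back
# Usage: nat_check <tunnel-address> <capture-file>   (exit 1 if anything found)

nat_check() {
    awk -v want="$1" '
        # "a.b.c.d.port[:]" -> "a.b.c.d"
        function host(f,    q) {
            sub(/:$/, "", f)
            split(f, q, ".")
            return q[1] "." q[2] "." q[3] "." q[4]
        }
        # tcpdump -n prints "<time> ip: <src.port> > <dst.port>: ..."
        $2 == "ip:" && $4 == ">" {
            src = host($3); dst = host($5)
            f5 = $5; sub(/:$/, "", f5)
            if (dst == want) {          # inbound: reverse key names the outbound flow
                replied[f5 ">" $3] = 1
            } else {                    # outbound
                out[$3 ">" f5]++
                if (src != want) wrong[src]++
            }
        }
        END {
            rc = 0
            for (s in wrong) {
                printf "WRONG-SOURCE %s (expected %s): %d packets\n", s, want, wrong[s]
                rc = 1
            }
            for (k in out) if (!(k in replied)) {
                printf "NO-REPLY %s (%d out, 0 back)\n", k, out[k]
                rc = 1
            }
            exit rc
        }' "$2"
}

# Constructed sample: two tun1 SYN lines from the post above (wrong NAT
# source, never answered) plus an invented healthy DNS exchange that uses the
# tunnel address and gets a reply, which must not be flagged.
sample_capture() {
    cat <<'EOF'
 00:00:00.000000 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.220061 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.300000 ip: 10.94.10.6.40000 > 203.0.113.53.53: 4711+ A? example.com. (29)
 00:00:00.012000 ip: 203.0.113.53.53 > 10.94.10.6.40000: 4711 1/0/0 A 203.0.113.80 (45)
EOF
}

# Run the check on the sample when executed as "nat_check.sh demo".
if [ "${1:-}" = demo ]; then
    f=$(mktemp); sample_capture > "$f"
    nat_check 10.94.10.6 "$f"; rc=$?
    rm -f "$f"; exit $rc
fi
```

On a live box the same check is `sudo tcpdump -tttni tun1 -c 50 > cap.txt` followed by `nat_check 10.94.10.6 cap.txt`. Once the NAT rule is fixed, connections that were already tracked keep their old mapping; clearing them (`conntrack -F`, package conntrack) or simply retrying with a fresh source port avoids chasing a stale entry.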
