No internet when connected to VPS using pIA
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jul 10, 2017 11:24 pm
No internet when connected to VPS using pIA
Ok, I'm not great with networking, but I'm trying to learn some things.
I got OpenVPN setup and Pi-Hole running on my Pi B+ by using https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation. This worked great! Pi-Hole was working, and I was able to load YouTube videos on my laptop using the Pi as a gateway. My next step was to connect the Pi to my PIA VPN. I very nearly just installed the PIA app, and then realized that was silly, so I found https://www.novaspirit.com/2017/06/22/raspberry-pi-vpn-router-w-pia/ that connects with OpenVPN (except obviously skipping over the bits I had already done). However, once I connected the Pi to PIA, my laptop was no longer able to load pages. Any time I disconnected from PIA, the laptop would begin working again. While connected to PIA, the Pi is able to load pages and I have a different external IP, so I know that end is working. Also, before connecting to PIA, Pi-hole was working as a DNS service. It blocked a bunch of stuff that I know I was only loading on the laptop. However, when the VPN is connected on the Pi and I set 192.168.1.11 (the local IP of my Pi-Hole) as my router's DNS server, my internet comes to a screeching halt, and I get DNS errors when trying to load basic (unblocked) pages.
I figured the issue was related to the "To Enable Forwarding" section of the 2nd guide, so I double, triple, and quadruple checked that "net.ipv4.ip_forward=1" was not commented out in the /etc/sysctl.conf file. I'm not really bright enough to know what I'm missing at this point, and since I didn't see any guides that did BOTH of the things, I'm a bit at a loss now. Any ideas? Let me know if you need logs - I wouldn't even know where to start.
Also, I just realized after I rebooted the Pi that my VPN connection to PIA is persistent now, and I realized I have absolutely no idea how to disconnect it without the active terminal open, and I figured that's something I should know...
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jul 10, 2017 11:24 pm
Re: No internet when connected to VPS using pIA
Code:
$ uname -a
Linux PI-HOLE 4.9.35+ #1014 Fri Jun 30 14:34:49 BST 2017 armv6l GNU/Linux
Code:
$ ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:df:85:0b
inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10452552 errors:0 dropped:2777 overruns:0 frame:0
TX packets:2454046 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:414647273 (395.4 MiB) TX bytes:452776263 (431.8 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:95646 errors:0 dropped:0 overruns:0 frame:0
TX packets:95646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:6865093 (6.5 MiB) TX bytes:6865093 (6.5 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
inet6 addr: fe80::af3:163c:f4f7:bf17/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2086 errors:0 dropped:0 overruns:0 frame:0
TX packets:2770 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:764077 (746.1 KiB) TX bytes:923276 (901.6 KiB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.94.10.6 P-t-P:10.94.10.5 Mask:255.255.255.255
inet6 addr: fe80::db1f:933d:f8ca:6a0e/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:71854 errors:0 dropped:0 overruns:0 frame:0
TX packets:36540 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:84254632 (80.3 MiB) TX bytes:6133459 (5.8 MiB)
tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.62.10.6 P-t-P:10.62.10.5 Mask:255.255.255.255
inet6 addr: fe80::8321:d4b4:61ed:50fc/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:12456 errors:0 dropped:0 overruns:0 frame:0
TX packets:15713 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:8849883 (8.4 MiB) TX bytes:2924975 (2.7 MiB)
Code:
port 1194
proto tcp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No internet when connected to VPS using pIA
Openvpn cannot do what you want, you need more tools.
Google policy based routing for openvpn
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jul 10, 2017 11:24 pm
Re: No internet when connected to VPS using pIA
Really? Perhaps you are misunderstanding what I want? I mean, I'll explain it in layman's terms, which is sadly my only choice:
I want to send my internal traffic passing through tun0 outside through tun1. Right now, when I have tun1 disabled, my traffic is being sent out through eth0. BUT, when tun1 is enabled, my traffic dead ends at the end of tun0. So OpenVPN cannot do this?
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No internet when connected to VPS using pIA
nuentes wrote:
> I'll explain it in layman's terms, which is sadly my only choice:
> I want to send my internal traffic passing through tun0 outside through tun1. Right now, when I have tun1 disabled, my traffic is being sent out through eth0. BUT, when tun1 is enabled, my traffic dead ends at the end of tun0. So OpenVPN cannot do this?
Exactly.
TinCanTech wrote:
> Google policy based routing for openvpn
And read about --redirect-gateway
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jul 10, 2017 11:24 pm
Re: No internet when connected to VPS using pIA
Hm - so... is what I'm trying to do... um... atypical? Am I going about this all wrong? Again, I'm not that great with networking, and I figured what I was trying to do was pretty common.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No internet when connected to VPS using pIA
It is a common question .. I have provided adequate pointers .. your turn.
There are some good books listed on this site for that kind of thing.
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Jul 10, 2017 11:24 pm
Re: No internet when connected to VPS using pIA
Would it be possible to do this with iptables? I've been playing around with that, and I definitely have them forwarding now, but it's still dead ending somewhere. Anyway, I realized the iptables I got from the 2nd guide I posted were incorrect for my situation, so I removed them all and then added the following:
Code:
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i tun0 -m comment --comment "In from Internal VPN" -j ACCEPT
sudo iptables -I OUTPUT -o tun1 -m comment --comment "Out to PIA" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o tun0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun1 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o tun1 -m comment --comment "Internal VPN out to PIA" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
and then ran this on the client:
Code:
$ curl http://google.com:22002
And tcpdump now shows this on the server:
Code:
$ sudo tcpdump -tttnei tun0 port 22002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
00:00:00.000000 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.219789 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:03.168813 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.006512 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:05.606792 ip: 10.8.0.2.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 65535, options [mss 1306,nop,nop,sackOK], length 0
00:00:00.216793 ip: 10.8.0.2.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
Code:
$ sudo tcpdump -tttnei tun1 port 22002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
00:00:00.000000 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.220061 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:03.168799 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.010287 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:05.602914 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 65535, options [mss 1306,nop,nop,sackOK], length 0
00:00:00.216759 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
So the query is coming into the server from ip 10.8.0.2 in tun0, which is the IP address my client laptop has been assigned by OpenVPN, and it looks like that is trying to go directly to google. But then I see in tun1 the IP address assigned to the server, and that is being sent to google as well. I mean... it certainly looks promising to me. What's your take? Thanks for the help, by the way.
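Added example, not part of the thread: a small parser for "tcpdump -tttn" lines that flags the two things the tun1 capture above actually shows, namely SYNs leaving tun1 with eth0's address 192.168.1.11 as source instead of tun1's own 10.94.10.6 (from the ifconfig output earlier in the thread), which the posted MASQUERADE rule on tun1 would not produce and which leaves the far end no route for its replies, and repeated SYNs with no SYN-ACK. The six tun1 lines are the capture from this post; the healthy contrast capture is constructed.

```python
import re
from collections import defaultdict

# Address of tun1 as reported by ifconfig earlier in the thread.
TUN1_ADDR = "10.94.10.6"

# The six lines from the "tcpdump -tttnei tun1 port 22002" capture in the post above.
TUN1_CAPTURE = """\
00:00:00.000000 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.220061 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:03.168799 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.010287 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0
00:00:05.602914 ip: 192.168.1.11.61472 > 172.217.12.206.22002: Flags [S], seq 2773229053, win 65535, options [mss 1306,nop,nop,sackOK], length 0
00:00:00.216759 ip: 192.168.1.11.61474 > 172.217.12.206.22002: Flags [S], seq 3890823237, win 8192, options [mss 1306,nop,nop,sackOK], length 0
"""

# Constructed contrast case (not from the thread): what a healthy tun1 capture looks
# like once NAT rewrites the source to the tunnel address and a SYN-ACK comes back.
HEALTHY_CAPTURE = """\
00:00:00.000000 ip: 10.94.10.6.40000 > 172.217.12.206.22002: Flags [S], seq 100, win 8192, options [mss 1306], length 0
00:00:00.041000 ip: 172.217.12.206.22002 > 10.94.10.6.40000: Flags [S.], seq 200, ack 101, win 65535, options [mss 1460], length 0
"""

# One "tcpdump -tttn" line on a RAW (tun) link: timestamp, "ip:", src.port > dst.port, flags.
PKT_RE = re.compile(
    r"^\S+ ip: (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")

def parse_capture(text):
    """Parse tcpdump lines into dicts; header and summary lines do not match and are skipped."""
    return [m.groupdict() for m in map(PKT_RE.match, text.splitlines()) if m]

def diagnose(pkts, tunnel_addr):
    """Return findings for traffic seen on a point-to-point tunnel whose local address is tunnel_addr."""
    findings = []
    # Outbound SYNs must carry the tunnel's own address, or the peer cannot route replies back.
    bad_src = sorted({p["src"] for p in pkts if p["flags"] == "S" and p["src"] != tunnel_addr})
    if bad_src:
        findings.append(f"outbound SYNs carry source {', '.join(bad_src)} instead of the tunnel "
                        f"address {tunnel_addr}: NAT is not rewriting to the tunnel address")
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    for (src, sport, dst, dport), ps in flows.items():
        syns = [p for p in ps if p["flags"] == "S"]
        # Retransmitted SYNs with nothing at all in the reverse direction: handshake never completes.
        if len(syns) > 1 and (dst, dport, src, sport) not in flows:
            findings.append(f"{src}:{sport} -> {dst}:{dport}: {len(syns)} SYNs, no SYN-ACK")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(parse_capture(TUN1_CAPTURE), TUN1_ADDR)))
```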