Force Torrent/user Traffic through VPN Split Tunnel on Ubuntu 16.04

split_tunnel_VPN.md

As per https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/, but with few upgrades.

Everything in one script: https://github.com/GAS85/pia/blob/master/split_tunnel_VPN.sh

Supported Systems:

• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu 20.04 - DNS issue, different mechanism, read comments.
• Ubuntu 22.04 - DNS issue, different mechanism, read comments.

Difference to Original:

1. Add random VPN Land change on start/restart.
2. Add IP Tables rules that avoid nginx reverse proxy usage.

Lets start

You have fullcontrol over which applications you want to route over VPN. You will have an Automatic Kill Switch implemented (using firewall rules) so if your VPN connection drops or breaks, your real IP address will not be revealed and torrent traffic will stop. DNS leaks are also prevented. Remote access to your Torrent client of choice (Transmission or Deluge) is possible with nginx reverse proxy.

Step 1. Install OpenVPN

If you are using Ubuntu Server 16.04 LTS we will install OpenVPN from the official OpenVPN repository. First import the public GPG key that is used to sign the packages.

wget https://swupdate.openvpn.net/repos/repo-public.gpg -O - | sudo apt-key add -

Add the OpenVPN repository

echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" | sudo tee -a /etc/apt/sources.list.d/openvpn.list

Install OpenVPN

sudo apt-get update
sudo apt-get install openvpn -y

Step 2. Create systemd Service for OpenVPN

Create the systemd service that will start the required OpenVPN configuration on system start

sudo nano /etc/systemd/system/[email protected]

This script will also restart OpenVPN service if the service was terminated for some reason, logs will be located in syslog (/var/log/syslog).

Copy and paste the following

[Unit]
# HTPC Guides - www.htpcguides.com
Description=OpenVPN connection to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

Hit Ctrl+X, Y and Enter to save.

Now enable the [email protected] we just created

sudo systemctl enable [email protected]

Step 3. Create PIA Configuration File for Split Tunneling

The next step is to modify the configuration file provided by PIA to adjust it for the Split Tunneling. In this guide we will use the Sweden VPN server, but you can use any of the available servers – more on this later. For best VPN performance (especially for torrents) I strongly recommend using UDP protocol, and not TCP. Get the Required Certificates for PIA

If unzip is not installed on your server, just install with

sudo apt-get install unzip -y

Download the archive from PIA, we will need only the certificates

cd /tmp
sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip

Copy the required PIA certificates

sudo cp crl.rsa.2048.pem ca.rsa.2048.crt /etc/openvpn/

Step 4. Create Modified PIA Configuration File for Split Tunneling

We make the following changes to the default PIA configuration file:

• Add route-noexec to prevent the server from push “redirect-gateway” and make the client send all traffic over VPN by default.
  • This is required for Split Tunneling to work.
• Add auth-nocache to prevent caching passwords in memory.
• Add the call for login.txt file with the username and password to make automatic login possible.
• Add script-security 2 to allow client to call externals scripts (up and down).
• Call the first script, iptables.sh, to mark packets for the VPN user (OpenVPN allows only one up call).
• Add down script, update-resolv-conf, to restore DNS servers when disconnecting from VPN.

You can change the hostname highlighted in red to the server of your choice. For the list of available locations and hostnames look at PIA’s site and select the hostname of your choice.

We are editing the openvpn.conf file which is launched by the systemd service we created earlier ([email protected]). This way we ensure the up and down scripts we made are also executed with the OpenVPN systemd service is restarted.

Create the OpenVPN configuration file

sudo nano /etc/openvpn/openvpn.conf

Copy and paste the following, adjust the country you want to use by replacing xxxx.privateinternetaccess.com. In this example we will randomly connect CZ, NL ans SW networks on each start/restart.

client
dev tun
proto udp
remote czech.privateinternetaccess.com 1198
remote sweden.privateinternetaccess.com 1198
remote nl.privateinternetaccess.com 1198
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
route-noexec

#up and down scripts to be executed when VPN starts or stops
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf

Hit Ctrl+X, Y and Enter to Save and Exit.

Step 5. Make OpenVPN Auto Login on Service Start

The username and password for PIA will be stored in a login.txt file, this way OpenVPN can auto connect on service start. Create the txt file

sudo nano /etc/openvpn/login.txt

Enter your PIA username and password

USERNAME
PASSWORD

Hit Ctrl+X, Y to Save and Exit.

Step 6. Configure VPN DNS Servers to Stop DNS Leaks

Next we are going to prevent DNS leak. DNS Leaks are often the main reason your real identity gets exposed even if using VPN. You can read more about DNS leaks here and test them here. The update-resolv-conf script that comes with OpenVPN will automatically apply the preferred DNS servers when OpenVPN connects.

This script will make sure that when using OpenVPN you are not subject to DNS leaks. We will use PIA’s DNS Servers (209.222.18.222 and 209.222.18.218) and Google’s (8.8.8.8) as a third option. You are free to use the DNS servers you trust and prefer. It is advised to change the local DNS to a public even if you are not using VPN. If you are behind a router (and you probably are), it is also a good practice to configure public DNS address on the router too.

Note: make sure you are using a static IP on your machine or reserved DHCP also known as static DHCP. Do not configure the static IP on your server, as resolvconf will not work then. You should set the static IP from your router!

Open the update-resolv-conf file

sudo nano /etc/openvpn/update-resolv-conf

Locate this part

# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

Replace the part highlighted in red, make sure you uncomment (remove the # from beginning) these 3 lines, and pay attention to the third line where your need to replace DOMAIN with DNS.

It should look exactly like this

foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'

Hit Ctrl+X, Y and Enter to Save.

Your DNS is configured for OpenVPN to prevent DNS leaks.

Split Tunneling with iptables and Routing Tables

We will use iptables to mark packets from a user (in our case the vpn user), and then use routing tables to route these marked packets through the OpenVPN interface, while allowing unmarked packets direct access to the Internet.

Step 7. Create vpn User

Create the user vpn. All of the applications you want tunneled over VPN will run as this user, especially your torrent client of choice (Transmission or Deluge). At the end of this guide you will see the links to our guides on how to configure Transmission and Deluge with Split Tunneling.

Create vpn user with no login option

sudo adduser --disabled-login vpn

I suggest to leave personal details blank, just proceed with Enter, and finally answer Y to create vpn user. We disabled login for the vpn user for security reasons, there is no need to log in to the system as the vpn user.

We are going to use the vpn user to run services (like Torrent client), it is recommended to add your regular user to the vpn group and vpn user to your regular user’s group to avoid any permission issues.

Replace username with the user you would like to add to the vpn group

sudo usermod -aG vpn username

Replace group with the group name of your regular user that you would like to add the vpn user to

sudo usermod -aG group vpn

Get Routing Information for the iptables Script

We need the local IP and the name of the network interface. Again, make sure you are using a static IP on your machine or reserved DHCP also known as static DHCP, but configured on your router!

ip route list

The output will be similar to this

default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.110

eth0 is the network interface (NETIF), and 192.168.1.110 is the local IP address (LOCALIP). You will need to enter these two into the following script, which we are going to create now.

If the PIA login credentials are not correct, then OpenVPN will not establish the VPN connection, therefore the firewall rules are not applied (since OpenVPN will execute up scripts only on successful connection). The result is not having the kill switch enabled (iptables rules loaded) and vpn user has direct access to Internet. To prevent this scenario, we will implement a permanent firewall rule to block vpn user’s access to Internet until the OpenVPN tunnel is up and functional, and the required scripts are started. This will prevent any IP leaks even if no connection to PIA is possible for any reason.

Flush current iptables rules

sudo iptables -F

Add the following rule, which will block vpn user’s access to Internet (except the loopback device). Note, if you configured Split Tunnel with different user then vpn, then change vpn marked in red to the user you used.

sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP

Now install iptables-persistent to save this single rule that will be always applied on each system start.

sudo apt-get install iptables-persistent -y

During the install, iptables-persistent will ask you to save current iptables rules to /etc/iptables/rules.v4 as seen on the screenshot, accept this with YES

Now when system starts, vpn user is not able to access Internet. If the OpenVPN service is started successfully, then this rule is flushed (only until the next system restart), and the Split Tunnel rules are applied.

Step 8. iptables Script for vpn User

The first script will mark the packets for vpn user, the second script will take care of proper routing.

Create the iptables script

sudo nano /etc/openvpn/iptables.sh

Copy the following to the iptables.sh script, and make sure you enter the network interface and the local IP we identified and marked with red and blue respectively.

You can see the comments for each section about the function of the given part of the script. If you are interested in more details about iptables, a good starting point is the Official Ubuntu Documentation.

Remember, this script will flush your existing iptables rules (UFW included), therefore you need to append your own rules into this script if you need any additional firewall rules.

#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.110"
export NETIF="eth0"

# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
# Added Local Open Ports Like Aria2 RPC, Torrent GUI
iptables -t mangle -A OUTPUT --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0
# Continue marking
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT

# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE

# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT

#ADD YOUR RULES HERE

# Start routing script
/etc/openvpn/routing.sh

exit 0

Hit Ctrl+X, Y and Enter to save and exit.

Make the iptables script executable

sudo chmod +x /etc/openvpn/iptables.sh

In this script important line is

iptables -t mangle -A OUTPUT --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0

This will unmark whole traffic to ports 6800 und 7777, so you can run e.g. aria2 RPC, or torrent GUI on port 6800 and 7777 and you will be able to access them via network.

To limit it to the local network only, pleas added following lines after "ADD YOUR RULES HERE":

iptables -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,80,443
iptables -A INPUT -p tcp -m tcp -m multiport -m state --state ESTABLISHED,RELATED -j ACCEPT --sports 22,53,80,443,8080,6800,7777
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dports 6800,7777 -j ACCEPT
iptables -A INPUT -j DROP

It will (line by line):

1. open SSH and HTTP(S) connections
2. enable answers on SSH, HTTP(S), DNS, your ports 6800 and 7777
3. enable localhost traffic
4. limit you ports to local network only (192.168.0.0/24)
5. drop the rest.

Step 9. Routing Rules Script for the Marked Packets

With the routing rules we configure the route for the packets we just marked with the first script. You can read more about the routing tables at the following link.

Create the routing script

sudo nano /etc/openvpn/routing.sh

Paste the following script which makes the default route after the VPN the loopback interface, effectively nulling the traffic if the VPN connection goes down.

#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com

VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/update-resolv-conf

exit 0

Hit Ctrl+X, Y and Enter to Save and Exit.

Finally, make the script executable

sudo chmod +x /etc/openvpn/routing.sh

Step 10. Configure Split Tunnel VPN Routing

We will need a routing table by adding the table name to the rt_tables file (in our case it is vpn). Open rt_tables

sudo nano /etc/iproute2/rt_tables

Add the vpn user table at the bottom of the file

200     vpn

It should look similar to this:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     vpn

Hit Ctrl + X, Y and Enter to save and exit.

Step 11. Change Reverse Path Filtering

Finally, we need to change the default level of reverse path filtering to ensure the kernel routes the traffic correctly. By default it is set to value of 1 that is “strict mode”. It is not necessary to disable reverse path filtering completely (setting to “0”), but we need to set it to level 2, “loose mode”.

Create a reverse path filter file for the vpn user

sudo nano /etc/sysctl.d/9999-vpn.conf

Copy the following, make sure you use the correct network interface name in the third line marked with red (remember the ip route list command from before and the output, in our case it was eth0)

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2

Hit Ctrl + X, Y and Enter to save and exit.

To apply new sysctl rules run:

sudo sysctl --system

Testing the VPN Split Tunnel

I recommend a system restart, and if everything was configured properly, you should have a running OpenVPN service enabled for the vpn user and all the other users on your server should have direct access to Internet. Now lets check if everything is correct.

Test OpenVPN service

Login as your regular user over SSH, and check OpenVPN service status

sudo systemctl status [email protected]

This should return something like this

[email protected] - OpenVPN connection to client
 Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
 Active: active (running) since Mon 2016-09-05 11:25:18 CEST; 1 day 4h ago
 Docs: man:openvpn(8)
 https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
 https://community.openvpn.net/openvpn/wiki/HOWTO
 Process: 3223 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn
 Main PID: 3266 (openvpn)
 CGroup: /system.slice/system-openvpn.slice/[email protected]
 └─3266 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn

Sep 05 11:25:21 server ovpn-client[3266]: OPTIONS IMPORT: route options modified
Sep 05 11:25:21 server ovpn-client[3266]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Systemd gives a very nice overview about the service state. In the above example you can see that the service is Active (running), just as we need.

If the service is not running you can check if there is a log of the error in /var/log/syslog . For troubleshooting you can set output verbosity in the openvpn.conf file to a higher level. Set it to 3 and check the syslog again. You can always ask for help in the forum section. Remember to set verbosity level back to 1 if you don’t need more detailed logs anymore.

Check IP address

Using the SSH session for the regular user, check the IP address

curl ipinfo.io

It will return your IP and depending on how much information is provided, the country should be listed in each case. Obviously, it should be your ISP now and your location.

Now check the IP address of the vpn user with

sudo -u vpn -i -- curl ipinfo.io

If everything went fine, it should return the IP address and the country of the VPN server you selected. If you used Sweden server, then the country should be “SE”. It is very important that the IP address for user vpn should be different then your regular user’s IP.

In my case for user vpn and using Sweden PIA server I have the following output

{
  "ip": "X.XXX.XXX.XX",
  "hostname": "No Hostname",
  "city": "",
  "region": "",
  "country": "SE",
  "loc": "59.3294,18.0686",
  "org": "AS57858 Inter Connects Inc"

Obviously, the “x.xxx.xxx.xx” part is my assigned VPN IP address which is different then my public IP, and you can see the country as SE which is Sweden.

Check DNS Server

Finally, check if the DNS for VPN is properly configured, type

sudo -u vpn -i -- cat /etc/resolv.conf

The output should be

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 8.8.8.8

If you see the above DNS servers then your DNS for VPN is configured correctly.

To be honest I moved from this complicated solution to simple transmission in Docker --> https://github.com/haugene/docker-transmission-openvpn You can attach to this container any other container that needs to work via VPN, or use tiny proxy of this container to utilize VPN traffic, transmission self is not mandatory to use . Very nice.

@GAS85 Thank you for your effort in putting this together.
I read the document of this docker solution. The author says that all traffic goes through VPN. If I want to access the torrent web UI remotely, without being able to open a port by the VPN service provider, I still need to split tunnel?
If I want to remote access the torrent web UI to manage torrent downloading tasks, I will need the split tunnel anyways? I am trying to figure how to do this and just started learning.

Theoretically if you have good experience, you can run both, but I would say, no - you do not need to have split tunnel for this.

Ether you use this Split tunnel, or you simply open port in container to get access to WebUI via point 1. Optionally you can use HTTP Proxy with other applications point 2, or add them to the same container to make use of VPN only. I made a small diagram for U.

For a container VPN you have to bind port for WebUI (point 1) for a split tunnel you have to enable this port in Firewall (point 3)

Theoretically if you have good experience, you can run both, but I would say, no - you do not need to have split tunnel for this.

Ether you use this Split tunnel, or you simply open port in container to get access to WebUI via point 1. Optionally you can use HTTP Proxy with other applications point 2, or add them to the same container to make use of VPN only. I made a small diagram for U.

For a container VPN you have to bind port for WebUI (point 1) for a split tunnel you have to enable this port in Firewall (point 3)

@GAS85 Thank you so much for the detailed explanation! It is much more clear to me now. I will try the split tunnel first on a virtual machine. I might give a try of the container method you described as well. Thank you!

For those like me who have some issues with DNS resolution, I post here the solution as it took me quite some time to figure this out.
The sudo -u vpn -i -- curl ipinfo.io command was timing out. I realized that it was a DNS resolution problem and my VPN user was still using my router DNS (so not accessible). I suspected a resolvconf issue.
Then I found this solution : https://askubuntu.com/a/1036209

Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via

sudo apt install openvpn-systemd-resolved
or with these GitHub instructions

I've had this up and running great for awhile and then all of a sudden, it just stopped. Open VPN appears to be working. The tun0 network device shows up. But there is zero traffic in or out of deluge. No errors I. Openvpn log, no errors In system log. Everything that doesn't run on the VPN user is still working fine. Anyone point me in a correct direction? Worked through this write up again. Grabbed a new pia server to connect to, just doesn't want to work.

You have to dig into it.

1. Is port reported as open on Deluge?
2. Is it registered on Trackers?
3. Did you performed those checks https://gist.github.com/GAS85/4e40ece16ffa748e7138b9aa4c37ca52#check-ip-address and https://gist.github.com/GAS85/4e40ece16ffa748e7138b9aa4c37ca52#check-dns-server?
4. Check if you still have iptables installed, but not ufw, or something else that overtake those settings.
5. Check if your configured iptables rules are active, e.g. by command sudo iptables -vL

I started having problems also. It's been working for me since it came out, Over the last week it has started acting up and now won't allow any connections to transmission. I'm not sure if it's related to Debian 11, but I also don't have any errors. Just no connections.
Tuppidsay did you manage to figure it out?

Is https://gist.github.com/GAS85/4e40ece16ffa748e7138b9aa4c37ca52#testing-the-vpn-split-tunnel still working for you, all tests?
Is Transmission online?
It could be also that PIA has some changes, not sure if those configs are still valid, they have had few migrations.

I wasn't using PIA from the start. I did modify my openvpn config slightly to get my vpn providers to function but nothing I couldn't manage to work through.
I have started to do a backtrack to versions and settings that would still work but no luck yet. I did however manage to move everything over to namespaced-openvpn.
By following Alyx on the OMSC forums with the following instructions.
OMSC Forums Link
Bit of a re-learn and I've had a couple outages without being able to trace why it stopped, but back in business.

How can this be implemented using OpenVPN on a Digital Ocean droplet?

Seems they have some info how to get VPN running: https://www.digitalocean.com/community/questions?q=VPN. I have no Services there and couldn't try it.

Seems they have some info how to get VPN running: https://www.digitalocean.com/community/questions?q=VPN. I have no Services there and couldn't try it.

I have the VPN setup and running on DO. My question is would I change the PIA IPs within your script to my DO VPN droplet? Thank you

In step 9, you would need to change
ifconfig
to
ip addr show

to make the script run on more recent versions of ubuntu and debian.

ifconfig was deprecated and removed

Was working on Ubuntu 18.04, but never test it with 20.04. If you can run it with only this change - cool, I will update the docu.

I followed the tutorial using my wlan0 (using a raspberry pi) but I would like to keep the wired connection (eth0) working. How can I do that?
I don't know much about networks and stuff.

This guide is wonderful and it is what I have been using (adapted to my own vpn) for some time. Nevertheless, I have recently found some problems. I do not know if this is the correct place to post this, but maybe someone could give some light.

Recently I updated to ubuntu 22.10. Everything seemed to work properly, but I started to find problems with my streaming services in Kodi 20 (with regular user and not vpn). After some struggling of what was happening I found that the problem comes from the step 6. Editing the file routing.sh and commenting the last line
/etc/openvpn/update-resolv-conf
makes that everything works.
It may be related to what @axeloz reported, but the solution he gave did not work for me.
I tried also the solution proposed by https://blog.syddel.uk/?p=253
It seems to work because I am not executing now the part of the file routing.sh. If I include that part, the problem persits.
In particular it is the line
ip route replace default via $GATEWAYIP table $VPNUSER
which gives me problems
I am not an expert here and I am not completely sure what the script is doing and if it is really preventing DNS leaks. I suppose not if I remove that part
So, any help would be appretiated

[In particular it is the line ip route replace default via $GATEWAYIP table $VPNUSER which gives me problems] There's a chance that this is actually from the code a couple of lines above. GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1) Needs to be changed to GATEWAYIP=$(ip addr show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1) The ifconfig doesn't exist anymore in recent versions of Ubuntu and Debian.

…

On Sat, Apr 8, 2023, 7:59 PM Tomás Morales de Luna ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ This guide is wonderful and it is what I have been using (adapted to my own vpn) for some time. Nevertheless, I have recently found some problems. I do not know if this is the correct place to post this, but maybe someone could give some light. Recently I updated to ubuntu 22.10. Everything seemed to work properly, but I started to find problems with my streaming services in Kodi 20 (with regular user and not vpn). After some struggling of what was happening I found that the problem comes from the step 6. Editing the file routing.sh and commenting the last line /etc/openvpn/update-resolv-conf makes that everything works. It may be related to what @axeloz <https://github.com/axeloz> reported, but the solution he gave did not work for me. So, this is what I did to get it working again, based on https://blog.syddel.uk/?p=253 I downloaded the file https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved into /etc/openvpn/scripts I edited it and placed all the contents of iptables.sh at the beginning of the script (except for the last part after ADD YOUR RULES HERE) Then, I modified the conf file in /etc/openvpn so the last part is up /etc/openvpn/scripts/update-systemd-resolved down /etc/openvpn/scripts/update-systemd-resolved down-pre Now it seems that everything works as it should. Nevertheless, I am not an expert there and I am not completely sure what the script is doing and if it is really preventing DNS leaks. So, any help would be appretiated — Reply to this email directly, view it on GitHub <https://gist.github.com/GAS85/4e40ece16ffa748e7138b9aa4c37ca52#gistcomment-4530460> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQN7DTOKBL4PDOOZFP26UILXAFAJPBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TCNBVGM4DQNNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Thank you @slycordinator . I tried it, but the problem persists
Executing tcpdump -i tun0 -vvv tells me that there are connections of the streaming addons from kodi that are going through this interface. So it seems that I have some problems with the routing as those packets should go through the regular interface
I tried playing with the routing, but without success

[In particular it is the line ip route replace default via $GATEWAYIP table $VPNUSER which gives me problems] There's a chance that this is actually from the code a couple of lines above. GATEWAYIP=$(ifconfig $VPNIF | egrep -o '([0-9]{1,3}.){3}[0-9]{1,3}' | egrep -v '255|(127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})' | tail -n1) Needs to be changed to GATEWAYIP=$(ip addr show $VPNIF | egrep -o '([0-9]{1,3}.){3}[0-9]{1,3}' | egrep -v '255|(127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})' | tail -n1) The ifconfig doesn't exist anymore in recent versions of Ubuntu and Debian.

Thank you @slycordinator . I tried it, but the problem persists Executing tcpdump -i tun0 -vvv tells me that there are connections of the streaming addons from kodi that are going through this interface. So it seems that I have some problems with the routing as those packets should go through the regular interface I tried playing with the routing, but without success

[In particular it is the line ip route replace default via GATEWAYIPtable(ifconfig VPNIF|egrep−o′([0−9]1,3.)3[0−9]1,3′|egrep−v′255|(127.[0−9]1,3.[0−9]1,3.[0−9]1,3)′|tail−n1)NeedstobechangedtoGATEWAYIP=(ip addr show $VPNIF | egrep -o '([0-9]{1,3}.){3}[0-9]{1,3}' | egrep -v '255|(127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})' | tail -n1) The ifconfig doesn't exist anymore in recent versions of Ubuntu and Debian.

The code I wrote was in error
Try it with
GATEWAYIP=$(ip addr show $VPNIF | grep "inet " | awk '{print $2}' | cut -d/ -f1)
instead

Please give a hint if it works at the end, and we can update a tutorial to be working with ubuntu 22.04+.

Unfortunately, no.
In fact it seems a problem that is not easy to detect. My guess is that some packets of the stream service, for some reason, are going out through the vpn. Then, it would depend on the vpn server that you use. The former sever I used worked sometimes. I changed now to another server that works better, because I suppose the streaming service is not blocking it.
In any case, usign tcpdump -i tun0 -vvv I still see things that I would not expect to go there as they do not belong to vpn user:
For instance, I detect things like
[udp sum ok] 25368 q: A? disney.content.edge.bamgrid.com. 5/0/1 disney.content.edge.bamgrid.com
I would say that it is not something specific of this plugin, it is just that I did not detect it before.
Even when surfing in the web, I detect things in tun0 and I would not expect anything to go there as I am not using the vpn user:

[udp sum ok] 2581 q: A? api.accounts.firefox.com
[udp sum ok] 7088 q: A? youtube-ui.l.google.com

Am I doing the correct interpretation?
Could it be something related to udp that is not correctly set?

Please give a hint if it works at the end, and we can update a tutorial to be working with ubuntu 22.04+.

I've had this working for quite a while now, but all of a sudden this week it stopped. No traffic is going over the vpn. I run the sudo -u vpn -i -- curl ipinfo.io test and it just hangs. Running that from my normal user returns info for my ISP, but it times out running as vpn user. I did start the vpn without the route-noexec option just to see if the vpn worked at all and it did. Without that option, all traffic successfully passes over the vpn and the curl ipinfo.io command returns the info for my vpn. I just cannot get it to work the original way.
I do not know where to begin looking. I'm wondering if the packets are being marked properly or if they are, why are they not being sent over the vpn connection.
Any help or advice in troubleshooting this is greatly appreciated.

Howdy, not sure if the DNS leak protection is working correctly. I followed the guide, and with ubuntu 22.04 it does not use the resolv.conf file, its managed through a different process. when I start the vpn connect, the tun0 gets DNS and can see what it needs to, but the main eth connection cannot resolve names at all...... any ideas?

basically it looks like it is setting DNS correct when tun0 establishes, just cannot resolve any names on the primary eth connection

:/run/systemd/resolve# resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s25)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
DNS Domain: fritz.box

Link 7 (tun0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 209.222.18.222 209.222.18.218 8.8.8.8 10.0.0.243
DNS Domain: ~.

Any tips to check? Firewall rules?

Howdy, not sure if the DNS leak protection is working correctly. I followed the guide, and with ubuntu 22.04 it does not use the resolv.conf file, its managed through a different process. when I start the vpn connect, the tun0 gets DNS and can see what it needs to, but the main eth connection cannot resolve names at all...... any ideas?

This is indeed the case and if someone knows how to do it properly in recent versions of Ubuntu, it would be much appreciated. In my case it seems that it is working, but not sure what DNS it is using. I assume the one I established in my router.

Yeah looks like later versions of ubuntu using resolvctl daemon for dns settings, so not systemd like previous...  so definately some differences......So if any gurus out there, would be appreciated lolSent on the go with Vodafone                                                

For now (not sure if it breaks DNS protection) have removed the systembolic link on /etc/resolve.conf and just made it a normal file. seems to still allow DNS on link when VPN up and DNS works on VPN link as well, just not sure if it breaks anything.

Howdy, did some searching and came across this article: https://askubuntu.com/questions/1464051/how-can-i-force-ubuntu-22-04-server-to-use-only-the-dns-servers-listed-in-etc-s

One thing It suggested was to:
sudo apt install openvpn-systemd-resolved

Then in the openvpn configurations to set to call these scripts instead:
/etc/openvpn/update-systemd-resolved

one other little thing I did with my playing around, was to:

sudo ln -s /usr/bin/resolvectl /usr/bin/systemd-resolve

So that might be helping with the combination of the install above.

I have rebooted my machine with that applied, with the /etc/resolve.conf as a symbolic link back to the original location and I am able to ping internet hosts from both connections. Not sure if this resolves it or not...... but it appears working for me atm

Someone else want to give it a go?

Unfortunately, no. In fact it seems a problem that is not easy to detect. My guess is that some packets of the stream service, for some reason, are going out through the vpn. Then, it would depend on the vpn server that you use. The former sever I used worked sometimes. I changed now to another server that works better, because I suppose the streaming service is not blocking it. In any case, usign tcpdump -i tun0 -vvv I still see things that I would not expect to go there as they do not belong to vpn user: For instance, I detect things like [udp sum ok] 25368 q: A? disney.content.edge.bamgrid.com. 5/0/1 disney.content.edge.bamgrid.com I would say that it is not something specific of this plugin, it is just that I did not detect it before. Even when surfing in the web, I detect things in tun0 and I would not expect anything to go there as I am not using the vpn user:

[udp sum ok] 2581 q: A? api.accounts.firefox.com
[udp sum ok] 7088 q: A? youtube-ui.l.google.com

Am I doing the correct interpretation? Could it be something related to udp that is not correctly set?

Please give a hint if it works at the end, and we can update a tutorial to be working with ubuntu 22.04+.

In case anyone is interested in this. I could not load Netflix or Disney+ while the openvpn tunel was up, although I was using a browser with my regular user (not the one defined for VPN). It seems that some information is leaked from the VPN to the regular user.
I ended up using as an alternative namespaces based mainly in:
https://github.com/rakshasa/rtorrent/wiki/VPN-with-Traffic-Splitting
https://discourse.osmc.tv/t/openvpn-split-tunneling-specify-apps-that-go-through-vpn-tunnel/15034/24
Now everything seems to work as it should. No more problems when surfing out of the vpn namespace.

Hi all. This guide works fine except the DNS Leak part. when running the sudo -u vpn -i -- cat /etc/resolv.conf it does not show the dns servers I've included in the resolve script. Any hints on this? Thank you.