split-vpn's Issues

bug: packets not routed when trying to access remote vpn ip address from vpn's network

Note, IPs are made up

Situation:
I have a VPN server running on public ip (142.250.64.238)
A UDM VPN client sets up a VLAN (42)/subnet (10.42.42.0/24) to transparently proxy all traffic via VPN server 142.250.64.238

Problem:
Cannot access other services (http/ssh) running on 142.250.64.238

Diagnosis attempted:
Ran tcpdump on the VPN server's tun interface. Pinged 1.1.1.1 - saw packets. Pinged the server's public address (142.250.64.238) - no packets received.
Ran tcpdump on the UDM VPN client's tun interface. Pinged 1.1.1.1 - saw packets. Pinged the server's public address (142.250.64.238) - no packets received.

My suspicion is that there is a missing route, or maybe packets aren't being marked correctly, and non-VPN packets destined for the VPN server itself (but not the VPN service) are not being routed properly.

Edit:
Found my pings were being sent to interface switch0 (on the UDM client) but there were no replies.

RTNETLINK answers: No route to host

Hi.
I've been trying to set up an OpenVPN connection to Mullvad.
I've followed all the instructions; the only problem is that I don't understand what to put in ROUTE_TABLE= in the vpn.conf file.
If I leave the default, I get RTNETLINK answers: No route to host.
I understood that I need to create a routing rule in the UDM table, but I don't know how to do it. What I'm trying to do is to connect every interface to the OpenVPN network (so basically all traffic going out from the UDM will go to the OpenVPN network).

Configure NAT reflection

Hi,

I have port forwarding setup for my OpenVPN server. Everything works fine.

But recently I faced the problem of NAT reflection. I am unable to access websites that are pointed to my VPN server (and port forwarded) from the server which hosts those websites (and is in the LAN that is under the VPN).

Is there a way to make it work?

"Another app is currently holding the xtables lock"

Thanks so much for making this script, it's fantastic! I was thinking I might have to get additional hardware for equivalent functionality. The documentation is very thorough and clear, it was very easy to set up.

I had it all up and running with 3 OpenVPN clients on a UDM two days ago.

Yesterday I decided to add some extra clients for a total of 7, but after uploading and running:

killall -TERM openvpn
find /etc/split-vpn/ -type f -iname "*.sh" -exec chmod +x {} \;
/etc/split-vpn/run-vpn.sh

Now only one or two clients start, with at least three others throwing an error like this in openvpn.log:

...
2021-12-22 16:07:32 VERIFY OK: depth=1, CN=OpenVPN CA
2021-12-22 16:07:32 VERIFY OK: nsCertType=SERVER
2021-12-22 16:07:32 VERIFY OK: depth=0, CN=OpenVPN Server
2021-12-22 16:07:32 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-12-22 16:07:32 [OpenVPN Server] Peer Connection Initiated with [AF_INET]20.200.200.200:1000
2021-12-22 16:07:32 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 192.168.1.1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 8.8.8.8,register-dns,block-ipv6,ifconfig 192.168.1.12 255.255.240.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
2021-12-22 16:07:32 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.5.2)
2021-12-22 16:07:32 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.5.2)
2021-12-22 16:07:32 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.5.2)
2021-12-22 16:07:32 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-12-22 16:07:32 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-12-22 16:07:32 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-12-22 16:07:32 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.5.2)
2021-12-22 16:07:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-12-22 16:07:32 OPTIONS IMPORT: timers and/or timeouts modified
2021-12-22 16:07:32 OPTIONS IMPORT: explicit notify parm(s) modified
2021-12-22 16:07:32 OPTIONS IMPORT: compression parms modified
2021-12-22 16:07:32 OPTIONS IMPORT: --ifconfig/up options modified
2021-12-22 16:07:32 OPTIONS IMPORT: route options modified
2021-12-22 16:07:32 OPTIONS IMPORT: route-related options modified
2021-12-22 16:07:32 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-12-22 16:07:32 OPTIONS IMPORT: peer-id set
2021-12-22 16:07:32 OPTIONS IMPORT: adjusting link_mtu to 1625
2021-12-22 16:07:32 OPTIONS IMPORT: data channel crypto options modified
2021-12-22 16:07:32 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-12-22 16:07:32 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-12-22 16:07:32 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-12-22 16:07:32 net_route_v4_best_gw query: dst 0.0.0.0
2021-12-22 16:07:32 net_route_v4_best_gw result: via 0.0.0.0 dev 
2021-12-22 16:07:32 ROUTE_GATEWAY 0.0.0.0
2021-12-22 16:07:32 TUN/TAP device tun103 opened
2021-12-22 16:07:32 net_iface_mtu_set: mtu 1500 for tun103
2021-12-22 16:07:32 net_iface_up: set tun103 up
2021-12-22 16:07:32 net_addr_v4_add: 192.168.1.12/20 dev tun103
2021-12-22 16:07:32 /etc/split-vpn/vpn/updown.sh tun103 1500 1553 192.168.1.12 255.255.240.0 init
Wed Dec 22 16:07:32 2021 split-vpn up: Loading configuration from /mnt/data/split-vpn/openvpn/MyVPN/vpn.conf.
Wed Dec 22 16:07:32 2021 split-vpn: Using IPv4 gateway from table 201: via 192.168.0.1 dev eth4.
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
2021-12-22 16:07:32 WARNING: Failed running command (--up/--down): external program exited with error status: 4
2021-12-22 16:07:32 Exiting due to fatal error

Unfortunately I noticed a mistake I made in all of my .conf files – for the custom table/chains I input a unique 3 digit number instead of a hex, e.g. MARK=101

I corrected the files, but then only the first entry in the master run-vpn.sh started, while the others threw the above error.
I rebooted and did the install again, but this did not fix the issue – now the third-last and last clients start, while the others fail.

Errors include

...
Wed Dec 22 16:51:08 2021 split-vpn: Using IPv4 gateway from table 201: via 192.168.0.1 dev eth4.
ip6tables v1.6.2: Couldn't load target `103POSTROUTING':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
2021-12-22 16:51:08 WARNING: Failed running command (--up/--down): external program exited with error status: 2
2021-12-22 16:51:08 Exiting due to fatal error

and

...
2021-12-22 16:51:07 net_addr_v4_add: 192.168.1.12/20 dev tun114
2021-12-22 16:51:07 /etc/split-vpn/vpn/updown.sh tun114 1500 1553 192.168.1.12 255.255.240.0 init
Wed Dec 22 16:51:07 2021 split-vpn up: Loading configuration from /mnt/data/split-vpn/openvpn/MyVPN2/vpn.conf.
Wed Dec 22 16:51:07 2021 split-vpn: Using IPv4 gateway from table 201: via 192.168.0.1 dev eth4.
iptables v1.6.2: Couldn't load target `114PREROUTING':No such file or directory

and

...
2021-12-22 17:00:15 net_iface_up: set tun113 up
2021-12-22 17:00:15 net_addr_v4_add: 192.168.1.13/20 dev tun113
2021-12-22 17:00:15 /etc/split-vpn/vpn/updown.sh tun113 1500 1553 172.27.224.13 255.255.240.0 init
Wed Dec 22 17:00:15 2021 split-vpn up: Loading configuration from /mnt/data/split-vpn/openvpn/MyVPN3/vpn.conf.
Wed Dec 22 17:00:15 2021 split-vpn: Using IPv4 gateway from table 201: via 192.168.0.1 dev eth4.
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
2021-12-22 17:00:15 WARNING: Failed running command (--up/--down): external program exited with error status: 4
2021-12-22 17:00:15 Exiting due to fatal error

The UDM also happened to auto-update to 1.11.0 last night, maybe this is related?

Unfortunately I'm already a bit out of my comfort zone here, and I'm not sure what the entries in the IP tables really mean.

Would you happen to know what's going on?

Troubleshot expressVPN configuration

Hello guys. I was trying with my ExpressVPN configuration. I performed the manual steps, similar to the NordVPN ones explained in the README, but after setup, when I run the test, my public IP stays the same. Not sure how to troubleshoot what could be wrong on my side.

Appreciate any comment here.

Device: UDM

# openvpn --config expressvpn_miami_udp.ovpn --auth-user-pass username_password.txt --route-noexec --redirect-gateway def1 --up /mnt/data/split-vpn/vpn/updown.sh --down /mnt/data/split-vpn/vpn/updown.sh --script-security 2
Mon Jul 12 18:07:25 2021 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Mon Jul 12 18:07:25 2021 WARNING: file 'username_password.txt' is group or others accessible
Mon Jul 12 18:07:25 2021 OpenVPN 2.4.4 aarch64-buildroot-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 25 2021
Mon Jul 12 18:07:25 2021 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Mon Jul 12 18:07:25 2021 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Jul 12 18:07:25 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 12 18:07:25 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jul 12 18:07:25 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jul 12 18:07:25 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]193.36.224.73:1195
Mon Jul 12 18:07:25 2021 Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Mon Jul 12 18:07:25 2021 UDP link local: (not bound)
Mon Jul 12 18:07:25 2021 UDP link remote: [AF_INET]193.36.224.73:1195
Mon Jul 12 18:07:25 2021 TLS: Initial packet from [AF_INET]193.36.224.73:1195, sid=a249fb4c 69fa3cef
Mon Jul 12 18:07:25 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 12 18:07:25 2021 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, [email protected]
Mon Jul 12 18:07:25 2021 VERIFY OK: nsCertType=SERVER
Mon Jul 12 18:07:25 2021 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3445-1a, [email protected]
Mon Jul 12 18:07:25 2021 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3445-1a, [email protected]
Mon Jul 12 18:07:25 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Jul 12 18:07:25 2021 [Server-3445-1a] Peer Connection Initiated with [AF_INET]193.36.224.73:1195
Mon Jul 12 18:07:26 2021 SENT CONTROL [Server-3445-1a]: 'PUSH_REQUEST' (status=1)
Mon Jul 12 18:07:26 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.14.0.1,comp-lzo no,route 10.14.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.14.1.102 10.14.1.101,peer-id 17,cipher AES-256-GCM'
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: compression parms modified
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: route options modified
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: peer-id set
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: adjusting link_mtu to 1629
Mon Jul 12 18:07:26 2021 OPTIONS IMPORT: data channel crypto options modified
Mon Jul 12 18:07:26 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jul 12 18:07:26 2021 NCP: overriding user-set keysize with default
Mon Jul 12 18:07:26 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 12 18:07:26 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jul 12 18:07:26 2021 ROUTE: default_gateway=UNDEF
Mon Jul 12 18:07:26 2021 TUN/TAP device tun0 opened
Mon Jul 12 18:07:26 2021 TUN/TAP TX queue length set to 100
Mon Jul 12 18:07:26 2021 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 12 18:07:26 2021 /usr/sbin/ip link set dev tun0 up mtu 1500
Mon Jul 12 18:07:26 2021 /usr/sbin/ip addr add dev tun0 local 10.14.1.102 peer 10.14.1.101
Mon Jul 12 18:07:26 2021 /mnt/data/split-vpn/vpn/updown.sh tun0 1500 1557 10.14.1.102 10.14.1.101 init
Mon Jul 12 18:07:26 2021 split-vpn up: Loading configuration from /mnt/data/split-vpn/openvpn/expressvpn/vpn.conf.
Mon Jul 12 18:07:26 2021 split-vpn: Using IPv4 gateway from table 201: via 192.168.0.1 dev eth4.
Mon Jul 12 18:07:28 2021 Initialization Sequence Completed

Force local traffic for specific port through VPN

Hi there!

Thanks for the awesome work on this package, I'm using it to set up VoIP (UniFi Talk) through a CG-NAT connection (Starlink) and it's almost working perfectly.

I've managed to get port forwarding working over a Wireguard VPN so inbound traffic works great.

However, I'm struggling a bit more with getting outbound traffic to route through the VPN. Essentially what I'm trying to do is force traffic from/to SIP and signaling ports (5060, 5061, and 6767) to go through the VPN, but leave media traffic intact.

I'm using the following rule:

FORCED_SOURCE_IPV4_PORT="both-localhost-5060,5061,6767 both-192.168.1.1-5060,5061,6767 both-10.0.0.0/8-5060,5061,6767"

Should I be doing something differently?

Also, I'd be happy to sponsor the awesome work you've been doing @peacey, are you planning on setting up GitHub Sponsors?

bc: not found

I followed the instructions for OpenVPN, but when I start the VPN on the UDM, I get this:

/mnt/data/split-vpn/vpn/updown.sh: line 353: bc: not found
/mnt/data/split-vpn/vpn/updown.sh: line 353: bc: not found

delay systemctl service

I am using a UDMPSE. split-vpn is working fine when invoked manually.
I am now trying to start it upon boot, but the systemctl service fails, indicating the interface isn't available. I think this is because it tries to run before the Site-to-Site connection is established, which creates the interface.
Is there any way to delay the systemctl service run-vpn for a minute or so, until the S2S starts and creates its interface?

Same Destination address for different tun devices.

Hi peacey,

Thanks for your contribution! I'm using it on a UDM (not Pro) where I intend to set up multiple clients (using NordVPN as server), in which each VLAN is connected to a different VPN server. With up to 3 clients I seldom see it, but with 4 clients the problem is always there.

What I observe when this happens: clients of some of the VLANs don't have access to the internet, or they are forwarded to the wrong VPN server.

Here are some of the commands that might help:

# route -n
Kernel IP routing table
Destination       Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0          0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.0          0.0.0.0         255.255.255.0   U     0      0        0 tun3
10.8.1.0          0.0.0.0         255.255.255.0   U     0      0        0 tun1
10.8.1.0          0.0.0.0         255.255.255.0   U     0      0        0 tun2
xxx.xxx.xxx.xxx   0.0.0.0         255.255.254.0   U     0      0        0 eth1
aaa.aaa.aaa.aaa   0.0.0.0         255.255.255.0   U     0      0        0 br1
bbb.bbb.bbb.bbb   0.0.0.0         255.255.255.0   U     0      0        0 br2
ccc.ccc.ccc.ccc   0.0.0.0         255.255.255.0   U     0      0        0 br3
ddd.ddd.ddd.ddd   0.0.0.0         255.255.255.0   U     0      0        0 br4

# ip rule show
0:	from all lookup local
96:	from all fwmark 0x6 lookup 104
97:	from all fwmark 0x7 lookup 103
98:	from all fwmark 0x8 lookup 102
99:	from all fwmark 0x9 lookup 101
32000:	from all lookup main
32500:	from xxx.xxx.xxx.xxx lookup 201
32766:	from all lookup 201
32767:	from all lookup default
# ip route show table 201
default via xxx.xxx.xxx.xxx dev eth1 proto dhcp
# ip route show table 202
#

Please let me know if you need other information.

Thanks in advance!

Best,

diego

vpn-slice in openconnect?

Thanks for providing split-vpn!
Still I have a feature request.

I'm using vpn-slice to reduce traffic through my VPN provider.
It would be nice to have this capability on my UDMP router instead of only a single machine.
I assume this involves modifying the Dockerfile for udm-openconnect and maybe using a different way than vpn.conf for configuration. Optionally I can try out myself based on your Dockerfile.
Maybe it is not compatible with other VPN clients?

On my linux box I'm using something like:

$ sudo openconnect \
      --background \
      --quiet \
      --authgroup=2 \
      --user=username \
      --script='...../bin/vpn-slice \
          domain1.com \
          domain2.com \
          x.x.0.0/16' \
      https://vpnprovider.com/

So that only domain[12] and x.x.0.0/16 are routed through the VPN.

I would like to move this functionality to the udmp and have one or two other machines using that same VPN connection.
Is something like that doable?

Thanks!

UpDown Error: Invalid Gateway Address

I have been using split-vpn on my UDM Pro for almost a year now and it has been working fine until recently. The VPN is no longer connecting on boot. I tried manually running the openvpn command and the same error occurs. My openvpn.log file looks like this.

2021-12-27 15:14:23 DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.     
2021-12-27 15:14:23 OpenVPN 2.5.2 aarch64-buildroot-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 21 2021
2021-12-27 15:14:23 library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.10
2021-12-27 15:14:23 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-12-27 15:14:23 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
<REDACTED>
-----END X509 CRL-----

2021-12-27 15:14:23 RESOLVE: Cannot resolve host address: us-newyorkcity.privacy.network:1197 (Temporary failure in name resolution)
2021-12-27 15:14:23 RESOLVE: Cannot resolve host address: us-newyorkcity.privacy.network:1197 (Temporary failure in name resolution)
2021-12-27 15:14:23 Could not determine IPv4/IPv6 protocol
2021-12-27 15:14:23 SIGUSR1[soft,init_instance] received, process restarting
2021-12-27 15:14:28 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-12-27 15:14:28 TCP/UDP: Preserving recently used remote address: [AF_INET]138.199.13.132:1197
2021-12-27 15:14:28 UDP link local: (not bound)
2021-12-27 15:14:28 UDP link remote: [AF_INET]138.199.13.132:1197
2021-12-27 15:14:28 [newyork419] Peer Connection Initiated with [AF_INET]138.199.13.132:1197
2021-12-27 15:14:28 sitnl_send: rtnl: generic error (-101): Network is unreachable
2021-12-27 15:14:28 TUN/TAP device tun0 opened
2021-12-27 15:14:28 net_iface_mtu_set: mtu 1500 for tun0
2021-12-27 15:14:28 net_iface_up: set tun0 up
2021-12-27 15:14:28 net_addr_v4_add: 10.1.110.116/24 dev tun0
2021-12-27 15:14:28 /mnt/data/split-vpn/vpn/updown.sh tun0 1500 1553 10.1.110.116 255.255.255.0 init
Mon Dec 27 15:14:28 2021 split-vpn up: Loading configuration from /mnt/data/split-vpn/openvpn/pia/vpn.conf.
Error: Invalid gateway address.
2021-12-27 15:14:29 WARNING: Failed running command (--up/--down): external program exited with error status: 2
2021-12-27 15:14:29 Exiting due to fatal error

Blackhole example?

What would be an example blackhole rule?

I want to make sure br500 (VLAN500) cannot use internet without being VPN'd, even if the script doesn't run on boot for any reason.

error after unifi update

iptables v1.6.1: host/network `1.0.0.0.1' not found
Try `iptables -h' or 'iptables --help' for more information.

The VPN won't start after I updated UniFi. I did update the WireGuard modules.

client-to-client routing

split-vpn is working great: it connects to my OpenVPN server and I can use the internet in a safe way.
I would like to use it also to link site-to-site or user-to-site. This means that I would like everybody within the OpenVPN server's network (e.g. 10.10.X.X) to be able to communicate. Especially, I would like to also export the networks connected to the UDM-Pro to the OpenVPN.

If I ping from another user/site connected to the OpenVPN network, the ICMP packet enters the UDM and leaves through the normal WAN interface, and gets lost of course.
I tried to add an OPENVPN_NET_IPV4 env variable (which would contain "10.10.0.0/16") and create a mangle rule with -d ${ip}, but had no success.

Any help or tips?

FORCED_SOURCE_MAC not working

Hello,
I'd like to move from FORCED_SOURCE_IP to FORCED_SOURCE_MAC in vpn.conf.
FORCED_SOURCE_IP is working fine. I included the whole IP subnet in the config file (10.x.x.0/24)
But due to some changes in my network I have to use FORCED_SOURCE_MAC. When I add my iPhone's MAC address there, it's not working (private Wi-Fi address is of course turned off on my iPhone, so the real MAC address is being used).
I have a L3 switch configuration where switching is done on my main switch and not on the UDM-Pro. But I guess that should not be an issue since the UDM-Pro also recognizes the MACs of the devices.
Do you have any recommendations what I could try?
Thank you!

ExpressVPN on UDM Pro

Hi,
I recently replaced my old router, etc. with UDM Pro, which is running
Network Version 6.2.25/Firmware Version 1.9.3

I was also running ExpressVPN on my old system.

I am administrating the UDM Pro via windows 10

My questions are:
1 - how can I run ExpressVPN on the UDM Pro?
2 - Being new to the UDM and not familiar with the UDM Utilities Boot Script, is there any detailed information on how to run the utility?
3 - How bullet proof is the installation process?

Thank you

dual vpn

I'm trying to use 2 connections with the same provider:
[#] ip -4 address add 10.13.128.81/24 dev wg1
[#] ip link set mtu 1420 up dev wg1
RTNETLINK answers: Address already in use

I'm sure it's something dumb, but got any advice?

Attach to a UDM Pro VPN

Hi,

I've got the OpenVPN script running (so up to step 6), but there are no instructions on how to add this as a network VPN (so I can see it in the web interface and attach clients to it) or attach a specific IP address to it - can you help with more instructions?

Edit - figured it out.

Create a new VPN and attach its ID to it in the vpn.conf script (i.e. FORCED_SOURCE_INTERFACE="br31" for LAN ID 31).

Very low Wireguard-go speeds

I went through the wireguard-go setup knowing that it's not going to be the fastest connection; however, I have a feeling that I'm getting much worse performance than I should on the UDM-Pro. On my 1 gig connection I'm averaging 170 kbps download speed on fast.com and websites load very slowly. I just wanted to check if this is normal/expected?

update-resolv-conf missing

Hello,
thank you for this wonderful script! I followed your instructions but at step 6 I get the following error:
Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.

I use ProtonVPN, and the .ovpn file includes these lines:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

My UDM-Pro is running on 1.9.0
Any idea how to fix this?
Thank you very much in advance! :)

EDIT:
Got it working!
I removed those lines from the config file, and now it's working!

Help Wanted: Dedicated port to VPN?

Huge thanks for the work on this project.

I'm a bit of a newbie when it comes to iptables, so I hope I can get some help this way.
I have set up split-vpn successfully via WireGuard (Mullvad).
Now I have a client on a dedicated network port on my UDM Pro which is connected to a VLAN; how do I "connect" this VLAN/port to the VPN?

Something amiss with password login

First of all, a huge thanks for this amazing tool! I've run into something I'm doing wrong. I've followed all the steps and can get NordVPN to run perfectly in the foreground, where it asks me to key in my login and password - that works perfectly. Things start to fall apart when I try to run it in the background. Per step 3 I've saved my username and password in a file called username_password.txt, and modified nordvpn.ovpn by adding auth-user-pass username_password.txt. However, when I run the app in the background it prompts me with # Enter Auth Username:Enter Auth Password: What could I be doing wrong? Thanks!

Unable to get IPv6 working through OpenVPN

So, my VDS server has an IPv6 address and I want to use it for OpenVPN.
The UDM Pro gets an IPv6 address from the OpenVPN server, but when I try curl -6 ifconfig.co from a device in my LAN I get a curl error.
Device's ifconfig output:

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.42  netmask 255.255.255.0  broadcast 192.168.8.255
        inet6 fe80::d63d:7eff:febf:6fa  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::d63d:7eff:febf:6fa  prefixlen 64  scopeid 0x20<link>

So what is wrong?

Here is my configuration:

server.conf (OpenVPN server)

proto udp

dev tun

ca ca.crt
cert server.crt
key server.key 

dh dh2048.pem

topology subnet

server 10.8.8.0 255.255.255.0

ifconfig-pool-persist /var/log/openvpn/ipp.txt

client-config-dir ccd

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

keepalive 10 120

tls-auth ta.key 0

cipher AES-256-CBC

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

verb 3

explicit-exit-notify 1

# IPv6 config
server-ipv6 2001:0db8:ee00:abcd::/64
tun-ipv6
push tun-ipv6

ccd/client (OpenVPN Server)

ifconfig-push 10.8.8.6 255.255.255.0
ifconfig-ipv6-push 2001:0db8:ee00:abcd::4

client.ovpn (UDM Pro)

client

dev tun

proto udp

remote IP 1194

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

remote-cert-tls server

cipher AES-256-CBC

verb 3

// Certificates go here...

vpn.conf (UDM Pro)

FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.8.0/24"
FORCED_SOURCE_IPV6="fe80::b4e2:28ff:feb2:4ee/64"
FORCED_SOURCE_MAC=""

EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

EXEMPT_DESTINATIONS_IPV4="192.168.1.0/24 192.168.8.0/24"
EXEMPT_DESTINATIONS_IPV6="fe80:0000:0000:0000:0000:0000:0000:0000/16"

PORT_FORWARDS_IPV4="tcp-80-192.168.8.42-80 tcp-443-192.168.8.42-443"
PORT_FORWARDS_IPV6=""

DNS_IPV4_IP="DHCP"
DNS_IPV4_PORT=53
DNS_IPV4_INTERFACE=""

DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

KILLSWITCH=0

REMOVE_KILLSWITCH_ON_EXIT=1

REMOVE_STARTUP_BLACKHOLES=1

ROUTE_TABLE=104
MARK=0x6
PREFIX="VPNUC_"
PREF=96
DEV=tun3

can't access docker macvlan container with split-vpn

I have a docker container with the following network

version: "2.3"
services:
   ...
    networks:
      macvlan0:
        ipv4_address: 192.168.1.245
    restart: unless-stopped

networks:
  macvlan0:
    name: macvlan0
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24

Then in my vpn.conf I have

FORCED_SOURCE_IPV4="192.168.1.245/32"

Which works very well

The container (192.168.1.245) is reachable from within my home network.

However, when I log in via a VPN (either WireGuard or the UDM's L2TP), the container is unreachable.

I've tried to put in some of the routing rules as suggested here, but this breaks split-VPN...

Any pointers on how to route so I can still reach the container from an incoming VPN ?

ipset: command not found

I am using OpenConnect as a client, everything on that side seems okay. I want to apply rules with forced/exempt domains, but this error keeps coming up when trying to use it.

# cat openconnect.log
POST https://xx.xx/
Connected to xx.xx.xx.xx:443
SSL negotiation with xx.xx
Connected to HTTPS on xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
POST https://xx.xx/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as xx.xx.xx.xx, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Thu Sep 16 07:54:04 2021 split-vpn up: Loading configuration from /etc/split-vpn/config/vpn.conf.
Thu Sep 16 07:54:04 2021 split-vpn: Using IPv4 gateway from table 201: via xx.xx.xx.xx dev eth8.
/etc/split-vpn/vpn/add-vpn-iptables-rules.sh: line 99: ipset: command not found
/etc/split-vpn/vpn/add-vpn-iptables-rules.sh: line 108: ipset: command not found
ERROR: Not adding VPN_FORCED with unknown family: .
/etc/split-vpn/vpn/add-vpn-iptables-rules.sh: line 99: ipset: command not found
/etc/split-vpn/vpn/add-vpn-iptables-rules.sh: line 108: ipset: command not found
ERROR: Not adding VPN_EXEMPT with unknown family: .

I have verified that ipset is installed, and does work on normal CLI. My configuration shows:
PREFIX="VPN_"

FORCED_IPSETS="VPN_FORCED:dst"
EXEMPT_IPSETS="VPN_EXEMPT:dst"

CLI Output:

# ipset list VPN_FORCED
Name: VPN_FORCED
Type: list:set
Revision: 3
Header: size 8
Size in memory: 176
References: 2
Number of entries: 2
Members:
VPN_FORCED4
VPN_FORCED6

When setting the log to verbose, the command being executed appears to be correct:

+ ipset=VPN_FORCED
++ echo VPN_FORCED:dst
++ cut -d: -f2
+ map=dst
++ ipset list VPN_FORCED
/etc/split-vpn/vpn/add-vpn-iptables-rules.sh: line 99: ipset: command not found

Force L3 switch VLAN through VPN not working

Hello,

I am currently using a UDM-Pro + USW-24 Pro (Gen 2) switch. The routing is done by the L3 switch.
Is it possible that FORCED_SOURCE_INTERFACE will not work in this configuration?
I want to force VLAN 20 through the VPN, but I cannot find the interface "br20" via ifconfig.
Only br0 and br4040 (the VLAN for inter-VLAN switching) are present.

Do you see any other way of doing this? It would be tedious to force every MAC in this VLAN.

Thank you!

Error: any valid prefix is expected rather than "vpn.endpoint.net:51822".

Hi

I've got everything working (thank you !) to force a single IPv4 address on my network through a VPN.

However on startup I get the error

Error: any valid prefix is expected rather than "vpn.endpoint.net:51822".

The tunnel is up and all working, but not sure why it's logging this error ?

The client .conf file for this service is

[Interface]
PrivateKey = ***
Address = 10.11.4.50/16
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = vpn.endpoint.net:51822:51822

Killswitch with multiple tun devices.

Hi peacey,

Thanks for your work! I am using the UDM-Pro (FW. 1.9.2) with internet connection over PPPoE.
When i use your script with only a single VPN-Tunnel on tun0 it works fine.
However, I want to route various clients to different VPN servers.
At the moment i am using 2 NordVPN Servers, one at tun101 and one at tun102.

With this configuration the clients aren't able to connect to the internet (killswitch is turned on).
I think there is an issue with your killswitch rules.

With iptables -S i get:

-A VPN_CH_KILLSWITCH ! -o tun0 -m mark --mark 0x8 -j REJECT --reject-with icmp-port-unreachable
-A VPN_CH_KILLSWITCH ! -o tun102 -m mark --mark 0x8 -j REJECT --reject-with icmp-port-unreachable
-A VPN_GN_KILLSWITCH ! -o tun0 -m mark --mark 0x9 -j REJECT --reject-with icmp-port-unreachable
-A VPN_GN_KILLSWITCH ! -o tun101 -m mark --mark 0x9 -j REJECT --reject-with icmp-port-unreachable

The tun interfaces with route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun101
10.8.3.0        0.0.0.0         255.255.255.0   U     0      0        0 tun102

As you can see there is some "-o tun0" but I don't have a running tunnel on tun0.

Please let me know if you need other information.

Thanks in advance!

EXEMPT_DESTINATIONS_IPV4 not working on nexthop on VLAN

I am new to UDM PRO (migrating from USG), and also a git noob, so sorry in advance if this issue breaks some etiquette rule...

I had FORCED_SOURCE_IPV4="192.168.XXX.0/24" to route a specific part of my /22 VLAN through a nexthop VPN gateway, and noticed that EXEMPT_DESTINATIONS_IPV4=192.168.0.0/16 was not working - traffic destined to my other VLANs was being routed through the VPN, as if there was no exemption.

The exemption gets applied on the following piece of code in add-vpn-iptables-rules.sh:

for dest in ${EXEMPT_DESTINATIONS_IPV4}; do
    add_rule IPV4 mangle "PREROUTING ! -i ${dev} -d ${dest} -m mark --mark ${MARK} -j MARK --set-xmark 0x0"
done

The ! -i ${dev} bit was excluding packets from my VLAN interface from the exemption rule. Removing that part fixed the problem.

What's the purpose of excluding the DEV interface from the exemption matching? Is there a better way of excluding my other VLANs from the VPN or is this a bug in the code?

script doesn't work when the WAN connection is ppp0?

Hi peacey,

I have successfully tested your script on my UDM base when my WAN is connected to my modem while its configured as DHCP.

But when I have my modem configured in bridged mode the WAN connection is "ppp0" and the script bombs out because it can't find a valid IP address.

Loading configuration from /mnt/data/openvpn/expressvpn_uk/vpn.conf.
Error: inet address is expected rather than "ppp0".
Mon Mar 1 20:42:25 2021 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Mon Mar 1 20:42:25 2021 Exiting due to fatal error

Is this pebkac or does the script not allow for a PPPoE WAN connection?

Cheers,
AC

can't open './vpn.conf': No such file or directory

# /mnt/data/openvpn/updown.sh tun0 force-down
Loading configuration from /mnt/data/on_boot.d/vpn.conf.
/mnt/data/openvpn/updown.sh: source: line 138: can't open './vpn.conf': No such file or directory

# /mnt/data/openvpn/updown.sh tun0 force-down
Loading configuration from /mnt/data/openvpn/vpn.conf.
/mnt/data/openvpn/add-vpn-iptables-rules.sh: source: line 234: can't open './vpn.conf': No such file or directory

Adjusted lines 138 and 234 from ./vpn.conf to /mnt/data/openvpn/nordvpn/vpn.conf. Ran #/mnt/data/openvpn/updown.sh tun0 force-down and then started on boot script for vpn, and then all is working properly. Very odd but this seems to have only happened after I updated my UDM to 1.8.6.

Routing issue between VLANs

Thanks for the excellent work!

Is it possible to configure a single VPN for multiple VLANs and retain interVLAN routing?

For example:

VLAN 1: 10.0.1.0/24
VLAN 2: 10.0.2.0/24

vpn.conf is set as FORCED_SOURCE_INTERFACE="br1 br2"

When the vpn is running, ping 10.0.2.x from any client on VLAN 1 returns "Destination Host Unreachable" as traffic is routed through the vpn.

When the vpn is stopped, the ping works properly.
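
Added example, not the poster's configuration and not split-vpn's own code: the sample vpn.conf further down this page documents UBIOS_NETv4_brX ipsets that hold each VLAN's subnet and says to exempt them as destinations to keep talking to other VLANs without hardcoding subnets. The excerpt below combines that with the two forced bridges from the post above; that the UDM names the VLAN 1 and VLAN 2 bridges br1 and br2, and that the ipsets exist on the system, are assumptions.

```sh
# vpn.conf excerpt (added example): send VLAN 1 and VLAN 2 through the tunnel,
# but let traffic whose destination is in either VLAN's own subnet keep using
# the normal routing table, so inter-VLAN pings keep working while the VPN is up.
FORCED_SOURCE_INTERFACE="br1 br2"

# UBIOS_NETv4_brX is populated by the UDM with the subnet of bridge brX.
# Matching on dst clears the VPN mark for packets going to a local VLAN,
# whatever interface they came in on.
EXEMPT_IPSETS="UBIOS_NETv4_br1:dst UBIOS_NETv4_br2:dst"

# Equivalent with the subnets written out, if the ipsets are not available:
# EXEMPT_DESTINATIONS_IPV4="10.0.1.0/24 10.0.2.0/24"
```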

VPN Connects however clients not routed through vpn

I followed the guide and got stuck at step 7. The connection is working however no client is going through the vpn (the killswitch isn't being respected either).

I figured I must have something wrong in the vpn.conf so I added all my VLANs, not just the one I want, in forced source interface as well as the IP of my device I test in forced source ipv4.

Anything specific i should lookout for?

Unable to get port forwarding to work

Hi, first of all, I would like to thank you for this as this was exactly what I have been looking for to allow access to a couple of services from outside my network on carrier grade NAT.

I am having an issue with getting port forwarding to work. The VPN is connected, and if I go to my Dedicated PureVPN IP with Port forwarding, I am able to load port 80 which seems to be directed to the UDM pro. But any port forwarding I put in vpn.conf doesn't seem to be working. I am thinking I am just not understanding some instructions but would appreciate a bit of help on it.

A bit about my setup:

  • PureVPN with Dedicated Port Forwarding (StrongSwan)
  • All ports are open on PureVPN side for debugging currently (don't worry, I will limit that when I am up and running)
  • I have 2 servers that I will port forward to that I will need access to from outside the network through the VPN as well as direct local access. (A media server on port 32400, a reverse proxy with Home Assistant and a couple other services behind it on port 80 and 443)

Below is my vpn.conf, please let me know if you need any other additional information. I can clean up my other configuration files if needed but as I do see that the VPN is connected and port 80 is open (to the wrong device), my thought is that it is an issue with how I setup vpn.conf.

Quick note on the below vpn.conf:
I am not forcing the server through the VPN as I do still need to access it on the local network as well. I have tried it with the single device forced through the VPN as well and I get the same results as above.
If I do need to force traffic through the VPN, do you have a way to be able to access it on the local network as well?

### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4=""
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# Do not enable this unless you want to force UDM local traffic through the VPN.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
# This option might cause unintended problems, so disable it if you encounter any issues.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# Enable NAT hairpin by exempting UBIOS_ADDRv4_ethX:dst for IPv4 or
# UBIOS_ADDRv6_ethX:dst for IPv6 (where X = 8 for RJ45, or 9 for SFP+ WAN).
# For IPv6 prefix delegation, exempt UBIOS_ADDRv6_brX, where X = VLAN number (0 = LAN).
#
# To allow communication with your VLAN subnets without hardcoding the subnets,
# exempt the UBIOS_NETv4_brX:dst ipset for IPv4 or UBIOS_NETv6_brX:dst for IPv6.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS=""

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4="both-32400-192.168.1.121-32400 both-80-192.168.1.121-80 both-443-192.168.1.121-443 both-81-192.168.1.121-81"
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="DHCP"
DNS_IPV4_PORT=53
# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE=""

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
#VPN_ENDPOINT_IPV4=""
#VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="auto"

# Set the MSS clamping on packets going out the VPN tunnel. Usually, it is not needed to
# set this manually, but some VPN connections stall if the MSS clamping is not set correctly.
# Typical values range from 1240 to 1460, but it could be lower.
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x9
PREFIX="VPN_"
PREF=99
DEV=vti255

# To execute commands when the VPN connects or disconnects, you can use the
# callback functions hooks_pre_up, hooks_up, hooks_down, and
# hooks_force_down. These functions will be invoked in response to VPN events
# pre-up, up, down, and force-down respectively.
#
# For an example on using these hooks, please see vpn.conf.filled.sample.

Here is some other information you may find useful. I have redacted my IP addresses from these.

iptables-ipRule-ipRoute.txt
podman log.txt

Request: restart crashed openvpn process

First off, THANK YOU for putting this script together. I had cobbled up something like this, but nowhere near as full featured as what you got here. I'm going to be using this from now on.

I'm not sure if I'm alone in this, but I found that my openvpn process crashes occasionally. I basically put my openvpn command in a loop.

i.e.

#!/bin/sh
rm -f /mnt/data/on_boot.d/vpn_log.log
while true; do
    # No "set -e" here: with it, a non-zero openvpn exit would end the script
    # before the echo below runs and the loop would never respawn anything.
    openvpn /mnt/data/on_boot.d/vpn.conf >> /mnt/data/on_boot.d/vpn_log.log 2>&1
    echo "Server crashed with exit code $?. Respawning.." >> /mnt/data/on_boot.d/vpn_log.log
    sleep 1
done

However, since I saw your script runs in the background, I was wondering if maybe you could ping an address (or the remote router) to check if the connection is alive, and restart it. I have sometimes found that the openvpn process was not terminated, but running, but in some kind of stuck state. It would be awesome if we could create a little watchdog script to make sure the other end of the script is available, and if it isn't - then bounce the server. Would this be something you could add?

Restart Tunnel without rebooting the system

I have been trying to figure out which .ovpn file is best for my use case but after setting everything I still need to occasionally swap .ovpn files.

I have configured this to be quite straightforward but cannot figure out how to kill all the associated openvpn processes. Is it possible for a script to go through and restart the process (so it will pull a new configuration) without having to restart the UDM?
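
For both the watchdog request and the restart question above, an added example that is not split-vpn's own code: it probes the far side of the tunnel through the tun device, and after a run of failed probes it kills the one openvpn process that runs the given config, so a respawn loop like the one in the earlier post starts a fresh instance with whatever .ovpn is in place at that moment. Running it once by hand with the kill step alone is the "restart without rebooting". The paths, the probe target, the thresholds and the log location are assumptions for this example.

```sh
#!/bin/sh
# Added example (not split-vpn code): watchdog for one openvpn instance.
# Run as "sh vpn-watchdog.sh run" from the boot script; without "run" it only
# defines the functions so it can be sourced or tested.

DEV="${DEV:-tun0}"                                         # tunnel device of this instance
OVPN_CONF="${OVPN_CONF:-/mnt/data/on_boot.d/vpn.conf}"     # config the respawn loop runs
PROBE_IP="${PROBE_IP:-10.8.0.1}"                           # assumed: the server's tunnel address
MAX_FAILS="${MAX_FAILS:-3}"                                # consecutive failed probes before a restart
INTERVAL="${INTERVAL:-10}"                                 # seconds between probes
LOG="${LOG:-/mnt/data/on_boot.d/vpn_watchdog.log}"

# probe: 0 when the peer answers through DEV. -I pins the source interface so a
# reply that sneaks out over the WAN cannot mask a dead tunnel; -W bounds the wait.
probe() {
    ping -c 1 -W 2 -I "$DEV" "$PROBE_IP" >/dev/null 2>&1
}

# count_failures PREV: print the new consecutive-failure count after one probe.
count_failures() {
    if probe; then echo 0; else echo $(( $1 + 1 )); fi
}

# needs_restart COUNT: true once COUNT has reached MAX_FAILS.
needs_restart() {
    [ "$1" -ge "$MAX_FAILS" ]
}

# kill_openvpn: terminate only the openvpn that runs OVPN_CONF. SIGTERM lets it
# run its --down script (split-vpn's updown.sh, which keeps the killswitch if
# REMOVE_KILLSWITCH_ON_EXIT=0); a wedged process that ignores it gets SIGKILL.
kill_openvpn() {
    pkill -TERM -f "openvpn .*$OVPN_CONF" || return 0     # nothing running, nothing to do
    sleep 5
    pkill -KILL -f "openvpn .*$OVPN_CONF" 2>/dev/null || true
}

if [ "${1:-}" = "run" ]; then
    fails=0
    while :; do
        fails=$(count_failures "$fails")
        if needs_restart "$fails"; then
            echo "[$(date)] $DEV: $fails probes failed, restarting openvpn" >> "$LOG"
            kill_openvpn
            fails=0
        fi
        sleep "$INTERVAL"
    done
fi
```

The watchdog deliberately does not start openvpn itself: the respawn loop already owns that, and two supervisors fighting over one process is how duplicate tunnels appear.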

Bad argument `DOMAIN' add-vpn-iptables-rules.sh

Hi,

having dhcp-options

dhcp-option DOMAIN example.domain.ex
dhcp-option DNS 1.2.3.4

throws an error:
Bad argument `DOMAIN'

Looks like sed always returns a value - changing add-vpn-iptables-rules.sh line 67 to
dns=$(echo "${foreign_option_i}" | sed -En s/".*dhcp-option DNS ([0-9\.]+).*"/"\1"/p)
works for me.
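
Added example, not split-vpn's own code, of the parsing the post above describes: walk foreign_option_1, foreign_option_2, ... in order, keep only "dhcp-option DNS" values, and validate each address before it is spliced into an iptables rule. sed's -n together with /p prints only lines where the substitution matched; without them sed echoes a non-matching line unchanged, which is how "DOMAIN example.domain.ex" ends up as an iptables argument. The function names and the exact DNAT rule are assumptions for this example.

```sh
#!/bin/sh
# Added example (not split-vpn code): read the DNS servers OpenVPN passes to an
# --up script and refuse anything that is not an IPv4 address.

# openvpn_pushed_dns: print one pushed IPv4 DNS server per line, in push order.
openvpn_pushed_dns() {
    i=1
    while :; do
        eval "opt=\"\${foreign_option_$i:-}\""
        [ -n "$opt" ] || break          # OpenVPN numbers the options without gaps
        # -n: print nothing by default; /p: print only when the substitution matched
        printf '%s\n' "$opt" |
            sed -En 's/^dhcp-option DNS ([0-9]+(\.[0-9]+){3})$/\1/p'
        i=$((i + 1))
    done
}

# is_ipv4 ADDR: succeed only for four dotted octets in 0..255, so nothing that
# is not an address can reach an iptables command line.
is_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dns_redirect_args MARK PORT: the nat rule that sends DNS from marked flows to
# the first pushed server, printed as iptables arguments so it can be reviewed
# before "iptables $(dns_redirect_args ...)" applies it. Fails, printing
# nothing, when no usable server was pushed.
dns_redirect_args() {
    dns=$(openvpn_pushed_dns | sed -n '1p')
    [ -n "$dns" ] && is_ipv4 "$dns" || return 1
    printf '%s\n' "-t nat -A PREROUTING -m mark --mark $1 -p udp --dport $2 -j DNAT --to-destination $dns:$2"
}
```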

Error: inet address is expected rather than "dev".

Hi, I've been trying to diagnose this problem when connecting to NordVPN:

openvpn --config nordvpn.ovpn \
    --route-noexec \
    --up /mnt/data/split-vpn/vpn/updown.sh \
    --down /mnt/data/split-vpn/vpn/updown.sh \
    --script-security 2

vpn.conf: (posted as a screenshot)

nordvpn.ovpn: (posted as a screenshot)

Sorry for the images, couldn't figure out the markdown.

updown.sh stuck in ip route loop

Hi,
Tried to follow the README with my mullvad vpn config but it seems that the updown.sh script gets stuck in a loop (see openvpn.log snippet).
Any ideas on what might cause this?

Redacted my public IP for obvious reasons 😉

Wed May 19 03:42:45 2021 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Wed May 19 03:42:45 2021 Multiple --up scripts defined.  The previously configured script is overridden.
Wed May 19 03:42:45 2021 Multiple --down scripts defined.  The previously configured script is overridden.
Wed May 19 03:42:45 2021 WARNING: file 'mullvad_userpass.txt' is group or others accessible
Wed May 19 03:42:45 2021 OpenVPN 2.4.4 aarch64-buildroot-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr  1 2021
Wed May 19 03:42:45 2021 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Wed May 19 03:42:45 2021 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 19 03:42:45 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]193.138.218.135:443
Wed May 19 03:42:45 2021 Socket Buffers: R=[87380->1048576] S=[87380->1048576]
Wed May 19 03:42:45 2021 Attempting to establish TCP connection with [AF_INET]193.138.218.135:443 [nonblock]
Wed May 19 03:42:46 2021 TCP connection established with [AF_INET]193.138.218.135:443
Wed May 19 03:42:46 2021 TCP_CLIENT link local: (not bound)
Wed May 19 03:42:46 2021 TCP_CLIENT link remote: [AF_INET]193.138.218.135:443
Wed May 19 03:42:46 2021 TLS: Initial packet from [AF_INET]193.138.218.135:443, sid=059f3bf6 578a5791
Wed May 19 03:42:46 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 19 03:42:46 2021 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, [email protected]
Wed May 19 03:42:46 2021 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v3, [email protected]
Wed May 19 03:42:46 2021 VERIFY KU OK
Wed May 19 03:42:46 2021 Validating certificate extended key usage
Wed May 19 03:42:46 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 19 03:42:46 2021 VERIFY EKU OK
Wed May 19 03:42:46 2021 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=se-mma-005.mullvad.net, [email protected]
Wed May 19 03:42:47 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1560'
Wed May 19 03:42:47 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Wed May 19 03:42:47 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed May 19 03:42:47 2021 [se-mma-005.mullvad.net] Peer Connection Initiated with [AF_INET]193.138.218.135:443
Wed May 19 03:42:48 2021 SENT CONTROL [se-mma-005.mullvad.net]: 'PUSH_REQUEST' (status=1)
Wed May 19 03:42:49 2021 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.5.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.5.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:443::1000/64 fdda:d0d0:cafe:443::,ifconfig 10.5.0.2 255.255.0.0,peer-id 0,cipher AES-256-GCM'
Wed May 19 03:42:49 2021 OPTIONS IMPORT: compression parms modified
Wed May 19 03:42:49 2021 OPTIONS IMPORT: --socket-flags option modified
Wed May 19 03:42:49 2021 Socket flags: TCP_NODELAY=1 succeeded
Wed May 19 03:42:49 2021 OPTIONS IMPORT: --ifconfig/up options modified
Wed May 19 03:42:49 2021 OPTIONS IMPORT: route options modified
Wed May 19 03:42:49 2021 OPTIONS IMPORT: route-related options modified
Wed May 19 03:42:49 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May 19 03:42:49 2021 OPTIONS IMPORT: peer-id set
Wed May 19 03:42:49 2021 OPTIONS IMPORT: adjusting link_mtu to 1626
Wed May 19 03:42:49 2021 OPTIONS IMPORT: data channel crypto options modified
Wed May 19 03:42:49 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed May 19 03:42:49 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 19 03:42:49 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May 19 03:42:49 2021 ROUTE: default_gateway=UNDEF
Wed May 19 03:42:49 2021 GDG6: remote_host_ipv6=n/a
Wed May 19 03:42:49 2021 ROUTE6: default_gateway=UNDEF
Wed May 19 03:42:49 2021 TUN/TAP device tun5 opened
Wed May 19 03:42:49 2021 TUN/TAP TX queue length set to 100
Wed May 19 03:42:49 2021 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Wed May 19 03:42:49 2021 /usr/sbin/ip link set dev tun5 up mtu 1500
Wed May 19 03:42:49 2021 /usr/sbin/ip addr add dev tun5 10.5.0.2/16 broadcast 10.5.255.255
Wed May 19 03:42:49 2021 /usr/sbin/ip -6 addr add fdda:d0d0:cafe:443::1000/64 dev tun5
Wed May 19 03:42:49 2021 /mnt/data/openvpn/updown.sh tun5 1500 1554 10.5.0.2 255.255.0.0 init
+ '[' -z  ]
+ echo 'Loading configuration from /mnt/data/openvpn/mullvad/vpn.conf.'
Loading configuration from /mnt/data/openvpn/mullvad/vpn.conf.
+ source ./vpn.conf
+ FORCED_SOURCE_INTERFACE=br6
+ FORCED_SOURCE_IPV4=
+ FORCED_SOURCE_IPV6=
+ FORCED_SOURCE_MAC=
+ EXEMPT_SOURCE_IPV4=
+ EXEMPT_SOURCE_IPV6=
+ EXEMPT_SOURCE_MAC=
+ EXEMPT_SOURCE_IPV4_PORT=
+ EXEMPT_SOURCE_IPV6_PORT=
+ EXEMPT_SOURCE_MAC_PORT=
+ EXEMPT_DESTINATIONS_IPV4=
+ EXEMPT_DESTINATIONS_IPV6=
+ PORT_FORWARDS_IPV4=
+ PORT_FORWARDS_IPV6=
+ DNS_IPV4_IP=DHCP
+ DNS_IPV4_PORT=53
+ DNS_IPV4_INTERFACE=
+ DNS_IPV6_IP=
+ DNS_IPV6_PORT=53
+ DNS_IPV6_INTERFACE=
+ KILLSWITCH=0
+ REMOVE_KILLSWITCH_ON_EXIT=1
+ REMOVE_STARTUP_BLACKHOLES=1
+ ROUTE_TABLE=101
+ MARK=0x9
+ PREFIX=VPN_
+ PREF=99
+ DEV=tun5
+ dirname /mnt/data/openvpn/updown.sh
+ iptables_script=/mnt/data/openvpn/add-vpn-iptables-rules.sh
+ ip_rule='fwmark 0x9 lookup 101 pref 99'
+ startup_blackholes='0.0.0.0/1 128.0.0.0/1 ::/1 8000::/1'
+ '[[' 1500 '=' force-down ]]
+ '[[' 1500 '=' pre-up ]]
+ '[[' up '=' up ]]
+ add_blackhole_routes
+ ip route replace blackhole default table 101
+ ip -6 route replace blackhole default table 101
+ add_vpn_routes
+ delete_vpn_routes
+ ip route show table 101
+ grep -v blackhole
+ xargs '-I{}' sh -c 'ip route del {} table 101'
+ ip -6 route show table 101
+ xargs '-I{}' sh -c 'ip -6 route del {} table 101'
+ grep -v blackhole
+ get_gateway
+ '[' -z  ]
+ '[' -z  ]
+ ip route show table 201
+ sed -E 's/.* via ([0-9\.]+) .*/\1/g'
+ grep 'default.*via'
+ route_net_gateway_ip=[REDACTED]
+ ip route show table 201
+ sed -E 's/.* dev ([^ ]+) .*/\1/g'
+ grep 'default.*dev'
+ route_net_gateway_dev=eth8
+ '[' -n [REDACTED] ]
+ break
+ '[' -z [REDACTED] ]
+ ip route replace 0.0.0.0/1 via 10.5.0.1 dev tun5 table 101
+ ip route replace 128.0.0.0/1 via 10.5.0.1 dev tun5 table 101
+ ip -6 route replace ::/1 dev tun5 table 101
+ ip -6 route replace 8000::/1 dev tun5 table 101
+ seq 1 1000
+ eval echo '$route_network_1'
+ echo
+ route_network_i=
+ eval echo '$route_gateway_1'
+ echo
+ route_gateway_i=
+ eval echo '$route_netmask_1'
+ echo
+ route_netmask_i=
+ '[' -z  ]
+ break
+ cut '-d=' -f2
+ env
+ grep route_ipv6_network_
+ ip -6 route replace ::/2 dev tun5 table 101
+ ip -6 route replace 4000::/2 dev tun5 table 101
+ ip -6 route replace 8000::/2 dev tun5 table 101
+ ip -6 route replace c000::/2 dev tun5 table 101
+ '[' -n 193.138.218.135 ]
+ '[' -n [REDACTED] ]
+ '[' -n eth8 ]
+ ip route replace 193.138.218.135/32 via [REDACTED] dev eth8 table 101
+ sh /mnt/data/openvpn/add-vpn-iptables-rules.sh up tun5
+ run_rule_watcher
+ kill_rule_watcher
+ basename /mnt/data/openvpn/updown.sh
+ pgrep -f '/bin/sh.*updown.sh tun5'
+ '[' 1429 '!=' 1874 ]
+ kill -9 1429
+ '[' 1874 '!=' 1874 ]
+ ip rule del fwmark 0x9 lookup 101 pref 99
+ ip -6 rule del fwmark 0x9 lookup 101 pref 99
+ :
Wed May 19 03:42:49 2021 Initialization Sequence Completed
+ ip rule show fwmark 0x9
+ grep 0x9
+ ip rule add fwmark 0x9 lookup 101 pref 99
+ date
+ echo '[Wed May 19 03:42:49 CEST 2021] Readded IPv4 rule.'
+ ip -6 rule show fwmark 0x9
+ grep 0x9
+ ip -6 rule add fwmark 0x9 lookup 101 pref 99
+ date
+ echo '[Wed May 19 03:42:49 CEST 2021] Readded IPv6 rule.'
+ '[' 1 '=' 1 ]
+ ip route del blackhole 0.0.0.0/1
+ ip route del blackhole 128.0.0.0/1
+ ip route del blackhole ::/1
+ ip route del blackhole 8000::/1
+ sleep 1
+ :
+ ip rule show fwmark 0x9
+ grep 0x9
+ grep 0x9
+ ip -6 rule show fwmark 0x9
+ '[' 1 '=' 1 ]
+ ip route del blackhole 0.0.0.0/1
+ ip route del blackhole 128.0.0.0/1
+ ip route del blackhole ::/1
+ ip route del blackhole 8000::/1
+ sleep 1
+ :
+ ip rule show fwmark 0x9
+ grep 0x9
+ ip -6 rule show fwmark 0x9
+ grep 0x9
+ '[' 1 '=' 1 ]
+ ip route del blackhole 0.0.0.0/1
+ ip route del blackhole 128.0.0.0/1
+ ip route del blackhole ::/1
+ ip route del blackhole 8000::/1
+ sleep 1
+ :

bc not found - issue on UDM Pro SE

Hi,

I successfully installed on a UDMP, but trying the same on the UDMPSE, I'm not finding bc.

The version of the OS is

uname -a
Linux Olla-UDM-Pro 4.19.152-ui-alpine #4.19.152 SMP Wed Aug 4 12:51:31 CST 2021 aarch64 GNU/Linux

note:

/usr/bin/bc -h
-bash: /usr/bin/bc: No such file or directory

I fixed it by downloading the command:

sudo apt-get install bc

Reload rules?

I may be missing something in the documentation but after updating vpn.conf, how can we reload the split-vpn configuration without a reboot?

License

Hi, could you please add a license to the repo?

Thanks :)

Entries in EXEMPT_SOURCE_MAC stay even after removal

When I add an entry to EXEMPT_SOURCE_MAC and restart openvpn it is correctly exempted. However, if I then remove that same entry and kill and restart openvpn, it is not removed and stays as exempted when it should now be included.

So, everything is going over VPN, exempt a MAC and the device is exempted, remove that exemption but the device stays exempted.

If I completely restart the UDMP then the device with the MAC that was added and then removed is included in the VPN once more. It must not be clearing out a route somewhere.
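
The killswitch report earlier on this page (a chain holding "! -o tun0" and "! -o tun102" for the same mark, where every marked packet fails one of the two tests and is rejected) and this MAC exemption that outlives a restart are what stale rules look like: a chain that is appended to on every "up" but never emptied. Added example, not split-vpn's own code, of building an instance's chains from scratch: each chain is created if absent, flushed, then filled from the current configuration only, and the jump from the built-in chain is added exactly once. It also fixes the ordering that the exempt-destination post above depends on, with mark rules first and clear-mark rules after them and no condition on the ingress interface. Chain names, the IPTABLES override for dry runs and the rule set itself are assumptions for this example; how split-vpn's own add_rule behaves is not examined here.

```sh
#!/bin/sh
# Added example (not split-vpn code): rebuild one instance's chains on every "up".
# Run as "sh rebuild-chains.sh apply"; without "apply" it only defines functions.

IPTABLES="${IPTABLES:-iptables}"   # point at a recording function or "echo" to dry-run

# ensure_chain TABLE CHAIN: create the chain if missing, then empty it, so rules
# from an earlier run (another DEV, a MAC that has since been removed) cannot stay.
ensure_chain() {
    "$IPTABLES" -t "$1" -N "$2" 2>/dev/null || true
    "$IPTABLES" -t "$1" -F "$2"
}

# hook_once TABLE PARENT CHAIN: jump from the built-in chain exactly once; -C
# checks for the rule so repeated "up" events do not stack duplicate jumps.
hook_once() {
    "$IPTABLES" -t "$1" -C "$2" -j "$3" 2>/dev/null ||
        "$IPTABLES" -t "$1" -I "$2" -j "$3"
}

# build_mangle_chain CHAIN MARK "IFACES" "EXEMPT_MACS" "EXEMPT_DESTS"
# Order matters: packets from the forced interfaces get the mark first, then the
# exemptions clear it again, so an exemption wins whatever the source was.
build_mangle_chain() {
    chain=$1; mark=$2; ifaces=$3; macs=$4; dests=$5
    ensure_chain mangle "$chain"
    for i in $ifaces; do
        "$IPTABLES" -t mangle -A "$chain" -i "$i" -j MARK --set-xmark "$mark"
    done
    for m in $macs; do
        "$IPTABLES" -t mangle -A "$chain" -m mac --mac-source "$m" \
            -m mark --mark "$mark" -j MARK --set-xmark 0x0
    done
    for d in $dests; do
        "$IPTABLES" -t mangle -A "$chain" -d "$d" \
            -m mark --mark "$mark" -j MARK --set-xmark 0x0
    done
    hook_once mangle PREROUTING "$chain"
}

# build_killswitch CHAIN MARK DEV: exactly one REJECT rule, for this tunnel only.
# Two rules such as "! -o tun0" and "! -o tun102" on the same mark reject every
# marked packet, because each packet fails one of the two interface tests.
build_killswitch() {
    chain=$1; mark=$2; dev=$3
    ensure_chain filter "$chain"
    "$IPTABLES" -t filter -A "$chain" ! -o "$dev" -m mark --mark "$mark" -j REJECT
    hook_once filter FORWARD "$chain"
}

if [ "${1:-}" = "apply" ]; then
    # values from the posts on this page: bridge br6, mark 0x9, tunnel tun101
    build_mangle_chain VPN_GN_MARK 0x9 "br6" "" "192.168.0.0/16"
    build_killswitch VPN_GN_KILLSWITCH 0x9 tun101
fi
```

Because every "up" starts from an empty chain, removing a MAC from the exemption list and restarting the client is enough; nothing has to be cleared by hand and no reboot is needed.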

Doc: Need to specify route_vpn_gateway when remote openvpn server doesn't use DHCP

My remote openvpn server doesn't use DHCP to push default routes. As such, the ${route_vpn_gateway} variable is not passed to the updown.sh script. I was able to manually set this to the value I specify in my openvpn.conf. In my case, I set route_vpn_gateway="10.99.99.6"

I would say, maybe make a note of it, or maybe check for empty route_vpn_gateway before using it in the script, to help with debugging and pointing users to an easy way to correct it.

Client's openvpn config....

# cat openvpn.conf
verb 3
proto udp
dev-type tun
dev tun_VPN_USA
lport 1196
mode p2p
ifconfig 10.99.99.6 10.99.99.5
remote SECRET.SERVER.DOMAIN 1196
ping-restart 20
ping 4
auth-nocache
script-security 2
up-restart
up-delay
up /mnt/data/on_boot.d/vpn/updown.sh
down /mnt/data/on_boot.d/vpn/updown.sh
route-noexec
management 127.0.0.1 1126
float
cipher AES-256-CBC
<secret>
SECRET!!!!
</secret>

Server's openvpn config

# cat openvpn.conf
verb 3
proto udp
dev-type tun
dev tun300
lport 1196
mode p2p
ifconfig 10.99.99.5 10.99.99.6
remote SECRET.CLIENT.DOMAIN 1196
ping-restart 20
ping 4
auth-nocache
script-security 2
up-restart
up /mnt/data/on_boot.d/vpn-up
down-pre
down /mnt/data/on_boot.d/vpn-down
up-delay
route-nopull
management 127.0.0.1 1126
float
cipher AES-256-CBC
<secret>
SECRET!!!!
</secret>

Wifi Network Connections

Is it possible to route all clients on a particular WiFi network through the VPN? If so, how can I configure this?
