
mr-canoehead / vpn_client_gateway


Pi-Powered VPN Client Gateway: installation documentation and related files.

Shell 29.91% CSS 13.01% Python 26.96% HTML 10.95% JavaScript 19.17%
vpn vpn-client-gateway


vpn_client_gateway's Issues

Iptables rules and Vpn Kill Switch for Wlan0

mr-canoehead, your project is wonderful, and it works like a charm. But, for many reasons, I need to use the built-in Wi-Fi of the Raspberry Pi 3 to share my VPN Internet connection (through Wi-Fi, of course) with other devices.
I used that project to install the access point and it works very well: https://github.com/billz/raspap-webgui. The only problem is that the web GUI has the same IP address, so I can see only the last web GUI installed.
But the big problem for me (I'm not a Linux expert) is to configure iptables to forward connections from tun0 to wlan0 and create the right VPN kill switch rules, like in your project.
I tried to add these to your rules:
-t nat -A POSTROUTING -o tun0 -j MASQUERADE
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
but, together with your rules, they don't work.
But if I clear your rules through your script and manually add these rules, they work very well.
The problem is that, in this way, there is no VPN kill switch, and I would like to have a fully functional VPN (with kill switch) on my Pi to use as a gateway/DNS server (as in your project) and a wireless access point. Could you help me? And thanks a lot for sharing your project.
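
An added example, written for this page and not taken from the vpn_client_gateway project or its firewall script, of what the three rules in the post above need to become to keep a kill switch: every forwarded packet from the access point must leave through the tunnel, and nothing may be forwarded from wlan0 to the uplink. The interface names wlan0, tun0 and eth0 are assumed from the post; the `iptables -S FORWARD` listing that the audit function parses is a constructed sample. The audit is the check to run on the live box: it reports any ACCEPT rule or chain policy that could carry wlan0 traffic to eth0 without passing the tunnel.

```python
"""Added example; not code from the vpn_client_gateway project.  Builds a
forwarding kill switch for AP clients (wlan0 -> tun0 only) and audits a
`iptables -S FORWARD` listing for rules that would let wlan0 reach eth0."""
import re
import subprocess

LAN_IF, VPN_IF, WAN_IF = "wlan0", "tun0", "eth0"   # assumed from the post above


def killswitch_rules(lan=LAN_IF, vpn=VPN_IF, wan=WAN_IF):
    """iptables commands (argv lists) for a forwarding kill switch.

    The explicit lan->wan DROP is appended before the ACCEPTs so that a later,
    broader ACCEPT added by some other tool cannot reopen the leak."""
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-A", "FORWARD", "-i", lan, "-o", wan, "-j", "DROP"],
        ["iptables", "-A", "FORWARD", "-i", lan, "-o", vpn, "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", vpn, "-o", lan, "-m", "conntrack",
         "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", vpn, "-j", "MASQUERADE"],
    ]


def apply_rules(rules, run=subprocess.run):
    """Apply with -w so a concurrent iptables call waits for the lock instead of failing."""
    for argv in rules:
        run([argv[0], "-w"] + argv[1:], check=True)


def as_iptables_s(rules):
    """Render the filter-table rules the way `iptables -S FORWARD` prints them."""
    return "\n".join(" ".join(r[1:]) for r in rules if "-t" not in r) + "\n"


RULE_RE = re.compile(r"^-A FORWARD(?P<body>.*?) -j (?P<target>\S+)$")


def _split_ifaces(tokens):
    """Pull -i/-o out of a rule body; everything else is an extra match (-p, -m ...)."""
    in_if = out_if = None
    other = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-i":
            in_if = tokens[i + 1]
            i += 2
        elif tokens[i] == "-o":
            out_if = tokens[i + 1]
            i += 2
        else:
            other.append(tokens[i])
            i += 1
    return in_if, out_if, other


def find_forward_leaks(iptables_s_output, lan=LAN_IF, wan=WAN_IF):
    """Rules/policy in `iptables -S FORWARD` output that could forward lan->wan.

    Walks the chain in order: an unconditional DROP/REJECT covering lan->wan
    shadows everything after it, so scanning stops there."""
    policy = None
    leaks = []
    for line in iptables_s_output.splitlines():
        line = line.strip()
        if line.startswith("-P FORWARD "):
            policy = line.split()[-1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        in_if, out_if, other = _split_ifaces(m.group("body").split())
        covers_lan_to_wan = in_if in (None, lan) and out_if in (None, wan)
        if not covers_lan_to_wan:
            continue
        if m.group("target") in ("DROP", "REJECT") and not other:
            return leaks
        if m.group("target") == "ACCEPT":
            leaks.append(line)
    if policy != "DROP":
        leaks.append("-P FORWARD %s" % policy)
    return leaks


# Constructed sample: the rules from the post plus a catch-all ACCEPT, on a
# chain whose policy was left at ACCEPT.
SAMPLE_LEAKY_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -i wlan0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -j ACCEPT
"""

if __name__ == "__main__":
    for leak in find_forward_leaks(SAMPLE_LEAKY_CHAIN):
        print("LEAK:", leak)
    print("generated ruleset leaks:", find_forward_leaks(as_iptables_s(killswitch_rules())))
```

Running the file reports the two leaks in the sample (the catch-all ACCEPT and the ACCEPT policy) and an empty list for the generated ruleset. On the gateway, feed the audit the output of `iptables -S FORWARD`. Rule order is the usual reason that appending three rules to an existing kill switch appears to do nothing: iptables stops at the first match, so a rule added after an existing DROP is never reached, which is also why the generator places its DROP ahead of the ACCEPTs instead of relying on the policy alone.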

switching VPN servers fails if VPN is in 'disabled' state (simple workaround available)

Expected behaviour:
When VPN is in the 'disabled' state, clicking on a VPN server on the management web page should cause the VPN Client Gateway application to switch to the new VPN server, then enable the VPN service.

Observed behaviour:
Management web page displays "Changing VPN" message, but the VPN service is not enabled and the 'remote' setting in /etc/openvpn/server.conf is not updated with the new VPN server.

Workaround:
Enable VPN via the Admin page before selecting a new VPN server.

Have to "sudo service nginx restart" on every reset

Hi there, this is the third time I am trying to install the server. Everything works so far and it connects on reboot (soft or hard), but the web server needs to be restarted for the web portal to work.

Is this normal?

create status monitor script

create a script that monitors the status of the VPN Client Gateway and periodically writes the status to a file for consumption by other programs. The status will include:

  • status of the openvpn service
  • connection state and statistics for the current VPN connection (obtained via the openvpn management interface)
  • status of the network (internet connection, dns queries)
  • status of the server (memory usage, cpu usage, cpu temp)

The script will run at configurable intervals, and will write its output to a JSON file in the /tmp directory.
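
An added example, not code from the vpn_client_gateway project, of the building blocks a monitor like the one specified above needs: querying the OpenVPN management interface, parsing the service status, assembling the JSON document and writing it atomically. The management replies are constructed samples in the line format OpenVPN uses for its `state` and `status` commands; the management address, the file path and the JSON field names are assumptions. The service-status parser also accepts the Alpine/OpenRC output quoted further down this page, which goes beyond the original spec.

```python
"""Added example; not the project's code.  Building blocks for a status monitor
that polls OpenVPN's management interface and writes a JSON status file."""
import json
import os
import tempfile
import time

MGMT_ADDR = ("127.0.0.1", 7505)   # assumed: "management 127.0.0.1 7505" in server.conf
DEMO_PATH = os.path.join(tempfile.gettempdir(), "vpncgw_status_demo.json")

try:                                 # Python 3.5+
    from json import JSONDecodeError
except ImportError:                  # Python 2: json raises plain ValueError
    JSONDecodeError = ValueError


def mgmt_query(sock, command):
    """Send one management command; collect the reply up to its terminating END line."""
    sock.sendall((command + "\n").encode())
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if buf.splitlines()[-1] == b"END" and buf.endswith((b"\n", b"\r\n")):
            break
    return buf.decode("utf-8", "replace")


def parse_state(reply):
    """`state` reply line: time,state,description,local_ip,remote_ip,remote_port,..."""
    for line in reply.splitlines():
        if not line or line.startswith(">") or line == "END":
            continue
        f = line.split(",")
        return {"time": int(f[0]), "state": f[1], "description": f[2],
                "local_ip": f[3], "remote_ip": f[4],
                "remote_port": int(f[5]) if len(f) > 5 and f[5] else None}
    return {"state": "UNKNOWN"}


def parse_status(reply):
    """`status` reply in client mode is a list of "counter name,value" lines."""
    counters = {}
    for line in reply.splitlines():
        name, sep, value = line.partition(",")
        if sep and value.strip().isdigit():
            counters[name.strip()] = int(value)
    return counters


def service_state(status_output):
    """Classify `service openvpn status` output from systemd or Alpine/OpenRC."""
    text = status_output.lower()
    if "active (running)" in text or "status: started" in text:
        return "running"
    if "status: inactive" in text:
        return "inactive"            # OpenRC: started but not yet marked active
    if "inactive" in text or "failed" in text or "status: stopped" in text:
        return "stopped"
    return "unknown"


def write_status(status, path):
    """Write via a temp file and rename so readers never see a partial JSON document."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".status.")
    with os.fdopen(fd, "w") as fh:
        json.dump(status, fh)
    os.chmod(tmp, 0o644)             # mkstemp creates 0600; readers are other users
    getattr(os, "replace", os.rename)(tmp, path)


def read_status(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (IOError, OSError, JSONDecodeError):
        return None


class FakeMgmt(object):
    """Stand-in for the management socket so this file runs without OpenVPN."""
    REPLIES = {   # constructed replies
        "state": b"1606640637,CONNECTED,SUCCESS,10.8.0.2,203.0.113.5,1198,,\r\nEND\r\n",
        "status": (b"OpenVPN STATISTICS\r\nUpdated,Sun Nov 29 10:23:57 2020\r\n"
                   b"TUN/TAP read bytes,1048576\r\nTUN/TAP write bytes,2097152\r\n"
                   b"TCP/UDP read bytes,2200000\r\nTCP/UDP write bytes,1100000\r\nEND\r\n"),
    }

    def __init__(self):
        self.pending = b""

    def sendall(self, data):
        self.pending = self.REPLIES[data.decode().strip()]

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


def collect(sock, service_output, loadavg, cpu_temp_millideg):
    """One monitoring pass: assemble the status document from its sources."""
    return {
        "generated": int(time.time()),
        "openvpn_service": service_state(service_output),
        "connection": parse_state(mgmt_query(sock, "state")),
        "counters": parse_status(mgmt_query(sock, "status")),
        "server": {"load_1m": loadavg[0], "cpu_temp_c": cpu_temp_millideg / 1000.0},
    }


def demo_status(path=DEMO_PATH):
    """One pass against the fake socket with constructed host figures, written to disk."""
    status = collect(FakeMgmt(), "   Active: active (running) since Sun 2020-11-29",
                     (0.42, 0.30, 0.25), 48312)
    write_status(status, path)
    return status


if __name__ == "__main__":
    print(json.dumps(demo_status(), indent=2))
```

In a real run replace `FakeMgmt()` with `socket.create_connection(MGMT_ADDR)`, take the load figures from `os.getloadavg()` and the temperature from `/sys/class/thermal/thermal_zone0/temp`, and call `collect` from a loop with the configured interval. The rename-based write matters because a reader that opens the file between a truncating write and its completion would otherwise get an empty or half-written document, which is exactly the case the `JSONDecodeError` shim catches on the reading side.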

*** Please read this before submitting an issue! ***

Code Freeze Notice

This project is currently frozen. Only Severity 1 issues will be considered. A Severity 1 issue is one that affects critical functionality or critical data, and does not have a workaround. Examples of a Severity 1 issue are: unsuccessful installation, complete failure of a major feature.

can not start vpncgw service (Debian 10)

I tried to install the VPN gateway on a new Debian 10 installation (VM).

When I try to start it with sudo service vpncgw start and get the status with sudo service vpncgw status, I get:

● vpncgw.service - VPN Client Gateway
   Loaded: loaded (/etc/systemd/system/vpncgw.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2020-11-29 10:23:57 CET; 1s ago
  Process: 9602 ExecStartPre=/bin/mkdir /run/vpncgw (code=exited, status=0/SUCCESS)
  Process: 9603 ExecStartPre=/bin/chown -R www-data:www-data /run/vpncgw (code=exited, status=0/SUCCESS)
  Process: 9604 ExecStart=/usr/bin/env gunicorn vpncgw:application --worker-class eventlet --timeout 30 -w 1 --threads 12 -b 0.0.0.0:8000 --pid /run/vpncgw/vpncgw.pid (code=exited, status=3)
  Process: 9611 ExecStopPost=/bin/rm -rf /run/vpncgw (code=exited, status=0/SUCCESS)
 Main PID: 9604 (code=exited, status=3)

Nov 29 10:23:57 vpngate2 env[9604]:   File "/usr/local/lib/python2.7/dist-packages/engineio/__init__.py", line 3, in <module>
Nov 29 10:23:57 vpngate2 env[9604]:     from .client import Client
Nov 29 10:23:57 vpngate2 env[9604]:   File "/usr/local/lib/python2.7/dist-packages/engineio/client.py", line 2, in <module>
Nov 29 10:23:57 vpngate2 env[9604]:     from json import JSONDecodeError
Nov 29 10:23:57 vpngate2 env[9604]: ImportError: cannot import name JSONDecodeError
Nov 29 10:23:57 vpngate2 env[9604]: [2020-11-29 10:23:57 +0000] [9609] [INFO] Worker exiting (pid: 9609)
Nov 29 10:23:57 vpngate2 env[9604]: [2020-11-29 10:23:57 +0000] [9604] [INFO] Shutting down: Master
Nov 29 10:23:57 vpngate2 env[9604]: [2020-11-29 10:23:57 +0000] [9604] [INFO] Reason: Worker failed to boot.
Nov 29 10:23:57 vpngate2 systemd[1]: vpncgw.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Nov 29 10:23:57 vpngate2 systemd[1]: vpncgw.service: Failed with result 'exit-code'.

I double-checked every installation step. Do you have any idea where I can find a solution for this problem?

Enabling UPNP?

Working on UPNP for port forwarding. Tried the following with no luck:

sudo apt-get install linux-igd

sudo nano /etc/openvpn/tunnel.up

#!/bin/sh
/usr/sbin/upnpd tun0 eth0

sudo nano /etc/openvpn/tunnel.down

#!/bin/sh
/usr/bin/killall upnpd

Make the scripts executable:

sudo chmod +x /etc/openvpn/tunnel.up /etc/openvpn/tunnel.down

server.conf

# add up and down script for uPNP
script-security 2
up /etc/openvpn/tunnel.up
down /etc/openvpn/tunnel.down

sudo iptables -A INPUT -i eth0 -p udp -m multiport --dports 1900,5351,5353 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --dports 49152 -j ACCEPT
sudo netfilter-persistent save

Hackviking

TORGUARD??

Hi, can you see if you can add TorGuard VPN with WireGuard support, please?

Gateway Status Stuck on Loading After Pihole Update

Hello,

I recently updated Pihole to the latest version and after that the Gateway Status part of the page never populates, just permanently loading. The gateway works, it just fails to load status (or rather loads it indefinitely).


I did notice that I had to update php in order to get the Pihole working properly, so I assume something on the VPN Gateway needs an update as well. Is it something similar to issue #49? I assume it's something trivial, but I'm out of ideas so decided to check if anyone else had this issue as well.

Thanks!

PIA uses new cert and port

The new openvpn.zip includes new certs "ca.rsa.2048.crt" and "crl.rsa.2048.pem". The config files also use a new port. Please change

remote us-west.privateinternetaccess.com 1194
to
remote us-west.privateinternetaccess.com 1198

I also had to add
cipher aes-128-cbc

My final server.conf looks like this
client
dev tun0
proto udp
remote ca.privateinternetaccess.com 1198
resolv-retry infinite
keepalive 10 60
nobind
persist-key
redirect-gateway
cipher aes-128-cbc
ca ca.rsa.2048.crt
tls-client
remote-cert-tls server
auth-user-pass auth.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem

OSMC installation difficulty

I followed this guide and was easily able to install vpn on my RPi 2 Debian Jessie -- these are fantastic tools and a wonderful guide you have provided here!!

Now I'm trying to install VPN on OSMC (20150929), but I can't seem to install any packages. I'm not interested in accepting requests from clients, so I skipped the "Install the DNS forwarder" step (I tried anyway and got the same error as below: unable to locate package).

When I attempt the "Install openvpn" step and issue the sudo apt-get install openvpn command, this is what I see in my terminal:

osmc@RPi0-OSMC:~$ sudo apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package openvpn

I would greatly appreciate any help resolving this issue. Thank you!!

Can't run the vpncgw service

Hi,

I'm on Python 2.7 and I can't get the program to run. Here's what I'm seeing:

May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16318] [INFO] Starting gunicorn 19.9.0
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16318] [INFO] Listening at: http://0.0.0.0:8000 (16318)
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16318] [INFO] Using worker: eventlet
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16328] [INFO] Booting worker with pid: 16328
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16328] [ERROR] Exception in worker process
May 14 21:06:36 localhost env: Traceback (most recent call last):
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/arbiter.py", line 583, in spawn_worker
May 14 21:06:36 localhost env: worker.init_process()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/workers/geventlet.py", line 102, in init_process
May 14 21:06:36 localhost env: super(EventletWorker, self).init_process()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/workers/base.py", line 129, in init_process
May 14 21:06:36 localhost env: self.load_wsgi()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/workers/base.py", line 138, in load_wsgi
May 14 21:06:36 localhost env: self.wsgi = self.app.wsgi()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/app/base.py", line 67, in wsgi
May 14 21:06:36 localhost env: self.callable = self.load()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/app/wsgiapp.py", line 52, in load
May 14 21:06:36 localhost env: return self.load_wsgiapp()
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/app/wsgiapp.py", line 41, in load_wsgiapp
May 14 21:06:36 localhost env: return util.import_app(self.app_uri)
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/gunicorn/util.py", line 350, in import_app
May 14 21:06:36 localhost env: __import__(module)
May 14 21:06:36 localhost env: File "/opt/vpncgw/vpncgw.py", line 1, in <module>
May 14 21:06:36 localhost env: from flask import Flask, request, jsonify
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/flask/__init__.py", line 21, in <module>
May 14 21:06:36 localhost env: from .app import Flask, Request, Response
May 14 21:06:36 localhost env: File "/usr/lib/python2.7/site-packages/flask/app.py", line 23, in <module>
May 14 21:06:36 localhost env: from werkzeug.routing import BuildError, Map, RequestRedirect, Rule
May 14 21:06:36 localhost env: SyntaxError: unqualified exec is not allowed in function '_compile_builder' it contains a nested function with free variables (routing.py, line 948)
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16328] [INFO] Worker exiting (pid: 16328)
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16318] [INFO] Shutting down: Master
May 14 21:06:36 localhost env: [2019-05-14 21:06:36 +0000] [16318] [INFO] Reason: Worker failed to boot.
May 14 21:06:36 localhost systemd: vpncgw.service: main process exited, code=exited, status=3/NOTIMPLEMENTED
May 14 21:06:39 localhost systemd: vpncgw.service: control process exited, code=exited status=7

Thanks for any pointers :)

Python 3.6

Hi,

Is this compatible with python 3.6? I'm getting some errors when starting the vpncgw.

May 9 21:19:34 localhost env: File "/usr/local/lib/python3.6/site-packages/gunicorn/util.py", line 350, in import_app
May 9 21:19:34 localhost env: __import__(module)
May 9 21:19:34 localhost env: File "/opt/vpncgw/vpncgw.py", line 115
May 9 21:19:34 localhost env: except ValueError, e:
May 9 21:19:34 localhost env: ^
May 9 21:19:34 localhost env: SyntaxError: invalid syntax
May 9 21:19:34 localhost env: [2019-05-09 21:19:34 -0400] [14384] [INFO] Worker exiting (pid: 14384)
May 9 21:19:34 localhost env: [2019-05-09 21:19:34 -0400] [14378] [INFO] Shutting down: Master
May 9 21:19:34 localhost env: [2019-05-09 21:19:34 -0400] [14378] [INFO] Reason: Worker failed to boot.
May 9 21:19:34 localhost systemd: vpncgw.service: main process exited, code=exited, status=3/NOTIMPLEMENTED

Thanks! Great project also :)

iptables don't work for TCP connections [enhancement]

The current firewall config script doesn't work when connected to a VPN over TCP. Only a predefined set of UDP ports are routed.

For my setup, I need to connect over TCP on well-defined ports like 443. As a quick fix, I have added a predefined set of common VPN TCP ports on a fork: 34659b3. The script handles cases when either port list is empty. If you want, I can send in a pull request.

I was further thinking to add an option to the configuration tool to work out the protocol and port from the actual server.conf to tailor it to individual installs. That way, we won't have unnecessary ports configured in the firewall. Thoughts? I will give it a shot in the coming days and can contribute a patch if it sounds sensible.

2 Clients connecting

Hi,

If BOX1 connects to the VPNCGW and opens a tunnel, can BOX2 connect to the VPNCGW and select a different TUNNEL?

Essentially, i'm looking to have 2 different boxes connected to the same VPNCGW, but with 2 different tunnels.

Thanks :)

VPN Client Gateway is no longer compatible with Pi-hole

nginx web server installation / configuration conflicts with the lighttpd service installed by Pi-hole. The VPN Client Gateway cannot be run on the same Raspberry Pi as Pi-hole. A revised configuration and corresponding installation instructions needs to be developed and tested.

Port Forwarding

Hi,

it would be great if you could add a simple example of how to add port-forwarding through the firewall.

Thanks

J.

nordvpn update

Hi,

Thanks for this excellent project. I'm using nordvpn. The nord scripts and schema needed some tinkering in order to work.

I'm opening this issue as per the contributing guidelines to avoid a surprise pull request.

Please see my commit: f9a24e9 which would form the basis of the pull request. I'm not precious - please feel free to make changes yourself as you see fit.

Cheers

blank lines in server.conf cause error in get_current_server

if there are blank lines in /etc/openvpn/server.conf, get_current_server throws an error:
Jul 21 14:01:48 raspberrypi env[2856]: if line_tokens[0] == 'remote':
Jul 21 14:01:48 raspberrypi env[2856]: IndexError: list index out of range

The function should be modified to ignore blank lines.

Disable internet connectivity when VPN connection is down

The guide makes no mention of what happens when the VPN connection goes down or is not active. Ideally I would like internet connectivity to drop out when not connected via the VPN, so that no unsecured traffic goes out over the ISP connection. Is this something you could consider adding?

Service unavailable Attempting to contact server...

Before i start i have to bring my respect for the amazing guide, awesome work, thank you for doing this mr-canoehead.

I followed the guide to the letter, and I can't get my head around the message "Service unavailable Attempting to contact server" on the VPN client gateway management page. I can see all the ticks green but can't access anything because the page is greyed out; also the current VPN server is not loading, it stays on "requesting data". I looked in the logs and see this popping up from time to time:

Aug 20 19:09:14 PI env[521]: reraise(exc_type, exc_value, tb)
Aug 20 19:09:14 PI env[521]: File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1949, in full_dispatch_request
Aug 20 19:09:14 PI env[521]: rv = self.dispatch_request()
Aug 20 19:09:14 PI env[521]: File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1935, in dispatch_request
Aug 20 19:09:14 PI env[521]: return self.view_functions[rule.endpoint](**req.view_args)
Aug 20 19:09:14 PI env[521]: File "/opt/vpncgw/vpncgw.py", line 545, in request_handler
Aug 20 19:09:14 PI env[521]: return jsonify(function_map(request.args.get('request'))())
Aug 20 19:09:14 PI env[521]: File "/opt/vpncgw/vpncgw.py", line 183, in get_current_server
Aug 20 19:09:14 PI env[521]: countryname = server_details['countryname']
Aug 20 19:09:14 PI env[521]: KeyError: 'countryname'

My knowledge is very poor on this part; I have no idea what this means.
I am on raspbian_lite-2019-04-09 and have a Raspberry Pi 2B, with PureVPN and a similar config as the server.conf as stated on page 2.
OpenVPN is connected and all is working great except the VPN management page.

Could someone point me in the right direction where i need to look to fix this?

Cheers ;-)

web folder paths for Pi-hole compatibility

Install vpnmgmt in subfolder /var/www/html/vpnmgmt;
after changing VPN, Pi-hole says "Website Blocked"
since vpnmgmt wants to go back to the root folder.

Since the structure was not changed, just one level deeper, vpnmgmt should pull its path dynamically:
not return home, but one level deeper.

Path to index.php is /var/www/html/vpnmgmt/index.php.

Apple TV

Hi. I built the Pi router with the web interface and a PureVPN service. Apparently the router is working fine, but Netflix on the Apple TV recognises that a VPN service is running, so it locks any media streaming. Anyway, the project is really well explained and it works really well. This info is to let you update the section regarding the Apple TV.
Thank You.
Claudio

VPN Client Gateway Stuck on Requesting

Hello,

First of all, thank you for this excellent guide, great to see clear instructions explained in a simple way.

Not sure if this falls under "Severity 1", but I've been having an issue with the Client Gateway after install. The VPN (Mullvad) is automatically connected on every boot, Pi-hole is working fine (although it does pop some errors, but I'm working on it), but when I open the Client Gateway it just says "requesting data" under Current VPN Server and Choose New VPN Server. Everything is empty with a blue loading cog in the middle spinning forever.

I followed the guide to the letter except two things:

  1. I installed OpenVPN via PiVPN.
  2. Mullvad removed Mullvad_crl.pem from their files, so I removed it from a server.conf, because it doesn't need it to connect anymore.

I've been trying to figure this one out for days now and can't seem to figure it out. Also, for some reason when I create a client profile (i.e. for my laptop), it doesn't connect, but instead reports "TLS Error: TLS key negotiation failed to occur within 60 seconds" even though I forwarded UDP port on my router and removed all firewall configuration. Any idea what I might be doing wrong? What information should I post that would help track down the issue? Not so much for the 2nd problem, it's the 1st one I'm trying to crack.

Thanks in advance!

tun0 postrouting rule is not deleted after disabling VPN

After disabling VPN (via Admin->Disable VPN on the management web page), the tun0 postrouting rule is still listed. It should be deleted by disablevpn.php and re-added by enablevpn.php.

After disabling VPN:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  267 34338 MASQUERADE  all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           
   17   956 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0  

Failed to start VPN Client Gateway (vpncgw.service never wrote its PID file)

I have issues getting the VPN Client Gateway to start. It gives me the following error after running command "sudo service vpncgw start":

Job for vpncgw.service failed. See 'systemctl status vpncgw.service' and 'journalctl -xn' for details.

Output from the errors:

-- Logs begin at Fri 2019-03-08 18:12:13 CET, end at Fri 2019-03-08 18:50:16 CET. --
Mar 08 18:50:07 raspberrypi sudo[3189]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Mar 08 18:50:08 raspberrypi systemd[1]: Starting VPN Client Gateway...
-- Subject: Unit vpncgw.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit vpncgw.service has begun starting up.
Mar 08 18:50:13 raspberrypi systemd[1]: PID file /run/vpncgw/vpncgw.pid not readable (yet?) after start-post.
Mar 08 18:50:13 raspberrypi systemd[1]: vpncgw.service: main process exited, code=exited, status=3/NOTIMPLEMENTED
Mar 08 18:50:13 raspberrypi systemd[1]: vpncgw.service never wrote its PID file. Failing.
Mar 08 18:50:13 raspberrypi systemd[1]: Failed to start VPN Client Gateway.
-- Subject: Unit vpncgw.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit vpncgw.service has failed.

-- The result is failed.
Mar 08 18:50:13 raspberrypi systemd[1]: Unit vpncgw.service entered failed state.
Mar 08 18:50:13 raspberrypi sudo[3189]: pam_unix(sudo:session): session closed for user root
Mar 08 18:50:16 raspberrypi sudo[3255]: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/journalctl -xn
Mar 08 18:50:16 raspberrypi sudo[3255]: pam_unix(sudo:session): session opened for user root by pi(uid=0)

I installed pi-hole prior to installing vpncgw, though I uninstalled lighttpd to avoid any conflicts.

Any tips?

Support changing port numbers in the openvpn config file

Some VPN providers do not use the same port number for all their servers. This means that when switching servers the openvpn service may not be able to connect because it currently uses the same port for all servers. The vpnservers.xml schema needs to be expanded to include an optional port value for each server. If the port value is present, it should be used when switching to that server. If it is not present, the existing port should be used. Existing vpnservers.xml files should not be affected by this change.

Alpine: configuration changes do not persist across reboots

Alpine runs from a ramdisk; configuration changes (changing VPN servers, enabling / disabling VPN) are lost when a reboot occurs. Alpine includes a local backup command (lbu commit) that must be run to commit changes to the physical disk so that they persist across reboots.

vpncgw_monitor.py spams Pi-Hole with DNS queries for www.example.com

Title reflects the issue: vpncgw_monitor.py spams Pi-Hole with DNS queries for www.example.com at the rate of ~7 per 7-9 seconds. This makes the Dashboard cluttered. Given that filtering of the Dashboard is limited given that these are considered "legitimate" in the eyes of the developers (see numerous requests for this feature and resistance to it by searching for "pihole exclude particular domain from dashboard"), is there an option to do so when calling vpncgw_monitor.py?

Thank you in advance!!

Tor over Openvpn

Hello, do you have any idea how to route the tun0 traffic to wlan0 through Tor, on demand?
This is the configuration I would like to create:

wlan0 ---> TOR --->OpenVpn(tun0) ---> eth0 and vice versa.

So I would like to use mr-canoehead's wonderful VPN project for everyday connections and sometimes add one more security layer through Tor, on demand, everything protected through the VPN kill switch.
I'm not able to route the VPN traffic through Tor to wlan0 (maybe because the VPN doesn't have a static IP?), even if I delete every VPN kill switch rule. There is something I don't know to do that. I don't know how to configure the torrc file with the VPN too.
I would like to add something like this for Tor on demand, to activate Tor and, at the same time, add the right rules to iptables to let it work, and then remove them when it's turned off to come back to a fully working VPN:

START TOR AND ADD IPTABLES RULES

#!/bin/bash
# /home/pi/toron.sh
/etc/init.d/tor start
# nat rules are matched in order: redirecting SSH (22) and DNS (53) to themselves
# makes those ports match here, so the catch-all below never sees them
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
# every other new TCP connection from the access point goes to Tor's TransPort (9040)
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

STOP TOR AND REMOVE IPTABLES RULES

#!/bin/bash
# /home/pi/toroff.sh
# the same rules as toron.sh, deleted (-D) instead of appended (-A)
/etc/init.d/tor stop
sudo iptables -t nat -D PREROUTING -i wlan0 -p tcp --dport 22 -j REDIRECT --to-ports 22
sudo iptables -t nat -D PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
sudo iptables -t nat -D PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
sudo iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -D FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -D FORWARD -i wlan0 -o tun0 -j ACCEPT

maybe there could be something to change /etc/sudoers too. Credits to brunotvaz for that.

Could you help me?
Thanks and thanks again for improving this project more and more!

Get IP address geolocation - All fields undefined

Just installed VPN Client Gateway on an ODroid C4 running Ubuntu 20.04 along with Pi-hole and nearly everything is working as expected (thank you for this great app). The only aspect that seems not to be working as expected is Tools -> Get IP address geolocation, where all fields are undefined. Looking over vpncgw.py, I saw that http://www.geoplugin.net/json.gp should be providing that service. However, attempting to connect to that URL or, from geoplugin's example page, http://www.geoplugin.net/json.gp?ip=xx.xx.xx.xx (with the xx.xx.xx.xx being replaced with my public IP) returns "www.geoplugin.net refused to connect" in any browser. Can someone confirm that the service is also down for them? Thank you in advance.

Given that geoplugin seems to have low activity (at least from looking at their forums), perhaps moving to a different service like:

http://www.ip-api.com/json?callback=?

Might be optimal?

Thank you in advance!!

SOCKS5 Proxy Server

Can you add support for a SOCKS5 proxy server? It would be great for getting specific applications to go through the VPN.

Alpine: code to check service status does not work

In Alpine, the output generated by the command sudo service openvpn status is different from other systems, so the code is not able to check the service status. The output of the command on Alpine is:

  • service is running & inactive: status: inactive
  • service is running & active: status: started
  • service is disabled: status: stopped

manage_openvpn.php ignores port value specified in server.conf.template

Some users may wish to connect using ports other than 1194 (e.g. Private Internet Access supports 8080, 9201, and 53). Currently the switcher script manage_openvpn.php ignores the port value specified in server.conf.template and uses a hardcoded value of 1194.

The script should be modified so that the port value specified in server.conf.template is copied to server.conf.

A workaround is to modify the hardcoded port value in manage_openvpn.php, e.g.:

$vpnshellcmd= 'sed "s/remote .*/remote ' . $vpnserver . ' 8080/" < /etc/openvpn/server.conf.template > /etc/openvpn/server.conf';

Unfortunately this workaround breaks the "Current VPN server" section of the Basic view, so the user can't see which server they are currently connected to.
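
An added example, not the project's code, serving the three server.conf issues on this page (blank lines breaking get_current_server, servers with their own ports, and the hard-coded port in manage_openvpn.php): it reads and rewrites the `remote` line of an OpenVPN client config without shelling out. Blank and comment lines are skipped, the template's port is kept unless the chosen server carries its own, and the hostname is validated rather than spliced into a sed command as in the workaround above. The template and server list are constructed samples; the vpnservers.xml schema is not reproduced here.

```python
"""Added example; not the project's code.  Parse and rewrite the `remote`
directive of an OpenVPN client config, tolerating blank lines and comments."""
import re


def parse_conf(text):
    """(directive, args) pairs; blank lines and #/; comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def get_current_server(text, default_port=1194):
    """(host, port, proto) from the first `remote` directive, or None if absent."""
    for directive, args in parse_conf(text):
        if directive == "remote" and args:
            port = int(args[1]) if len(args) > 1 else default_port
            proto = args[2] if len(args) > 2 else None
            return args[0], port, proto
    return None


HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def valid_host(host):
    """Hostname or IPv4 literal only; anything with shell/sed metacharacters is rejected."""
    return bool(HOSTNAME_RE.match(host))


def valid_port(port):
    return isinstance(port, int) and 0 < port < 65536


def render_conf(template_text, server, default_port=1194):
    """Copy of the template with `remote` pointed at server["host"].

    server["port"] overrides the template's port when present; otherwise the
    template's own port (or default_port if it has none) is kept."""
    host = server["host"]
    port = server.get("port")
    if not valid_host(host):
        raise ValueError("invalid hostname: %r" % (host,))
    if port is not None and not valid_port(port):
        raise ValueError("invalid port: %r" % (port,))
    out = []
    for raw in template_text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "remote":
            tmpl_port = parts[2] if len(parts) > 2 else str(default_port)
            extra = parts[3:]                     # e.g. an explicit protocol
            chosen = str(port) if port is not None else tmpl_port
            out.append(" ".join(["remote", host, chosen] + extra))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed template: the blank lines and the comment are deliberate.
SAMPLE_TEMPLATE = """\
client
dev tun0
proto udp

# remote is rewritten by the server switcher
remote us-west.privateinternetaccess.com 1194

resolv-retry infinite
"""

# Constructed server list: an entry may carry its own port.
SERVERS = [
    {"host": "ca.privateinternetaccess.com"},
    {"host": "us-west.privateinternetaccess.com", "port": 1198},
]

if __name__ == "__main__":
    print(get_current_server(SAMPLE_TEMPLATE))
    for s in SERVERS:
        print(get_current_server(render_conf(SAMPLE_TEMPLATE, s)))
```

The validation is the point of doing this in code rather than with `sed "s/remote .*/remote $vpnserver 8080/"`: a server name that reaches a shell command unescaped is a command-injection path whenever the name can come from user input, while a regex that only admits hostname characters closes it regardless of how the string is later used.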

Debian 9 "Predictable Network Interface Names" breaks scripts containing iptables rules

Debian 9 introduced "Predictable Network Interface Names" which means that network interfaces are no longer named eth0, eth1 etc. Instead, the interface names include the MAC address of the interface (e.g. 'enxb827eb123456') and will be different from one machine to the next. Since all the firewall scripts in this project are hard-coded to use 'eth0' as the LAN interface they no longer work with the new naming scheme.

A short-term workaround is to rename the network interface to 'eth0' via a udev rule, this workaround has been tested and I've added it to the installation instructions.

The long term solution to this issue is to remove all hard-coded references to the network interface name from the VPN Client Gateway scripts.

One approach is to use custom iptables rule chains that are established by the firewall configuration script. The VPN Client Gateway scripts that currently refer to 'eth0' will instead refer to the custom rule chain names. These names will remain consistent regardless of which machine the gateway is installed on. The network adapter name will need to be configured when the firewall configuration script is run, perhaps by detecting all available interfaces and allowing the user to choose which one is the primary interface.
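
An added example, not the project's code, of the two parts of the approach just described: finding the primary interface from the routing table instead of assuming eth0, and installing the gateway's rules in project-owned chains so that every other script refers to a chain name that is the same on every machine. The /proc/net/route listing is a constructed sample; the chain names VPNCGW_FWD and VPNCGW_NAT and the tun0 name are assumptions.

```python
"""Added example; not the project's code.  Detect the uplink interface from
/proc/net/route and build interface-agnostic iptables chains."""
import subprocess

IGNORE_PREFIXES = ("tun", "tap", "lo")   # never pick the tunnel itself as uplink


def default_route_iface(route_table, ignore=IGNORE_PREFIXES):
    """Interface of the default route in /proc/net/route text (lowest metric wins).

    Columns: Iface Destination Gateway Flags RefCnt Use Metric Mask ...  Addresses
    are little-endian hex, so 0.0.0.0/0 is Destination 00000000 with Mask 00000000;
    OpenVPN's redirect-gateway def1 half-route 0.0.0.0/1 has Mask 00000080 and is
    therefore skipped.  Flag bit 0x2 is RTF_GATEWAY."""
    best = None
    for line in route_table.splitlines()[1:]:
        f = line.split()
        if len(f) < 8 or f[1] != "00000000" or f[7] != "00000000":
            continue
        if f[0].startswith(ignore):
            continue
        flags, metric = int(f[3], 16), int(f[6])
        if flags & 0x2 and (best is None or metric < best[0]):
            best = (metric, f[0])
    return best[1] if best else None


def read_default_iface():
    with open("/proc/net/route") as fh:
        return default_route_iface(fh.read())


def chain_rules(lan_if, vpn_if="tun0"):
    """Commands that (re)build the project chains and hook them into FORWARD/POSTROUTING.

    Only these commands know the real interface names; the jumps from the built-in
    chains, and anything a management script would later touch, use chain names."""
    return [
        ["iptables", "-N", "VPNCGW_FWD"],                    # may already exist
        ["iptables", "-F", "VPNCGW_FWD"],
        ["iptables", "-A", "VPNCGW_FWD", "-i", lan_if, "-o", vpn_if, "-j", "ACCEPT"],
        ["iptables", "-A", "VPNCGW_FWD", "-i", vpn_if, "-o", lan_if,
         "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-A", "VPNCGW_FWD", "-j", "DROP"],
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-D", "FORWARD", "-j", "VPNCGW_FWD"],    # drop a stale jump, if any
        ["iptables", "-I", "FORWARD", "1", "-j", "VPNCGW_FWD"],
        ["iptables", "-t", "nat", "-N", "VPNCGW_NAT"],
        ["iptables", "-t", "nat", "-F", "VPNCGW_NAT"],
        ["iptables", "-t", "nat", "-A", "VPNCGW_NAT", "-o", vpn_if, "-j", "MASQUERADE"],
        ["iptables", "-t", "nat", "-D", "POSTROUTING", "-j", "VPNCGW_NAT"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-j", "VPNCGW_NAT"],
    ]


TOLERATED = {"-N", "-D"}   # "chain already exists" and "no such rule" are expected here


def apply_rules(rules, run=subprocess.run):
    for argv in rules:
        op = next(a for a in argv if a in ("-N", "-F", "-A", "-D", "-I", "-P"))
        run([argv[0], "-w"] + argv[1:], check=op not in TOLERATED)


def iface_bound_chains(rules, iface):
    """Chains whose rules mention `iface`: shows the name never reaches the built-in chains."""
    return sorted({r[r.index("-A") + 1] for r in rules if iface in r and "-A" in r})


# Constructed /proc/net/route: a Debian-9-style uplink name plus OpenVPN's
# redirect-gateway def1 half-route on tun0.
SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
tun0\t00000000\t0208000A\t0003\t0\t0\t0\t00000080\t0\t0\t0
enxb827eb123456\t00000000\t0101A8C0\t0003\t0\t0\t202\t00000000\t0\t0\t0
enxb827eb123456\t0001A8C0\t00000000\t0001\t0\t0\t202\t00FFFFFF\t0\t0\t0
"""

if __name__ == "__main__":
    lan = default_route_iface(SAMPLE_ROUTE)
    print("uplink:", lan)
    print("chains that mention it:", iface_bound_chains(chain_rules(lan), lan))
```

Run the detection once, when the firewall configuration script is executed, and persist the chosen name; after that, enabling or disabling the VPN only ever means flushing and refilling VPNCGW_NAT, so the same management code works whether the interface is called eth0 or enxb827eb123456.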

How connecting new device looks like?

I'm looking into getting started with this project. Does every client device need to be configured somehow before connecting, or will they automatically connect via the VPN? Could someone elaborate?

Multiple postrouting rules observed in certain use cases

In certain use cases where the gateway is being managed by multiple browser sessions the nat postrouting table may end up with multiple entries. This can cause the gateway to stop forwarding traffic.

Reproducing the issue: access the management page in two separate browser tabs. In the first tab, go to the Admin menu and click 'Disable VPN'. The page should update and show that VPN is now disabled. Now go to the second tab, and again go to the Admin menu and click 'Disable VPN' (this option is still shown because the browser data is stale), then view the nat postrouting table. It will show two postrouting entries. Various combinations of enabling/disabling VPN in multiple browser tabs will reproduce the issue.

Workarounds are to either reload the iptables rules (by running the vpn_client_gw_script.fw script provided in the release), or to manually edit the nat postrouting table to correct it.
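
An added example, not the project's code, of how the enable/disable step can be made idempotent so that the stale-tab scenario above (and the earlier report of the tun0 postrouting rule surviving a disable) cannot stack duplicate POSTROUTING entries or leave one behind: `iptables -C` probes for a rule before appending, `-S` lets duplicates be counted and peeled off, and `-w` waits for the xtables lock instead of failing when two invocations overlap. The `run` callable is injected so the logic can be exercised without root; FakeIptables is an in-memory stand-in for the nat table.

```python
"""Added example; not the project's code.  Idempotent add/remove of the tun0
MASQUERADE rule, converging on exactly one or exactly zero copies."""
import subprocess


def run_iptables(argv):
    """Real runner: returns (exit status, stdout)."""
    p = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                       universal_newlines=True)
    return p.returncode, p.stdout


def _ipt(run, table, op, chain, spec=()):
    return run(["iptables", "-w", "-t", table, op, chain] + list(spec))


def rule_present(table, chain, spec, run=run_iptables):
    return _ipt(run, table, "-C", chain, spec)[0] == 0


def count_rule(table, chain, spec, run=run_iptables):
    """How many copies `-S` lists.  Simple specs print back in the order given;
    rules with -m matches may be normalised, so compare those via -C only."""
    wanted = " ".join(["-A", chain] + list(spec))
    _, listing = _ipt(run, table, "-S", chain)
    return sum(1 for line in listing.splitlines() if line.strip() == wanted)


def ensure_rule(table, chain, spec, present, run=run_iptables):
    """Converge on exactly one copy (present=True) or none (present=False).

    Returns the operations performed.  `-D` removes a single copy per call, so
    duplicates are peeled off in a loop; when enabling, the append happens first
    so there is no instant with zero copies."""
    ops = []
    if present and not rule_present(table, chain, spec, run):
        _ipt(run, table, "-A", chain, spec)
        ops.append("-A")
    target = 1 if present else 0
    while count_rule(table, chain, spec, run) > target:
        _ipt(run, table, "-D", chain, spec)
        ops.append("-D")
    return ops


MASQ_TUN0 = ("nat", "POSTROUTING", ["-o", "tun0", "-j", "MASQUERADE"])


def enable_vpn_nat(run=run_iptables):
    return ensure_rule(*MASQ_TUN0, present=True, run=run)


def disable_vpn_nat(run=run_iptables):
    return ensure_rule(*MASQ_TUN0, present=False, run=run)


class FakeIptables(object):
    """In-memory nat table honouring the argv layout _ipt produces."""
    def __init__(self):
        self.chains = {}

    def __call__(self, argv):
        op, chain, spec = argv[4], argv[5], " ".join(argv[6:])
        rules = self.chains.setdefault(chain, [])
        if op == "-S":
            return 0, "".join("-A %s %s\n" % (chain, r) for r in rules)
        if op == "-C":
            return (0 if spec in rules else 1), ""
        if op == "-A":
            rules.append(spec)
            return 0, ""
        if op == "-D":
            if spec in rules:
                rules.remove(spec)
                return 0, ""
            return 1, ""
        return 2, ""


def demo():
    """Two stale 'Enable VPN' clicks appended the rule twice; converge, then disable."""
    ipt = FakeIptables()
    for _ in range(2):
        ipt(["iptables", "-w", "-t", "nat", "-A", "POSTROUTING", "-o", "tun0", "-j", "MASQUERADE"])
    enable_ops = enable_vpn_nat(run=ipt)
    after_enable = count_rule("nat", "POSTROUTING", MASQ_TUN0[2], run=ipt)
    disable_ops = disable_vpn_nat(run=ipt)
    after_disable = count_rule("nat", "POSTROUTING", MASQ_TUN0[2], run=ipt)
    return enable_ops, after_enable, disable_ops, after_disable


if __name__ == "__main__":
    print(demo())
```

Two browser tabs can still race between the probe and the append; `-w` serialises the iptables calls themselves but not the check-then-act sequence, so the enable and disable handlers should additionally take a file lock (for example `fcntl.flock` on a file under /run) for the duration of `ensure_rule`.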

Protonvpn

I’d like to try and add support for protonvpn. I’ll be running the gateway on an odroid c2, but the basics should be the same.

Has anyone already tried adding protonvpn? Any tips or things I should look out for?

Log files aren't being cleaned up

The logrotate configuration is incomplete, so log files accumulate in /var/log (syslog, messages, daemon.log etc.). Need to figure out how to configure logrotate properly and update the wiki.

'Gateway status' section of the management web page does not update

In testing with the latest Raspbian release (2019-06-20-raspbian-buster-lite) I noticed that the 'Gateway status' section of the management web page is never populated, it only shows the 'loading' icon (spinning wheel).
The status json file /var/run/vpncgw/vpncgw_status.json is being updated at the expected intervals, so this seems to be an issue of the status message not being sent via websockets to the web clients. Have tried both Chrome and Firefox browsers on a Linux PC and Android phone, both show the same issue.

Requesting data... issue

Hello,
I'm installing a new version from scratch on a new SD Card to replace my older version. I tried 2 times, one with PiHole and the other without it, but I always have the requesting data on the web interface.
I entered all the installation lines as per the step-by-step. On both I have this error in syslog:

piavpn env[5415]: The client is using an unsupported version of the Socket.IO or Engine.IO protocols (further occurrences of this error will be logged with level INFO)

I tried older versions manually and it just crashed even more with "not implemented" errors.
Tried to install some modules but in the end it just ended up being worse with more errors. After the install I don't have any errors I can understand related to vpncgw.

Dec 27 23:56:33 piavpn env[6007]: Traceback (most recent call last):
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/arbiter.py", line 583, in spawn_worker
Dec 27 23:56:33 piavpn env[6007]: worker.init_process()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/workers/geventlet.py", line 102, in init_process
Dec 27 23:56:33 piavpn env[6007]: super(EventletWorker, self).init_process()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/workers/base.py", line 129, in init_process
Dec 27 23:56:33 piavpn env[6007]: self.load_wsgi()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/workers/base.py", line 138, in load_wsgi
Dec 27 23:56:33 piavpn env[6007]: self.wsgi = self.app.wsgi()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/app/base.py", line 67, in wsgi
Dec 27 23:56:33 piavpn env[6007]: self.callable = self.load()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/app/wsgiapp.py", line 52, in load
Dec 27 23:56:33 piavpn env[6007]: return self.load_wsgiapp()
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/app/wsgiapp.py", line 41, in load_wsgiapp
Dec 27 23:56:33 piavpn env[6007]: return util.import_app(self.app_uri)
Dec 27 23:56:33 piavpn env[6007]: File "/usr/lib/python3/dist-packages/gunicorn/util.py", line 375, in import_app
Dec 27 23:56:33 piavpn env[6007]: __import__(module)
Dec 27 23:56:33 piavpn env[6007]: File "/opt/vpncgw/vpncgw.py", line 20, in <module>
Dec 27 23:56:33 piavpn env[6007]: from flask_socketio import SocketIO, emit
Dec 27 23:56:33 piavpn env[6007]: File "/usr/local/lib/python3.7/dist-packages/flask_socketio/__init__.py", line 26, in <module>
Dec 27 23:56:33 piavpn env[6007]: from .namespace import Namespace
Dec 27 23:56:33 piavpn env[6007]: File "/usr/local/lib/python3.7/dist-packages/flask_socketio/namespace.py", line 1, in <module>
Dec 27 23:56:33 piavpn env[6007]: from socketio import Namespace as _Namespace
Dec 27 23:56:33 piavpn env[6007]: ImportError: cannot import name 'Namespace' from 'socketio' (/usr/local/lib/python3.7/dist-packages/socketio/__init__.py)

Thank you for the help and all the work!

after disabling VPN and then rebooting, forwarding via VPN resumes

Test:

  1. disable VPN via management web page (Admin -> Disable VPN)
  2. verify that the openvpn service is stopped:
~$ sudo service openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: inactive (dead) since Wed 2015-11-11 09:35:56 PST; 11s ago
 Main PID: 284 (code=exited, status=0/SUCCESS)
  3. verify that traffic is forwarded via eth0 (1st line of traceroute output is our network router):
~$ traceroute www.google.com
traceroute to www.google.com (209.52.144.89), 30 hops max, 60 byte packets
 1  unknown (10.1.2.1)  0.515 ms  0.465 ms  0.342 ms
  4. reboot
  5. see that the openvpn service has restarted:
~$ sudo service openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Wed 2015-11-11 09:41:36 PST; 9min ago
  Process: 272 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 272 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service
  6. see that traffic is forwarded via tun0 (1st line of traceroute output is vpn tunnel IP):
~$ traceroute www.google.com
traceroute to www.google.com (209.52.144.123), 30 hops max, 60 byte packets
 1  10.192.1.1 (10.192.1.1)  62.122 ms  61.673 ms  61.408 ms

VPN forwarding should remain disabled after a reboot.
