Pen16x
Posts: 2
Joined: Thu Sep 12, 2019 1:12 am

PiVPN Double-Hop Setup: Almost but Something's Wrong

Thu Sep 12, 2019 1:42 am

PiVPN Double-Hop Setup: TLS Handshake Issues

Greetings:

I wanted to make a PiVPN so I followed this guy here https://www.comparitech.com/blog/vpn-pr ... ry-pi-vpn/ to the T on a Raspberry Pi 3 B+. Everything went smooth as butter: installing, tweaking and setting up the PiVPN. I created and exported an OVPN profile and imported it into OpenVPN on my Android. I was able to connect to my home network from anywhere with my phone. I even have a PiVPN GUI, which is nice.

Awesome, Right!?

Well, I just had to go a step further and continue the tutorial to make the PiVPN send outbound traffic through another VPN service. A double-hop.

I have NordVPN so I gathered my chosen .ovpn files (UDP) https://nordvpn.com/ovpn/, the certificate and key files https://downloads.nordcdn.com/configs/a ... ervers.zip and Nord's DNS servers https://support.nordvpn.com/General-inf ... resses.htm. Transferred them all through USB to /etc/openvpn/. Changed Nord's ovpn to 'outgoing.conf' and also made a backup 'outgoing.conf.backup'.

Before we move forward, here are my IP settings (from Google Drive): Local + Gateway/outer IP and DNS. https://drive.google.com/file/d/1m97xAL ... sp=sharing

As in the tutorial, I edited /etc/openvpn/server.conf with sudo nano to (I believe) give static names to the incoming and outgoing connections. Added/changed lines: Server.conf File https://drive.google.com/file/d/1YAKQte ... sp=sharing

Code:

dev tun-incoming
dev-type tun

Did the same to 'outgoing.conf'. Added/changed: Outgoing.conf File https://drive.google.com/file/d/1NYe39O ... sp=sharing

Code:

dev tun-outgoing
dev-type tun

This is where the tutorial deviates from my situation. They are using IPVanish, which makes you call on certificate files and key files, whereas NordVPN has the encrypted certificate and key built into the .ovpn. I did however create a 'nordvpnauth.txt' for the auth login, while also restricting read and edit permissions to keep from unwanted tampering.

Code:

sudo chmod 600 /etc/openvpn/nordvpnauth.txt

I was told to update my iptables by editing

Code:

sudo nano /lib/dhcpcd/dhcpcd-hooks/40-routes

which did not actually exist until I created it. I added these lines and that is it:

Code:

ip rule add from 192.168.1.207 lookup 101
ip route add default via 192.168.1.1 table 101

Then to stop DNS leaks, I further edited my '/etc/openvpn/server.conf':

Original

Code:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

NordVPN's DNS servers

Code:

push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"

Now I should be ready to start the service and test it out, correct? Ran

Code:

sudo service openvpn@outgoing start

I get a 1 second delay and the prompt comes right back up as if nothing ran, no info, no nothing. So I added 'log-append /var/log/openvpn.log' to get a more comprehensive look into the error. From what I can see the TLS handshake fails, which the OpenVPN website briefly explains as a simple port mix-up, firewall block or bad ovpn conf settings, but after I made a couple of settings repairs I no longer get that error (still does not work) but I do find:

Code:

Could not determine IPv4/IPv6 protocol. Using AF_INET

but most sources claim it is admissible noise.

But as I am somewhat new to networking, I'm not sure what to look for. Here are the logs: OpenVPN-LOGS.txt https://drive.google.com/file/d/1B61Fb5 ... sp=sharing

(I apologize for the length of the log file)

Also here is a screenshot of my network router: Google Network Settings https://drive.google.com/file/d/1PWt85S ... sp=sharing & Google Network PiVPN Settings https://drive.google.com/file/d/1TV8GWh ... sp=sharing

Does anybody see where I went wrong in the settings? I feel like it's probably a silly mistake somewhere, but I have been checking over these files and re-doing them for 2 days in an effort to figure it out and I am at my wits' end.

Any help would be greatly appreciated.

Thank You

rjl6789
Posts: 2
Joined: Sat Sep 28, 2019 7:13 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Sat Sep 28, 2019 7:22 pm

Hi, did you get any further with this?

I’m also using NordVPN and google Wifi router.

I managed to start the outgoing server by:

Code:

sudo systemctl enable openvpn@outgoing

then a reboot.

I find I can connect to the VPN fine. I can visit internal IPs OK; however, if I try to browse the internet with my connected device (phone) I can't.

Logging into the Pi (which has a visual desktop) I can see it is successfully connected to NordVPN, i.e. the public address is the NordVPN address and I can browse in Chromium OK.

So something is funky with the route for connected devices. I have no idea what. I followed the tutorial and quadruple checked. All very frustrating, especially as if I disable the outgoing vpn I can connect and browse fine (as if connected to my local network as would be expected... but only single hop)

Anyway, if you or anyone else has made this work I’d be grateful of any tips !!!!!

h5c5
Posts: 3
Joined: Wed Oct 16, 2019 9:12 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Wed Oct 16, 2019 9:23 am

Hi, did either of you figure this out?

I have the exact same problem using privateinternetaccess as the VPN. My OpenVPN mobile client can connect but I get 'no internet' when trying to browse. If I stop the openvpn outgoing service on the pi the mobile client can connect to the internet, but of course, it's not using a double-hop but is just using the unsecured connection.

Using the browser on the raspberry pi itself with the outgoing/double-hop VPN service started, works fine. Very frustrating.

I guess it's the routing tables but I'm unsure what IP I need to re-route.

Any hints or tips much appreciated.

rjl6789
Posts: 2
Joined: Sat Sep 28, 2019 7:13 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Wed Oct 23, 2019 4:48 pm

Hi,

No - I didn't get this sorted. Your experience echoes mine.

I drove myself nuts googling and trying out various routing rules. (including the ones at the bottom of the comparitech article)

For my own sanity I had to stop. A double hop VPN remains a dream!

I don't possess the know how unfortunately. Maybe this is just too hard / impossible - certainly the article either misses off some vital info or as time has moved on it's become deprecated.

Oh well - can but dream of a neat , pi-based double hop solution

h5c5
Posts: 3
Joined: Wed Oct 16, 2019 9:12 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Thu Oct 24, 2019 4:52 pm

Yes same here, I had to abandon it for lack of time to teach myself Linux routing tables.

I assume it must have worked initially but now does not. I emailed the author and a couple of comments on the article report the same problem so perhaps he'll look again, get it working and update it.

If I ever find a pi double-hop solution I'll come back and share!

Pen16x
Posts: 2
Joined: Thu Sep 12, 2019 1:12 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Fri Oct 25, 2019 12:46 am

We should be able to figure it out together. I am pretty busy through the week but this weekend I am going to jump back into it.

I seem to be blocked on that side of things as I can connect on the incoming side no problem but I can't get traffic back to my device through the VPN/outgoing side. Are you guys having the same issue?

What VPN are you guys using? I'm on NordVPN.

h5c5
Posts: 3
Joined: Wed Oct 16, 2019 9:12 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Fri Oct 25, 2019 3:59 pm

I was using privateinternetaccess (PIA) although I cancelled the subscription now. PIA's forum said they don't support the pi but I don't think that was the reason it didn't work because I was just using the ovpn files and it worked fine when I used the browser on the pi itself (I have it connected to a monitor).

Same as you, I was able to connect to the pi from a client on my mobile but could not then access the internet when connected. Frustratingly, if I actually went onto the pi via the monitor and opened the browser I always had no problems, with PIA's website telling me I was connected to their servers and protected. When I ran pivpn -d for debugging I could see no obvious problems.

As you mentioned in your first post, it seems like a problem with the handshake between the client and the outgoing service. I'll check my log files to see if I can find any clues.
I can also sign up to another VPN provider to see if that helps and hopefully figure this out.

Did you use TCP for your client connection and UDP for your outgoing connection as the article describes? I assumed this might cause issues, transferring between the protocols, but the author states it won't work with UDP to UDP either.

Edit: does this provide some clues with the handshake errors in your logs? https://openvpn.net/faq/tls-error-tls-k ... nectivity/

Boterham31415
Posts: 1
Joined: Sat Nov 30, 2019 10:20 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Sat Nov 30, 2019 10:43 pm

Had the exact same question.
I was wondering if the solution could be to set up the 2nd hop to NordVPN on your home router, rather than on the Pi.

I suppose this would avoid the handshake issue, since it would be moved to the router, and your PiVPN in any case needs to pass via the router to access the internet.
Inbound traffic to PiVPN should still work, since you know the IP address of your ISP modem.

Depending on which router you have, it might be possible to configure it so that all outbound traffic goes via NordVPN https://support.nordvpn.com/Connectivit ... ordVPN.htm.

Haven't tested it yet, but maybe it can help...
What are your thoughts?

chets
Posts: 1
Joined: Mon Dec 02, 2019 3:59 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Mon Dec 02, 2019 4:20 pm

Hello Guys,

I am not too sure that this will work for you... but I have experienced exactly the same problems after following the instructions with precision.

:P :P Solution :P :P
Try adding the Raspberry Pi to the DMZ of your router (add the Raspberry interface IP address as a DMZ server on your ISP router), if you have one of those very restrictive broadband providers. That will allow all traffic to the VPN server.

Install tcpdump; I believe it's something like "apt-get install tcpdump". Then run (tcpdump -i tun-outgoing | grep "port"), replacing port with your chosen port and the interface with the name of the interface you want to monitor. The command should allow you to see all the packets that are tx and rx on the interface using the tcp/udp port.

NB:

Open two SSH sessions if possible so you can see the packets on one and carry on working from the other. - Just my opinion, it's not a must.

Despite the joy of getting a connection from my remote device, I am still troubleshooting why I am not able to receive traffic :lol: :lol: ....it's following the right path, i.e. from my remote device to my PiVPN, then through to IPVanish.

So yea.....I will post an update if I have any joy from poking around. :!: :!: :!: Hit me up if anyone found an answer :D

chets

Regards

unspoken101
Posts: 1
Joined: Mon Dec 16, 2019 1:27 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Mon Dec 16, 2019 1:33 pm

My friend was also having the same issue. She was not able to stop the leaks from her PC. Then our mutual friend suggested using this service from which she was very much satisfied. She then subscribed to this https://www.purevpn.com/features/dns-leak-protection service and to our amaze, her problem was resolved!

harzelino
Posts: 2
Joined: Tue Feb 25, 2020 12:23 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Tue Feb 25, 2020 12:43 pm

Hi there, I am working on the same set-up. I got the outgoing connection working (through PureVPN) and I got the incoming connection working. However, the incoming (server.conf) connection only works if the outgoing connection is down. So I haven't got both directions up and running at the same time. A few things that I saw in the provided config files: I guess outgoing and incoming are twisted; the server.conf should be the incoming and the NordVPN should be the outgoing connection, hence dev tun-outgoing. It seems NordVPN did not acknowledge the connection. I removed all incorporated certs and keys from my outgoing.conf file and substituted them with the provided ca.crt and Wdc.key file. That is all. Ah, and the route at the end, I guess it should be "route 192.168.1.0 255.255.255.0 192.168.1.1" instead of 192.168.1.207. As I got everything up and running, I assume I need to solve some routing issues to get it done. I will keep you posted, in case I should succeed.

alpine_mudder
Posts: 2
Joined: Sun Apr 05, 2020 7:58 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Sun Apr 05, 2020 8:40 am

I have been working on this all weekend. I have looked at the tute provided by Comparitech and ProxyRack.com

Like others in this post I have followed them precisely. What I have found is that I am getting asymmetric routing.
I used a fresh install of Raspbian and installed PiVPN as per each tute. Everything works fine. Specifically, I am testing with a device that is on the cellular network as the client so it is an external network. As soon as I connect the outgoing VPN, what I can see is the OpenVPN TCP connection comes in via the broadband router, hits the Raspberry Pi and then, due to the route tables, the SYN-ACK goes out via the outgoing VPN.

I can also see this with traceroute. When I run netstat I can see the cell device connected to OpenVPN as established, with a SYN_RECV.

Before outgoing VPN activated:

Code:

pi@raspberryVPN:~ $ netstat -an |grep 1194
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.15:1194       1.136.108.213:46886     ESTABLISHED

After outgoing VPN activated:

Code:

pi@raspberryVPN:~ $ netstat -an |grep 1194
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.15:1194       1.136.108.213:63263     SYN_RECV

Because the route table has a default route of the tun-outgoing interface, the cell TCP session gets split with replies going out the outbound tunnel instead of back through eth0, the return path to the broadband router:

Code:

pi@raspberryVPN:~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.197.0.93     128.0.0.0       UG    0      0        0 tun-outgoing
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.0.0.0        192.168.0.1     255.0.0.0       UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun-incoming
10.197.0.1      10.197.0.93     255.255.255.255 UGH   0      0        0 tun-outgoing
10.197.0.93     0.0.0.0         255.255.255.255 UH    0      0        0 tun-outgoing
128.0.0.0       10.197.0.93     128.0.0.0       UG    0      0        0 tun-outgoing
172.16.0.0      192.168.0.1     255.240.0.0     UG    0      0        0 eth0
173.239.198.135 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 eth0

I am still trying to work out what is going on, as I have added another route

Code:

sudo ip route add 1.128.0.0/9 via 192.168.0.1

and it still doesn't work. Any help or advice would be brilliant right now.

wotuzu17
Posts: 1
Joined: Sun Apr 05, 2020 7:55 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Sun Apr 05, 2020 7:58 pm

I got the same problem as the creator of this thread. I'm also using NordVPN as outgoing provider, so possibly it has got something to do with that.

alpine_mudder
Posts: 2
Joined: Sun Apr 05, 2020 7:58 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Mon Apr 06, 2020 9:03 am

So a little more time with this today.

In the Comparitech article, it says to add these two lines to the route table:

Code:

sudo ip rule add from 192.168.0.15 lookup 101
sudo ip route add default via 192.168.0.1 table 101

I found these to be useless in my scenario - mobile device to PiVPN, then ExpressVPN back out to the Internet. VPN access to the private network, ExpressVPN to all public networks from the RPi and mobile device.

This is far more effective:

Code:

sudo iptables -A OUTPUT -t mangle -p tcp --sport 1194 -j MARK --set-mark 1
sudo ip rule add fwmark 1 table 101
sudo ip route add table 101 default via 192.168.0.1 dev eth0

The first line marks all packets coming from the OpenVPN server on port 1194 - you will need to change this number if you are listening on something else. This also stops the default routes from taking over and pushing tun-incoming straight out tun-outgoing and causing asymmetric routing.
The second line is an IP policy rule that says if the packet is marked with a '1' then look up route table 101.
The third line is a route rule that makes the packets route out eth0 back to the broadband router, and back to the mobile device.

This now allows me to VPN in from the mobile device while the ExpressVPN tunnel is up and running. However it does not allow me to route from tun-incoming to tun-outgoing for ExpressVPN internet.

At this point it is worth checking the iptables NAT table using:

Code:

sudo iptables -t nat -L --line-numbers

pi@raspberryVPN:~ $ sudo iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.8.0.0/24          anywhere             /* openvpn-nat-rule */

I only had one NAT rule for some reason. If you have both in and out covered with a NAT, you can forget the next command.
The last step was to get the tun-outgoing to route packets back to tun-incoming:

Code:

sudo iptables -t nat -A POSTROUTING -o tun-outgoing -j MASQUERADE

Now my mobile device routes all traffic inside a tunnel back to my RPi, then back out ExpressVPN. All traffic from my RPi goes direct through the ExpressVPN tunnel.

Test both of these scenarios with 'whatismyipaddress.com' to make sure you are definitely tunneling.

The other quirk I found is that my RPi was visible using the IPv6 address. Make sure you either have a VPN outbound config that supports IPv6 tunneling or your outbound VPN provider disables IPv6 to prevent IPv6 leaking with the connection tool. ExpressVPN has preferences that can be configured on the command line.

Code:

pi@raspberryVPN:~ $ expressvpn preferences
auto_connect            false
desktop_notifications   true
disable_ipv6            true
force_vpn_dns           true
network_lock            on
preferred_protocol      tcp
send_diagnostics        true
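
The asymmetric-routing symptom described in the previous post and the fwmark fix given in this one, modelled as an added example (not code from the thread, from PiVPN or from the Comparitech article): a Python script that parses the 'route' and 'netstat' output quoted above (embedded below as constructed sample input), performs longest-prefix-match route selection on the main table, and models the '--sport 1194' MARK rule plus 'ip rule add fwmark 1 table 101' to show the SYN-ACK to the mobile client leaving via tun-outgoing without the rule and via eth0 with it. The function names (parse_route_output, lookup, route_reply, stuck_handshakes, diagnose) and the assumption that the client's SYN arrives on eth0 are mine.

```python
"""Model Linux route selection for the double-hop PiVPN case.

Added example, not from the thread, PiVPN or the Comparitech article.
The route table and netstat lines below are the ones posted in the thread,
embedded here as constructed sample input; the function names are
hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Sample `route` output from the post (main table, tun-outgoing up).
MAIN_TABLE_TEXT = """\
0.0.0.0         10.197.0.93     128.0.0.0       UG    0      0        0 tun-outgoing
default         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.0.0.0        192.168.0.1     255.0.0.0       UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun-incoming
10.197.0.1      10.197.0.93     255.255.255.255 UGH   0      0        0 tun-outgoing
10.197.0.93     0.0.0.0         255.255.255.255 UH    0      0        0 tun-outgoing
128.0.0.0       10.197.0.93     128.0.0.0       UG    0      0        0 tun-outgoing
172.16.0.0      192.168.0.1     255.240.0.0     UG    0      0        0 eth0
173.239.198.135 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
192.168.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 eth0
"""

# What `ip route add table 101 default via 192.168.0.1 dev eth0` creates,
# written in the same `route` column layout so one parser serves both.
TABLE_101_TEXT = "default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0\n"

# Sample `netstat -an | grep 1194` output from the post (tunnel up).
NETSTAT_TEXT = """\
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.15:1194       1.136.108.213:63263     SYN_RECV
"""

VPN_PORT = 1194          # port the incoming OpenVPN server listens on
INGRESS_IFACE = "eth0"   # assumed: the client's SYN arrives from the router on eth0


@dataclass
class Route:
    network: ipaddress.IPv4Network
    iface: str
    metric: int


def parse_route_output(text):
    """Parse net-tools `route` lines into Route objects; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[2][0].isdigit():
            continue  # "Kernel IP routing table" / column header / junk
        dest, _gw, genmask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append(Route(net, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr not in r.network:
            continue
        if best is None or (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric):
            best = r
    return best.iface if best else None


def route_reply(main, table_101, src_port, dst, fwmark_rule=True):
    """Egress interface for a packet the Pi itself sends (OUTPUT chain).

    Models `iptables -t mangle -A OUTPUT -p tcp --sport 1194 -j MARK --set-mark 1`
    plus `ip rule add fwmark 1 table 101`: marked packets consult table 101,
    everything else falls through to the main table.
    """
    if fwmark_rule and src_port == VPN_PORT:
        return lookup(table_101, dst)
    return lookup(main, dst)


def stuck_handshakes(text):
    """(local, remote) endpoints of TCP sockets sitting in SYN_RECV."""
    rows = (ln.split() for ln in text.splitlines())
    return [(p[3], p[4]) for p in rows
            if len(p) >= 6 and p[0].startswith("tcp") and p[5] == "SYN_RECV"]


def diagnose(route_text, netstat_text, fwmark_rule=False):
    """For each stuck handshake, report where the SYN-ACK would leave and
    whether that differs from the interface the SYN came in on."""
    main = parse_route_output(route_text)
    t101 = parse_route_output(TABLE_101_TEXT)
    report = []
    for local, remote in stuck_handshakes(netstat_text):
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = remote.rsplit(":", 1)[0]
        egress = route_reply(main, t101, local_port, peer_ip, fwmark_rule)
        report.append({"peer": peer_ip, "reply_iface": egress,
                       "asymmetric": egress != INGRESS_IFACE})
    return report


if __name__ == "__main__":
    for finding in diagnose(MAIN_TABLE_TEXT, NETSTAT_TEXT):
        print("without fwmark rule:", finding)
    for finding in diagnose(MAIN_TABLE_TEXT, NETSTAT_TEXT, fwmark_rule=True):
        print("with fwmark rule:   ", finding)
```

Run it as-is and the first line reports the 1.136.108.213 reply leaving via tun-outgoing (the 0.0.0.0/1 route is more specific than the eth0 default, so it wins regardless of metric), while the second shows the same reply leaving via eth0 once the mark rule diverts it to table 101; the Pi's own traffic on any other source port still goes out the tunnel.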

anonmp
Posts: 1
Joined: Sun Aug 02, 2020 5:31 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Sun Aug 02, 2020 5:42 am

Just wanted to post after following @alpine_mudder's suggestions (my setup is also client -> Pi -> ExpressVPN) that I was able to get the setup working (modified eth0 to wlan0 since I am running on wifi). One strange behavior I was experiencing, that I see some others made reference to, was the client connection working when the Pi server was up and the external VPN service was down, but getting a TLS error (some kind of tls-crypt error regarding bad packets) when both services were up. A comment on the Comparitech article made note of a possible issue with both channels being on UDP. Sure enough, changing my client -> Pi connection to TCP and running the Pi -> ExpressVPN connection on UDP as before resolved my issues. Posting in case anyone else comes across this issue.

5torza
Posts: 5
Joined: Thu May 14, 2020 6:01 am

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Fri Aug 21, 2020 4:46 am

@alpine_mudder, @anonmp I am attempting to do the same as you described. What are the steps you used after getting PiVPN operational to incorporate ExpressVPN?
Did you download the usual Raspbian 32-bit download from ExpressVPN or are you doing something different?
Also, have you considered adding Pi-hole to the setup?

harzelino
Posts: 2
Joined: Tue Feb 25, 2020 12:23 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Tue Feb 09, 2021 1:49 pm

Hi,

I got it running after struggling as well for quite a while. My setup is pretty simple and basically follows the instructions on the Comparitech website: LAN with a Netgear router to the Internet. Raspberry Pi 4 with PiVPN and Pi-hole. tun-outgoing connects to PureVPN FRA via UDP, tun-incoming listens on TCP. The Raspberry works as a router, so that all devices that use the Pi as gateway will route their traffic through tun-outgoing. I basically use this setup to manually configure my Apple TV with the Raspberry as gateway and DNS (I am living abroad and want to see German live TV).
My main problems were a) that UDP used concurrently on both interfaces, incoming and outgoing, simply does not work; at least one direction needs to be TCP. b) I did not manage to get the Raspberry to act as a router. What helped me with the latter was the project https://github.com/mr-canoehead/vpn_client_gateway. I just used the iptables rules as generated by the script and adapted them to my situation. Now everything seems to be fine. I believe the mentioned project would be a good starting point as well to start installation from zero. He covers a number of VPN providers and even has a graphical UI. All that is needed in addition is the incoming connection and to open some incoming rules.

tsueseres
Posts: 1
Joined: Thu Mar 25, 2021 6:07 pm

Re: PiVPN Double-Hop Setup: Almost but Something's Wrong

Thu Mar 25, 2021 6:10 pm

alpine_mudder wrote:
Mon Apr 06, 2020 9:03 am
So a little more time with this today.....

Thanks a lot. I've been stuck trying to make this whole double-hop thing work for so long, and your post really helped me to finally connect everything.
