Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

So that grep line shows you have one instance of openvpn running. You would get one line for each running instance.

The group nobody is apparently not defined. Use cat or less to look at /etc/group and see if there is an entry beginning with "no", like nogroup or some such. nogroup is used on the ERL. So use "group nogroup" in the ovpn if that is the proper group for Ubuntu.

The iptables rules are for the server. They put a masquerade rule on the VPN tun0 interface, as that is a path to the internet at large, just like you have a masquerade rule on the ERL for the WAN interface. Same with the other iptables rules for est/rel, which allow receipt of packets on the VPN as responses to streams initiated on the local network. This is just like the WAN_IN and WAN_LOCAL rules on the ERL, but for the server and the VPN.

As for the iptables rules I supplied, you can put the exact contents in a file. They can be loaded with iptables-restore, and there is an iptables-save which is how the file was created. If you put the file contents in /etc/iptables/iptables.rules it should load at boot, at least that is so on Arch Linux. Verify for Ubuntu. Note you only showed the est/rel and drop rules and not the masquerade, which was also in my post.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

Ok well that's good to know that I only have 1 instance running. I did run less /etc/group and found that I do have an entry labeled nogroup, so I went ahead and put group nogroup in my server client file.

As for the iptables, I found this link for installing persistent iptables rules on Ubuntu server: https://ubuntu101.co.za/security/iptables-firewall/iptables-persistent-ubuntu-16-xenial/

I am thinking I just follow the tutorial but, rather than copying and pasting their script, I use the one that you provided. Does that sound like it should be good before I go ahead and do it?

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

If you look through that link, you will see that it ends up putting the file in /etc/iptables, just like I said for Arch Linux. So just create the file with the contents I gave you. Make sure ownership is root:root and permissions 644.

Reboot and see if they have been defined with

iptables -S

and

iptables -S -t nat

You may need sudo in front of those commands depending on the current user.

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230
Note that in the ps grep you ran before, the line started with root which is the user running the process. After you restart the vpn or reboot, doing the ps grep again should show the user as nobody.

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

I just took another quick look at the link for iptables. You may not have iptables-restore and iptables-save unless you do the apt-get. I don't know what Ubuntu has loaded by default. And I do not know for sure whether the /etc/iptables files get loaded without that apt-get. But you can create the file as I described, reboot, and check as I described, and if the rules are there, you are good. Otherwise try the apt-get and then reboot and test again.
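A concrete version of the procedure in these posts, added here as an example (it is not karog's original file, which is not reproduced in this part of the thread): the rules file in iptables-save format with the masquerade on tun0 and the est/rel and drop rules described above, written as root:root 644, structurally checked, and loaded with iptables-restore followed by the two listings used to confirm the result. The interface name tun0 and the exact rule lines are my reconstruction from the description, not the original.

```shell
#!/bin/sh
# Added example, not karog's original file: the rules file for the Ubuntu
# server in iptables-save format, reconstructed from the thread's description
# (masquerade on tun0, est/rel accept, drop the rest), plus the ownership,
# permission and verification steps from the posts above.
# Assumptions (mine): the VPN interface is tun0; the file path is the caller's.

TUN_IF="${TUN_IF:-tun0}"

# Print the rules in the format iptables-save writes and iptables-restore reads.
# "[0:0]" are packet/byte counters; "#" lines are ignored by iptables-restore.
vpn_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide LAN source addresses behind the VPN address (like the ERL's WAN masquerade)
-A POSTROUTING -o $TUN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# From the VPN, only admit replies to streams the LAN or the server started
-A INPUT -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $TUN_IF -j DROP
-A FORWARD -i $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TUN_IF -j DROP
COMMIT
EOF
}

# Write the file as root:root 0644, the ownership and mode asked for in the thread.
install_rules() {
    dest=$1
    umask 022
    vpn_rules > "$dest"
    chmod 644 "$dest"
    [ "$(id -u)" -eq 0 ] && chown root:root "$dest"
    return 0
}

# Cheap structural check before handing the file to iptables-restore:
# every *table block must be closed by COMMIT, and there must be at least one.
rules_file_ok() {
    awk '
        /^\*/      { if (open) bad++; open = 1 }
        /^COMMIT$/ { if (!open) bad++; open = 0; tables++ }
        END        { exit (bad || open || tables == 0) ? 1 : 0 }
    ' "$1"
}

# Load the file (root only): --test parses it without committing, then the real
# load, then the two listings from the thread to confirm what is active.
load_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "skipping load: needs root and iptables-restore (the apt-get from the link)"
        return 0
    fi
    iptables-restore --test "$1" && iptables-restore "$1" || return 1
    iptables -S
    iptables -S -t nat
}

# Stand-alone run: write to /etc/iptables/iptables.rules, or to the path given.
if [ "${1:-}" = "--install" ]; then
    dest=${2:-/etc/iptables/iptables.rules}
    install_rules "$dest" && rules_file_ok "$dest" && load_rules "$dest"
fi
```

Run it as root with `--install` to write and load the file; the listings at the end should show the MASQUERADE line under `-t nat` and the tun0 FORWARD/INPUT rules in the filter table, which is the check the thread asks for after a reboot.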

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

We finally have liftoff!!!

Apparently the iptables config that you had me put into my server was the missing link! After enabling the static routes on the ERL I ran a traceroute on my home PC and confirmed:

C:\WINDOWS\system32>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms     1 ms  192.168.1.1
  2    <1 ms    <1 ms    <1 ms  HOME-SERVER [192.168.1.111]
  3    48 ms    47 ms    47 ms  10.47.10.1
  4    47 ms    48 ms    48 ms  ip-254-232-239-173.texas.us.northamericancoax.com [173.239.232.254]
  5    47 ms    48 ms    48 ms  server1.itechosting.net [104.200.142.68]
  6    49 ms    47 ms    46 ms  104.200.142.36
  7    48 ms    47 ms    48 ms  eqix-da1.google.com [206.223.118.137]
  8    48 ms    49 ms    48 ms  108.170.252.129
  9    49 ms    48 ms    49 ms  108.170.227.59
 10    48 ms    47 ms    47 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

I ran a speedtest and with this server it looks like I am getting around 120Mbps down and 45Mbps up, so certainly worth the trouble in going this route rather than simply using the ERL as my openvpn server. You had mentioned that I may want to remove the PBR and just put the subnet of this server on my ERL, do you still suggest that I do that? And one last question, when I want to connect to my VPN from outside my LAN, do you suggest that I use the OpenVPN connect app, or use the PIA app? Thank you so much!

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

Definitely keep the PBR to protect the underlying PIA stream. The subnet approach is more vulnerable as the ip addrs for the PIA server may change.

Don't forget that your table 1 route to the WAN gateway ip addr is vulnerable to change whenever your public ip addr from your ISP changes. I presume like most you have a dynamic rather than static ip addr. They usually do not change often, but if it changes such that your gateway addr changes, you will have to update for that. You could write a watchdog script to monitor the gateway for change and notify you. It could even repair table 1 automatically.

Test that your other 192.168.XXX.0/24 subnets work.

You cannot use your PIA vpn for remote access. But first, remember that if you want remote access, you would be well advised to change your local subnets away from the common ones starting with 192.168. Use something starting with 10.XXX.YYY.0/24 where the YYY matches your current 1, 2, 10 and the XXX is something obscure enough that you are not likely to encounter it elsewhere, such as 94 or 176 or whatever, like 10.94.1.0/24, 10.94.2.0/24, etc. Do that soon, as the longer you leave the current set up, the more invested you tend to get in it.

As for remote access, you could use an OpenVPN server in TUN/routed mode which would have its own subnet, e.g. 10.94.20.0/24, and run it on your server. Or you could try Wireguard, which is what I use. You can run Wireguard on the server and there are clients for android phones (which I use) and I think also for iPhones, but I am less sure as I don't use that. Also for Mac and Windows and Linux. Wireguard is still considered alpha level and there are warnings about taking care, but many are using it. It is much easier to set up than OpenVPN, it is faster, and it does not drain battery on phones. I leave my phone connected to my home network 24/7 so everything on my phone goes thru wireguard to my home network and if necessary out to the internet from there. It is robust for roaming, meaning that if the underlying ip address of the client changes, no worries, it auto updates for that. I can go from home WiFi to LTE to remote WiFi and it just continues to work, even for streams in progress. Plus it gives my phone a consistent ip address on my home network, namely the one from the vpn subnet. So I can rsync files from my home PC to my phone directly (I do run an rsync and ssh server on my phone). In either case, OpenVPN or Wireguard, you have to DNAT and firewall to give access to the vpn server, whichever you choose. I prefer DNAT and an explicit firewall rule rather than port forward. The remote client needs to reference the home network either by WAN public ip addr or some domain name that points to that addr. If you want to have an easy switch to and from local WiFi, then you need hairpin nat as well.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

Yes, that is correct, I do have a dynamic IP address from my ISP, so that is a concern of mine with it changing. I will have to do some research on how to write a watchdog script to do this. I am trying to learn how to do a bit of programming, just trying to sift through the information to find a good tutorial.

I have tested my other subnets and all of them are connecting through the VPN as they should.

Now that I have got things to work with the VPN, I do plan on changing the IP before I get more invested with anything else, since I already have many things running on that server. So installing OpenVPN access server on my ubuntu server wouldn't create a problem with tun0 as having another instance of OpenVPN running? I have not heard of Wireguard yet, but after looking at their webpage it looks to be fairly straightforward, with support for many distros. I will give them a try after looking into the installation and setup a bit. Thanks again!

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

You can run multiple OpenVPN instances on the same machine. You have to give them different parameters of course. You would, for example, use dev tun1 for the second instance, a different interface than tun0. And you have to be careful of ports. Since PIA is a client to the PIA server, it is PIA that uses port 1198 and your client is some random port OpenVPN chooses. If you set up an OpenVPN server, then you need to select a fixed port, which could be 1198 also, although sometimes you choose a port that is more likely to get thru firewalls on remote WiFis, as some public WiFis filter ports for security. I am currently trying port 500 for Wireguard as that is a port generally used for IPsec vpn and so will probably not be blocked anywhere, or at least most places. So far it has been working well.

I absolutely love wireguard. Being able to stay connected to my home network on my cell phone 24/7 is awesome. It is just like being on my home WiFi no matter where in the world I am. I do have gigabit FiOS so that helps. I sync my phone for contacts and calendar to my own sync server, so no sharing that with google or apple or whoever, and it can always sync. I can make VoIP calls via my Obi ATA, so from my phone I can call out thru wireguard to my obi and then out either thru my FiOS Digital Voice line or my google voice numbers. And incoming calls to my home also ring my cell phone thru wireguard. I can securely access my opengarage IoT door opener to check the garage door state, open or close it, and get notified if it is open too long or too late. And I can access my home lighting to turn on or off various lights in my house no matter where I am. I do that by running a little web server using nodejs that is accessible thru wireguard, and the web page has checkboxes for all my controllable lights and buttons for on/off/dim/brighten/status etc.

I also have wireguard on my MacBook and I can use my cell phone as a hotspot to get my MacBook internet access over LTE and then run wireguard on the MacBook. One gotcha I figured out is that I cannot connect to my cell hotspot if it is currently running wireguard. I have to switch wireguard off on the phone, connect the MacBook to the hotspot and run wireguard on it, and then I can turn wireguard back on on the cell phone and both work. It is just the initial connection to the hotspot to watch out for. But turning wireguard on/off on the cell is just a couple of taps, so not a problem as long as you know to do it.

I actually run an OpenVPN access server on my ERL just in case something should go wrong with wireguard on my linux server. That gives me an alternate path to get access to fix things.

If I did not mention it before, if you run the remote access server, whichever one, on the Ubuntu server, you have to add its subnet to a route on the ERL to the Ubuntu server.

Technology is so cool.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

I haven't had a whole lot of time over the weekend to play around with my networking toys, but I did do some research on wireguard and I am sold on using that as my VPN. I am in the process of trying to figure out which tutorial I should follow for setting it up on my ubuntu server. Other than the quick start guide on wireguard's website, I came across these tutorials which explain a bit more in depth for setting up things on the server itself:

https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/

https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/

Do either one of these look like a pretty good guide?

I did manage to find the time yesterday to change the local addresses of my LAN, so now my LAN1 is 10.86.1.1/24, so it should be a good start for setting up the VPN.

It's funny you mention a VoIP phone and an IoT garage door opener, because my next project to start is going to be installing FreePBX on a Raspberry Pi so that I have a landline with a local number from google voice, instead of a cellphone number from out of state. And the IoT garage door opener is something I have been needing, because I don't know how many times I will go out to the garage in the morning and see that the door had been left open all night!

I have been thinking about what you said about writing a watchdog script to monitor my WAN address, and I think I have the basis of what it should say, but I don't know exactly how the router would want it to read. I was thinking something like:

IF interface dev eth0 address 50.26.116.1 =FALSE

THEN edit protocols static table 1

set route 0.0.0.0/0 next-hop "echo eth0"

I don't know! Maybe something along those lines!?

Anyways, more about the wireguard VPN. I found the app for iOS and downloaded it on my phone, so I'm assuming I can generate a client.conf file just like any other client and make my phone's IP static, and input the IP of my phone as allowed IPs on the server config? Then once I have the client config, I just drop that file into the app and load the app from that file.

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

My wireguard server config (/etc/wireguard/wg0.conf) looks like the following with the values filled in:
[Interface]
PrivateKey = <server private key>
ListenPort = 500
SaveConfig = false
Address = 10.XXX.YYY.1/24

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.XXX.YYY.2/32

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.XXX.YYY.3/32

I was just at a building with available WiFi where I have had trouble with wireguard before and thought port 500 might work, but no go. It is the only place I have not found a solution. Turned off the WiFi and back on LTE and it worked just fine.

Note of course that wireguard needs its own subnet. If your peers are routers with other subnets behind them, you need to add those subnets to the peer AllowedIPs. The peer configs generally want AllowedIPs to be 0.0.0.0/0 if you want everything on the peer to come thru the server.

I really like the opengarage device. It uses ultrasound rangefinders for detecting door state, which is by far the most clever solution I have seen. It also distinguishes whether the car is there when the door is closed. Works best with rollup sectional doors. Don't know about other kinds.

Your watchdog script pseudo code is roughly right. I would use a bash or vbash script. Check the gateway with route -n and use awk or cut or some such to get the desired field. Save the existing gateway in a way that it can be updated too when changed, for future comparison.

I don't know about iPhone, but on android the app has a config page where you fill in the fields. Pretty easy. The ip address you configure both on the phone app and in the server config as the AllowedIPs will be static and can be used, which is great. The underlying ip addr will change. The endpoint on the client needs to be an ip addr or domain name pointing to your ERL public WAN addr. You will need a DNAT rule to forward to the server and a firewall rule in WAN_IN to permit the packet access. If you want it to work on home WiFi, you need a DNAT rule on the interface for the WiFi subnet pointing the wan addr to the server addr, and if that is the same subnet as the server then you also need an SNAT masquerade rule on that interface with a source constraint that is that subnet and dest addr of the wan addr. Note you can define ERL config rules referencing the WAN ip addr with an address-group name ADDRv4_eth0.

Don't forget to kudo my useful posts and mark the thread as solved (Options menu) on one or more of my posts that provided the solution.
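A watchdog along the lines karog sketches here (and suggested earlier in the thread), added as an example rather than a script from the thread: it takes the gateway of the default route from `route -n` with awk, compares it with a saved copy, and repairs the table 1 route when it changed. The state-file path, the eth0 interface name and the use of EdgeOS's /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper to apply configuration from a script are my assumptions; the sample routing table is constructed from addresses that appear in the thread.

```shell
#!/bin/sh
# Added example, not a script from the thread: a watchdog for the table 1
# default route on the ERL, following karog's outline above (read the gateway
# from `route -n`, pull the field out with awk, compare with the last saved
# value, repair table 1 when it changed, and save the new value).
# Assumptions (mine, not the thread's): the WAN interface is eth0, the state
# file lives under /config/user-data, and config changes are applied through
# /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper.

WAN_IF="${WAN_IF:-eth0}"
STATE_FILE="${STATE_FILE:-/config/user-data/wan-gateway.txt}"
CFG_WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

# Constructed sample of `route -n` output, so the parsing can be tried without
# a router (addresses borrowed from the config posted in the thread).
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.26.116.1     0.0.0.0         UG    0      0        0 eth0
10.86.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
50.26.116.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Read a routing table on stdin and print the gateway of the default route that
# leaves via interface $1. Columns: 1=Destination 2=Gateway 8=Iface.
# Prints nothing when there is no default route on that interface.
gateway_from_table() {
    awk -v ifc="$1" '$1 == "0.0.0.0" && $8 == ifc { print $2; exit }'
}

# Gateway currently in the main routing table of this box.
current_gateway() {
    route -n | gateway_from_table "$WAN_IF"
}

# Returns 0 when gateway $1 differs from the one saved in file $2 (or nothing is
# saved yet), 1 when it is unchanged or $1 is empty (never "repair" to nothing).
gateway_changed() {
    [ -n "$1" ] || return 1
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# The EdgeOS commands that repoint table 1 at gateway $1, emitted as text so
# they can be reviewed or tested without applying them.
table1_commands() {
    printf 'delete protocols static table 1 route 0.0.0.0/0\n'
    printf 'set protocols static table 1 route 0.0.0.0/0 next-hop %s\n' "$1"
}

# Apply those commands inside one configure session and save the config.
apply_table1() {
    if [ ! -x "$CFG_WRAPPER" ]; then
        echo "not on EdgeOS; would run:"
        table1_commands "$1"
        return 0
    fi
    "$CFG_WRAPPER" begin || return 1
    table1_commands "$1" | while read -r cmd; do
        "$CFG_WRAPPER" $cmd    # unquoted on purpose: the wrapper wants separate words
    done
    "$CFG_WRAPPER" commit && "$CFG_WRAPPER" save
    "$CFG_WRAPPER" end
}

# One watchdog pass: notify via syslog and repair when the gateway moved.
watchdog() {
    gw=$(current_gateway)
    if gateway_changed "$gw" "$STATE_FILE"; then
        logger -t wan-watchdog "WAN gateway on $WAN_IF is now $gw; updating table 1"
        apply_table1 "$gw" && printf '%s\n' "$gw" > "$STATE_FILE"
    fi
}

# Run a pass only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    watchdog
fi
```

Saved as /config/scripts/wan-watchdog.sh, it can be run every few minutes from the EdgeOS task scheduler (assuming that syntax: `set system task-scheduler task wan-watchdog executable path /config/scripts/wan-watchdog.sh`, `executable arguments --run`, `interval 5m`). The first run only records the current gateway; later runs rewrite table 1 when the gateway learned from the ISP differs from the saved one, and the syslog line is the notification karog mentions.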

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

I had a little bit of time to play around with wireguard and my ERL this morning and made a little bit of progress connecting my iPhone; however, when the VPN is enabled on my phone I no longer have internet access on my phone. I added the DNAT, SNAT, and a hairpin NAT in the ERL. Here's my current config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description PIA
            destination {
                port 1198
            }
            modify {
                table 1
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description PIA
            destination {
                port 1198
            }
            log disable
            protocol udp
        }
        rule 22 {
            action accept
            description Wireguard
            destination {
                port 500
            }
            log disable
            protocol udp
            source {
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description PIA
            destination {
                port 1198
            }
            log enable
            protocol udp
        }
        rule 51 {
            action accept
            description Wireguard
            destination {
                port 500
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.86.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
            }
        }
        speed auto
        vif 10 {
            address 10.86.10.1/24
            description "Guest VLAN"
        }
    }
    ethernet eth2 {
        address 10.86.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        route 128.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop 50.26.116.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest_VLAN {
            authoritative disable
            subnet 10.86.10.0/24 {
                default-router 10.86.10.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                lease 86400
                start 10.86.10.100 {
                    stop 10.86.10.254
                }
            }
        }
        shared-network-name Home {
            subnet 10.86.1.0/24 {
                default-router 10.86.1.1
                dns-server 1.1.1.1
                dns-server 1.0.0.1
                start 10.86.1.100 {
                    stop 10.86.1.254
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.254
                }
                static-mapping home-server {
                    ip-address 192.168.1.111
                    mac-address 70:85:c2:86:06:c0
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on vtun0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description WG500
            destination {
                address 50.26.116.1
                port 500
            }
            inbound-interface eth0
            inside-address {
                address 10.86.1.111
                port 500
            }
            log disable
            protocol udp
            type destination
        }
        rule 2 {
            description hairpin500
            destination {
                address 50.26.116.1
                port 500
            }
            inbound-interface eth1
            inside-address {
                address 10.86.1.111
                port 500
            }
            log disable
            protocol udp
            type destination
        }
        rule 5000 {
            description WAN
            log disable
            outbound-interface eth0
            protocol all
            source {
            }
            type masquerade
        }
        rule 5001 {
            description hairpin
            destination {
                address 10.86.1.111
                port 500
            }
            log disable
            outbound-interface eth1
            protocol udp
            source {
                address 10.86.1.0/24
            }
            type masquerade
        }
    }
}

And here's the config for /etc/wireguard/wg0.conf:

[Interface]
Address = 10.86.1.111/24
SaveConfig = false
[Peer] PublicKey AllowedIPs = 10.86.1.112/32

I configured the allowed IPs on my phone as 0.0.0.0/0.

I just realized you had said that the wireguard server needs to be on its own subnet. So if my local LAN is on 10.86.1.0/24, are you saying it needs to be on possibly a VLAN of, say, 10.86.5.0/24? I also had a thought for the /etc/wireguard/wg0.conf config. Rather than listing individual allowed IPs, what if I just put allowed IPs of 10.86.0.0/32, so that it would allow all my devices with a 10.86.xx.yy subnet? Just a thought, let me know what you think!

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

First, DO NOT publish your security keys, especially your private keys. You should immediately generate new ones and replace them.

Yes, wireguard needs its own subnet. But it has nothing to do with VLANs. Just pick a new subnet, say 10.86.5.0/24, and use that for your ip addrs in the server and the clients. For example, in the wg config for the server, make its address be 10.86.5.111/24 and make the iphone be 10.86.5.112/32. You only need these ip addrs in the wg configs.

Your last question about 10.86.0.0/32 I am not sure what you are asking. If you are asking why I list the individual ip addrs for the clients, it is because they are separate peers which should have distinct public/private key pairs. This is how wg knows who to send packets to. You MUST do it this way.

I also noticed in your ERL config that in the dhcp-server, all of the subnets set the dns server to 1.1.1.1 and 1.0.0.1 rather than the ERL address for each subnet, e.g. 10.86.1.1, which means you are never using the dns forwarder of the router. Each device is going directly to 1.1.1.1 etc.

In WAN_IN, you do not need rule 21. You are connecting to PIA on that port and that is outgoing, not incoming. And rule 22 should have a destination addr of 10.86.1.111. You do not want to open up the firewall more than necessary. Your rule allows packets in to any ip on port 500.

You don't really need the destination clause in NAT rule 5001. Most packets exiting to eth1 will not have a source address in eth1's subnet; the only ones that do are packets sent from eth1 with a DNAT rule that directs them back out. It does not really hurt, other than the minimal performance cost of having to check that constraint when it is not necessary.
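As an added example (not from the thread or from the WireGuard project), a small checker for a server-side wg0.conf that flags the issues raised in this post and the one before it: an interface address inside an existing LAN subnet instead of a dedicated one, a peer without its own PublicKey and AllowedIPs, AllowedIPs or keys shared between peers, and 0.0.0.0/0 on the server side, which belongs in the client config. The LAN subnet argument and the two constructed sample configs (keys replaced by placeholders) are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard project: sanity checks for
# a server wg0.conf against the points made above: the interface Address must
# not sit inside the LAN, every [Peer] needs its own PublicKey and AllowedIPs,
# AllowedIPs/keys must not repeat, and 0.0.0.0/0 belongs in client configs.
# Assumptions (mine): the LAN subnet is passed as the second argument and the
# sample configs below are constructed with placeholder keys.

# Dotted IPv4 -> integer, for subnet membership tests (subshell keeps IFS local).
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Is address $1 inside CIDR $2 (e.g. 10.86.1.0/24)?
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Parse the config and print findings: "problem: ..." lines, plus "ADDRESS <cidr>"
# and "ALLOWED <list>" lines that the caller uses for the subnet checks.
wg_conf_findings() {
    awk '
        function finish_peer() {
            if (pk == "") print "problem: peer " n ": no PublicKey (each peer needs its own key pair)"
            else if (pk in seenpk) print "problem: peer " n ": PublicKey already used by peer " seenpk[pk]
            else seenpk[pk] = n
            if (aip == "") { print "problem: peer " n ": no AllowedIPs"; return }
            if (aip ~ /0\.0\.0\.0\/0/) print "problem: peer " n ": AllowedIPs 0.0.0.0/0 belongs in the client config, not the server"
            if (aip in seen) print "problem: peer " n ": AllowedIPs " aip " already used by peer " seen[aip]
            seen[aip] = n
            print "ALLOWED " aip
        }
        /^\[Interface\]/ { sec = "iface"; next }
        /^\[Peer\]/      { if (sec == "peer") finish_peer(); sec = "peer"; n++; pk = ""; aip = ""; next }
        /^[ \t]*#/       { next }
        /^[ \t]*$/       { next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sec == "iface") iface[key] = val
            else if (key == "PublicKey") pk = val
            else if (key == "AllowedIPs") aip = val
        }
        END {
            if (sec == "peer") finish_peer()
            if (!("PrivateKey" in iface)) print "problem: interface: no PrivateKey"
            if (!("ListenPort" in iface)) print "problem: interface: no ListenPort (the DNAT on the ERL needs a fixed port)"
            if (!("Address" in iface)) print "problem: interface: no Address"
            else print "ADDRESS " iface["Address"]
        }
    ' "$1"
}

# $1 = config file, $2 = LAN subnet the VPN must stay out of.
# Returns 0 when clean; otherwise prints the problems and returns 1.
check_wg_conf() {
    findings=$(wg_conf_findings "$1")
    problems=$(printf '%s\n' "$findings" | grep '^problem: ' || true)
    addr=$(printf '%s\n' "$findings" | awk '$1 == "ADDRESS" { print $2 }')
    allowed=$(printf '%s\n' "$findings" | awk '$1 == "ALLOWED" { sub(/^ALLOWED /, ""); gsub(/,/, " "); print }')
    if [ -n "$addr" ] && in_subnet "${addr%/*}" "$2"; then
        problems="$problems
problem: interface: Address $addr is inside the LAN $2; WireGuard needs its own subnet"
    fi
    # Inside the VPN subnet each peer gets one host address; wider prefixes are
    # only for subnets behind a router peer, which is the one case they belong.
    for aip in $allowed; do
        if [ -n "$addr" ] && in_subnet "${aip%/*}" "$addr" && [ "${aip#*/}" != "32" ]; then
            problems="$problems
problem: peer AllowedIPs $aip: an address in the VPN subnet should be one /32 per peer"
        fi
    done
    problems=$(printf '%s\n' "$problems" | sed '/^$/d')
    if [ -z "$problems" ]; then return 0; fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample 1: the shape of the first config posted above with keys
# removed (address inside the LAN, peer line collapsed without its key).
sample_bad_conf() {
    cat <<'EOF'
[Interface]
Address = 10.86.1.111/24
SaveConfig = false
[Peer] PublicKey AllowedIPs = 10.86.1.112/32
EOF
}

# Constructed sample 2: the corrected shape, dedicated 10.86.5.0/24, one /32 per peer.
sample_good_conf() {
    cat <<'EOF'
[Interface]
Address = 10.86.5.111/24
ListenPort = 500
PrivateKey = <server private key, never posted anywhere>
SaveConfig = false

[Peer]
PublicKey = <phone public key>
AllowedIPs = 10.86.5.112/32
PersistentKeepalive = 25

[Peer]
PublicKey = <laptop public key>
AllowedIPs = 10.86.5.113/32
EOF
}

# Stand-alone use: wg-check.sh /etc/wireguard/wg0.conf 10.86.1.0/24
if [ $# -eq 2 ]; then
    check_wg_conf "$1" "$2" && echo "$1: no problems found"
fi
```

Against the first sample the checker reports five problems (no PrivateKey, no ListenPort, the peer's missing PublicKey and AllowedIPs, and the Address inside 10.86.1.0/24); the corrected sample passes. The awk parser only understands the key = value layout of a wg-quick config, which is what both posted configs use.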

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

Also just noticed your NAT rules 1 and 2 are wrong.

On both rules, change the destination address to group address-group ADDRv4_eth0.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

AH I can't believe I posted my private keys on here, I knew better than that! But anyways, I changed them to new ones already so we are all good now.

I understand what you mean with the different subnet for my wireguard, and have set them appropriately, as you can see from this config:

[Interface]
Address = 10.86.5.111/24
SaveConfig = false
ListenPort = 500
PrivateKey = [hidden]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [hidden]
AllowedIPs = 10.86.5.112/32

PersistentKeepalive = 25

As you can see, I did add some PostUp and PostDown iptables rules into the config to see if it would help. Note: I added these iptables rules and PersistentKeepalive AFTER I corrected the issues with my ERL config, but still couldn't connect to the VPN on my phone. Here is my updated ERL config:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify OPENVPN_ROUTE {
        rule 10 {
            action modify
            description PIA
            destination {
                port 1198
            }
            modify {
                table 1
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            description Wireguard
            destination {
                address 10.86.1.111
            }
            log disable
            protocol udp
            source {
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description PIA
            destination {
                port 1198
            }
            log enable
            protocol udp
        }
        rule 51 {
            action accept
            description Wireguard
            destination {
                port 500
            }
            log disable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.86.1.1/24
        description Local
        duplex auto
        firewall {
            in {
                modify OPENVPN_ROUTE
            }
        }
        speed auto
        vif 10 {
            address 10.86.10.1/24
            description "Guest VLAN"
        }
    }
    ethernet eth2 {
        address 10.86.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        route 128.0.0.0/1 {
            next-hop 10.86.1.111 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop 50.26.116.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest_VLAN {
            authoritative disable
            subnet 10.86.10.0/24 {
                default-router 10.86.10.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 10.86.10.100 {
                    stop 10.86.10.254
                }
            }
        }
        shared-network-name Home {
            subnet 10.86.1.0/24 {
                default-router 10.86.1.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                start 10.86.1.100 {
                    stop 10.86.1.254
                }
            }
        }
        shared-network-name LAN1 {
            authoritative enable
            disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.254
                }
                static-mapping home-server {
                    ip-address 192.168.1.111
                    mac-address 70:85:c2:86:06:c0
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 10.86.1.1
                dns-server 1.1.1.1
                lease 86400
                start 192.168.2.100 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on vtun0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description WG500
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            inbound-interface eth0
            inside-address {
                address 10.86.1.111
                port 500
            }
            log disable
            protocol udp
            type destination
        }
        rule 2 {
            description hairpin500
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            inbound-interface eth1
            inside-address {
                address 10.86.1.111
                port 500
            }
            log disable
            protocol udp
            type destination
        }
        rule 5000 {
            description WAN
            log disable
            outbound-interface eth0
            protocol all
            source {
            }
            type masquerade
        }
        rule 5001 {
            description hairpin
            destination {
            }
            log disable
            outbound-interface eth1
            protocol udp
            source {
                address 10.86.1.0/24
            }
            type masquerade

I am wondering if there is some firewall dropping packets from the wg0 interface, because when I run ifconfig wg on my server I can see the following:

kevin@home-server:~$ ifconfig wg
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.86.5.111  P-t-P:10.86.5.111  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:125 dropped:250 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

Get rid of the PostUp and PostDown iptables rules. This is not the same as being a client to a VPN service like PIA.

In the ERL config, NAT rules 1 & 2 both need destination port 500.

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

Alright, so I removed those iptables rules and added the destination port 500 to rules 1 and 2. I reloaded WireGuard on my server and on my phone and it looks like it should be working, but when I am connected to the VPN on my phone (WiFi or LTE) I no longer have any internet. Here is what it shows when I run sudo wg show:

kevin@home-server:~$ sudo wg
interface: wg0
  public key: [hidden]
  private key: (hidden)
  listening port: 500

peer: [hidden]
  endpoint: 10.86.1.112:500
  allowed ips: 10.86.5.112/32
  latest handshake: 1 second ago
  transfer: 33.14 KiB received, 33.70 KiB sent
  persistent keepalive: every 25 seconds

and on my ifconfig wg:

kevin@home-server:~$ ifconfig wg
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.86.5.111  P-t-P:10.86.5.111  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:101 errors:0 dropped:0 overruns:0 frame:0
          TX packets:187 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:34196 (34.1 KB)  TX bytes:34776 (34.7 KB)

It looks like packets should be transferring, as there are no errors this time. I am going to try to install on my MacBook and see if I encounter the same issue.

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

[ Edited ]

@kwr41230

Get rid of the endpoint in the server config. First, it cannot be a tunnel IP. The other endpoint is whatever the client happens to be on locally. And that will vary by location, so you cannot specify the endpoint in the server.

ETA: Oh, I now see that the endpoint appears in the wg output and that shows the connection was made, and I see that it is the local net IP of the phone on WiFi, right?

The endpoint on the iPhone should be your ERL WAN public IP or a domain name that resolves to that.

If you are not already, you should be testing this on LTE rather than WiFi. Once that works you can test WiFi, which requires the hairpin NAT - which looked OK, but test the easier case first.

Show your iPhone wg config.

Established Member
Posts: 1,619
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: PIA questions with ERLite

@kwr41230

Again, try the simple test first.

Can you ping 10.86.5.112 from the server?

Can you ping 10.86.5.111 from your phone?

That will show you have tunnel connectivity. If that much works, then the rest is routing problems.
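The diagnostic split karog describes (first prove the tunnel itself is up, then treat anything left as a routing or NAT problem) can be read straight off `wg show`. The script below is an added example, not code from either poster or from the WireGuard project: it parses the human-readable `sudo wg` output pasted earlier in this thread into interface and peer records and classifies each peer. The sample output is constructed from the post (keys redacted as there, plus a made-up second peer that has never completed a handshake), and the 180-second staleness threshold is an assumption based on WireGuard rekeying roughly every two minutes while a keepalive flows.

```python
import re

# Constructed sample, modelled on the `sudo wg` output pasted earlier in this
# thread (keys redacted as in the post). The second peer is an added, made-up
# entry that has never completed a handshake.
SAMPLE_WG_OUTPUT = """\
interface: wg0
  public key: [hidden]
  private key: (hidden)
  listening port: 500

peer: [hidden]
  endpoint: 10.86.1.112:500
  allowed ips: 10.86.5.112/32
  latest handshake: 1 second ago
  transfer: 33.14 KiB received, 33.70 KiB sent
  persistent keepalive: every 25 seconds

peer: [hidden-peer-2]
  allowed ips: 10.86.5.113/32
  transfer: 0 B received, 12.50 KiB sent
"""

_SIZE_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
_TIME_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

# Assumption: WireGuard rekeys about every two minutes while traffic (or a
# keepalive) flows, so a handshake older than this is treated as stale.
STALE_AFTER_SECONDS = 180


def parse_handshake_age(text):
    """'2 minutes, 30 seconds ago' -> 150 (seconds)."""
    return sum(int(n) * _TIME_UNITS[u]
               for n, u in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text))


def parse_size(text):
    """'33.14 KiB' -> bytes as a float."""
    qty, unit = text.split()
    return float(qty) * _SIZE_UNITS[unit]


def parse_wg_show(output):
    """Parse the human-readable `wg show` output into (interface, peers)."""
    interface, peers, current = {}, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            interface = {"name": line.split(":", 1)[1].strip()}
            current = interface
            continue
        if line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip(),
                       "handshake_age": None, "rx": 0.0, "tx": 0.0}
            peers.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "listening port":
            current["listen_port"] = int(value)
        elif key == "endpoint":
            current["endpoint"] = value
        elif key == "allowed ips":
            current["allowed_ips"] = [s.strip() for s in value.split(",")]
        elif key == "latest handshake":
            current["handshake_age"] = parse_handshake_age(value)
        elif key == "transfer":
            rx, tx = value.split(",")
            current["rx"] = parse_size(rx.replace("received", "").strip())
            current["tx"] = parse_size(tx.replace("sent", "").strip())
    return interface, peers


def diagnose_peer(peer):
    """Map what `wg show` reports for a peer to the layer most likely at fault."""
    if peer["handshake_age"] is None:
        return "no-handshake"      # keys, endpoint or UDP path (NAT rule) problem
    if peer["handshake_age"] > STALE_AFTER_SECONDS:
        return "stale-handshake"   # tunnel worked once, the path has since broken
    if peer["rx"] > 0 and peer["tx"] > 0:
        return "tunnel-ok"         # encryption layer fine: look at routing/masquerade
    return "one-way"               # handshake fine but payload flows only one way


if __name__ == "__main__":
    iface, peers = parse_wg_show(SAMPLE_WG_OUTPUT)
    print(f"{iface['name']} listening on UDP {iface.get('listen_port')}")
    for p in peers:
        print(f"  {p['public_key']:18} {p.get('endpoint', '-'):20} {diagnose_peer(p)}")
```

A `tunnel-ok` result with no internet on the phone is exactly the "rest is routing problems" case: the handshake and byte counters prove the keys, the port forward and the UDP path are fine, so the next thing to check is the masquerade and route table on the server. A `no-handshake` result points the other way, at the endpoint, the listening port and the NAT rules in front of it.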

New Member
Posts: 33
Registered: ‎11-03-2018

Re: PIA questions with ERLite

@karog

I didn't have an endpoint in the server config, but I did have an endpoint in my iPhone config, which is now pointed to the ERL public IP. I created the tunnel on my iPhone in the app's GUI when I clicked start from scratch, so I'll just type out what I see when I hit edit configuration.

[Interface]
Name: Home
Private key : [hidden]
Public key [hidden]
Addresses: 10.86.5.112/32
Listen port: 500
MTU: (Automatic)
DNS servers: (Optional)

[Peer]
Public key: [hidden]
Preshared key: (Optional)
Endpoint: 50.26.116.1:500
Allowed IPs: 0.0.0.0/0
Persistent keepalive: 25

With these configurations I no longer have a handshake on wg0, and my server started getting dropped packets and errors again.
