PIA OVPN broke need help with new setup (NextGen)

same thing on the other device

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -j DROP
osmc@osmc:/etc/openvpn$ curl https://ipinfo.io/ip
46.246.xxx.xxx

Hi,

Ok all looks good then.

Nothing to worry about if it's working, but iptables doesn’t need this double entry:

Feel free to ignore, being as it's working, but you can remove one with:

sudo iptables -D OUTPUT -o eth0 -j DROP
sudo netfilter-persistent save

Thanks Tom.

Alright, does it still function as a killswitch (no eth0, just tun0) in the following setups then?

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

and

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -j DROP

(vpn seems to have dropped in the last configuration, no connection).

Hi,

When the VPN drops or is disconnected are you still able to connect to the internet?

Thanks Tom.

I don’t know, is there a way to manually test that?

Also I remember having a set on fail function in the auto start or something (it’s been a long time ago, sorry I don’t exactly remember how but I’m pretty sure you helped me with it).
That worked half of the times, but I often had to reboot to get connection again.

Hi,

What's the output from:

curl https://ipinfo.io/ip ?

This should all still be in place, if you continue to use the same name for the .conf for openvpn.

Thanks Tom.

VPN IP

I did, but it doesn’t work as it should, it doesn’t infinitely try to reconnect, it kills sometimes (say a few times a week) and I have to reboot and it works fine again (testing with DNSleaktest program inside OSMC).

Hi,

Could try a systemd timer watchdog:

Thanks Tom.

/etc/systemd/system/openvpn-watchdog.timer
-bash: /etc/systemd/system/openvpn-watchdog.timer: No such file or directory

Is that not included in OSMC? If not, do you know what package to download?

You need to create these files yourself.


How? I can’t find any guide for that.

https://wiki.archlinux.org/index.php/Systemd/Timers


Lol awesome, you start with an SSH guide, then move on to a beginner's guide to nano (know how that works) and then move on to the highly advanced timers guide.
That’s like step 1, 2, 100005 haha.

I have no idea what to do, I tried reading it but I don’t understand.

Hi,

The third guide is just extra info on systemd timers, not essential reading. With the 2 other links provided and the post I linked about the watchdog timer, you should have everything you need to set it up. If not please let us know which point you are stuck at.

First step would be:

sudo nano /etc/systemd/system/openvpn-watchdog.timer

Thanks Tom.

Than

I’m in that file but what to set. The timers guide kind of confused me. I just want it for ovpn.

Hi,

What's the name of your openvpn conf file?

Thanks Tom.

I’m doing two instances right now, but the names of the ovpn files are RO.conf and SW.conf

Hi,

It would be easier if you only have one conf file, and just change the remote line in the conf when you want to change server, for example mine looks like this:

remote uk-london.privacy.network 501
#remote uk-manchester.privacy.network 501

Anyway for the timer if we use RO.conf as an example.

sudo nano /etc/systemd/system/openvpn-watchdog.service:

[Unit]
Description=OpenVPN Watchdog service
ConditionPathExists=!/proc/sys/net/ipv4/conf/tun0

[Service]
ExecStart=/bin/systemctl restart openvpn@RO

[Install]
WantedBy=multi-user.target

/etc/systemd/system/openvpn-watchdog.timer is as written in the linked post.

Thanks Tom.

I was talking about two instances of OSMC running, one with RO.conf and the other with SW.conf :stuck_out_tongue:

I tried adding it in an empty file at the location you gave me on both devices, I did not restart my RO one yet but I added the same lines to the other device (I just changed openvpn@RO to openvpn@SW) and I restarted.

It seems like there is no internet at all now.
But I have no idea why…

osmc@osmc:~$ curl https://ipinfo.io/ip
curl: (7) Failed to connect to ipinfo.io port 443: Connection timed out
osmc@osmc:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT

Edit: I think it might just be the ovpn port (should be the same as my other devices, which I think is 1197 instead of 1198 reading up, but I’m not sure) and I don’t exactly know how to delete this with the comment lines in them and add the right lines again.

Hi,

Maybe easier to work on one device at a time.

The same as above, comments make no difference:

sudo iptables -D OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT

Tom.
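
The three `iptables -S` listings in this thread differ in exactly the ways that matter for a kill switch: a duplicated DROP, a missing VPN port, and no DROP at all. The script below is an added example, not code from any poster in the thread; it audits `iptables -S` output for those conditions. The function name, finding labels and sample variables are made up for illustration, the samples are trimmed from the listings above, and the VPN port is a parameter (1197 is the value the poster suspects).

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the kill-switch properties
# discussed in the thread. Function name and finding labels are invented here.
# usage: sudo iptables -S | audit_killswitch <wan_iface> <vpn_udp_port>
audit_killswitch() {
    awk -v wan="$1" -v port="$2" '
        $1 == "-P" && $2 == "OUTPUT" { policy = $3 }
        $1 == "-A" && $2 == "OUTPUT" {
            if (seen[$0]++) { print "DUPLICATE_RULE: " $0; n++ }
            # Catch-all drop: matches the WAN interface and nothing else.
            if ($0 == "-A OUTPUT -o " wan " -j DROP") { drop = 1; next }
            rule = " " $0 " "
            # First match wins, so the VPN port only counts if accepted before the drop.
            if (!drop && index(rule, " -o " wan " ") && index(rule, " -p udp ") &&
                index(rule, " --dport " port " ") && index(rule, " -j ACCEPT "))
                vpn_ok = 1
        }
        END {
            if (policy != "DROP" && !drop) {
                print "NO_KILLSWITCH: nothing drops traffic on " wan " when the tunnel is down"; n++
            } else if (!vpn_ok) {
                print "VPN_PORT_BLOCKED: udp/" port " on " wan " is not accepted ahead of the drop"; n++
            }
            if (!n) print "OK"
        }'
}

# Samples trimmed from the three listings posted in the thread.
SAMPLE_DUP='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
-A OUTPUT -o eth0 -j DROP'
SAMPLE_BLOCKED='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -j DROP'
SAMPLE_NODROP='-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT'

for s in "$SAMPLE_DUP" "$SAMPLE_BLOCKED" "$SAMPLE_NODROP"; do
    printf '%s\n' "$s" | audit_killswitch eth0 1197; echo "--"
done
```

This is a static check of the rule list only; it does not confirm what happens on the wire when `tun0` goes away.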