eventure / hide.client.linux

Hide.me CLI VPN client for Linux
https://hide.me
GNU General Public License v2.0

Can't access local sites (192.168.0.x) #2

Closed reback00 closed 3 years ago

reback00 commented 3 years ago

Thanks for the client for linux with killswitch built in. It made my life so much easier.

Although I faced an issue recently. 192.168.0.1 is my router admin and 192.168.0.180 is a local machine where I have some important sites that I seldom need to visit. I can visit them just fine when not connected with the client. But when connected, I can't access them.

I found in the readme that DHCP traffic is allowed, but I can't access these local IPs. Is this expected?

I don't mind if local site access is disabled by default (for security, I guess). But an option would be nice to allow access to them when I want to. Is split tunnelling going to help me? If so, how can I allow these local IPs to not go over the VPN?

tcohar commented 3 years ago

DHCP traffic is broadcast traffic, so the client enables communication towards 255.255.255.255 in order to make it work properly. As you suggested, you need split tunneling (option -s). You may invoke hide.me like this:

hide.me -s 192.168.0.0/24 connect "some hide.me server"

192.168.0.0/24 won't be routed through the VPN then and you'll be able to access your local services. Everything else will use the tunnel though.

You may even specify just a few IPs in order to target those particular IPs, for example:

hide.me -s 192.168.0.1,192.168.0.180 connect "some hide.me server"

This works for IPv6 too.

reback00 commented 3 years ago

@tcohar Well, this helped me a little bit. I can access 192.168.0.1, but not 192.168.0.180.

Tried with ./hide.me -s 192.168.0.1,192.168.0.180 connect <server> but it raised this error:

...
Link: Wireguard device vpn configured
Link: [ERR] Parsing the split tunnel network 192.168.0.1 failed, invalid CIDR address: 192.168.0.1
Main: [ERR] RPDB rules failed, invalid CIDR address: 192.168.0.1
Link: Interface vpn deactivated

It seems it needs the CIDR part. No problem. So I tried ./hide.me -s 192.168.0.1/24,192.168.0.180/24 connect <server> and it let me access the router IP but not the 192.168.0.180 IP. By the way, when I run the command, it has an error in the output which may be helpful in solving this:

...
Link: Wireguard device vpn configured
Link: Split tunnel rule for 192.168.0.0/24 added
Link: [ERR] Split tunnel rule addition for  192.168.0.0/24 failed, file exists
Link: IPv4 DHCP VPN bypass RPDB rule added
...

Ping results:

$ ping -c2 192.168.0.180
PING 192.168.0.180 (192.168.0.180) 56(84) bytes of data.
From 192.168.0.100 icmp_seq=1 Destination Host Unreachable
From 192.168.0.100 icmp_seq=2 Destination Host Unreachable

--- 192.168.0.180 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1057ms
pipe 2

tcohar commented 3 years ago

Oh, yeah, you need to use the CIDR format, my mistake. The problem with your example is that you try to add the same network as an exception twice. 192.168.0.1/24 and 192.168.0.180/24 are, basically, in the same network, 192.168.0.0/24. The client tries to add the exception rules for the same network, twice, and the second attempt fails, of course. The following will work for you:

./hide.me -s 192.168.0.1/32,192.168.0.180/32 connect <server>
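
For anyone who wants to sanity-check a -s list before connecting, here is an added Go example (not code from hide.client.linux) that reproduces the two failure modes in this thread: net.ParseCIDR rejects a bare address with exactly the "invalid CIDR address" message shown in the log above, and 192.168.0.1/24 and 192.168.0.180/24 both normalize to 192.168.0.0/24, so a second rule for the same network is a duplicate. The function name ParseSplitTunnel and the error wording are my own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseSplitTunnel validates a comma-separated list of split-tunnel entries.
// Every entry must carry a CIDR suffix (as the client requires), and entries
// that describe the same network after clearing the host bits are rejected
// instead of producing a duplicate rule. Returns the normalized networks.
// (Hypothetical helper written for this thread, not the client's own code.)
func ParseSplitTunnel(list string) ([]string, error) {
	seen := map[string]string{} // normalized network -> entry that first produced it
	var nets []string
	for _, entry := range strings.Split(list, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		// net.ParseCIDR fails on "192.168.0.1" with "invalid CIDR address: 192.168.0.1".
		_, ipnet, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("parsing the split tunnel network %s failed, %w", entry, err)
		}
		// ipnet has the host bits masked off: 192.168.0.1/24 -> 192.168.0.0/24,
		// while 192.168.0.1/32 stays a single host. Works for IPv6 prefixes too.
		key := ipnet.String()
		if first, dup := seen[key]; dup {
			return nil, fmt.Errorf("%s and %s are both the network %s; use /32 (or /128 for IPv6) to list single hosts", first, entry, key)
		}
		seen[key] = entry
		nets = append(nets, key)
	}
	return nets, nil
}

func main() {
	// Constructed inputs: the three variants tried in the thread.
	for _, list := range []string{"192.168.0.1,192.168.0.180", "192.168.0.1/24,192.168.0.180/24", "192.168.0.1/32,192.168.0.180/32"} {
		nets, err := ParseSplitTunnel(list)
		if err != nil {
			fmt.Printf("-s %s => [ERR] %v\n", list, err)
			continue
		}
		fmt.Printf("-s %s => %v\n", list, nets)
	}
}
```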

reback00 commented 3 years ago

./hide.me -s 192.168.0.1/32,192.168.0.180/32 connect <server> worked like a charm. Both IPs are now accessible. Thanks a lot!