peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

Local DNS not working in Wireguard #133

Closed peacey closed 1 year ago

peacey commented 1 year ago

Originally posted by @Anon0511 in https://github.com/peacey/split-vpn/issues/132#issuecomment-1295880114

I've never got it to work in over half a year and just now I found a little bit of time to debug again. Gladly Surfshark is providing Wireguard configs by now and ironically I had (1) setup worthwhile too.

So my Adguard is on 10.50.0.2 in its own subnet/VLAN br5 and this is the vpn.conf:

### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br0 br3 br4 br10"
FORCED_SOURCE_IPV4=""
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4="10.0.0.0/8"
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# You can also use this option to allow NAT hairpin to work while on the VPN
# by adding the Unifi IP sets for the interface to the EXEMPT_IPSETS variable.
# For example, for eth8 WAN, IP sets are UBIOS_ADDRv4_eth8 and UBIOS_ADDRv6_eth8.
# For prefix delegation, IPv6 WAN addresses are stored in the bridge interfaces,
# not eth interfaces.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS="UBIOS_NETv4_br10:dst UBIOS_NETv4_br5:dst"

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="10.50.0.2"
DNS_IPV4_PORT=53
# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE="br5"

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP="REJECT"
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE="br5"

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4=""
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table are "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" for nexthop option to connect to a LAN computer.
GATEWAY_TABLE="auto"

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x97
PREFIX="VPN_1_"
PREF=99
DEV=wg0

For simplicity this is also the only Wireguard VPN I'm trying to run. Ping and direct IP connections work. Just the DNS is dead. Adguard isn't showing logs of any of the domains I try to reach.

peacey commented 1 year ago

Hey @Anon0511,

Is your AdGuard installed on the UDM itself or on another computer? If you're running it on the UDM and used the instructions from udm-utilities, then the interface you should use for DNS_IPV4_INTERFACE is actually br5.mac and not br5.

Anon0511 commented 1 year ago

No, it's on a dedicated Homeserver which is part of multiple VLANs, but all DNS settings in the UDM Pro are set to 10.50.0.2.

peacey commented 1 year ago

Okay, in that case, can you first test by removing the DNS forcing options (or commenting them out)?

Then after turning on the VPN, do the following tests from a forced VPN client (preferably Linux or Mac since they have the dig tool; for Windows you will have to download the dig tool).

ping 10.50.0.2
dig @10.50.0.2 google.com A

First we test if we can ping the DNS server from a forced VPN client, then we test if we can get a DNS response with the dig tool.

Also, on your UDM network, you don't have any of the content filtering active in the forced network's options, right? That will redirect your DNS to Ubiquiti.

One more thing, can you also change your MARK to MARK=0x169? 0x9X was found to conflict with some UDM functions. This won't fix anything since it's already working, but just a precaution.

Anon0511 commented 1 year ago

Right. MARK=0x169 was changed.

Content Filtering isn't turned on anywhere; my tons of Adguard filter lists would do that way better, I suppose.

So I commented DNS_IPV4_* out and tested with a local MobaXterm Shell from my PC:

Ping wird ausgeführt für 10.50.0.2 mit 32 Bytes Daten:
Antwort von 10.50.0.2: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.50.0.2: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.50.0.2: Bytes=32 Zeit<1ms TTL=64
Antwort von 10.50.0.2: Bytes=32 Zeit<1ms TTL=64

Ping-Statistik für 10.50.0.2:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

  29/10/2022   18:48.56   /home/mobaxterm  dig @10.50.0.2 google.com A

; <<>> DiG 9.11.5-P4 <<>> @10.50.0.2 google.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53972
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             10      IN      A       142.250.184.206

;; Query time: 11 msec
;; SERVER: 10.50.0.2#53(10.50.0.2)
;; WHEN: Sa Okt 29 18:48:57     2022
;; MSG SIZE  rcvd: 55

peacey commented 1 year ago

Great, it's working.

Can you SSH into the UDM and run this test?

ping -I br5 10.50.0.2

If that works, then re-add the VPN forcing options in vpn.conf, turn on the VPN, and test the ping/dig tests from your forced client again.

Anon0511 commented 1 year ago

# ping -I br5 10.50.0.2
PING 10.50.0.2 (10.50.0.2): 56 data bytes
64 bytes from 10.50.0.2: seq=0 ttl=64 time=0.192 ms
64 bytes from 10.50.0.2: seq=1 ttl=64 time=0.171 ms
64 bytes from 10.50.0.2: seq=2 ttl=64 time=0.234 ms
64 bytes from 10.50.0.2: seq=3 ttl=64 time=0.178 ms
^C
--- 10.50.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.171/0.193/0.234 ms

And the ping and dig tests work from PC and Server too.

peacey commented 1 year ago

Oh, if everything is working, then you should be able to load websites. You're not able to load any websites with this configuration now? Can you try to run ping yahoo.com on your forced client?

Anon0511 commented 1 year ago

Oh jeez damn. Yes I'm stupid. Probably the behavior is intended? All curl and ping timeout.... But curl -vvv4 and ping -4 work. IPv6 is in priority above IPv4. But Surfshark doesn't offer IPv6, so I thought it's enough to just set REJECT for IPv6 DNS in vpn.conf. I don't want to disable IPv6 for all the networks because soon or later I'd need to do the settings again. If there is no quick workaround I'll probably need to search for a new VPN...

peacey commented 1 year ago

Aah, you had IPv6 enabled on your network but SurfShark doesn't use IPv6. Unfortunately there's no solution other than disabling IPv6 on your device or network, or using a VPN with IPv6 support. You can't redirect IPv4 to IPv6, so that's why it's not possible.

Anon0511 commented 1 year ago

Well then thanks! At least I know it works now :D

Anon0511 commented 1 year ago

Hey, I'm back with IPv6.

I've bought OVPN and migrated everything. So far it works as much as before, IPv6 DNS fails.

dig @fd05::6e9 google.de A

; <<>> DiG 9.11.5-P4 <<>> @fd05::6e9 google.de A
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br0 br2 br3 br4 br10"
FORCED_SOURCE_IPV4=""
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# IMPORTANT: Only forward HTTP and HTTPS traffic
#CUSTOM_FORCED_RULES_IPV4="
#    -p udp --dport 80
#    -p tcp --dport 80
#    -p udp --dport 443
#    -p tcp --dport 443
#"

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# You can also use this option to allow NAT hairpin to work while on the VPN
# by adding the Unifi IP sets for the interface to the EXEMPT_IPSETS variable.
# For example, for eth8 WAN, IP sets are UBIOS_ADDRv4_eth8 and UBIOS_ADDRv6_eth8.
# For prefix delegation, IPv6 WAN addresses are stored in the bridge interfaces,
# not eth interfaces.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS="UBIOS_NETv4_br10:dst UBIOS_NETv4_br5:dst UBIOS_NETv6_br5:dst UBIOS_NETv4_br4:dst UBIOS_NETv4_br2:dst"

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="10.50.0.2"
DNS_IPV4_PORT=53
# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE="br5"

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP="fd05::6e9"
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE="br5"

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4=""
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table are "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" for nexthop option to connect to a LAN computer.
GATEWAY_TABLE="auto"

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_1_"
PREF=99
DEV=wg0

Correction: IPv6 is probably not working at all. ping -6 fails too.

Anon0511 commented 1 year ago

I'm able to nc -vz fd05::6e9 53 from the UDM Pro and from the server itself, but not from my PC, which is on br10.

-A VPN_1_FORWARD -d 10.50.0.2/32 -p udp -m mark --mark 0x169 -m udp --dport 53 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_FORWARD -d 10.50.0.2/32 -p tcp -m mark --mark 0x169 -m tcp --dport 53 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -i br0 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br2 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br3 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br4 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br5 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br10 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br10 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br5 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br4 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br2 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -d 10.14.0.2/32 -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
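As an added example (not split-vpn's own code), here is a small audit script that parses the mark rules pasted above and checks them against the vpn.conf values from this thread: it reports whether the configured DNS server has both udp and tcp port-53 unmark rules for the MARK in use, and whether the marked interfaces agree with FORCED_SOURCE_INTERFACE. Only the rule shapes visible in the listing are recognised; parse_rules, audit and MarkRules are names assumed here.

```python
"""Audit split-vpn style mark rules against vpn.conf values.

Added example, not split-vpn's own code: only the rule shapes quoted in the
thread are parsed; anything else is ignored rather than guessed at.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the IPv4 mark rules pasted in the thread.
SAMPLE_RULES = """
-A VPN_1_FORWARD -d 10.50.0.2/32 -p udp -m mark --mark 0x169 -m udp --dport 53 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_FORWARD -d 10.50.0.2/32 -p tcp -m mark --mark 0x169 -m tcp --dport 53 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -i br0 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br2 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br3 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br4 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br5 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -i br10 -j MARK --set-xmark 0x169/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br10 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br5 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br4 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -m set --match-set UBIOS_NETv4_br2 dst -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
-A VPN_1_PREROUTING -d 10.14.0.2/32 -m mark --mark 0x169 -j MARK --set-xmark 0x0/0xffffffff
"""

# One pattern per rule shape seen in the listing.
FORCE_IFACE = re.compile(
    r"^-A \S+ -i (\S+) -j MARK --set-xmark (0x[0-9a-f]+)/0xffffffff$")
EXEMPT_SET = re.compile(
    r"^-A \S+ -m set --match-set (\S+) dst -m mark --mark (0x[0-9a-f]+)"
    r" -j MARK --set-xmark 0x0/0xffffffff$")
EXEMPT_DST = re.compile(
    r"^-A \S+ -d (\S+) -m mark --mark (0x[0-9a-f]+)"
    r" -j MARK --set-xmark 0x0/0xffffffff$")
DNS_UNMARK = re.compile(
    r"^-A \S+ -d (\S+) -p (udp|tcp) -m mark --mark (0x[0-9a-f]+)"
    r" -m \2 --dport 53 -j MARK --set-xmark 0x0/0xffffffff$")


@dataclass
class MarkRules:
    mark: int
    forced_ifaces: set = field(default_factory=set)   # -i brX -> marked
    exempt_ipsets: set = field(default_factory=set)   # ipset dst -> unmarked
    exempt_dests: set = field(default_factory=set)    # -d net -> unmarked
    dns_unmarked: dict = field(default_factory=dict)  # net -> {"udp", "tcp"}


def parse_rules(text, mark):
    """Collect the rules that act on `mark` (the MARK value from vpn.conf)."""
    rules = MarkRules(mark=mark)
    for line in text.strip().splitlines():
        line = line.strip()
        if m := FORCE_IFACE.match(line):
            if int(m.group(2), 16) == mark:
                rules.forced_ifaces.add(m.group(1))
        elif m := EXEMPT_SET.match(line):
            if int(m.group(2), 16) == mark:
                rules.exempt_ipsets.add(m.group(1))
        elif m := DNS_UNMARK.match(line):
            if int(m.group(3), 16) == mark:
                net = ipaddress.ip_network(m.group(1))
                rules.dns_unmarked.setdefault(net, set()).add(m.group(2))
        elif m := EXEMPT_DST.match(line):
            if int(m.group(2), 16) == mark:
                rules.exempt_dests.add(ipaddress.ip_network(m.group(1)))
    return rules


def audit(rules, dns_ip, forced_source_interface):
    """Return findings; an empty list means the rules agree with vpn.conf."""
    findings = []
    dns = ipaddress.ip_address(dns_ip)   # DNS_IPV4_IP or DNS_IPV6_IP
    seen = set()
    for net, protos in rules.dns_unmarked.items():
        if dns in net:                   # False for a v6 address vs a v4 net
            seen |= protos
    for proto in ("udp", "tcp"):
        if proto not in seen:
            findings.append(f"no {proto}/53 unmark rule for DNS server {dns_ip}: "
                            "queries to it keep the VPN mark")
    wanted = set(forced_source_interface.split())  # FORCED_SOURCE_INTERFACE
    for iface in sorted(wanted - rules.forced_ifaces):
        findings.append(f"{iface} is in FORCED_SOURCE_INTERFACE but has no mark rule")
    for iface in sorted(rules.forced_ifaces - wanted):
        findings.append(f"{iface} is marked but not listed in FORCED_SOURCE_INTERFACE")
    return findings
```

Running `audit(parse_rules(SAMPLE_RULES, 0x169), "fd05::6e9", "br0 br2 br3 br4 br10")` against the listing above reports the missing IPv6 DNS unmark rules and the br5 mark rule that the config did not list; feed it an `ip6tables-save` listing to check the IPv6 side.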

peacey commented 1 year ago

Can I see the output of the following on the UDM? You can hide the first couple parts of any public IPv6 subnets so you don't expose your public IPv6 subnet.

ip addr show dev br5
ip addr show dev br10

Then with the VPN off, can you do these pings from your br10 computer?

ping -6 fd05::6e9
ping -6 2001:4860:4860::8888

Then please turn on the VPN and repeat the pings from that same br10 computer.

Anon0511 commented 1 year ago

Nvm, looks like the hardcoded path in run-vpn.sh wasn't changed.

peacey commented 1 year ago

Oh, so everything including IPv6 is working now?

Anon0511 commented 1 year ago

Well, basically yes. But many things are having issues. Reddit doesn't load, https://unifi.ui.com/ isn't working, https://askubuntu.com/ isn't loading, Github is extremely slow causing Home Assistant Component updates to fail. Everything feels extremely slow although my Speedtests are actually fine, 20ms ping and 350Mbit of 500. Most DNS queries are below 1ms. The error on these pages is ERR_TIMED_OUT.

I just cross-tested that with the OVPN Client on my smartphone connected to the same location and Reddit works, askubuntu works, Unifi UI works and everything is blazing fast.

Not really much of an idea right now.

peacey commented 1 year ago

Sounds like an MSS clamping issue. Can you try to set these in your vpn.conf? If the options don't exist, just add them anywhere.

MSS_CLAMPING_IPV4=1200
MSS_CLAMPING_IPV6=1200

See if that helps.

Anon0511 commented 1 year ago

Yeah! That feels much better! Thank you!

One thing I'm curious about, would splitting into multiple tunnels improve anything bandwidth/performance related? Like OVPN allows 5 simultaneous connections and I would have 4 server to choose from that are near my location.

peacey commented 1 year ago

You can only force one device/network to one VPN (there is no load balancing support for multiple VPN connections). If you mean forcing different devices to different VPN servers, then yes, you can do that. And you could probably get better performance if you're maxing out a single server, but I can't really say how much better it would be since the VPN is maxed out at 700 Mbps-1 Gbps anyways.

Anon0511 commented 1 year ago

Hey,

I'm wondering, how would I get domain exemptions to work with this kind of setup?

peacey commented 1 year ago

Hey @Anon0511,

For domain forcing, you have to use ipsets and an extra script to set up the domains. See here for instructions.

BenJule commented 1 year ago

Same here. I can ping my wg ip but the server is not reachable. Ping to Domain name is not working.

[Interface]
PrivateKey = <my whole pvt key>
ListenPort = 51820
Address = 10.13.13.4/32
DNS = 10.13.13.1
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = <my whole pub key>
PresharedKey = <my whole preshare key>
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = <wg server ip>:51820

### SPLIT VPN OPTIONS ###
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br10"
FORCED_SOURCE_IPV4=""
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# Do not enable this unless you want to force UDM local traffic through the VPN.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
# This option might cause unintended problems, so disable it if you encounter any issues.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# Enable NAT hairpin by exempting UBIOS_ADDRv4_ethX:dst for IPv4 or
# UBIOS_ADDRv6_ethX:dst for IPv6 (where X = 8 for RJ45, or 9 for SFP+ WAN).
# For IPv6 prefix delegation, exempt UBIOS_ADDRv6_brX, where X = VLAN number (0 = LAN).
#
# To allow communication with your VLAN subnets without hardcoding the subnets,
# exempt the UBIOS_NETv4_brX:dst ipset for IPv4 or UBIOS_NETv6_brX:dst for IPv6.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=""
EXEMPT_IPSETS="UBIOS_NETv4_br10:dst"

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP="DHCP"
DNS_IPV4_PORT=53
# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE=""

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
#REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4=""
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="auto"

# Set the MSS clamping on packets going out the VPN tunnel. Usually, it is not needed to
# set this manually, but some VPN connections stall if the MSS clamping is not set correctly.
# Typical values range from 1240 to 1460, but it could be lower.
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=wg0

# To execute commands when the VPN connects or disconnects, you can use the
# callback functions hooks_pre_up, hooks_up, hooks_down, and
# hooks_force_down. These functions will be invoked in response to VPN events
# pre-up, up, down, and force-down respectively.
#
# For an example on using these hooks, please see vpn.conf.filled.sample.
DISABLE_BLACKHOLE=1

peacey commented 1 year ago

Hi @Anon0511,

This issue has become stale so I'm closing it. If you are still figuring this out, feel free to re-open and ask more questions!

@BenJule, please open your own topic and explain your issue, I would be happy to help.