Open pastly opened 2 weeks ago
/etc/split-vpn/wireguard/mullvad/mullvad.conf
[Interface]
PrivateKey = [... censored ...]
Address = [ipv4]/32,[ipv6]/128
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101
[Peer]
PublicKey = [... censored ...]
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = something.something.mullvad.net:51820
/etc/split-vpn/wireguard/mullvad/vpn.conf
, without comments or empty lines.
The option EXEMPT_IPSETS
below used to be UBIOS_ADDRv4_eth8:dst
which caused errors in the log.
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# grep -v '^#' vpn.conf | grep -v '^$'
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.8.0/24 192.168.9.0/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""
FORCED_LOCAL_INTERFACE=""
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""
EXEMPT_SOURCE_IPV4_PORT="tcp-192.168.8.3-22 tcp-192.168.8.76-22"
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""
EXEMPT_DESTINATIONS_IPV4="192.168.0.3/32"
EXEMPT_DESTINATIONS_IPV6=""
FORCED_IPSETS=""
EXEMPT_IPSETS="UBIOS4ALL_ADDRv4_eth8:dst"
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""
DNS_IPV4_IP="192.168.0.2"
DNS_IPV4_PORT=53
DNS_IPV4_INTERFACE=""
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""
KILLSWITCH=0
REMOVE_KILLSWITCH_ON_EXIT=1
REMOVE_STARTUP_BLACKHOLES=1
VPN_PROVIDER="external"
VPN_ENDPOINT_IPV4=""
VPN_ENDPOINT_IPV6=""
GATEWAY_TABLE="auto"
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""
WATCHER_TIMER=1
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=mullvad
To stop the VPN manually for testing, I run this stop-vpn.sh
script
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# cat stop-vpn.sh
cd /data/split-vpn/wireguard/mullvad/
wg-quick down /data/split-vpn/wireguard/mullvad/mullvad.conf
And to start it, I run this run-vpn.sh
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# cat run-vpn.sh
#!/bin/sh
# Load configuration and run wireguard
cd /etc/split-vpn/wireguard/mullvad
. ./vpn.conf
# /etc/split-vpn/vpn/updown.sh ${DEV} pre-up >pre-up.log 2>&1
wg-quick up ./${DEV}.conf >wireguard.log 2>&1
cat wireguard.log
Here I switch back to the problematic EXEMPT_IPSETS
option so I can get the error messages.
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# ./stop-vpn.sh
[#] sh /etc/split-vpn/vpn/updown.sh mullvad down
[Wed Aug 28 09:30:54 CDT 2024] split-vpn: mullvad down: Loading configuration from /data/split-vpn/wireguard/mullvad/vpn.conf.
[#] ip link delete dev mullvad
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# vim vpn.conf
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# ./run-vpn.sh
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip -4 address add [ipv4]/32 dev mullvad
[#] ip -6 address add [ipv6]/128 dev mullvad
[#] ip link set mtu 1420 up dev mullvad
[#] ip -6 route add ::/1 dev mullvad table 101
[#] ip -6 route add 8000::/1 dev mullvad table 101
[#] ip -4 route add 128.0.0.0/1 dev mullvad table 101
[#] ip -4 route add 0.0.0.0/1 dev mullvad table 101
[#] sh /etc/split-vpn/vpn/updown.sh mullvad up
[Wed Aug 28 09:31:03 CDT 2024] split-vpn: mullvad up: Loading configuration from /etc/split-vpn/wireguard/mullvad/vpn.conf.
[Wed Aug 28 09:31:03 CDT 2024] split-vpn: Using IPv4 gateway from table 201: via [public home ipv4] dev eth8.
ipset v7.10: The set with the given name does not exist
ipset v7.10: The set with the given name does not exist
ERROR: Not adding UBIOS_ADDRv4_eth8 with unknown family: .
It's the ipset list "$ipset"
commands in add_ipset_rule()
in /etc/split-vpn/vpn/add-vpn-iptables-rules.sh
that throw the 2nd and 3rd to last lines above.
I ran ipset list | less
myself, narrowed the output down, and made a guess that one of the following is the correct replacement. Just a guess. The first one I tried (ALL, not KEY) worked. I don't know anything about what these are or where they come from.
root@DreamMachinePro:/etc/split-vpn/vpn# ipset list | grep -A 8 "Name.*4.*ADDRv4_eth8"
Name: UBIOS4ALL_ADDRv4_eth8
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 408
References: 2
Number of entries: 1
Members:
[public home ipv4]
--
Name: UBIOS4KEY_ADDRv4_eth8
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 408
References: 1
Number of entries: 1
Members:
[public home ipv4]
This issue grew from my comment in #211 because since making that comment I lost confidence that my issue is related to anybody else's.
Bottom line up front: I think UBIOS_ADDRv4_eth8 was renamed to UBIOS4ALL_ADDRv4_eth8.
I have a Dream Machine Pro UniFi OS 4.0.6.
I use mullvad and wireguard.
Further details are in my next comment.