peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0
809 stars 56 forks

UBIOS_ADDRv4_eth8 seemingly renamed upstream #212

Open pastly opened 2 weeks ago

pastly commented 2 weeks ago

This issue grew from my comment in #211 because, since making that comment, I have lost confidence that my issue is related to anybody else's.

Bottom line up front: I think UBIOS_ADDRv4_eth8 was renamed to UBIOS4ALL_ADDRv4_eth8.

I have a Dream Machine Pro running UniFi OS 4.0.6.

I use Mullvad and WireGuard.

Further details are in my next comment.

pastly commented 2 weeks ago

/etc/split-vpn/wireguard/mullvad/mullvad.conf

[Interface]
PrivateKey = [... censored ...]
Address = [ipv4]/32,[ipv6]/128
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = [... censored ...]
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = something.something.mullvad.net:51820

/etc/split-vpn/wireguard/mullvad/vpn.conf, without comments or empty lines.

The EXEMPT_IPSETS option below used to be UBIOS_ADDRv4_eth8:dst, which caused errors in the log.

root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# grep -v '^#' vpn.conf | grep -v '^$'
FORCED_SOURCE_INTERFACE=""
FORCED_SOURCE_IPV4="192.168.8.0/24 192.168.9.0/24"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""
FORCED_SOURCE_IPV4_PORT=""
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""
FORCED_DESTINATIONS_IPV4=""
FORCED_DESTINATIONS_IPV6=""
FORCED_LOCAL_INTERFACE=""
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""
EXEMPT_SOURCE_IPV4_PORT="tcp-192.168.8.3-22 tcp-192.168.8.76-22"
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""
EXEMPT_DESTINATIONS_IPV4="192.168.0.3/32"
EXEMPT_DESTINATIONS_IPV6=""
FORCED_IPSETS=""
EXEMPT_IPSETS="UBIOS4ALL_ADDRv4_eth8:dst"
PORT_FORWARDS_IPV4=""
PORT_FORWARDS_IPV6=""
DNS_IPV4_IP="192.168.0.2"
DNS_IPV4_PORT=53
DNS_IPV4_INTERFACE=""
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""
BYPASS_MASQUERADE_IPV4=""
BYPASS_MASQUERADE_IPV6=""
KILLSWITCH=0
REMOVE_KILLSWITCH_ON_EXIT=1
REMOVE_STARTUP_BLACKHOLES=1
VPN_PROVIDER="external"
VPN_ENDPOINT_IPV4=""
VPN_ENDPOINT_IPV6=""
GATEWAY_TABLE="auto"
MSS_CLAMPING_IPV4=""
MSS_CLAMPING_IPV6=""
WATCHER_TIMER=1
ROUTE_TABLE=101
MARK=0x169
PREFIX="VPN_"
PREF=99
DEV=mullvad

To stop the VPN manually for testing, I run this stop-vpn.sh script:

root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# cat stop-vpn.sh 
#!/bin/sh

# Tear down the tunnel; wg-quick's PreDown hook runs updown.sh to remove the split-vpn rules
cd /data/split-vpn/wireguard/mullvad/
wg-quick down /data/split-vpn/wireguard/mullvad/mullvad.conf

And to start it, I run this run-vpn.sh:

root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# cat run-vpn.sh 
#!/bin/sh

# Load configuration and run wireguard
cd /etc/split-vpn/wireguard/mullvad
. ./vpn.conf
# /etc/split-vpn/vpn/updown.sh ${DEV} pre-up >pre-up.log 2>&1
wg-quick up ./${DEV}.conf >wireguard.log 2>&1
cat wireguard.log

Here I switch back to the problematic EXEMPT_IPSETS option so I can get the error messages.

root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# ./stop-vpn.sh 
[#] sh /etc/split-vpn/vpn/updown.sh mullvad down
[Wed Aug 28 09:30:54 CDT 2024] split-vpn: mullvad down: Loading configuration from /data/split-vpn/wireguard/mullvad/vpn.conf.
[#] ip link delete dev mullvad
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# vim vpn.conf 
root@DreamMachinePro:/etc/split-vpn/wireguard/mullvad# ./run-vpn.sh 
[#] ip link add mullvad type wireguard
[#] wg setconf mullvad /dev/fd/63
[#] ip -4 address add [ipv4]/32 dev mullvad
[#] ip -6 address add [ipv6]/128 dev mullvad
[#] ip link set mtu 1420 up dev mullvad
[#] ip -6 route add ::/1 dev mullvad table 101
[#] ip -6 route add 8000::/1 dev mullvad table 101
[#] ip -4 route add 128.0.0.0/1 dev mullvad table 101
[#] ip -4 route add 0.0.0.0/1 dev mullvad table 101
[#] sh /etc/split-vpn/vpn/updown.sh mullvad up
[Wed Aug 28 09:31:03 CDT 2024] split-vpn: mullvad up: Loading configuration from /etc/split-vpn/wireguard/mullvad/vpn.conf.
[Wed Aug 28 09:31:03 CDT 2024] split-vpn: Using IPv4 gateway from table 201: via [public home ipv4] dev eth8.
ipset v7.10: The set with the given name does not exist
ipset v7.10: The set with the given name does not exist
ERROR: Not adding UBIOS_ADDRv4_eth8 with unknown family: .

It's the ipset list "$ipset" commands in add_ipset_rule() in /etc/split-vpn/vpn/add-vpn-iptables-rules.sh that produce the second- and third-to-last lines above.

I ran ipset list | less myself, narrowed the output down, and guessed that one of the following is the correct replacement. Just a guess. The first one I tried (ALL, not KEY) worked. I don't know anything about what these are or where they come from.

root@DreamMachinePro:/etc/split-vpn/vpn# ipset list | grep -A 8 "Name.*4.*ADDRv4_eth8"
Name: UBIOS4ALL_ADDRv4_eth8
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 408
References: 2
Number of entries: 1
Members:
[public home ipv4]
--
Name: UBIOS4KEY_ADDRv4_eth8
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 408
References: 1
Number of entries: 1
Members:
[public home ipv4]
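The errors in the log above are what you get when a script looks up an ipset by a name that no longer exists: ipset list fails, the family string comes back empty, and the rule is skipped with "unknown family: .". The POSIX sh script below is an added example, not split-vpn's own code and not a reproduction of its add_ipset_rule(); it shows the check a practitioner would want here: parse the family out of ipset list output for one named set, refuse to build a rule for a set that does not exist (naming the set in the error), and map a known old name to its renamed successor with a warning. The ipset listing is a constructed, abridged sample modelled on the output quoted in this issue, with documentation addresses in place of the real ones, so the script runs without ipset installed. IPSET_RENAMES, resolve_ipset, ipset_rule and the VPN_EXEMPT chain are hypothetical names used for illustration. Whether UBIOS4ALL or UBIOS4KEY is the intended replacement is not settled on this page; the script only makes the missing set visible by name instead of failing silently on an empty family.

```sh
#!/bin/sh
# Added example, not split-vpn's own code: resolve the set named in an
# EXEMPT_IPSETS/FORCED_IPSETS entry, read its family from the "Header:" line
# of `ipset list`, and fall back to a renamed set instead of "unknown family: .".

# Constructed, abridged sample of `ipset list` output (modelled on the issue,
# documentation addresses); stands in for a live `ipset list` call.
SAMPLE_IPSET_LIST='Name: UBIOS4ALL_ADDRv4_eth8
Type: hash:net
Header: family inet hashsize 64 maxelem 10000
References: 2
Number of entries: 1
Members:
203.0.113.10

Name: UBIOS4KEY_ADDRv4_eth8
Type: hash:net
Header: family inet hashsize 64 maxelem 10000
References: 1
Number of entries: 1
Members:
203.0.113.10

Name: EXAMPLE_ADDRv6_eth8
Type: hash:net
Header: family inet6 hashsize 64 maxelem 10000
References: 0
Number of entries: 1
Members:
2001:db8::1'

# Hypothetical old=new rename map (not a split-vpn option); the single entry
# is the rename observed in this issue.
IPSET_RENAMES="UBIOS_ADDRv4_eth8=UBIOS4ALL_ADDRv4_eth8"

# ipset_family LISTING NAME: print inet or inet6 for the set called NAME in
# LISTING; print nothing and return 1 if no set has exactly that name.
ipset_family() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Name:" { found = ($2 == want) }
        found && $1 == "Header:" {
            for (i = 2; i <= NF; i++)
                if ($i == "family") { print $(i + 1); hit = 1; exit }
        }
        END { if (hit) exit 0; exit 1 }'
}

# resolve_ipset LISTING ENTRY: ENTRY is "setname:dir" as written in vpn.conf.
# Print "setname family" for the configured name if it exists, otherwise for
# its successor in IPSET_RENAMES; return 1 with a named error if neither exists.
resolve_ipset() {
    listing=$1
    setname=${2%%:*}
    if family=$(ipset_family "$listing" "$setname"); then
        printf '%s %s\n' "$setname" "$family"
        return 0
    fi
    for pair in $IPSET_RENAMES; do
        [ "${pair%%=*}" = "$setname" ] || continue
        alt=${pair#*=}
        if family=$(ipset_family "$listing" "$alt"); then
            printf 'WARNING: ipset %s not found, using %s\n' "$setname" "$alt" >&2
            printf '%s %s\n' "$alt" "$family"
            return 0
        fi
    done
    printf 'ERROR: ipset %s does not exist; not adding rule\n' "$setname" >&2
    return 1
}

# ipset_rule LISTING ENTRY: print (dry run, never execute) the match rule for
# ENTRY, picking iptables or ip6tables from the set's family. VPN_EXEMPT is a
# hypothetical chain name, not split-vpn's.
ipset_rule() {
    entry=$2
    case $entry in *:*) dir=${entry#*:} ;; *) dir=dst ;; esac   # default to dst
    resolved=$(resolve_ipset "$1" "$entry") || return 1
    set -- $resolved
    case $2 in
        inet)  tool=iptables ;;
        inet6) tool=ip6tables ;;
        *)     return 1 ;;
    esac
    printf '%s -t mangle -A VPN_EXEMPT -m set --match-set %s %s -j RETURN\n' \
        "$tool" "$1" "$dir"
}

# Demonstration on the constructed listing: the old name from the issue is
# redirected to its successor, and a nonexistent set is refused by name.
ipset_rule "$SAMPLE_IPSET_LIST" UBIOS_ADDRv4_eth8:dst
ipset_rule "$SAMPLE_IPSET_LIST" EXAMPLE_ADDRv6_eth8:src
ipset_rule "$SAMPLE_IPSET_LIST" NO_SUCH_SET:dst || :
```

Against a live router you would replace SAMPLE_IPSET_LIST with "$(ipset list)" and run the printed commands; the point of the dry run is that a missing or renamed set is reported before any iptables command is attempted.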