peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

No internet #64

Closed jorge123255 closed 2 years ago

jorge123255 commented 2 years ago

I followed the instructions and have no internet on any of my devices. Spent 3 days trying to figure this out with no luck. Any help? :)

peacey commented 2 years ago

Hi @jorge123255,

I'll be happy to help but I'll need some more information.

  1. Which VPN provider are you setting this up with? WireGuard or OpenVPN or something else?
  2. Can I see your vpn.conf?
  3. Can you describe your network setup? Which UDM are you using?
  4. When the script is running, are you able to ping 1.1.1.1 from a forced client? Are you able to ping google.com? Trying to see if it's DNS that's the issue or the connection.
  5. Do you have any content restrictions/filters active on the forced network?

Thanks!

jorge123255 commented 2 years ago

What sucks is I upgraded today and my folder for split tunnel is gone along with the script :(.

  1. Mullvad VPN
  2. I'll recreate
  3. UniFi Dream Machine, a UniFi PoE network switch, and a UniFi cloud gen key with 4 cameras, also a UniFi AP; that pretty much sums up the network
  4. Haven't tried a forced client, but I tried different kinds of settings in the vpn.conf, and somehow I was able to ping from the router but could not ping from any devices on my network.
  5. No


peacey commented 2 years ago

split-vpn shouldn't be deleted when you upgrade, unless you factory reset. It is still there under /mnt/data/split-vpn. If you're wondering about the /etc/split-vpn link, you can recreate it by running /mnt/data/split-vpn/vpn/setup-split-vpn.sh at startup or by using the included boot script. So your files should still be there; please check again.

Please show me the vpn.conf and Mullvad WireGuard config you are using. Make sure to remove the keys from the WireGuard config before you post it.

jorge123255 commented 2 years ago

```sh
# SPLIT VPN OPTIONS
#
# Enter multiple entries separated by spaces.
# Do not enter square brackets around the entries.

# Force these sources through the VPN.
# Format: [brX] for interface. [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
FORCED_SOURCE_INTERFACE="br0"
FORCED_SOURCE_IPV4="192.168.1.1/32"
FORCED_SOURCE_IPV6=""
FORCED_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
FORCED_SOURCE_IPV4_PORT="tcp-192.168.1.1-22,32400,80:90,443,55555"
FORCED_SOURCE_IPV6_PORT=""
FORCED_SOURCE_MAC_PORT=""

# Force these destinations through the VPN.
# These destinations will be forced regardless of source.
# Format: [IP/nn]
FORCED_DESTINATIONS_IPV4="8.8.8.8"
FORCED_DESTINATIONS_IPV6=""

# Force local UDM traffic going out of these WAN interfaces to go through the
# VPN instead for both IPv4 and IPv6 traffic.
# This does not include routed traffic, only local traffic generated by the UDM.
# Do not enable this unless you want to force UDM local traffic through the VPN.
# For UDM-Pro, set to "eth8" for WAN1/Ethernet port, or "eth9" for WAN2/SFP+ port,
# or "eth8 eth9" for both. For UDM Base, set to "eth1" for the WAN port.
# This option might cause unintended problems, so disable it if you encounter any issues.
FORCED_LOCAL_INTERFACE=""

# Exempt these sources from the VPN.
# Format: [IP/nn] for IP. [xx:xx:xx:xx:xx:xx] for mac.
EXEMPT_SOURCE_IPV4=""
EXEMPT_SOURCE_IPV6=""
EXEMPT_SOURCE_MAC=""

# Format: [tcp/udp/both]-[IP/MAC Source]-[port1,port2:port3,port4,...]
# Maximum 15 ports per entry.
EXEMPT_SOURCE_IPV4_PORT=""
EXEMPT_SOURCE_IPV6_PORT=""
EXEMPT_SOURCE_MAC_PORT=""

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4=""
EXEMPT_DESTINATIONS_IPV6=""

# Force/exempt these IP sets
# IP sets need to be created before this script is run or the script will error.
# IP sets can be updated externally and will be matched dynamically.
# Each IP set entry consists of the IP set name and whether to match on source
# or destination. src/dst needs to be specified for each IP set field.
#
# Enable NAT hairpin by exempting UBIOS_ADDRv4_ethX:dst for IPv4 or
# UBIOS_ADDRv6_ethX:dst for IPv6 (where X = 8 for RJ45, or 9 for SFP+ WAN).
# For IPv6 prefix delegation, exempt UBIOS_ADDRv6_brX, where X = VLAN number (0 = LAN).
#
# To allow communication with your VLAN subnets without hardcoding the subnets,
# exempt the UBIOS_NETv4_brX:dst ipset for IPv4 or UBIOS_NETv6_brX:dst for IPv6.
#
# Format: [IPSet Name]:[src/dst,src/dst,...]
FORCED_IPSETS=dst"
EXEMPT_IPSETS=dst UBIOS_ADDRv4_eth8:dst UBIOS_ADDRv6_br0:dst UBIOS_NETv4_br4:dst"

# VPN port forwards.
# Format: [tcp/udp/both]-[VPN Port]-[Forward IP]-[Forward Port]
PORT_FORWARDS_IPV4=""tcp-21674-192.168.1.1-50001""
PORT_FORWARDS_IPV6=""

# Redirect IPv4 and IPv6 DNS to these addresses for VPN-destined traffic.
# Note that many VPN providers redirect DNS going through their VPN network
# to their own DNS servers. Redirection to other IPs might not work on all providers,
# except for DNS redirects to a local address, or rejecting DNS traffic completely.
#
# IPV4 Format: [IP] to redirect to IP, "DHCP" if using OpenVPN or OpenConnect to obtain
# DNS from DHCP options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types like wireguard/external.
#
# Example: Get DNS from DHCP
DNS_IPV4_IP=193.138.218.74
DNS_IPV4_PORT=53

# Set this to the interface (brX) the DNS is on if it is a local IP. Leave blank for
# non-local IPs. Local DNS redirects will not work without specifying the interface.
DNS_IPV4_INTERFACE=""

# IPV6 Format: [IP] to redirect to IP, or "REJECT" to reject IPv6 DNS traffic completely.
# IPV6 Format: [IP] to redirect to IP, "DHCP" if using OpenConnect to obtain DNS from DHCP
# options, or "REJECT" to reject all DNS traffic. "DHCP" is not supported on
# other VPN types.
DNS_IPV6_IP=""
DNS_IPV6_PORT=53
DNS_IPV6_INTERFACE=""

# Bypass masquerade (SNAT) for these source IPs. This option should only be used if your
# VPN server is setup to know how to route the subnet you do not want to masquerade
# (e.g.: the "iroute" option in OpenVPN).
# Set these options to ALL to disable masquerading completely.
# Format: [IP/nn] or "ALL"
BYPASS_MASQUERADE_IPV4="ALL"
BYPASS_MASQUERADE_IPV6="ALL"

# Enabling kill switch drops VPN-destined traffic that doesn't go through the VPN.
KILLSWITCH=0

# Enable this only if you are testing or you don't care about your real IP leaking
# when the vpn client restarts or exits.
REMOVE_KILLSWITCH_ON_EXIT=1

# Enable this if you added blackhole routes in the Unifi Settings to prevent Internet
# access at system startup before the VPN script runs. This option removes the blackhole
# routes to restore Internet access after the killswitch has been enabled.
# If you do not set this to 1, openvpn will not be able to connect at startup, and your
# Internet access will never be enabled until you manually remove the blackhole routes.
# Set this to 0 only if you did not add any blackhole routes.
REMOVE_STARTUP_BLACKHOLES=1

# Set the VPN provider.
# "openvpn" for OpenVPN (default), "openconnect" for OpenConnect, "external" for wireguard,
# or "nexthop" for an external VPN client.
VPN_PROVIDER="external"

# If using "external" for VPN_PROVIDER, set this to the VPN endpoint IP so that the
# gateway route can be automatically added for the VPN endpoint.
# OpenVPN passes the VPN endpoint IP to the script and will override these values.
# These must be defined if using VPN_PROVIDER="nexthop".
VPN_ENDPOINT_IPV4="66.63.167.162"
VPN_ENDPOINT_IPV6=""

# Set this to the route table that contains the gateway route, "auto", or "disabled".
# The Ubiquiti route table is "201" if you're using Ethernet, "202" for SFP+, and
# "203" for U-LTE.
# Default is "auto" which works with WAN failover and automatically changes the endpoint
# via gateway route when the WAN or gateway routes changes.
# Set to "disabled" if you are using the nexthop option to connect to a VPN on your LAN.
GATEWAY_TABLE="auto"

# Set the MSS clamping on packets going out the VPN tunnel. Usually, it is not needed to
# set this manually, but some VPN connections stall if the MSS clamping is not set correctly.
# Typical values range from 1240 to 1460, but it could be lower.
MSS_CLAMPING_IPV4="1240"
MSS_CLAMPING_IPV6=""

# Set this to the timer to use for the rule watcher (in seconds).
# The script will wake up every N seconds to re-add rules if they're deleted by
# the system, or change gateway routes if they changed. Default is 1 second.
WATCHER_TIMER=1

# Options for custom table and chains.
# These options need to be unique for each instance of openvpn if running multiple.
ROUTETABLE=101
MARK=0x9
PREFIX="VPN"
PREF=99
DEV=tun0

# To execute commands when the VPN connects or disconnects, you can use the
# callback functions hooks_pre_up, hooks_up, hooks_down, and
# hooks_force_down. These functions will be invoked in response to VPN events
# pre-up, up, down, and force-down respectively.
#
# For an example on using these hooks, please see vpn.conf.filled.sample.
```

vpn.conf (tried every setting lol)

```ini
[Interface]
PrivateKey =
Address = 10.67.201.201/32,fc00:bbbb:bbbb:bb01::4:c9c8/128
DNS = 193.138.218.74
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
Table = 101

[Peer]
PublicKey =
AllowedIPs = 192.168.1.1/24
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = 66.63.167.162:3436
```

jorge123255 commented 2 years ago

wow big font sorry about that

peacey commented 2 years ago

Thanks George! What is 192.168.1.1? Is that the IP of your computer? And you want to force all your main LAN/br0?

A few issues with your vpn.conf (some wrong settings). Let's start simple with an empty vpn.conf. Copy the sample vpn.conf.sample and only change these settings:

Then your wireguard config needs to be called the same as DEV. So in this case, make sure your WireGuard config is named wg0.conf. Also please comment out the DNS= line in your wg0.conf. The rest of your wg0.conf is correct.

After that, bring up the VPN tunnel in the configuration directory like this:

```sh
wg-quick up ./wg0.conf
```

If it is successful, try to ping 1.1.1.1 directly through the WireGuard interface in SSH on the UDM:

```sh
ping -I wg0 1.1.1.1
```

If that works, then from your forced client (192.168.1.1), try to open a command line and run:

```sh
ping 1.1.1.1
ping google.com
```

See if either works on your forced client.

If something is not working, please show me the output of wg-quick up.

Let's try it step by step and see what happens!
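As an added example (not part of this thread or the split-vpn project), a small POSIX sh checker for the two configuration mistakes worked through above: a FORCED_SOURCE_IPV4 entry that is the router's own address rather than a client, and a WireGuard config that is not named after DEV or still has an active DNS= line. It assumes vpn.conf holds NAME="value" or NAME=value assignments and that the WireGuard config sits in the same directory; the files written by demo() are constructed to mirror the ones posted here, with keys omitted.

```sh
#!/bin/sh
# Static checks for a split-vpn + WireGuard setup, covering the mistakes
# diagnosed in this thread: FORCED_SOURCE_IPV4 set to the router's own
# address, and a WireGuard config not named after DEV or still carrying an
# active DNS= line. Assumption: vpn.conf uses NAME="value" or NAME=value.

# Print the value of option $2 from vpn.conf $1, ignoring commented-out lines.
get_opt() {
    grep -v '^[[:space:]]*#' "$1" | grep -oE "$2=\"[^\"]*\"|$2=[^ \"]*" \
        | head -n1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Return 1 if any forced IPv4 source is malformed or equals the gateway $2.
check_forced_sources() {
    bad=0
    for entry in $(get_opt "$1" FORCED_SOURCE_IPV4); do
        case $entry in
            */*) ;;
            *) echo "malformed FORCED_SOURCE_IPV4 entry (want IP/nn): $entry"; bad=1; continue ;;
        esac
        if [ "${entry%/*}" = "$2" ]; then
            echo "FORCED_SOURCE_IPV4 $entry is the router's own IP, not a client"
            bad=1
        fi
    done
    return $bad
}

# Return 1 unless $1/<DEV>.conf exists and has no uncommented DNS= line
# (split-vpn redirects DNS itself via DNS_IPV4_IP, so wg-quick must not).
check_wg_config() {
    dev=$(get_opt "$1/vpn.conf" DEV)
    wg="$1/$dev.conf"
    [ -f "$wg" ] || { echo "missing $wg: WireGuard config must be named after DEV=$dev"; return 1; }
    grep -qE '^[[:space:]]*DNS[[:space:]]*=' "$wg" && { echo "$wg: comment out the DNS= line"; return 1; }
    return 0
}

# Constructed reproduction of the configs posted in this thread (keys omitted).
# Returns the number of checks that reported a problem (2 for this input).
demo() {
    d=$(mktemp -d)
    printf 'FORCED_SOURCE_INTERFACE="br0" FORCED_SOURCE_IPV4="192.168.1.1/32"\nDEV=tun0\n' > "$d/vpn.conf"
    printf '[Interface]\nDNS = 193.138.218.74\nTable = 101\n' > "$d/wg0.conf"
    check_forced_sources "$d/vpn.conf" 192.168.1.1; a=$?
    check_wg_config "$d"; b=$?
    rm -rf "$d"
    return $((a + b))
}
demo
```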

jorge123255 commented 2 years ago

aaa ok, the 192.168.1.1 is my UDM router IP; I'll change that to one of the PCs I'll be testing

jorge123255 commented 2 years ago

Yay, it's working! After the test I changed it to /24; the only thing now is DNS leaks.

peacey commented 2 years ago

Great @jorge123255! For DNS, please set DNS_IPV4_IP="193.138.218.74" in your vpn.conf (or whatever DNS you want your forced clients to use). Then bring down the tunnel and back up again and see if DNS is still leaking.

Do you have any IPv6 setup on that network?

jorge123255 commented 2 years ago

No, I disabled IPv6 on my network. @peacey thank you very much for your help, felt lost :)

jorge123255 commented 2 years ago

Let me buy you a coffee :)

peacey commented 2 years ago

No worries, George. My pleasure. Play around with it for a bit and see if you need to change any more settings, like for inter-VLAN access, or if something isn't working right. Feel free to ask if you have any more questions, or close this issue if you're happy with everything!

peacey commented 2 years ago

Closing this now, but if you have any more issues feel free to open another one!