pschmitt / pia-tools

Shell script to automate privateinternetaccess port forwarding and starting/stopping transmission when connected/disconnected and other stuff
https://aur.archlinux.org/packages/pia-tools
GNU General Public License v3.0

Unable to connect to pia after blocking non-VPN traffic #36

Open saponace opened 7 years ago

saponace commented 7 years ago

Hi, I just discovered pia-tools (which is, in my opinion, the best pia-helper out there). I encountered an issue when trying to block all non-VPN traffic with the option `--disallow`.

The scenario is:

Here are the systemd logs:

```
Aug 15 13:53:17 raclette systemd[1]: Started PIA OpenVPN connection to Sweden.
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: Could not determine IPv4/IPv6 protocol
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: SIGUSR1[soft,init_instance] received, process restarting
```

And it will loop in this state until I disable ufw, and OpenVPN can connect to pia's VPNs. I can then re-enable ufw and it keeps working.

Would it be possible to whitelist all Private Internet Access IPs in ufw, since we have the list from PIA itself when installing pia-tools?

By the way, the quick help `pia-tools -h` outputs `-a: Block non VPN traffic (iptables)` and `-d: Unblock non VPN traffic (iptables)`, but should output `-a: Allow non VPN traffic (iptables)` and `-d: Block non VPN traffic (iptables)` (the manpage is right).

Thanks

pschmitt commented 7 years ago

That's a great idea. Mind opening a PR for this?

saponace commented 7 years ago

Sure, but I'm super busy at the moment, so it might take some time before I actually start working on it (especially since I know nothing about ufw), but I'll do it with pleasure.

There is something I don't get though: has this functionality ever worked? I doubt it, since the interface is fully blacklisted in ufw, so OpenVPN cannot resolve the xxxxx.privateinternetaccess.com DNS name. Am I right?
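A sketch of the whitelist approach raised in the first post and the DNS question just above, added here as an example and not pia-tools' own code: it emits a ufw ruleset that denies everything not on the tunnel but still lets OpenVPN resolve and reach the known PIA gateways. The interface names, resolver address, port and gateway IPs are assumptions or constructed sample values, not real PIA servers.

```shell
#!/bin/sh
# Added example (not pia-tools' own code): build a "block everything that
# is not on the VPN" ufw ruleset that still allows the OpenVPN bootstrap.
# Assumptions: physical interface eth0, VPN interface tun0, resolver
# 10.0.0.1, PIA endpoint UDP/1198 (the port seen in the logs above).

PHYS_IF="${PHYS_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
DNS_SERVER="${DNS_SERVER:-10.0.0.1}"
PIA_PORT="${PIA_PORT:-1198}"

# Constructed sample list of "hostname ip" pairs, standing in for the
# server list pia-tools saves at install time (while DNS still works).
PIA_GATEWAYS='sweden.privateinternetaccess.com 192.0.2.10
sweden.privateinternetaccess.com 192.0.2.11
netherlands.privateinternetaccess.com 198.51.100.7'

# Print the ufw commands rather than running them, so the ruleset can
# be reviewed first (pipe the output to sh as root to apply it).
pia_ufw_rules() {
  echo "ufw default deny incoming"
  echo "ufw default deny outgoing"
  echo "ufw allow out on lo"
  # Everything is allowed once it rides the tunnel.
  echo "ufw allow out on $VPN_IF"
  # OpenVPN must resolve *.privateinternetaccess.com before the tunnel
  # exists, so allow DNS to the configured resolver only (no open DNS).
  echo "ufw allow out on $PHYS_IF to $DNS_SERVER port 53 proto udp"
  # Allow the OpenVPN handshake to each known gateway and nothing else
  # on the physical interface.
  printf '%s\n' "$PIA_GATEWAYS" | while read -r host ip; do
    [ -n "$ip" ] || continue
    echo "# $host"
    echo "ufw allow out on $PHYS_IF to $ip port $PIA_PORT proto udp"
  done
}

# Number of per-gateway allow rules in the generated ruleset.
pia_gateway_rule_count() {
  pia_ufw_rules | grep -c "port $PIA_PORT proto udp"
}

# Usage: pia_ufw_rules (review), then pia_ufw_rules | sudo sh (apply).
```

Because gateway hostnames resolve to changing sets of addresses, the saved list has to be regenerated while DNS is still reachable, otherwise a newly rotated gateway IP is silently blocked and OpenVPN loops exactly as in the logs above.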