Can't browse internet after connecting to PIA w/OpenVPN on Raspberry PI 3B+ - seeking help
Hi,
I'm trying to get the Private Internet Access (PIA) VPN service working on my Raspberry Pi 3 B +, running the latest version of Raspbian.
I can connect successfully to PIA, but then no matter what I've tried, I can't browse websites outside my network (ping and nslookup work fine, though). Just to clarify, I'm not interested in setting up my Pi to be a VPN server; I just want to use it as a client, so I can establish and use a VPN connection to PIA from my Pi, using OpenVPN.
Apologies for the long post, but I've tried quite a few things over 2 days and I want to ensure I include as much detail as possible, to help folks identify what I may have missed or what else I should try. Any suggestions greatly appreciated!
How I set up the Pi:
- Downloaded Raspbian Stretch w/Desktop from https://www.raspberrypi.org/downloads/raspbian/
- Extracted and wrote the image file to a microSD card using https://etcher.io/
- Plugged in Pi to TV, plugged microSD card into Pi, hooked up USB mouse & keyboard, powered up Pi.
- Enabled SSH for remote management.
- Powered down Pi (sudo shutdown now).
- Plugged Pi into my router with wired ethernet connection, powered up, and confirmed I could access it remotely w/SSH via assigned IP address.
- Set up TightVNC and rebooted Pi to ensure VNC starts upon bootup. Am now accessing Pi remotely (headless) from my Windows PC via TightVNC viewer or SSH.
- Netgear Nighthawk R7000 wifi router w/4 ethernet ports & running DHCP server.
- Local network (LAN) of 192.168.1.0/24.
- I have reserved an IP address in the router for the Raspberry Pi, assigned automatically based on the Pi's wired/ethernet (eth0) MAC address.
- The Pi is plugged directly into my router. I verified it is assigned the reserved IP address I have specified & it shows up via ifconfig on the Pi.
Did the following:
- sudo apt-get install openvpn
- wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
- sudo apt-get install unzip
- unzip openvpn.zip -d openvpn
- sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/
- sudo cp openvpn/Singapore.ovpn /etc/openvpn/Singapore.conf
user12345678
MyGreatPassword
Changed the permissions on this file so only the root user can read it:
- sudo chmod 600 /etc/openvpn/login
ca ca.rsa.2048.crt
auth-user-pass
crl-verify crl.rsa.2048.pem
To this:
ca /etc/openvpn/ca.rsa.2048.crt
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem
Connected successfully with "sudo openvpn --config /etc/openvpn/Singapore.conf"
--------
[email protected]:/etc/openvpn $ sudo openvpn --config /etc/openvpn/Singapore.conf
Sun Jun 3 12:33:56 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sun Jun 3 12:33:56 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sun Jun 3 12:33:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]216.185.103.139:1198
Sun Jun 3 12:33:56 2018 UDP link local: (not bound)
Sun Jun 3 12:33:56 2018 UDP link remote: [AF_INET]216.185.103.139:1198
Sun Jun 3 12:33:56 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jun 3 12:33:57 2018 [*** stuff omitted ***] Peer Connection Initiated with [AF_INET]216.185.103.139:1198
Sun Jun 3 12:33:58 2018 TUN/TAP device tun0 opened
Sun Jun 3 12:33:58 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 3 12:33:58 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Jun 3 12:33:58 2018 /sbin/ip addr add dev tun0 local 10.13.10.6 peer 10.13.10.5
Sun Jun 3 12:33:58 2018 Initialization Sequence Completed
--------
curl of ipinfo.io shows my IP has been changed to one from Singapore's VPN:
--
}[email protected]:/ $ curl ipinfo.io
{
"ip": "196.52.34.10",
"hostname": "ip-10-34-52-196.sg.asianpacifictelephone.com",
"city": "Singapore",
"region": "Central Singapore Community Development Council",
"country": "SG",
"loc": "1.2931,103.8560",
"org": "AS36351 SoftLayer Technologies Inc."
}[email protected]:
--
/etc/resolv.conf just contains my default gateway, 192.168.1.1 (this is my router):
--
}[email protected]:/ $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 192.168.1.1
[email protected]:/ $
--
ping and nslookup work fine from terminal.
--
[email protected]:/ $ ping -c 2 google.com
PING google.com (216.58.193.78) 56(84) bytes of data.
64 bytes from sea15s07-in-f78.1e100.net (216.58.193.78): icmp_seq=1 ttl=52 time=361 ms
64 bytes from sea15s07-in-f78.1e100.net (216.58.193.78): icmp_seq=2 ttl=52 time=361 ms
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 361.494/361.746/361.999/0.652 ms
[email protected]:/ $
[email protected]:/ $ nslookup raspberrypi.org
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: raspberrypi.org
Address: 93.93.128.230
Name: raspberrypi.org
Address: 93.93.130.214
[email protected]:/ $
--
I verified via ifconfig that I have a tun0 interface active and working.
--
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.78.10.6 netmask 255.255.255.255 destination 10.78.10.5
inet6 fe80::2e05:3dd5:4643:5a7e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100
--
However, when I try to get content from google.com via curl, it just sits there.
--
[email protected]:/ $ curl http://www.google.com
--
I then loaded chromium-browser from terminal. When I try to visit any site, such as http://www.google.com, http://raspberrypi.org, I am advised:
--
This site can't be reached
www.google.com took too long to respond.
Try:
* Checking the connection
* Checking the proxy and the firewall
ERR_TIMED_OUT
--
This is a brand new installation of raspbian. I am not using any firewalls I know of. Checked iptables; nothing seems to be set.
--
[email protected]:/ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[email protected]:/ $
--
As soon as I terminate the OpenVPN connection, I am able to retrieve websites from curl & chromium browser is able to render
sites without any difficulty.
I then found this link which talks about updating resolv.conf to use VPN's nameservers when link goes up/down -
https://permortensen.com/pia-on-a-pi/.
So I updated the Singapore.conf config to incorporate the settings.
--
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
--
Now when I attempt a connection with openvpn this is shown near the end of the log.
--
Sun Jun 3 12:52:22 2018 TUN/TAP device tun0 opened
Sun Jun 3 12:52:22 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 3 12:52:22 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Jun 3 12:52:22 2018 /sbin/ip addr add dev tun0 local 10.24.11.6 peer 10.24.11.5
Sun Jun 3 12:52:22 2018 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.24.11.6 10.24.11.5 init
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
Too few arguments.
Too few arguments.
Sun Jun 3 12:52:23 2018 Initialization Sequence Completed
--
Here is the full config from Singapore.conf:
--
[email protected]:/ $ sudo cat /etc/openvpn/Singapore.conf
client
dev tun
proto udp
remote sg.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
[email protected]:/ $ [email protected]:/ $
--
Looks like the same behavior as before, after the VPN connection is established:
- curl ipinfo.io shows I have a Singapore VPN address
- I can ping and nslookup servers from terminal
- I can't access www.google.com & other sites from curl or chromium browser
- As soon as I stop the VPN connection I am able to access & browse anywhere
I have tried using various iptable settings and such to get this working, but I'm stumped. Also tried manually editing
/etc/dhcpcd.conf to force-set my static IP and only set Google DNS nameservers (8.8.8.8, 8.8.4.4) just in case my local
router (192.168.1.1) was causing things to break; that didn't work either. Same behavior. Not sure what else to check here.
Just in case all that tweaking/hacking further complicated things, I tried a fresh installation of Raspbian on an 8GB microsd card this
morning, following the above steps, and I'm at the same point as before - can't connect to websites after the VPN is established.
I am able to use Private Internet Access (PIA) fine on my Windows servers, including the server which is also connected directly to my
router, as well as another that is connected wirelessly to my wi-fi network. I'm also able to use the OpenVPN app on my iPhone to connect
to PIA with no issues, whether my iPhone is connected to my wireless network or cellular network, so I know that my login/pass works fine.
Hoping to get VPN working so I can benefit from VPN privacy from my Raspberry Pi, just like on my Windows servers. I would greatly
appreciate any pointers or help here.. not sure what else to try.
Thank you.
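An added example, not part of the original post: the post shows `/etc/resolv.conf` still pointing at the LAN router (192.168.1.1) while the tunnel is up, so this sketch checks which interface each nameserver is actually reached through, using longest-prefix matching over `route -n` output. The sample routing table is constructed from the `route -n` output posted in the comments of this thread, and the function names are this example's own.

```python
import ipaddress

# Constructed sample inputs, modelled on output shown in this thread.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.74.10.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
10.74.10.1      10.74.10.5      255.255.255.255 UGH   0      0        0 tun0
10.74.10.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.74.10.5      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
216.185.103.140 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
"""
RESOLV_CONF = """\
# Generated by resolvconf
nameserver 192.168.1.1
"""


def parse_route_n(text):
    """Return [(network, gateway, metric, iface)] parsed from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # skip the two header lines and anything malformed
        prefix = bin(int(ipaddress.IPv4Address(f[2]))).count("1")  # Genmask -> /n
        routes.append((ipaddress.ip_network(f"{f[0]}/{prefix}"), f[1], int(f[4]), f[7]))
    return routes


def egress(routes, dest):
    """Interface the kernel would pick: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None  # no IPv4 route covers this address
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[3]


def nameservers(resolv_conf):
    """Addresses from the `nameserver` lines of a resolv.conf, comments ignored."""
    found = []
    for line in resolv_conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] == "nameserver":
            found.append(f[1])
    return found


def audit(route_text, resolv_text, tunnel="tun0"):
    """Report whether default traffic and DNS lookups go through the tunnel interface."""
    routes = parse_route_n(route_text)
    via_tunnel = {r[0] for r in routes if r[3] == tunnel}
    # OpenVPN overrides the default route with two /1 routes instead of replacing it.
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return {
        "default_via_tunnel": halves <= via_tunnel
        or ipaddress.ip_network("0.0.0.0/0") in via_tunnel,
        # Resolvers reached over another interface see every lookup outside the VPN.
        "dns_outside_tunnel": [
            ns for ns in nameservers(resolv_text) if egress(routes, ns) != tunnel
        ],
    }


if __name__ == "__main__":
    print(audit(ROUTE_N, RESOLV_CONF))
    # The DNS server pushed by the VPN in the log above would go through tun0.
    print(egress(parse_route_n(ROUTE_N), "209.222.18.222"))
```

On a live system the two inputs would come from `route -n` and `/etc/resolv.conf`; only IPv4 routes are evaluated, so an IPv6 nameserver is reported as outside the tunnel.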
Comments
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.46.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
10.46.10.1 10.46.10.5 255.255.255.255 UGH 0 0 0 tun0
10.46.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.46.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
216.185.103.139 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
10.2.10.1 10.2.10.5 255.255.255.255 UGH 0 0 0 tun0
10.2.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
119.81.66.207 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.2.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
[email protected]:/ $
{
"ip": "196.52.34.19",
"hostname": "ip-19-34-52-196.sg.asianpacifictelephone.com",
"city": "Singapore",
"region": "Central Singapore Community Development Council",
"country": "SG",
"loc": "1.2931,103.8560",
"org": "AS36351 SoftLayer Technologies Inc."
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.41 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::4531:6c25:7c4b:974e prefixlen 64 scopeid 0x20<link>
ether [ETHERNET-CARD-MAC-ADDRESS] txqueuelen 1000 (Ethernet)
RX packets 11283 bytes 1154876 (1.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8587 bytes 16814327 (16.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.2.10.6 netmask 255.255.255.255 destination 10.2.10.5
inet6 fe80::56c9:f634:ffa4:f3a7 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 10 bytes 1378 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 58 bytes 5716 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[email protected]:/ $
Especially interested in comparing with another user on raspbian. But any working config is appreciated for analysis.
Hope that helps!
How do I get PIA working with OpenVPN??? Is the team working on an installer for Raspberry Pi, since it is such a popular platform?
I really enjoy PIA on everything else I use, and just want it working on my Pi, too. A simple PIA installer/app created for Raspbian (the Unix OS used by Raspberry Pi) would make this a lot more user friendly. Thank you.
If you can curl ipinfo.io and it shows a PIA IP, then for all intents and purposes you are successfully connected to PIA. Odd that other sites don't seem to work.
Have you tried connecting to a different region in case this specific region has issues?
-I freshly installed Raspbian onto the Pi from raspberrypi.org (used etcher to write to the Pi's SD card).
-Plugged Pi into my TV, enabled SSH via raspi-config. Shut down Pi.
-Unplugged Pi from TV and plugged into my router with ethernet cable. Then SSH'd in.
-Installed TightVNC server and accessed remotely so I could use Chromium browser.
-"route -n" shows no tunnel configured when I login.
-Started some terminals to run the below commands.
Used "sudo apt-get install dnsutils" to install nslookup, etc. so I can make sure nslookup, ping works later when VPN connected.
Followed directions you suggested here to install OpenVPN, through step 5: https://www.privateinternetaccess.com/helpdesk/guides/desktop/linux/linux-openvpn-terminal-connection
Checked with route to make sure no tunnel shows up.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
-=-=-=-=-=-=-=-=-=-=-=-=
Now ran step #6 of the above guide, to run the command sudo openvpn 'config-filename-goes-here.ovpn' (I used Singapore.ovpn). It connected successfully per the log message ("Initialization Sequence Completed").
Used curl to verify I have the Singapore IP.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:~ $ curl ipinfo.io
{
"ip": "196.52.34.25",
"hostname": "ip-25-34-52-196.sg.asianpacifictelephone.com",
"city": "Singapore",
"region": "Central Singapore Community Development Council",
"country": "SG",
"loc": "1.2931,103.8560",
"org": "AS36351 SoftLayer Technologies Inc."
}[email protected]:~ $
-=-=-=-=-=-=-=-=-=-=-=-=
Checked the route; now it shows the tunnel.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.74.10.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
10.74.10.1 10.74.10.5 255.255.255.255 UGH 0 0 0 tun0
10.74.10.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.74.10.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
216.185.103.140 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
[email protected]:/ $
-=-=-=-=-=-=-=-=-=-=-=-=
Ran some nslookups and a ping with the VPN connection active. No issues here.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ nslookup google.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.3.206
[email protected]:/ $ nslookup raspberrypi.org
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: raspberrypi.org
Address: 93.93.128.230
Name: raspberrypi.org
Address: 93.93.130.214
[email protected]:/ $ ping -c 2 google.com
PING google.com (172.217.3.206) 56(84) bytes of data.
64 bytes from sea15s12-in-f14.1e100.net (172.217.3.206): icmp_seq=1 ttl=49 time=374 ms
64 bytes from sea15s12-in-f14.1e100.net (172.217.3.206): icmp_seq=2 ttl=49 time=376 ms
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 374.852/375.504/376.156/0.652 ms
[email protected]:/ $
-=-=-=-=-=-=-=-=-=-=-=-=
ifconfig also shows the tunnel is up and active (tun0), with an assigned IP.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.41 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ebe3:2f2f:a171:cb65 prefixlen 64 scopeid 0x20<link>
ether [MY-WIRED-ETHERNET-MAC-ADDRESS] txqueuelen 1000 (Ethernet)
RX packets 38380 bytes 13196943 (12.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37192 bytes 18046255 (17.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 234 (234.0
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 234 (234.0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.74.10.6 netmask 255.255.255.255 destination 10.74.10.5
inet6 fe80::3990:9a6f:c9b:76da prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 11 bytes 1916 (1.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32 bytes 3237 (3.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether [MY-WIFI-ETHERNET-MAC-ADDRESS] txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[email protected]:/ $
-=-=-=-=-=-=-=-=-=-=-=-=
However, when I try to connect to www.google.com using Chromium browser, I get the timeout again.
-=-=-=-=-=-=-=-=-=-=-=-=
This site can't be reached
The connection was reset.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_RESET
-=-=-=-=-=-=-=-=-=-=-=-=
This is a new Pi w/Raspbian, I haven't configured a proxy or firewall.
Stop VPN connection, route shows tunnel has gone away.
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
[email protected]:/ $
-=-=-=-=-=-=-=-=-=-=-=-=
ifconfig also shows no more tunnel (no tun0).
-=-=-=-=-=-=-=-=-=-=-=-=
[email protected]:/ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.41 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ebe3:2f2f:a171:cb65 prefixlen 64 scopeid 0x20<link>
ether [MY-WIRED-ETHERNET-MAC-ADDRESS] txqueuelen 1000 (Ethernet)
RX packets 39379 bytes 13263716 (12.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38001 bytes 18595747 (17.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 234 (234.0
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 234 (234.0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether [MY-WIRELESS-ETHERNET-MAC-ADDRESS] txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[email protected]:/ $
-=-=-=-=-=-=-=-=-=-=-=-=
So, we are no longer seeing the "phantom tunnel" when VPN isn't connected, but I still can't get it working using the default configs (https://www.privateinternetaccess.com/openvpn/openvpn.zip).
My next step is going to be to try each of the remaining configs listed at https://www.privateinternetaccess.com/helpdesk/guides/desktop/linux/linux-openvpn-terminal-connection. As it says there:
-=-=-=-=-=-=-=-=-=-=-=-=
Some networks are configured to be more restrictive than others, which can sometimes interfere with VPN connections. In the event the default files do not work, please try redoing the config file portion of the OpenVPN install and replace the https://www.privateinternetaccess.com/openvpn/openvpn.zip file with one of the URLs listed below; please try each set until one of them works:
https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip
https://www.privateinternetaccess.com/openvpn/openvpn-ip-lport.zip
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip
https://www.privateinternetaccess.com/openvpn/openvpn-ip-tcp.zip
-=-=-=-=-=-=-=-=-=-=-=-=
I will try to test the rest of those this weekend, no more time to test tonight. Thanks for all the suggestions so far!
inet 10.2.10.6 netmask 255.255.255.255 destination 10.2.10.5
inet6 fe80::a409:8ca6:b401:772f prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100
{
"ip": "196.54.55.24",
"hostname": "ip-24-55-54-196.fr.amsterdamresidential.com",
"city": "Paris",
"region": "Île-de-France",
"country": "FR",
"loc": "48.8628,2.3292",
"postal": "75001",
"org": "AS20473 Choopa, LLC"
}[email protected]:/ $
--
{
"ip": "82.102.21.98",
"city": "Milan",
"region": "Lombardia",
"country": "IT",
"loc": "45.4643,9.1895",
"postal": "20132",
"org": "AS9009 M247 Ltd"
--2018-06-09 03:21:46-- http://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.194.196, 2607:f8b0:4005:805::2004
Connecting to www.google.com (www.google.com)|216.58.194.196|:80... connected.
HTTP request sent, awaiting response...
--
--2018-06-09 03:23:46-- http://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.194.196, 2607:f8b0:4005:805::2004
Connecting to www.google.com (www.google.com)|216.58.194.196|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 11.23K --.-KB/s in 0.007s
2018-06-09 03:23:47 (1.57 MB/s) - ‘index.html’ saved [11496]
[email protected]:~ $
--
https://www.privateinternetaccess.com/openvpn/openvpn-ip-lport.zip
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip
https://www.privateinternetaccess.com/openvpn/openvpn-ip-tcp.zip
{
"ip": "196.52.34.15",
"hostname": "ip-15-34-52-196.sg.asianpacifictelephone.com",
"city": "Singapore",
"region": "Central Singapore Community Development Council",
"country": "SG",
"loc": "1.2931,103.8560",
"org": "AS36351 SoftLayer Technologies Inc."
}[email protected]:~ $ curl https://ipinfo.io
{
"ip": "196.52.34.15",
"hostname": "ip-15-34-52-196.sg.asianpacifictelephone.com",
"city": "Singapore",
"region": "Central Singapore Community Development Council",
"country": "SG",
"loc": "1.2931,103.8560",
"org": "AS36351 SoftLayer Technologies Inc."
}[email protected]:~ $ wget https://www.google.com
--2018-06-09 03:48:52-- https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.194.196, 2607:f8b0:4005:805::2004
Connecting to www.google.com (www.google.com)|216.58.194.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ <=> ] 11.42K 65.7KB/s in 0.2s
2018-06-09 03:48:55 (65.7 KB/s) - ‘index.html’ saved [11694]
[email protected]:~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.31.1.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 202 0 0 eth0
10.31.1.1 10.31.1.5 255.255.255.255 UGH 0 0 0 tun0
10.31.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
119.81.31.31 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.31.1.5 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
[email protected]:~ $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The differences between each set of config files are detailed below.
OPENVPN CONFIGURATION FILES (DEFAULT) -- These files connect over UDP port 1198 with AES-128-CBC+SHA1, using the server name to connect.
OPENVPN CONFIGURATION FILES (IP) -- These files connect over UDP port 1198 with AES-128-CBC+SHA1, and connect via an IP address instead of the server name.
OPENVPN CONFIGURATION FILES (STRONG) -- These files connect over UDP port 1197 with AES-256-CBC+SHA256, using the server name to connect.
OPENVPN CONFIGURATION FILES (TCP) -- These files connect over TCP port 502 with AES-128-CBC+SHA1, using the server name to connect.
OPENVPN CONFIGURATION FILES (STRONG-TCP) -- These files connect over TCP port 501 with AES-256-CBC+SHA256, using the server name to connect.
All the configs have slightly different settings for different use cases, but they all should be valid. The only differences between them are the certificate, host/ip, port, cipher and auth hash.
I can't explain that one, but I'm glad you got it working!
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
fe80::/64 :: U 256 1 0 eth0
::/0 :: !n -1 1 1 lo
::1/128 :: Un 0 6 149 lo
fe80::bf10:9bb8:b0d9:4b4c/128 :: Un 0 2 0 eth0
ff00::/8 :: U 256 5 112 eth0
::/0 :: !n -1 1 1 lo
[email protected]:/ $
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
fe80::/64 :: U 256 1 0 eth0
fe80::/64 :: U 256 1 0 tun0
::/0 :: !n -1 1 1 lo
::1/128 :: Un 0 6 148 lo
fe80::b36e:b15e:eee8:52a1/128 :: Un 0 2 0 tun0
fe80::bf10:9bb8:b0d9:4b4c/128 :: Un 0 2 0 eth0
ff00::/8 :: U 256 5 112 eth0
ff00::/8 :: U 256 1 0 tun0
::/0 :: !n -1 1 1 lo