Unable to connect to pia after blocking non-VPN traffic #36

Open
saponace opened this issue Aug 15, 2017 · 2 comments

Comments

@saponace

Hi,
I just discovered pia-tools (which is, in my opinion, the best pia-helper out there).
I encountered an issue when trying to block all non-VPN traffic with the option --disallow.

The scenario is:

  • I configure pia-tools
  • I am not connected to pia yet
  • I run pia-tools -d
  • My interface gets denied in ufw
  • I try to start OpenVPN via systemctl start pia@Sweden
  • OpenVPN cannot resolve privateinternetaccess DNS names because my interface is blocked by ufw.

Here are the systemd logs:

Aug 15 13:53:17 raclette systemd[1]: Started PIA OpenVPN connection to Sweden.
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: RESOLVE: Cannot resolve host address: sweden.privateinternetaccess.com:1198 (Name or service not known)
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: Could not determine IPv4/IPv6 protocol
Aug 15 13:53:17 raclette openvpn@Sweden[12752]: SIGUSR1[soft,init_instance] received, process restarting

And it will loop in this state until I disable ufw, and OpenVPN can connect to pia's VPNs.
I can then re-enable ufw and it keeps working.

Would it be possible to whitelist all private internet access IPs in ufw, since we have the list from pia itself when installing pia-tools?

By the way, the quick help pia-tools -h outputs
-a: Block non VPN traffic (iptables) -d: Unblock non VPN traffic (iptables)
but should output
-a: Allow non VPN traffic (iptables) -d: Block non VPN traffic (iptables)
(The manpage is right).

Thanks

@pschmitt
Owner

That's a great idea. Mind opening a PR for this?

@saponace
Author

Sure, but I'm super busy at the moment, so it might take some time before I actually start working on it (especially since I know nothing about ufw), but I'll do it with pleasure.

There is something I don't get though: has this functionality ever worked?
I doubt it, since the interface is fully blacklisted from ufw, so OpenVPN cannot resolve the xxxxx.privateinternetaccess.com DNS name. Am I right?
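
The whitelist idea discussed in this thread, as an added example that is not part of the thread or of pia-tools: a shell function that turns endpoint addresses resolved while the firewall is still open into per-address ufw allow rules, and only prints them for review. The interface name eth0, the udp protocol and the sample addresses are assumptions (port 1198 is the one in the log above), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print (never apply) ufw allow rules for VPN endpoint
# addresses that were resolved while the firewall was still open.

# is_ipv4 ADDR: succeed only for a dotted quad with octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_ufw_rules IFACE PORT PROTO: read one address per line on stdin and
# print one allow rule per unique valid address. Blank lines and '#'
# comments are skipped; other invalid lines are reported on stderr.
gen_ufw_rules() {
    iface=$1 port=$2 proto=$3
    LC_ALL=C sort -u | while IFS= read -r addr; do
        case "$addr" in ''|'#'*) continue ;; esac
        if is_ipv4 "$addr"; then
            echo "ufw allow out on $iface to $addr port $port proto $proto"
        else
            echo "skipped invalid address: $addr" >&2
        fi
    done
}

# Constructed sample input: documentation-range addresses, one duplicate,
# one out-of-range octet and one unresolved hostname.
sample_endpoints() {
    cat <<'EOF'
# resolved before enabling the block (constructed values)
192.0.2.10
198.51.100.7
192.0.2.10
300.1.1.1
sweden.privateinternetaccess.com
EOF
}

# Assumed interface and protocol; port 1198 is the one in the log above.
sample_endpoints | gen_ufw_rules eth0 1198 udp
```

The printed rules need to be in place before the rule that denies the physical interface, because ufw applies the first rule that matches. They only cover traffic to the endpoint addresses; once the block is active OpenVPN still needs to obtain the address without a DNS lookup, for example from an address already present in its configuration.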
