1 hour ago, reversevpn said:

I wonder though, why do you hide the VPN's routing table entries instead of just not pulling them in at all? If they are hidden anyway, what good does it do for them to enter the routing table in the first place?


In the scripts I provide in the wiki the VPN routing table entries are suppressed entirely. But those call and configure the openvpn or wireguard client program directly. They don't use Eddie.

If someone wants to use Eddie without trying to control the openvpn or wireguard client inside it (i.e. just the way it comes), then the VPN will attempt to install its gateway as the default. You could just remove them afterwards. But a user may want to put them back again later in order to use the VPN with their browser. So you would need a script to remove and another to reinstall the VPN gateway.

Also, I prefer not to let the VPN be the default gateway even for a brief moment. If I hide the VPN gateway before I start the VPN, then it will never be the default. And this is how the Windows scripts I provided work. So it should be familiar to tranquivox69.
 

On 4/10/2023 at 9:40 AM, NaDre said:

Of course those came originally from the wiki I wrote on github.

I guess the scripts I posted there for Linux are not appealing because they do not use Eddie.

...

Then you could bind qbittorrent to the VPN interface for OpenVPN or to the VPN address for Wireguard.

...

I have tested these with OpenVPN with it trying to change the default gateway. Not Wireguard or Eddie though. Give them a try? vpn_gateway_route is the one that runs after the VPN is up and vpn_gateway_hide has been run, to set up source address routing.

EDIT: There is an updated version of these scripts here:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

You can give them a quick test using curl:
curl -4 icanhazip.com
curl -4 --interface tun0 icanhazip.com

curl -6 icanhazip.com
curl -6 --interface tun0 icanhazip.com

vpn_gateway_hide
#!/bin/sh

# helper function
token () {
N=$1
shift
eval echo \$${N}
}

echo === adding routing table entries to hide VPN ...

echo
echo === IPv4 routing table before ...
ip -4 route

echo
echo === IPv6 routing table before ...
ip -6 route

echo
echo === scanning routing table to set gateway variables ...

echo
echo === IPv4 gateway ...
# determine IPv4 gateway IP address and interface name
ROUTE4=`ip -4 route show default`
#echo ROUTE4=$ROUTE4
GATEWAY_IP4=`token 3 $ROUTE4`
echo GATEWAY_IP4=$GATEWAY_IP4
GATEWAY_IF4=`token 5 $ROUTE4`
echo GATEWAY_IF4=$GATEWAY_IF4

echo
echo === IPv6 gateway ...
ROUTE6=`ip -6 route show default`
#echo ROUTE6=$ROUTE6
GATEWAY_IP6=`token 3 $ROUTE6`
echo GATEWAY_IP6=$GATEWAY_IP6
GATEWAY_IF6=`token 5 $ROUTE6`
echo GATEWAY_IF6=$GATEWAY_IF6

echo
echo === adding entries to IPv4 routing table ...

# to override standard IPv4 gateway entries: the four /2 routes together cover
# all of IPv4 and are more specific than the 0.0.0.0/1 and 128.0.0.0/1 pair that
# OpenVPN (redirect-gateway) and Eddie install, so longest-prefix matching keeps
# sending unbound traffic via the original gateway even after the VPN is up
sudo ip -4 route add   0.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add  64.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add 128.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add 192.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4

echo
echo === adding entries to IPv6 routing table ...

# to override standard IPv6 Wireguard gateway entries
sudo ip -6 route add     ::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 4000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 8000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add c000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6

# to override standard IPv6 OpenVPN gateway entries
sudo ip -6 route add     ::/4 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 1000::/4 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 2000::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 2800::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 3000::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 3800::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add fc00::/8 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add fd00::/8 via $GATEWAY_IP6 dev $GATEWAY_IF6

echo
echo === IPv4 routing table after ...
ip -4 route

echo
echo === IPv6 routing table after ...
ip -6 route

vpn_gateway_show
#!/bin/sh

echo === removing routing table entries to show VPN ...

sudo ip -4 route delete   0.0.0.0/2
sudo ip -4 route delete  64.0.0.0/2
sudo ip -4 route delete 128.0.0.0/2
sudo ip -4 route delete 192.0.0.0/2

sudo ip -6 route delete     ::/2
sudo ip -6 route delete 4000::/2
sudo ip -6 route delete 8000::/2
sudo ip -6 route delete c000::/2
sudo ip -6 route delete     ::/4
sudo ip -6 route delete 1000::/4
sudo ip -6 route delete 2000::/5
sudo ip -6 route delete 2800::/5
sudo ip -6 route delete 3000::/5
sudo ip -6 route delete 3800::/5
sudo ip -6 route delete fc00::/8
sudo ip -6 route delete fd00::/8

echo
echo === IPv4 routing table after ...
ip -4 route

echo
echo === IPv6 routing table after ...
ip -6 route

vpn_gateway_route
#!/bin/sh

# helper function
token () {
N=$1
shift
eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...
# determine VPN gateway IPv4 address and interface name
# (expects the "0.0.0.0/1 via <gateway> dev <interface>" form that OpenVPN installs
# with redirect-gateway; Eddie installs "0.0.0.0/1 dev <interface> scope link" instead,
# so token 3 and 5 are not the gateway and interface there)
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IP4=`token 3 $ROUTE4`
echo GATEWAY_IP4=$GATEWAY_IP4
GATEWAY_IF=`token 5 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

IP_TABLE=9999

echo

echo === deleting IPV4 route table $IP_TABLE ...
sudo ip -4 rule del table $IP_TABLE
sudo ip -4 route delete default table $IP_TABLE

echo === adding IPV4 default route for table $IP_TABLE ...
sudo ip -4 route add default via $GATEWAY_IP4 dev $GATEWAY_IF table $IP_TABLE

echo === adding IPV4 rule for VPN address for table $IP_TABLE ...
sudo ip -4 rule add from $GATEWAY_LOCAL4 table $IP_TABLE

echo === showing IPv4 rules for table $IP_TABLE
ip -4 rule list | grep $IP_TABLE

echo === showing IPv4 routing table for table $IP_TABLE
ip -4 route show table all | grep $IP_TABLE

echo

echo === deleting IPV6 route table $IP_TABLE ...
sudo ip -6 rule del table $IP_TABLE
sudo ip -6 route delete default table $IP_TABLE

echo === adding IPV6 default route for table $IP_TABLE ...
sudo ip -6 route add default dev $GATEWAY_IF table $IP_TABLE

echo === adding IPV6 rule for VPN address for table $IP_TABLE ...
sudo ip -6 rule add from $GATEWAY_LOCAL6 table $IP_TABLE

echo === showing IPv6 rules for table $IP_TABLE
ip -6 rule list | grep $IP_TABLE

echo === showing IPv6 routing table for table $IP_TABLE
ip -6 route show table all | grep $IP_TABLE


 


EDIT 3
Completely missed the last post where you actually provided scripts to try (THANK YOU!). I will test and report back. I thank you for the scripts I've been using these past years.
I note that the route-nopull OpenVPN directive does nothing.

@tranquivox69, from my experiments with Eddie, I can confirm that indeed, Eddie does not honor the route-nopull directive. In my earlier experiments, I was using the standard openvpn binary (the one you can most likely download from your distro's repository), and wrongly assumed that just because the normal openvpn binary honors the route-nopull directive, so would Eddie. For that, I apologize.

1 hour ago, reversevpn said:
@tranquivox69, from my experiments with Eddie, I can confirm that indeed, Eddie does not honor the route-nopull directive. In my earlier experiments, I was using the standard openvpn binary (the one you can most likely download from your distro's repository), and wrongly assumed that just because the normal openvpn binary honors the route-nopull directive, so would Eddie. For that, I apologize.
You really don't need to apologize. Thanks for helping out, as I said I really appreciate it.

For NaDre, after hours of testing I've understood that it's important to run the scripts as administrator. So I tried to follow the process manually.

I ran sudo vpn_gateway_hide.sh before connecting through Eddie.
After Eddie connected I ran sudo vpn_gateway_route.sh
And then I ran sudo vpn_gateway_show.sh

The result is some errors I don't understand but more or less it seemed to be working. Firefox connecting to IPleak was seeing my original IP, qBittorrent bound to the VPN was displaying the VPN address in its torrent check function.
DNS was always the one from AirVPN, though, even in Firefox.

I paste the results of the scripts running below:
 
$ sudo ./vpn_gateway_hide.sh
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0 
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
64.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/2 via 192.168.178.1 dev enp88s0 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.0.0.0/2 via 192.168.178.1 dev enp88s0 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
GATEWAY_IP4=eddie
GATEWAY_IF=link
Device "link" does not exist.
GATEWAY_LOCAL4=
Device "link" does not exist.
GATEWAY_LOCAL6=

=== deleting IPV4 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
=== adding IPV4 default route for table 9999 ...
Error: inet address is expected rather than "eddie".
=== adding IPV4 rule for VPN address for table 9999 ...
Error: inet prefix is expected rather than "table".
=== showing IPv4 rules for table 9999
=== showing IPv4 routing table for table 9999

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
=== adding IPV6 default route for table 9999 ...
Cannot find device "link"
=== adding IPV6 rule for VPN address for table 9999 ...
Error: inet6 prefix is expected rather than "table".
=== showing IPv6 rules for table 9999
=== showing IPv6 routing table for table 9999

$ sudo ./vpn_gateway_show.sh
                         
=== removing routing table entries to show VPN ...
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process

=== IPv4 routing table after ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium

Hope you can make sense of what happens.

I've also tried the application that was suggested previously but it does not build: https://github.com/Intika-Linux-Firewall/App-Route-Jail/issues/1

Looking around I've found this solution with Network Namespaces but it's 4 in the morning and I really, really must get some sleep.
 

On 4/10/2023 at 8:14 PM, tranquivox69 said:
...

Hope you can make sense of what happens.
...

EDIT: There is an updated version of these scripts here:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

I installed eddie. It appears that the output of "ip -4 route show" is different with eddie than with openvpn or wg-quick directly. So the scan for the VPN interface name failed. Try this script instead of vpn_gateway_route:

vpn_gateway_route_eddie
#!/bin/sh

# helper function
token () {
N=$1
shift
eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway IPv4 address and interface name
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
ip -6 addr show dev $GATEWAY_IF
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

IP_TABLE=9999

echo

echo === deleting IPV4 route table $IP_TABLE ...
sudo ip -4 rule del table $IP_TABLE
sudo ip -4 route delete default table $IP_TABLE

echo === adding IPV4 default route for table $IP_TABLE ...
sudo ip -4 route add default dev $GATEWAY_IF table $IP_TABLE

echo === adding IPV4 rule for VPN address for table $IP_TABLE ...
sudo ip -4 rule add from $GATEWAY_LOCAL4 table $IP_TABLE

echo === showing IPv4 rules for table $IP_TABLE
ip -4 rule list | grep $IP_TABLE

echo === showing IPv4 routing table for table $IP_TABLE
ip -4 route show table all | grep $IP_TABLE

echo

echo === deleting IPV6 route table $IP_TABLE ...
sudo ip -6 rule del table $IP_TABLE
sudo ip -6 route delete default table $IP_TABLE

echo === adding IPV6 default route for table $IP_TABLE ...
sudo ip -6 route add default dev $GATEWAY_IF table $IP_TABLE

echo === adding IPV6 rule for VPN address for table $IP_TABLE ...
sudo ip -6 rule add from $GATEWAY_LOCAL6 table $IP_TABLE

echo === showing IPv6 rules for table $IP_TABLE
ip -6 rule list | grep $IP_TABLE

echo === showing IPv6 routing table for table $IP_TABLE
ip -6 route show table all | grep $IP_TABLE

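The token helper in the scripts above reads the third and fifth words of the route line, which is why vpn_gateway_route took "eddie" for the gateway address and "link" for the interface: Eddie's 0.0.0.0/1 route has no "via" clause, as the routing table tranquivox69 posted shows. The following is an added example, not one of NaDre's scripts and not from the wiki, that locates the "via" and "dev" keywords instead of relying on word positions, and then uses the same parser to verify the split with "ip route get": a destination looked up with no source binding must leave via the physical interface, and the same destination looked up from the VPN address must leave via the VPN interface (that is what the "from ... table 9999" rule is for). The destination 1.1.1.1, the function names and the "check" argument are assumptions; the sample route lines in the comments are the ones posted in this thread.

```shell
#!/bin/sh
# Added example (not one of the scripts from the thread): parse "ip route"
# output by keyword instead of by word position, and use it to verify the
# split routing set up by vpn_gateway_hide + vpn_gateway_route.

# Print the word following keyword $2 ("via", "dev", "inet", ...) in $1,
# or nothing if the keyword is absent. Handles both forms seen in the thread:
#   default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
#   0.0.0.0/1 dev eddie scope link
route_field () {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# Strip the prefix length: 10.24.230.243/24 -> 10.24.230.243
host_only () {
    printf '%s\n' "${1%%/*}"
}

# Interface of the 0.0.0.0/1 route that OpenVPN's redirect-gateway and Eddie
# install. Takes the routing table as text so it can be tested without root.
vpn_iface_from_routes () {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0/1" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Live check: traffic with no source binding must leave via the physical NIC,
# traffic sourced from the VPN address must leave via the VPN interface.
# 1.1.1.1 is just an arbitrary public destination (assumption).
check_split () {
    vpn_if=$(vpn_iface_from_routes "$(ip -4 route show)")
    if [ -z "$vpn_if" ]; then
        echo "no 0.0.0.0/1 route found: is the VPN up?" >&2
        return 1
    fi
    vpn_addr=$(host_only "$(route_field "$(ip -4 addr show dev "$vpn_if" | grep 'scope global')" inet)")
    plain_dev=$(route_field "$(ip -4 route get 1.1.1.1)" dev)
    bound_dev=$(route_field "$(ip -4 route get 1.1.1.1 from "$vpn_addr")" dev)
    echo "unbound traffic -> $plain_dev; traffic from $vpn_addr -> $bound_dev"
    [ "$plain_dev" != "$vpn_if" ] && [ "$bound_dev" = "$vpn_if" ]
}

# Only the live check needs root and a connected VPN; the parsing functions
# above can be sourced and exercised on saved "ip route" text.
case "${1:-}" in
    check) check_split ;;
esac
```

Run it as "sudo sh check_split.sh check" after vpn_gateway_hide, connecting, and vpn_gateway_route. It exits non-zero if either lookup comes out on the wrong interface, which is the check worth running before trusting the setup, rather than reasoning about which routes the client installed. It covers IPv4 only; the same two lookups with "ip -6 route get" and the fde6: address from the script output would cover IPv6.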
7 hours ago, NaDre said:

I installed eddie. It appears that the output of "ip -4 route show" is different with eddie than with openvpn or wg-quick directly. So the scan for the VPN interface name failed. Try this script instead of vpn_gateway_route:

vpn_gateway_route_eddie

Ok, tried this new one. I paste the results below. I reactivated IPv6 in Eddie, so as to avoid confusion on that side.
$ sudo ./vpn_gateway_hide.sh
        
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0 
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
64.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/2 via 192.168.178.1 dev enp88s0 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.0.0.0/2 via 192.168.178.1 dev enp88s0 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium




$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0 
0.0.0.0/1 dev eddie scope link 
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
10.24.230.0/24 dev eddie proto kernel scope link src 10.24.230.243 
64.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/1 dev eddie scope link 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.0.0.0/2 via 192.168.178.1 dev enp88s0 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 
213.152.161.25 dev eddie scope link 
213.152.161.27 via 192.168.178.1 dev enp88s0 
GATEWAY_IF=eddie
4: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.24.230.243/24 scope global eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.24.230.243/24
4: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet6 fde6:7a:7d20:14e6::10f1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::895b:5113:eb:6da8/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fde6:7a:7d20:14e6::10f1/64

=== deleting IPV4 route table 9999 ...
Error: argument "9999" is wrong: invalid table ID

Error: FIB table does not exist.
./vpn_gateway_route.sh: 38: : not found
=== adding IPV4 default route for table 9999 ...
=== adding IPV4 rule for VPN address for table 9999 ...
Error: inet prefix is expected rather than "OCAL4".
=== showing IPv4 rules for table 9999
=== showing IPv4 routing table for table 9999
default dev eddie table 9999 scope link 

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
./vpn_gateway_route.sh: 56: : not found
=== adding IPV6 default route for table 9999 ...
=== adding IPV6 rule for VPN address for table 9999 ...
=== showing IPv6 rules for table 9999
./vpn_gateway_route.sh: 65: : not found
=== showing IPv6 routing table for table 9999
default dev eddie table 9999 metric 1024 pref medium




$ sudo ./vpn_gateway_show.sh

=== removing routing table entries to show VPN ...

=== IPv4 routing table after ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

Still some errors on the "route" script, apparently. Still AirVPN DNS being used (don't know if that's normal, I mention it because that was not the case with your scripts in Windows).

Edit: tried looking at the scripts... you declare the $IP_TABLE variable to be 9999 but immediately after that 9999 is refused as an invalid table ID. Unfortunately here is where I really get lost. 😕

3 hours ago, tranquivox69 said:
...
Still some errors on the "route" script, apparently. Still AirVPN DNS being used (don't know if that's normal, I mention it because that was not the case with your scripts in Windows).

Are you sure the script you have exactly matches the one I provided? The "OCAL4" message suggests that something went wrong in transcription. What Linux variant are you using? If you run "ip" or "grep" without the full file name, does it work?

That script definitely works with Eddie for me. Your output does show that it determined the VPN interface name and IP addresses OK. Something must have gotten mangled in the rest of the script when you copied it. The line numbers are blank lines in my copy.

For DNS you need to tell Eddie not to change the DNS. You must have done that in Windows. But if the DNS is not reachable via AirVPN (e.g. your ISP blocks outside access) then when you "show" the VPN gateway domain name resolution will fail. You could set the DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) or Google (8.8.8.8).

 

1 minute ago, NaDre said:

Are you sure the script you have exactly matches the one I provided? The "OCAL4" message suggests that something went wrong in transcription. What Linux variant are you using? If you run "ip" or "grep" without the full file name, does it work?

That script definitely works with Eddie for me. Your output does show that it determined the VPN interface name and IP addresses OK. Something must have gotten mangled in the rest of the script when you copied it. The line numbers are blank lines in my copy.

For DNS you need to tell Eddie not to change the DNS. You must have done that in Windows. But if the DNS is not reachable via AirVPN (e.g. your ISP blocks outside access) then when you "show" the VPN gateway domain name resolution will fail. You could set the DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) or Google (8.8.8.8).

 
I suspected problems in copying and I double checked. But I will triple check because I slept less than five hours and that's not conducive to doing things well.
I'll report back.


I installed Kdiff3 to compare the script I was using to a new cut and paste from here.

There was no text difference but the program was still showing 5 differences in empty spaces... I redid the cut and paste and now it appears to be working. This will probably remain a mystery to me, as I did exactly the same thing before... 😕

Here's the result, I don't know what to make of those RTNETLINK answers... don't know if they could signal a problem or what. From my point of view, things seem to be working ok.

Now I "just" need to understand why Eddie isn't executing scripts as sudo, considering there's a service giving it elevated privileges... and find a way to bind apps that don't have the option to do it to the VPN interface. At least Firefox for anonymous (close to) navigation would be nice.


$ sudo ./vpn_gateway_hide.sh
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0 
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
64.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/2 via 192.168.178.1 dev enp88s0 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.0.0.0/2 via 192.168.178.1 dev enp88s0 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium



$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0 
0.0.0.0/1 dev eddie scope link 
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100 
10.24.230.0/24 dev eddie proto kernel scope link src 10.24.230.243 
64.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/2 via 192.168.178.1 dev enp88s0 
128.0.0.0/1 dev eddie scope link 
169.254.0.0/16 dev enp88s0 scope link metric 1000 
192.0.0.0/2 via 192.168.178.1 dev enp88s0 
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100 
213.152.161.25 dev eddie scope link 
213.152.161.27 via 192.168.178.1 dev enp88s0 
GATEWAY_IF=eddie
8: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.24.230.243/24 scope global eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.24.230.243/24
8: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet6 fde6:7a:7d20:14e6::10f1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::aecf:1543:e75d:47a8/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fde6:7a:7d20:14e6::10f1/64

=== deleting IPV4 route table 9999 ...
RTNETLINK answers: No such process
=== adding IPV4 default route for table 9999 ...
=== adding IPV4 rule for VPN address for table 9999 ...
=== showing IPv4 rules for table 9999
32765:	from 10.24.230.243/24 lookup 9999
=== showing IPv4 routing table for table 9999
default dev eddie table 9999 scope link 

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
=== adding IPV6 default route for table 9999 ...
=== adding IPV6 rule for VPN address for table 9999 ...
=== showing IPv6 rules for table 9999
32765:	from fde6:7a:7d20:14e6::10f1/64 lookup 9999
=== showing IPv6 routing table for table 9999
default dev eddie table 9999 metric 1024 pref medium

18 minutes ago, tranquivox69 said:

...
Here's the result, I don't know what to make of those RTNETLINK answers... don't know if they could signal a problem or what. From my point of view, things seem to be working ok.

Now I "just" need to understand why Eddie isn't executing scripts as sudo, considering there's a service giving it elevated privileges... and find a way to bind apps that don't have the option to do it to the VPN interface. At least Firefox for anonymous (close to) navigation would be nice.

...


The RTNETLINK messages are because the script removes anything left over from a previous run first. Expected on first run.


Those scripts expect your user ID to be able to "sudo" without a prompt. In Debian you can set this up by running the following as root:

echo "user_name  ALL = NOPASSWD: ALL" > /etc/sudoers.d/allow_user_name
chmod 0440 /etc/sudoers.d/allow_user_name
Replace "user_name" with the user ID.  Use "man sudo.conf" and poke around in /etc to see where the config files for sudo are. You may have to modify that.

Some people may feel that is too broad. Ubuntu does this by default. Or used to anyway.

I have an LD_PRELOAD script that I use to force things to bind:

https://github.com/tool-maker/forceIP

But for a browser you can run squid bound to the VPN interface and then have the browser use squid as an HTTP proxy. There is an example script for running squid this way at the end of this:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway



 

16 minutes ago, NaDre said:

The RTNETLINK messages are because the script removes anything left over from a previous run first. Expected on first run.


Those scripts expect your user ID to be able to "sudo" without a prompt. In Debian you can set this up by running the following as root:


echo "user_name  ALL = NOPASSWD: ALL" > /etc/sudoers.d/allow_user_name
chmod 0440 /etc/sudoers.d/allow_user_name
Replace "user_name" with the user ID. Use "man sudo.conf" and poke around in /etc to see where the config files for sudo are. You may have to modify that.

Some people may feel that is too broad. Ubuntu does this by default. Or used to anyway.

I have an LD_PRELOAD script that I use to force things to bind:

https://github.com/tool-maker/forceIP

But for a browser you can run squid bound to the VPN interface and then have the browser use squid as an HTTP proxy. There is an example script for running squid this way at the end of this:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway

You previously mentioned users willing to learn, and I just ended up configuring my user (which Eddie uses) to be able to use those scripts with sudo privileges, through a sudo visudo configuration: tranquivox ALL=/home/tranquivox/Documents/VPNscripts/vpn_gateway_hide.sh

Three lines with the three scripts, launched Eddie through the terminal (which shows what happens with Events) and everything went flawlessly.

I will now read about the solutions you mention for binding programs to a specific interface.
I don't know how to express my gratitude. If you have a PayPal somewhere, which I could donate to, I'd like to offer you at least a beer. Thanks, really.

46 minutes ago, tranquivox69 said:
...
Three lines with the three scripts, launched Eddie through the terminal (which shows what happens with Events) and everything went flawlessly.
...
I will now read about the solutions you mention for binding programs to a specific interface.
..

Maybe you should explain where you plugged the scripts into Eddie events for the benefit of others who may be following this.

The output from the LD_PRELOAD shim may be a bit ugly. It is really a work in progress. And always will be. I want information from it about the behavior of a program I apply it to.
43 minutes ago, NaDre said:

Maybe you should explain where you plugged the scripts into Eddie events for the benefit of others who may be following this.

The output from the LD_PRELOAD shim may be a bit ugly. It is really a work in progress. And always will be. I want information from it about the behavior of a program I apply it to.

Sorry, I am sure I wrote about Events but I can sum it up (maybe it got deleted when I removed tonight's stream of consciousness).

Under Eddie Settings/Events I put

vpn_gateway_hide.sh under Session Start
vpn_gateway_route.sh under VPN Up
vpn_gateway_show.sh under Session End

As mentioned, I needed to grant my user permissions to execute those scripts without password (they contain sudo instructions). I did that through sudo visudo, adding three lines I mentioned in this post (substitute user name with yours).

Now I'm kinda fighting with squid and your script. Instructions are not newbie friendly.
I installed squid but when I try to run it to see options it states that it's already running. From what I understand, your script is an executable bash script where we have to put in our relevant values. But it's not very clear what the values are... I mean, for a regular connection my gateway is my router address at 192.168.178.1, but how can I find out the IPv6 gateway and how can I find the gateways for AirVPN IPv4 and IPv6? I suppose for IPv4 it could be 10.24.230.0.

And I would expect the gateway to be relevant for the script, while, from your example, you put in there 10.44.0.2 and fc00:44::2, which seem to me to be the IP addresses the VPN assigns and not the gateway. Since those potentially change at every connection, it would mean needing to update the script every time. But that doesn't seem to be what you refer to.

After this, I suppose you run the script and then run a browser where you configured squid as proxy. But searches for "configuring proxy firefox squid" are not very productive, so far. And now I sound like a whiny baby... 😞

EDIT
I think I understand some more. Your script creates a configuration file for squid. It places it in a temporary directory and then pushes it to squid, first killing it and then relaunching it, if I get it right.
The mystery remains as to where the addresses in the four outgoing addresses entries come from.

And also, is this something we need to launch every time or, with squid being a service, once it's configured it will work with those parameters until we change them, for whatever reason?

As for Firefox... I found this


Which leads me back to what addresses to use...

28 minutes ago, tranquivox69 said:
...

Now I'm kinda fighting with squid and your script. Instructions are not newbie friendly.
I installed squid but when I try to run it to see options it states that it's already running. From what I understand, your script is an executable bash script where we have to put in our relevant values. But it's not very clear what the values are... I mean, for a regular connection my gateway is my router address at 192.168.178.1, but how can I find out the IPv6 gateway and how can I find the gateways for AirVPN IPv4 and IPv6? I suppose for IPv4 it could be 10.24.230.0.

And I would expect the gateway to be relevant for the script, while, from your example, you put in there 10.44.0.2 and fc00:44::2, which seem to me to be the IP addresses the VPN assigns and not the gateway. Since those potentially change at every connection, it would mean needing to update the script every time. But that doesn't seem to be what you refer to.

After this, I suppose you run the script and then run a browser where you configured squid as proxy. But searches for "configuring proxy firefox squid" are not very productive, so far. And now I sound like a whiny baby... 😞

The script was meant to be used with the framework the scripts in that wiki page established. Those scripts set up alias addresses for the VPN interface so that they appear to never change. I could probably expand the vpn_gateway_route script to incorporate that. Then I could include all of this stuff in that page. But I won't be able to do this for a few hours.

The alternative would be to add stuff to the squid script that detects the addresses to use first. At this moment this does not appeal to me. Maybe you want to give it a try? The code at the start of the vpn_gateway_route script does this.

For now how about just "show" the VPN gateway when you want to browse via the VPN. And then "hide" it when you are done?

It says that squid is running because it is running. When installed it probably set up a daemon that runs at boot. In Debian I do this after I install squid:

# confirm that the packaged squid daemon is running
sudo ps -ef | grep squid -

# stop the daemon (takes about 30 seconds)
sudo systemctl stop squid

# confirm that it is gone
sudo ps -ef | grep squid -

# keep it from starting again at boot
sudo systemctl disable squid

After that the daemon will not be running and won't start at boot. I don't know if that will work in your distro.

For firefox network settings this looks about right:

https://support.mozilla.org/en-US/kb/connection-settings-firefox

You might want a separate profile for using squid. This looks good:

https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles

1 hour ago, NaDre said:

The script was meant to be used with the framework the scripts in that wiki page established. Those scripts set up alias addresses for the VPN interface so that they appear to never change. I could probably expand the vpn_gateway_route script to incorporate that. Then I could include all of this stuff in that page. But I won't be able to do this for a few hours.

The alternative would be to add stuff to the squid script that detects the addresses to use first. At this moment this does not appeal to me. Maybe you want to give it a try? The code at the start of the vpn_gateway_route script does this.

Got family dinner in an hour or so. My tries would probably be hilarious 😃. Which does not mean I couldn't try; I actually don't exclude that, I'm too stubborn for my own good, but in this case... I come to Linux after thirty-plus years of Windows, I'm way, way, way over my head, believe me.
1 hour ago, NaDre said:

For firefox network settings this looks about right:

https://support.mozilla.org/en-US/kb/connection-settings-firefox

Oh, so squid "becomes" the system proxy. I thought it required specific addresses in that space.
1 hour ago, NaDre said:

You might want a separate profile for using squid. This looks good:

https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles

This is a good suggestion, I might take it into consideration. In Windows I used Firefox only through VPN (launching it with ForceBindIP) and Chrome for the rare occasions when I wanted to go outside (or websites, sadly, misbehaved with FF).
1 hour ago, NaDre said:

For now how about just "show" the VPN gateway when you want to browse via the VPN. And then "hide" it when you are done?

With a 24/7 (hopefully) torrent client going, that's not something I could do. Or... hmmm... don't know how I could combine the scripts. I mean, the VPN would stay up, the torrent client is bound to it, so no, I wouldn't be exposing my IP. But after I run gateway_route can I run gateway_show while the VPN is still up? And if I later run gateway_hide, does it hide it once more for the whole system? Is that how it works?

1 hour ago, NaDre said:

After that the daemon will not be running and won't start at boot. I don't know if that will work in your distro.


Yes, it installed a daemon. And I thought the bash script interacted with that. Instead, from what you state, it just launches the binary. But then how would I stop it? In any case, I stopped it and disabled it.


I said I was stubborn... and you prompted me in a useful direction.

So I looked at the results of vpn_gateway_route and I saw the values I needed for gateway.

Resulting squid_vpn script:
 

#!/bin/bash

# listening port for squid; defaults to 3128 when no argument is given
PORT=$1
if [ "$PORT" == "" ]; then PORT=3128; fi

# name used for the generated config file, PID file and squid service instance
NAME=squid_vpn_${PORT}

mkdir -p ~/tmp > /dev/null

# write a minimal squid.conf: all outgoing TCP and UDP (DNS) traffic leaves from
# the VPN addresses, and only clients on localhost are allowed to use the proxy
cat <<EOF >~/tmp/${NAME}.conf
tcp_outgoing_address 10.24.230.243
tcp_outgoing_address fde6:7a:7d20:14e6::10f1
udp_outgoing_address 10.24.230.243
udp_outgoing_address fde6:7a:7d20:14e6::10f1
# quad9 DNS
#dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete
EOF

# show the generated configuration
cat ~/tmp/${NAME}.conf

pushd ~/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
# stop any instance left over from a previous run (complains if none is running),
# then start squid in the foreground (-N) under a per-port service name
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null

I ran it through the terminal, to see how it reacted. This is the output:
 
SQUID_RUN=/usr/sbin/squid
2023/04/11 19:51:59| FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open
2023/04/11 19:51:59| Current Directory is /home/tranquivox/tmp
2023/04/11 19:51:59| Starting Squid Cache version 5.2 for x86_64-pc-linux-gnu...
2023/04/11 19:51:59| Service Name: SQUID3128
2023/04/11 19:51:59| Process ID 19401
2023/04/11 19:51:59| Process Roles: master worker
2023/04/11 19:51:59| With 1024 file descriptors available
2023/04/11 19:51:59| Initializing IP Cache...
2023/04/11 19:51:59| DNS Socket created at [fde6:7a:7d20:14e6::10f1], FD 8
2023/04/11 19:51:59| Adding nameserver 1.1.1.1 from squid.conf
2023/04/11 19:51:59| Adding nameserver 1.0.0.1 from squid.conf
2023/04/11 19:51:59| Adding nameserver 2606:4700:4700::1111 from squid.conf
2023/04/11 19:51:59| Adding nameserver 2606:4700:4700::1001 from squid.conf
2023/04/11 19:51:59| Logfile: opening log stdio:/dev/stdout
2023/04/11 19:51:59| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/04/11 19:51:59| Store logging disabled
2023/04/11 19:51:59| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/04/11 19:51:59| Target number of buckets: 1008
2023/04/11 19:51:59| Using 8192 Store buckets
2023/04/11 19:51:59| Max Mem  size: 262144 KB
2023/04/11 19:51:59| Max Swap size: 0 KB
2023/04/11 19:51:59| Using Least Load store dir selection
2023/04/11 19:51:59| Current Directory is /home/tranquivox/tmp
2023/04/11 19:51:59| Finished loading MIME types and icons.
2023/04/11 19:51:59| HTCP Disabled.
2023/04/11 19:51:59| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/04/11 19:51:59| Pinger socket opened on FD 12
2023/04/11 19:51:59| Squid plugin modules loaded: 0
2023/04/11 19:51:59| Adaptation support is off.
2023/04/11 19:51:59| Accepting HTTP Socket connections at conn2 local=127.0.0.1:3128 remote=[::] FD 10 flags=9
2023/04/11 19:51:59| pinger: Initialising ICMP pinger ...
2023/04/11 19:51:59| pinger: ICMP socket opened.
2023/04/11 19:51:59| pinger: ICMPv6 socket opened
2023/04/11 19:52:00| storeLateRelease: released 0 objects
2023/04/11 19:54:17| idnsSendQuery FD -1: sendto: (0) No error.
    current master transaction: master53

Final line repeats periodically. Now... like this, fatal error notwithstanding, it doesn't work with FF configured with system proxy but it does work (apparently) with manual configuration to 127.0.0.1 and port 3128. IPleak says I have the VPN address in FF and the normal ISP address in Chromium (with no proxy configured). AirVPN website sees me connected to VPN as well.

Now this is not automated in any way and I don't even know how I could stop it from running if I launched it normally and not through the terminal. Plus the fatal error, warnings, etc. But it seems a step in the right direction.

Edit: I'm also suspecting DNS leaks, as IPleak shows DNS from all over the place, both VPN, my original country, another country... a wild mix.

Forgot to say, while the script is running in terminal I have these two processes running, don't know if that's the expected behavior:




1 hour ago, tranquivox69 said:

I said I was stubborn... and you prompted me in a useful direction.

So I looked at the results of vpn_gateway_route and I saw the values I needed for gateway.

Resulting squid_vpn script:
...
it through the terminal, to see how it reacted. This is the output:

...
Final line repeats periodically. Now... like this, fatal error notwithstanding, it doesn't work with FF configured with system proxy but it does work (apparently) with manual configuration to 127.0.0.1 and port 3128. IPleak says I have the VPN address in FF and the normal ISP address in Chromium (with no proxy configured). AirVPN website sees me connected to VPN as well.

Now this is not automated in any way and I don't even know how I could stop it from running if I launched it normally and not through the terminal. Plus the fatal error, warnings, etc. But it seems a step in the right direction.

Edit: I'm also suspecting DNS leaks, as IPleak shows DNS from all over the place, both VPN, my original country, another country... a wild mix.

Forgot to say, while the script is running in terminal I have these two processes running, don't know if that's the expected behavior:

...

It looks about right to me.

The warning about suid is OK. A squid idiosyncrasy.

Those DNS servers are probably all Cloudflare exit points. Do "whois" on a few of them.

Ctrl-c will stop squid more gracefully than closing the terminal window. Why does it need to launch automatically and run all of the time? Why not run it just when you want to browse via the VPN? What is wrong with it being in a terminal window? You want it to be invisible? This could be done using "screen". It could even be launched from Eddie. But why? Maybe just keep it simple?

I also encouraged you to take the code from vpn_gateway_route that detects the VPN addresses and put it in the squid script. Then $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 go where the hard-coded addresses are right now.
3 hours ago, NaDre said:

The warning about suid is OK. A squid idiosyncrasy.


Even this?
FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open
 
3 hours ago, NaDre said:

Those DNS servers are probably all Cloudflare exit points. Do "whois" on a few of them.


Indeed they are, IPLeak openly states so. The "strange" thing is that while under VPN "normally" I only see DNSs from the country the VPN exits to, whereas using squid they're from all over Europe.
 
3 hours ago, NaDre said:

Ctrl-c will stop squid more gracefully than closing the terminal window. Why does it need to launch automatically and run all of the time? Why not run it just when you want to browse via the VPN? What is wrong with it being in a terminal window? You want it to be invisible? This could be done using "screen". It could even be launched from Eddie. But why? Maybe just keep it simple?


I don't know, simple aesthetics... life is confusing enough without an extra window on my desktop which I need to be careful about.
In any case, I've modified the squid daemon to use the generated .conf file, re-enabled it and everything works. It runs in the background, now I'm gonna do a second profile in FF, using the proxy and I can alternate between the two without thinking about it. Do you see any logic fallacy in this approach?

Edit: even simpler! https://addons.mozilla.org/en-US/firefox/addon/proxy-toggle-button/ this on FF toolbar. Click VPN connection, click ISP connection. Love it!
 
3 hours ago, NaDre said:

I also encouraged you to take the code from vpn_gateway_route that detects the VPN addresses and put it in the squid script. Then $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 go where the hard-coded addresses are right now.


Tried that, unfortunately my non-existent programming skills hit a wall when $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 contain the right address, followed by /somenumbers (which are probably IP routing stuff, see how ignorant I am...). I am sure there's an easy trick to cut from and including the forward slash, maybe a regular expression... but I'm not knowledgeable in this regard.
5 hours ago, tranquivox69 said:
...
With a 24/7 (hopefully) torrent client going, that's not something I could do. Or... hmmm... don't know how I could combine the scripts. I mean, the VPN would stay up, torrent client is bound to it, so no, I wouldn't be exposing my IP. But after i run gateway_route can I run gateway_show while VPN is still up? And if I later run gateway_hide it hides it once more for the whole system? Is that how it works?

I missed this post.

Yes. That is how it works. In Windows too. You can flip the default gateway between the VPN and the real one any time you want and the torrent client will not notice. It uses the VPN regardless.

You said you usually use the VPN to browse with a few exceptions. Then you don't need this squid thing. And you probably don't want to have vpn_gateway_hide run when you start the VPN in Eddie. Just run it when you want to browse without the VPN for a while.
1 hour ago, NaDre said:

You said you usually use the VPN to browse with a few exceptions. Then you don't need this squid thing. And you probably don't want to have vpn_gateway_hide run when you start the VPN in Eddie. Just run it when you want to browse without the VPN for a while.

Oh, no, I need it for services that need to be reachable from outside the local network.

But, apart from that FATAL thing I mention above, which leaves me uneasy, everything is now working like I want. The proxy toggle extension is absolutely handy. The service runs in the background, I don't even notice it. It seems all is good. Just need to recheck the sudo permissions for those scripts because when I rebooted earlier they seemed not to be in effect. Then I relaunched sudo visudo to check, nothing needed to be changed, I exited without saving the file (I did not modify it after all) and then they were working once more. I checked to see that I wasn't running Windows 😅

EDIT: celebrated too early. While the proxy toggle works like a beauty, the service I installed has a problem. The gateways change according to which AirVPN server one connects to, as such I can't hard code addresses in a fixed .conf file. So it's impossible to run it (or the simple bash script) before being connected to AirVPN. At that point one has to find out the gateways (see above where I stop in trying to automate that process), fill in the numbers and run the script.

3 hours ago, tranquivox69 said:
...
EDIT: celebrated too early. While the proxy toggle works like a beauty, the service I installed has a problem. The gateways change according to which AirVPN server one connects to, as such I can't hard code addresses in a fixed .conf file. So it's impossible to run it (or the simple bash script) before being connected to AirVPN. At that point one has to find out the gateways (see above where I stop in trying to automate that process), fill in the numbers and run the script.

I'll have some time tomorrow. I'll make the changes to the script I was trying to lead you through, so it determines the addresses. Can't right now though.
On 4/11/2023 at 8:30 PM, NaDre said:

I'll have some time tomorrow. I'll make the changes to the script I was trying to lead you through, so it determines the addresses. Can't right now though.
 

I have a script for you to try. I have tested to be sure it runs. But I have not connected a browser to it. There was a complication in the scanning that I probably could not expect you to work out.

EDIT: There is an updated version of these scripts here:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

The message "FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid ..." is because it attempts to stop any already running version of itself. Normal if it is not already running.

vpn_gateway_squid
#!/bin/bash

PORT=$1
if [ "$PORT" = "" ]; then PORT=3128; fi

# helper function
token () {
N=$1
shift
eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway IPv4 address and interface name
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
GATEWAY_LOCAL4=${GATEWAY_LOCAL4%%/*}
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
ip -6 addr show dev $GATEWAY_IF
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
GATEWAY_LOCAL6=${GATEWAY_LOCAL6%%/*}
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

NAME=squid_vpn_${PORT}

mkdir -p ~/tmp > /dev/null

cat <<EOF >~/tmp/${NAME}.conf
tcp_outgoing_address $GATEWAY_LOCAL4
tcp_outgoing_address $GATEWAY_LOCAL6
udp_outgoing_address $GATEWAY_LOCAL4
udp_outgoing_address $GATEWAY_LOCAL6
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete
EOF

echo
echo === contents of squid configuration file ...

cat ~/tmp/${NAME}.conf

echo
echo === starting squid ...

pushd ~/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null

echo
echo === ... squid has stopped

I ran it in a VM. I stopped it with ctrl-c. Here is the output I got.
=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 10.0.2.1 dev enp0s3 
0.0.0.0/1 dev Eddie scope link 
default via 10.0.2.1 dev enp0s3 proto dhcp metric 100 
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.4 metric 100 
64.0.0.0/2 via 10.0.2.1 dev enp0s3 
128.0.0.0/2 via 10.0.2.1 dev enp0s3 
128.0.0.0/1 dev Eddie scope link 
169.254.0.0/16 dev enp0s3 scope link metric 1000 
192.0.0.0/2 via 10.0.2.1 dev enp0s3 
213.152.186.18 via 10.0.2.1 dev enp0s3 
213.152.186.19 dev Eddie scope link 
GATEWAY_IF=Eddie
3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.130.176.43/32 scope global Eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.130.176.43
3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet6 fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c/128 scope global 
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c

=== contents of squid configuration file ...
tcp_outgoing_address 10.130.176.43
tcp_outgoing_address fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c
udp_outgoing_address 10.130.176.43
udp_outgoing_address fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:3128
pid_filename /home/user/tmp/squid_vpn_3128.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete

=== starting squid ...
SQUID_RUN=/usr/sbin/squid
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| FATAL: failed to open /home/user/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open

2023/04/11 21:33:02| Created PID file (/home/user/tmp/squid_vpn_3128.pid)
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| Starting Squid Cache version 4.13 for x86_64-pc-linux-gnu...
2023/04/11 21:33:02| Service Name: SQUID3128
2023/04/11 21:33:02| Process ID 5787
2023/04/11 21:33:02| Process Roles: master worker
2023/04/11 21:33:02| With 1024 file descriptors available
2023/04/11 21:33:02| Initializing IP Cache...
2023/04/11 21:33:02| DNS Socket created at [fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c], FD 3
2023/04/11 21:33:02| Adding nameserver 9.9.9.9 from squid.conf
2023/04/11 21:33:02| Adding nameserver 149.112.112.112 from squid.conf
2023/04/11 21:33:02| Adding nameserver 2620:fe::fe from squid.conf
2023/04/11 21:33:02| Adding nameserver 2620:fe::9 from squid.conf
2023/04/11 21:33:02| Logfile: opening log stdio:/dev/stdout
2023/04/11 21:33:02| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/04/11 21:33:02| Store logging disabled
2023/04/11 21:33:02| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/04/11 21:33:02| Target number of buckets: 1008
2023/04/11 21:33:02| Using 8192 Store buckets
2023/04/11 21:33:02| Max Mem  size: 262144 KB
2023/04/11 21:33:02| Max Swap size: 0 KB
2023/04/11 21:33:02| Using Least Load store dir selection
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| Finished loading MIME types and icons.
2023/04/11 21:33:02| HTCP Disabled.
2023/04/11 21:33:02| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/04/11 21:33:02| Pinger socket opened on FD 12
2023/04/11 21:33:02| Squid plugin modules loaded: 0
2023/04/11 21:33:02| Adaptation support is off.
2023/04/11 21:33:02| Accepting HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 10 flags=9
2023/04/11 21:33:02| pinger: Initialising ICMP pinger ...
2023/04/11 21:33:02| pinger: ICMP socket opened.
2023/04/11 21:33:02| pinger: ICMPv6 socket opened
2023/04/11 21:33:03| storeLateRelease: released 0 objects
^C2023/04/11 21:34:28| Preparing for shutdown after 0 requests
2023/04/11 21:34:28| Waiting 0 seconds for active connections to finish
2023/04/11 21:34:28| Closing HTTP(S) port 127.0.0.1:3128
2023/04/11 21:34:28| Closing Pinger socket on FD 12
2023/04/11 21:34:29| Shutdown: NTLM authentication.
2023/04/11 21:34:29| Shutdown: Negotiate authentication.
2023/04/11 21:34:29| Shutdown: Digest authentication.
2023/04/11 21:34:29| Shutdown: Basic authentication.
2023/04/11 21:34:30| Shutting down...
2023/04/11 21:34:30| storeDirWriteCleanLogs: Starting...
2023/04/11 21:34:30|   Finished.  Wrote 0 entries.
2023/04/11 21:34:30|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.028 seconds = 0.028 user + 0.000 sys
Maximum Resident Size: 92496 KB
Page faults with physical i/o: 3
2023/04/11 21:34:30| Logfile: closing log stdio:/dev/stdout
2023/04/11 21:34:30| Open FD UNSTARTED     0 stdin
2023/04/11 21:34:30| Open FD UNSTARTED     1 stdout
2023/04/11 21:34:30| Open FD UNSTARTED     2 stderr
2023/04/11 21:34:30| Squid Cache (Version 4.13): Exiting normally.
2023/04/11 21:34:30| Removing PID file (/home/user/tmp/squid_vpn_3128.pid)

=== ... squid has stopped
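As an added example (not NaDre's vpn_gateway_squid script and not code from the thread), here is the address scan from that script, and the "cut at the forward slash" trick asked about earlier, redone as small shell functions that run against constructed copies of the ip output posted above, so the logic can be checked offline before pointing it at a live interface. It goes a little beyond the script: a family with no global address is skipped instead of producing an empty outgoing line, and a missing 0.0.0.0/1 route is treated as an error instead of an empty interface name. The function names, the fe80:: link-local line and the error handling are my own.

```shell
#!/bin/sh
# Added example, not the thread's own script. Sample text below is copied from
# the VM output in the thread; the fe80:: link-local line is constructed.

SAMPLE_ROUTE4='0.0.0.0/2 via 10.0.2.1 dev enp0s3
0.0.0.0/1 dev Eddie scope link
default via 10.0.2.1 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.4 metric 100
128.0.0.0/1 dev Eddie scope link'

SAMPLE_ADDR4='3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.130.176.43/32 scope global Eddie
       valid_lft forever preferred_lft forever'

SAMPLE_ADDR6='3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet6 fe80::1c2d:3e4f:5a6b:7c8d/64 scope link
    inet6 fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c/128 scope global
       valid_lft forever preferred_lft forever'

# vpn_interface ROUTE_TEXT
# Print the interface of the 0.0.0.0/1 route (the "half default" that the VPN
# client installs), or nothing when there is no such route.
vpn_interface() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# global_address ADDR_TEXT FAMILY
# First "scope global" address of FAMILY (inet or inet6) with the prefix length
# removed. Link-local lines (scope link) are ignored, as "grep global" did.
global_address() {
    printf '%s\n' "$1" | awk -v fam="$2" '
        $1 == fam && /scope global/ { sub(/\/.*/, "", $2); print $2; exit }'
}

# strip_prefix ADDR/LEN
# The ${var%%/*} idiom: drop the first "/" and everything after it.
strip_prefix() {
    printf '%s\n' "${1%%/*}"
}

# squid_outgoing V4 V6
# Render the tcp_/udp_outgoing_address lines. A family with no address is
# skipped rather than written as an empty value, which squid would reject.
squid_outgoing() {
    v4=$1; v6=$2; out=""
    [ -n "$v4" ] && out="${out}tcp_outgoing_address ${v4}
udp_outgoing_address ${v4}
"
    [ -n "$v6" ] && out="${out}tcp_outgoing_address ${v6}
udp_outgoing_address ${v6}
"
    printf '%s' "$out"
}

# Run the scan on the samples. On a live system the samples would be replaced by
# "$(ip -4 route show)", "$(ip -4 addr show dev "$IF")" and "$(ip -6 addr show dev "$IF")".
main() {
    IF=$(vpn_interface "$SAMPLE_ROUTE4")
    if [ -z "$IF" ]; then
        echo "no 0.0.0.0/1 route found: VPN is not up, refusing to write a config" >&2
        return 1
    fi
    V4=$(global_address "$SAMPLE_ADDR4" inet)
    V6=$(global_address "$SAMPLE_ADDR6" inet6)
    echo "GATEWAY_IF=$IF GATEWAY_LOCAL4=$V4 GATEWAY_LOCAL6=$V6"
    squid_outgoing "$V4" "$V6"
}

main
```

Refusing to write the config when the scan finds nothing matters here: with empty outgoing addresses squid would fall back to the real interface, which is exactly the leak the whole setup is meant to prevent.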

4 hours ago, NaDre said:

I have a script for you to try. I have tested to be sure it runs. But I have not connected a browser to it. There was a complication in the scanning that I probably could not expect you to work out.


The forum software managed to mangle your code in invisible ways. Copying it and pasting produced a mysterious "command not found in line 39"... and line 39 in the script is empty. Thank god for FF's dev tools, I managed to avoid retyping it all. 🙂

Script appears to be working perfectly. I'm now working on a solution to automate everything. I'll report back but I'm hopeful.
