NaDre 157 Posted ...

1 hour ago, reversevpn said: I wonder though, why do you hide the VPN's routing table entries instead of just not pulling them in at all? If they are hidden anyway, what good does it do for them to enter the routing table in the first place?

In the scripts I provide in the wiki the VPN routing table entries are suppressed entirely. But those call and configure the openvpn or wireguard client program directly. They don't use Eddie.

If someone wants to use Eddie without trying to control the openvpn or wireguard client inside it (i.e. just the way it comes), then the VPN will attempt to install its gateway as the default. You could just remove them afterwards. But a user may want to put them back again later in order to use the VPN with their browser. So you would need a script to remove and another to reinstall the VPN gateway.

Also, I prefer not to let the VPN be the default gateway even for a brief moment. If I hide the VPN gateway before I start the VPN, then it will never be the default. And this is how the Windows scripts I provided work. So it should be familiar to tranquivox69.
NaDre 157 Posted ...

On 4/10/2023 at 9:40 AM, NaDre said: Of course those came originally from the wiki I wrote on github. I guess the scripts I posted there for Linux are not appealing because they do not use Eddie. ... Then you could bind qbittorrent to the VPN interface for OpenVPN or to the VPN address for Wireguard. ...

I have tested these with OpenVPN with it trying to change the default gateway. Not Wireguard or Eddie though. Give them a try?

vpn_gateway_route is the one that runs after the VPN is up and vpn_gateway_hide has been run, to set up source address routing.

EDIT: There is an updated version of these scripts here: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

You can give them a quick test using curl:

curl -4 icanhazip.com
curl -4 --interface tun0 icanhazip.com
curl -6 icanhazip.com
curl -6 --interface tun0 icanhazip.com

vpn_gateway_hide

#!/bin/sh
# helper function: print the Nth whitespace-separated token of the remaining arguments
token () {
  N=$1
  shift
  eval echo \$${N}
}
echo === adding routing table entries to hide VPN ...
echo
echo === IPv4 routing table before ...
ip -4 route
echo
echo === IPv6 routing table before ...
ip -6 route
echo
echo === scanning routing table to set gateway variables ...
echo
echo === IPv4 gateway ...
# determine IPv4 gateway IP address and interface name
ROUTE4=`ip -4 route show default`
#echo ROUTE4=$ROUTE4
GATEWAY_IP4=`token 3 $ROUTE4`
echo GATEWAY_IP4=$GATEWAY_IP4
GATEWAY_IF4=`token 5 $ROUTE4`
echo GATEWAY_IF4=$GATEWAY_IF4
echo
echo === IPv6 gateway ...
ROUTE6=`ip -6 route show default`
#echo ROUTE6=$ROUTE6
GATEWAY_IP6=`token 3 $ROUTE6`
echo GATEWAY_IP6=$GATEWAY_IP6
GATEWAY_IF6=`token 5 $ROUTE6`
echo GATEWAY_IF6=$GATEWAY_IF6
echo
echo === adding entries to IPv4 routing table ...
# to override standard IPv4 gateway entries
# (four /2 routes are more specific than the two /1 routes the VPN adds,
# so longest-prefix match keeps the real gateway in use)
sudo ip -4 route add 0.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add 64.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add 128.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
sudo ip -4 route add 192.0.0.0/2 via $GATEWAY_IP4 dev $GATEWAY_IF4
echo
echo === adding entries to IPv6 routing table ...
# to override standard IPv6 Wireguard gateway entries
sudo ip -6 route add ::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 4000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 8000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add c000::/2 via $GATEWAY_IP6 dev $GATEWAY_IF6
# to override standard IPv6 OpenVPN gateway entries
sudo ip -6 route add ::/4 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 1000::/4 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 2000::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 2800::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 3000::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add 3800::/5 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add fc00::/8 via $GATEWAY_IP6 dev $GATEWAY_IF6
sudo ip -6 route add fd00::/8 via $GATEWAY_IP6 dev $GATEWAY_IF6
echo
echo === IPv4 routing table after ...
ip -4 route
echo
echo === IPv6 routing table after ...
ip -6 route

vpn_gateway_show

#!/bin/sh
echo === removing routing table entries to show VPN ...
sudo ip -4 route delete 0.0.0.0/2
sudo ip -4 route delete 64.0.0.0/2
sudo ip -4 route delete 128.0.0.0/2
sudo ip -4 route delete 192.0.0.0/2
sudo ip -6 route delete ::/2
sudo ip -6 route delete 4000::/2
sudo ip -6 route delete 8000::/2
sudo ip -6 route delete c000::/2
sudo ip -6 route delete ::/4
sudo ip -6 route delete 1000::/4
sudo ip -6 route delete 2000::/5
sudo ip -6 route delete 2800::/5
sudo ip -6 route delete 3000::/5
sudo ip -6 route delete 3800::/5
sudo ip -6 route delete fc00::/8
sudo ip -6 route delete fd00::/8
echo
echo === IPv4 routing table after ...
ip -4 route
echo
echo === IPv6 routing table after ...
ip -6 route

vpn_gateway_route

#!/bin/sh
# helper function: print the Nth whitespace-separated token of the remaining arguments
token () {
  N=$1
  shift
  eval echo \$${N}
}
echo
echo === scanning routing table to set VPN gateway variables ...
# determine VPN gateway IPv4 address and interface name
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IP4=`token 3 $ROUTE4`
echo GATEWAY_IP4=$GATEWAY_IP4
GATEWAY_IF=`token 5 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF
# determine VPN local IPv4 address
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6
IP_TABLE=9999
echo
echo === deleting IPV4 route table $IP_TABLE ...
# remove anything left over from a previous run first
sudo ip -4 rule del table $IP_TABLE
sudo ip -4 route delete default table $IP_TABLE
echo === adding IPV4 default route for table $IP_TABLE ...
sudo ip -4 route add default via $GATEWAY_IP4 dev $GATEWAY_IF table $IP_TABLE
echo === adding IPV4 rule for VPN address for table $IP_TABLE ...
sudo ip -4 rule add from $GATEWAY_LOCAL4 table $IP_TABLE
echo === showing IPv4 rules for table $IP_TABLE
ip -4 rule list | grep $IP_TABLE
echo === showing IPv4 routing table for table $IP_TABLE
ip -4 route show table all | grep $IP_TABLE
echo
echo === deleting IPV6 route table $IP_TABLE ...
sudo ip -6 rule del table $IP_TABLE
sudo ip -6 route delete default table $IP_TABLE
echo === adding IPV6 default route for table $IP_TABLE ...
sudo ip -6 route add default dev $GATEWAY_IF table $IP_TABLE
echo === adding IPV6 rule for VPN address for table $IP_TABLE ...
sudo ip -6 rule add from $GATEWAY_LOCAL6 table $IP_TABLE
echo === showing IPv6 rules for table $IP_TABLE
ip -6 rule list | grep $IP_TABLE
echo === showing IPv6 routing table for table $IP_TABLE
ip -6 route show table all | grep $IP_TABLE
tranquivox69 27 Posted ...

EDIT 3: Completely missed the last post where you actually provided scripts to try (THANK YOU!). I will test and report back.

I thank you for the scripts I've been using these past years. I note that the route-nopull OpenVPN directive does nothing.
reversevpn 4 Posted ...

@tranquivox69 , from my experiments with Eddie, I can confirm that indeed, Eddie does not honor the route-nopull directive. In my earlier experiments, I was using the standard openvpn binary (the one you can most likely download from your distro's repository), and wrongly assumed that just because the normal openvpn binary honors the route-nopull directive, so would Eddie. For that, I apologize.
tranquivox69 27 Posted ...

1 hour ago, reversevpn said: @tranquivox69 , from my experiments with Eddie, I can confirm that indeed, Eddie does not honor the route-nopull directive. In my earlier experiments, I was using the standard openvpn binary (the one you can most likely download from your distro's repository), and wrongly assumed that just because the normal openvpn binary honors the route-nopull directive, so would Eddie. For that, I apologize.

You really don't need to apologize. Thanks for helping out, as I said I really appreciate it.

For NaDre, after hours of testing I've understood that it's important to run the scripts as administrator. So I tried to follow the process manually. I ran sudo vpn_gateway_hide.sh before connecting through Eddie. After Eddie connected I ran sudo vpn_gateway_route.sh and then I ran sudo vpn_gateway_show.sh. The result is some errors I don't understand but more or less it seemed to be working. Firefox connecting to IPleak was seeing my original IP, qBittorrent bound to the VPN was displaying the VPN address in its torrent check function. DNS was always the one from AirVPN, though, even in Firefox. I paste the results of the scripts running below:

$ sudo ./vpn_gateway_hide.sh
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
GATEWAY_IP4=eddie
GATEWAY_IF=link
Device "link" does not exist.
GATEWAY_LOCAL4=
Device "link" does not exist.
GATEWAY_LOCAL6=

=== deleting IPV4 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
=== adding IPV4 default route for table 9999 ...
Error: inet address is expected rather than "eddie".
=== adding IPV4 rule for VPN address for table 9999 ...
Error: inet prefix is expected rather than "table".
=== showing IPv4 rules for table 9999
=== showing IPv4 routing table for table 9999

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
=== adding IPV6 default route for table 9999 ...
Cannot find device "link"
=== adding IPV6 rule for VPN address for table 9999 ...
Error: inet6 prefix is expected rather than "table".
=== showing IPv6 rules for table 9999
=== showing IPv6 routing table for table 9999

$ sudo ./vpn_gateway_show.sh
=== removing routing table entries to show VPN ...
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process

=== IPv4 routing table after ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium

Hope you can make sense of what happens.

I've also tried the application that was suggested previously but it does not build: https://github.com/Intika-Linux-Firewall/App-Route-Jail/issues/1

Looking around I've found this solution with Network Namespaces but it's 4 in the morning and I really, really must get some sleep.
NaDre 157 Posted ...

On 4/10/2023 at 8:14 PM, tranquivox69 said: ... Hope you can make sense of what happens. ...

EDIT: There is an updated version of these scripts here: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

I installed eddie. It appears that the output of "ip -4 route show" is different with eddie than with openvpn or wg-quick directly. So the scan for the VPN interface name failed.

Try this script instead of vpn_gateway_route:

vpn_gateway_route_eddie

#!/bin/sh
# helper function: print the Nth whitespace-separated token of the remaining arguments
token () {
  N=$1
  shift
  eval echo \$${N}
}
echo
echo === scanning routing table to set VPN gateway variables ...
# determine VPN gateway IPv4 address and interface name
# (eddie's 0.0.0.0/1 route has no "via", so the interface is token 3, not token 5)
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF
# determine VPN local IPv4 address
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4
ip -6 addr show dev $GATEWAY_IF
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6
IP_TABLE=9999
echo
echo === deleting IPV4 route table $IP_TABLE ...
# remove anything left over from a previous run first
sudo ip -4 rule del table $IP_TABLE
sudo ip -4 route delete default table $IP_TABLE
echo === adding IPV4 default route for table $IP_TABLE ...
sudo ip -4 route add default dev $GATEWAY_IF table $IP_TABLE
echo === adding IPV4 rule for VPN address for table $IP_TABLE ...
sudo ip -4 rule add from $GATEWAY_LOCAL4 table $IP_TABLE
echo === showing IPv4 rules for table $IP_TABLE
ip -4 rule list | grep $IP_TABLE
echo === showing IPv4 routing table for table $IP_TABLE
ip -4 route show table all | grep $IP_TABLE
echo
echo === deleting IPV6 route table $IP_TABLE ...
sudo ip -6 rule del table $IP_TABLE
sudo ip -6 route delete default table $IP_TABLE
echo === adding IPV6 default route for table $IP_TABLE ...
sudo ip -6 route add default dev $GATEWAY_IF table $IP_TABLE
echo === adding IPV6 rule for VPN address for table $IP_TABLE ...
sudo ip -6 rule add from $GATEWAY_LOCAL6 table $IP_TABLE
echo === showing IPv6 rules for table $IP_TABLE
ip -6 rule list | grep $IP_TABLE
echo === showing IPv6 routing table for table $IP_TABLE
ip -6 route show table all | grep $IP_TABLE
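As an added illustration (not code from NaDre's wiki or from anyone in this thread), the Python below models what the hide/route scripts set up and why the original vpn_gateway_route scan failed under Eddie. It parses "ip route" lines by keyword rather than by token position, finds the VPN interface from the 0.0.0.0/1 route whether or not that line carries a "via", and does a longest-prefix-match lookup against the main table with and without the four /2 "hide" routes, plus the "from VPN address lookup 9999" rule. The IPv4 main-table lines are copied from the output tranquivox69 pasted above; the table-9999 route, the rule prefix, the destination addresses and all function names are my own constructions, and it covers IPv4 only.

```python
import ipaddress

# Constructed sample input: the IPv4 main table pasted in this thread after
# vpn_gateway_hide had run and Eddie had connected, plus the single route that
# vpn_gateway_route_eddie installs in table 9999 in that state (assumed).
MAIN_TABLE = """\
0.0.0.0/2 via 192.168.178.1 dev enp88s0
0.0.0.0/1 dev eddie scope link
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
10.24.230.0/24 dev eddie proto kernel scope link src 10.24.230.243
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/1 dev eddie scope link
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100
213.152.161.25 dev eddie scope link
213.152.161.27 via 192.168.178.1 dev enp88s0
"""
VPN_TABLE = "default dev eddie scope link\n"
# The rule the eddie script adds: "from 10.24.230.243/24 lookup 9999".
VPN_RULE_FROM = ipaddress.ip_network("10.24.230.243/24", strict=False)
# The four /2 prefixes vpn_gateway_hide adds and vpn_gateway_show deletes.
HIDE_PREFIXES = {ipaddress.ip_network(p) for p in
                 ("0.0.0.0/2", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/2")}
# Keywords in "ip route" output that are followed by a value.
KEYED = {"via", "dev", "proto", "metric", "src", "table", "scope", "pref"}


def parse_route(line):
    """Turn one 'ip route' line into a dict keyed by keyword, not by position."""
    tokens = line.split()
    dst = tokens[0]
    if dst == "default":
        dst = "0.0.0.0/0"
    elif "/" not in dst:
        dst += "/32"          # host route printed without a prefix length
    route = {"dst": ipaddress.ip_network(dst)}
    i = 1
    while i < len(tokens):
        if tokens[i] in KEYED:
            route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            route[tokens[i]] = True   # bare flags such as 'onlink'
            i += 1
    return route


def parse_table(text):
    return [parse_route(l) for l in text.splitlines() if l.strip()]


def lookup(routes, dst):
    """Longest-prefix match; a lower metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["dst"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["dst"].prefixlen, -int(r.get("metric", 0))))


def vpn_interface(routes):
    """Interface of the 0.0.0.0/1 route, read from its 'dev' keyword so the
    scan works with ('via GW dev IF') or without ('dev IF scope link') a gateway."""
    half = ipaddress.ip_network("0.0.0.0/1")
    for r in routes:
        if r["dst"] == half:
            return r["dev"]
    return None


def positional_scan(line):
    """The 'token 3' / 'token 5' scan of the original vpn_gateway_route: right
    for 'X via GW dev IF', wrong for Eddie's 'X dev IF scope link'."""
    t = line.split()
    return t[2], t[4]


def egress(dst, src=None, hidden=True):
    """Interface a packet leaves on under the scripts' policy routing.
    hidden=False models the state after vpn_gateway_show removed the /2 routes."""
    main = parse_table(MAIN_TABLE)
    if not hidden:
        main = [r for r in main if r["dst"] not in HIDE_PREFIXES]
    # ip rule: packets sourced from the VPN address consult table 9999 first.
    if src is not None and ipaddress.ip_address(src) in VPN_RULE_FROM:
        r = lookup(parse_table(VPN_TABLE), dst)
        if r is not None:
            return r["dev"]
    return lookup(main, dst)["dev"]


if __name__ == "__main__":
    routes = parse_table(MAIN_TABLE)
    print("VPN interface:", vpn_interface(routes))
    print("positional scan of Eddie's route:",
          positional_scan("0.0.0.0/1 dev eddie scope link"))
    for dst, src in (("1.1.1.1", None), ("1.1.1.1", "10.24.230.243"),
                     ("192.168.178.10", None)):
        print(f"{dst} from {src or 'any'}: {egress(dst, src)}")
    print("1.1.1.1 after vpn_gateway_show:", egress("1.1.1.1", hidden=False))
```

Running it shows the split the scripts aim for: an unbound program's packet to a public address leaves on enp88s0 because the /2 routes are more specific than Eddie's /1 routes, a packet sourced from the VPN address is routed by table 9999 out of eddie, and once the /2 routes are deleted the same public destination falls through to the /1 route and goes out eddie. The positional scan reproduces the "GATEWAY_IP4=eddie / GATEWAY_IF=link" result seen in the thread.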
tranquivox69 27 Posted ...

7 hours ago, NaDre said: I installed eddie. It appears that the output of "ip -4 route show" is different with eddie than with openvpn or wg-quick directly. So the scan for the VPN interface name failed. Try this script instead of vpn_gateway_route: vpn_gateway_route_eddie

Ok, tried this new one. I paste the results below. I reactivated IPv6 in Eddie, so as to avoid confusion on that side.

$ sudo ./vpn_gateway_hide.sh
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0
0.0.0.0/1 dev eddie scope link
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
10.24.230.0/24 dev eddie proto kernel scope link src 10.24.230.243
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/1 dev eddie scope link
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100
213.152.161.25 dev eddie scope link
213.152.161.27 via 192.168.178.1 dev enp88s0
GATEWAY_IF=eddie
4: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.24.230.243/24 scope global eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.24.230.243/24
4: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet6 fde6:7a:7d20:14e6::10f1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::895b:5113:eb:6da8/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fde6:7a:7d20:14e6::10f1/64

=== deleting IPV4 route table 9999 ...
Error: argument "9999" is wrong: invalid table ID
Error: FIB table does not exist.
./vpn_gateway_route.sh: 38: : not found
=== adding IPV4 default route for table 9999 ...
=== adding IPV4 rule for VPN address for table 9999 ...
Error: inet prefix is expected rather than "OCAL4".
=== showing IPv4 rules for table 9999
=== showing IPv4 routing table for table 9999
default dev eddie table 9999 scope link

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
Error: FIB table does not exist.
./vpn_gateway_route.sh: 56: : not found
=== adding IPV6 default route for table 9999 ...
=== adding IPV6 rule for VPN address for table 9999 ...
=== showing IPv6 rules for table 9999
./vpn_gateway_route.sh: 65: : not found
=== showing IPv6 routing table for table 9999
default dev eddie table 9999 metric 1024 pref medium

$ sudo ./vpn_gateway_show.sh
=== removing routing table entries to show VPN ...

=== IPv4 routing table after ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

Still some errors on the "route" script, apparently. Still AirVPN DNS being used (don't know if that's normal, I mention it because that was not the case with your scripts in Windows).

Edit: tried looking at the scripts... you declare the $IP_TABLE variable to be 9999 but immediately after that 9999 is refused as an invalid table ID. Unfortunately here is where I really get lost. 😕
NaDre 157 Posted ...

3 hours ago, tranquivox69 said: ... Still some errors on the "route" script, apparently. Still AirVPN DNS being used (don't know if that's normal, I mention it because that was not the case with your scripts in Windows).

Are you sure the script you have exactly matches the one I provided? The "OCAL4" message suggests that something went wrong in transcription.

What Linux variant are you using? If you run "ip" or "grep" without the full file name, does it work?

That script definitely works with Eddie for me. Your output does show that it determined the VPN interface name and IP addresses OK. Something must have gotten mangled in the rest of the script when you copied it. The line numbers are blank lines in my copy.

For DNS you need to tell Eddie not to change the DNS. You must have done that in Windows. But if the DNS is not reachable via AirVPN (e.g. your ISP blocks outside access) then when you "show" the VPN gateway domain name resolution will fail. You could set the DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) or Google (8.8.8.8).
tranquivox69 27 Posted ...

1 minute ago, NaDre said: Are you sure the script you have exactly matches the one I provided? The "OCAL4" message suggests that something went wrong in transcription. What Linux variant are you using? If you run "ip" or "grep" without the full file name, does it work? That script definitely works with Eddie for me. Your output does show that it determined the VPN interface name and IP addresses OK. Something must have gotten mangled in the rest of the script when you copied it. The line numbers are blank lines in my copy. For DNS you need to tell Eddie not to change the DNS. You must have done that in Windows. But if the DNS is not reachable via AirVPN (e.g. your ISP blocks outside access) then when you "show" the VPN gateway domain name resolution will fail. You could set the DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) or Google (8.8.8.8).

I suspected problems in copying and I double checked. But I will triple check because I slept less than five hours and that's not conducive to doing things well. I'll report back.
tranquivox69 27 Posted ...

I installed Kdiff3 to compare the script I was using to a new cut and paste from here. There was no text difference but the program was still showing 5 differences in empty spaces... I redid the cut and paste and now it appears to be working. This will probably remain a mystery to me, as I did exactly the same thing before... 😕

Here's the result, I don't know what to make of those RTNETLINK answers... don't know if they could signal a problem or what. From my point of view, things seem to be working ok.

Now I "just" need to understand why Eddie isn't executing scripts as sudo, considering there's a service giving it elevated privileges... and find a way to bind apps that don't have the option to do it to the VPN interface. At least Firefox for anonymous (close to) navigation would be nice.

$ sudo ./vpn_gateway_hide.sh
=== adding routing table entries to hide VPN ...

=== IPv4 routing table before ...
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table before ...
::1 dev lo proto kernel metric 256 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

=== scanning routing table to set gateway variables ...

=== IPv4 gateway ...
GATEWAY_IP4=192.168.178.1
GATEWAY_IF4=enp88s0

=== IPv6 gateway ...
GATEWAY_IP6=fe80::b2f2:8ff:fe9e:174c
GATEWAY_IF6=enp88s0

=== adding entries to IPv4 routing table ...

=== adding entries to IPv6 routing table ...

=== IPv4 routing table after ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100

=== IPv6 routing table after ...
::1 dev lo proto kernel metric 256 pref medium
::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
1000::/4 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
2a07:7e81:3d59::/64 dev enp88s0 proto ra metric 100 pref medium
2a07:7e81:3d59::/48 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium
2800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3000::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
3800::/5 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
4000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
8000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fc00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fd00::/8 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
fe80::/64 dev enp88s0 proto kernel metric 1024 pref medium
c000::/2 via fe80::b2f2:8ff:fe9e:174c dev enp88s0 metric 1024 pref medium
default via fe80::b2f2:8ff:fe9e:174c dev enp88s0 proto ra metric 100 pref medium

$ sudo ./vpn_gateway_route.sh

=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 192.168.178.1 dev enp88s0
0.0.0.0/1 dev eddie scope link
default via 192.168.178.1 dev enp88s0 proto dhcp metric 100
10.24.230.0/24 dev eddie proto kernel scope link src 10.24.230.243
64.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/2 via 192.168.178.1 dev enp88s0
128.0.0.0/1 dev eddie scope link
169.254.0.0/16 dev enp88s0 scope link metric 1000
192.0.0.0/2 via 192.168.178.1 dev enp88s0
192.168.178.0/24 dev enp88s0 proto kernel scope link src 192.168.178.46 metric 100
213.152.161.25 dev eddie scope link
213.152.161.27 via 192.168.178.1 dev enp88s0
GATEWAY_IF=eddie
8: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.24.230.243/24 scope global eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.24.230.243/24
8: eddie: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet6 fde6:7a:7d20:14e6::10f1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::aecf:1543:e75d:47a8/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fde6:7a:7d20:14e6::10f1/64

=== deleting IPV4 route table 9999 ...
RTNETLINK answers: No such process
=== adding IPV4 default route for table 9999 ...
=== adding IPV4 rule for VPN address for table 9999 ...
=== showing IPv4 rules for table 9999
32765: from 10.24.230.243/24 lookup 9999
=== showing IPv4 routing table for table 9999
default dev eddie table 9999 scope link

=== deleting IPV6 route table 9999 ...
RTNETLINK answers: No such file or directory
=== adding IPV6 default route for table 9999 ...
=== adding IPV6 rule for VPN address for table 9999 ...
=== showing IPv6 rules for table 9999
32765: from fde6:7a:7d20:14e6::10f1/64 lookup 9999
=== showing IPv6 routing table for table 9999
default dev eddie table 9999 metric 1024 pref medium
NaDre 157 Posted ...

18 minutes ago, tranquivox69 said: ...Here's the result, I don't know what to make of those RTNETLINK answers... don't know if they could signal a problem or what. From my point of view, things seem to be working ok. Now I "just" need to understand why Eddie isn't executing scripts as sudo, considering there's a service giving it elevated privileges... and find a way to bind apps that don't have the option to do it to the VPN interface. At least Firefox for anonymous (close to) navigation would be nice. ...

The RTNETLINK messages are because the script removes anything left over from a previous run first. Expected on first run.

Those scripts expect your user ID to be able to "sudo" without a prompt. In Debian you can set this up by running the following as root:

echo "user_name ALL = NOPASSWD: ALL" > /etc/sudoers.d/allow_user_name
chmod 0440 /etc/sudoers.d/allow_user_name

Replace "user_name" with the user ID. Use "man sudo.conf" and poke around in /etc to see where the config files for sudo are. You may have to modify that. Some people may feel that is too broad. Ubuntu does this by default. Or used to anyway.

I have an LD_PRELOAD script that I use to force things to bind: https://github.com/tool-maker/forceIP

But for a browser you can run squid bound to the VPN interface and then have the browser use squid as an HTTP proxy. There is an example script for running squid this way at the end of this: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway
tranquivox69 27 Posted ...

16 minutes ago, NaDre said: The RTNETLINK messages are because the script removes anything left over from a previous run first. Expected on first run. Those scripts expect your user ID to be able to "sudo" without a prompt. In Debian you can set this up by running the following as root: echo "user_name ALL = NOPASSWD: ALL" > /etc/sudoers.d/allow_user_name ; chmod 0440 /etc/sudoers.d/allow_user_name . Replace "user_name" with the user ID. Use "man sudo.conf" and poke around in /etc to see where the config files for sudo are. You may have to modify that. Some people may feel that is too broad. Ubuntu does this by default. Or used to anyway. I have an LD_PRELOAD script that I use to force things to bind: https://github.com/tool-maker/forceIP But for a browser you can run squid bound to the VPN interface and then have the browser use squid as an HTTP proxy. There is an example script for running squid this way at the end of this: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway

You previously mentioned users willing to learn and I just ended up configuring my user (which Eddie uses) to be able to use those scripts with sudo privileges, through sudo visudo configuration:

tranquivox ALL=/home/tranquivox/Documents/VPNscripts/vpn_gateway_hide.sh

Three lines with the three scripts, launched Eddie through the terminal (which shows what happens with Events) and everything went flawlessly.

I will now read about the solutions you mention for binding programs to a specific interface.

I don't know how to express my gratitude. If you have a PayPal somewhere, which I could donate to, I'd like to offer you at least a beer. Thanks, really.
NaDre 157 Posted ... 46 minutes ago, tranquivox69 said: ... Three lines with the three scripts, launched Eddie through the terminal (which shows what happens with Events) and everything went flawlessly. ... I will now read about the solutions you mention for binding programs to a specific interface. ...

Maybe you should explain where you plugged the scripts into Eddie events for the benefit of others who may be following this.

The output from the LD_PRELOAD shim may be a bit ugly. It is really a work in progress. And always will be. I want information from it about the behavior of a program I apply it to.
tranquivox69 27 Posted ... 43 minutes ago, NaDre said: Maybe you should explain where you plugged the scripts into Eddie events for the benefit of others who may be following this. The output from the LD_PRELOAD shim may be a bit ugly. It is really a work in progress. And always will be. I want information from it about the behavior of a program I apply it to.

Sorry, I am sure I wrote about Events but I can sum it up (maybe it got deleted when I removed tonight's stream of consciousness). Under Eddie Settings/Events I put:

vpn_gateway_hide.sh under Session Start
vpn_gateway_route.sh under VPN Up
vpn_gateway_show.sh under Session End

As mentioned, I needed to grant my user permissions to execute those scripts without password (they contain sudo instructions). I did that through sudo visudo, adding the three lines I mentioned in this post (substitute user name with yours).

Now I'm kinda fighting with squid and your script. Instructions are not newbie friendly. I installed squid but when I try to run it to see options it states that it's already running. From what I understand, your script is an executable bash script where we have to put in our relevant values. But it's not very clear what the values are... I mean, for regular connection my gateway is my router address at 192.168.178.1 but how can I find out the IPv6 gateway and how can I find the gateways for AirVPN IPv4 and IPv6? I suppose for IPv4 it could be 10.24.230.0. And I would expect the gateway to be relevant for the script, while, from your example, you put in there 10.44.0.2 and fc00:44::2 which seem to me the IP addresses the VPN assigns and not the gateway. Since those change potentially at every connection, it would mean needing to update the script every time. But that doesn't seem to be what you refer to. After this, I suppose you run the script and then run a browser where you configured squid as proxy. But searches for "configuring proxy firefox squid" are not much productive, so far.

And now I sound like a whiny baby... 😞

EDIT: I think I understand some more. Your script creates a configuration file for squid. It places it in a temporary directory and then pushes it to squid, first killing it and then relaunching it, if I get it right. The mystery remains as to where the addresses in the four outgoing address entries come from. And also, is this something we need to launch every time or, with squid being a service, once it's configured it will work with those parameters until we change them, for whatever reason? As for Firefox... I found this, which leads me back to what addresses to use...
NaDre 157 Posted ... 28 minutes ago, tranquivox69 said: ... Now I'm kinda fighting with squid and your script. Instructions are not newbie friendly. I installed squid but when I try to run it to see options it states that it's already running. From what I understand, your script is an executable bash script where we have to put in our relevant values. But it's not very clear what the values are... I mean, for regular connection my gateway is my router address at 192.168.178.1 but how can I find out the IPv6 gateway and how can I find the gateways for AirVPN IPv4 and IPv6? I suppose for IPv4 it could be 10.24.230.0. And I would expect the gateway to be relevant for the script, while, from your example, you put in there 10.44.0.2 and fc00:44::2 which seem to me the IP addresses the VPN assigns and not the gateway. Since those change potentially at every connection, it would mean needing to update the script every time. But that doesn't seem to be what you refer to. After this, I suppose you run the script and then run a browser where you configured squid as proxy. But searches for "configuring proxy firefox squid" are not much productive, so far. And now I sound like a whiny baby... 😞

The script was meant to be used with the framework the scripts in that wiki page established. Those scripts set up alias addresses for the VPN interface so that they appear to never change. I could probably expand the vpn_gateway_route script to incorporate that. Then I could include all of this stuff in that page. But I won't be able to do this for a few hours.

The alternative would be to add stuff to the squid script that detects the addresses to use first. At this moment this does not appeal to me. Maybe you want to give it a try? The code at the start of the vpn_gateway_route script does this.

For now how about just "show" the VPN gateway when you want to browse via the VPN. And then "hide" it when you are done?

It says that squid is running because it is running. When installed it probably set up a daemon that runs at boot. In Debian I do this after I install squid:

sudo ps -ef | grep squid -
# takes 30 seconds
sudo systemctl stop squid
sudo ps -ef | grep squid -
sudo systemctl disable squid

After that the daemon will not be running and won't start at boot. I don't know if that will work in your distro.

For firefox network settings this looks about right: https://support.mozilla.org/en-US/kb/connection-settings-firefox

You might want a separate profile for using squid. This looks good: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
tranquivox69 27 Posted ... 1 hour ago, NaDre said: The script was meant to be used with the framework the scripts in that wiki page established. Those scripts set up alias addresses for the VPN interface so that they appear to never change. I could probably expand the vpn_gateway_route script to incorporate that. Then I could include all of this stuff in that page. But I won't be able to do this for a few hours. The alternative would be to add stuff to the squid script that detects the addresses to use first. At this moment this does not appeal to me. Maybe you want to give it a try? The code at the start of the vpn_gateway_route script does this.

Got family dinner in an hour or so. My tries would be probably hilarious 😃. Which does not mean I couldn't try, I actually don't exclude that, I'm too stubborn for my own good but, in this case... I come to Linux after thirty years+ of Windows, I'm way, way, way over my head, believe me.

1 hour ago, NaDre said: For firefox network settings this looks about right: https://support.mozilla.org/en-US/kb/connection-settings-firefox

Oh, so squid "becomes" the system proxy. I thought it required specific addresses in that space.

1 hour ago, NaDre said: You might want a separate profile for using squid. This looks good: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles

This is a good suggestion, I might take it into consideration. In Windows I used Firefox only through VPN (launching it with ForceBindIP) and Chrome for the rare occasions when I wanted to go outside (or websites, sadly, misbehaved with FF).

1 hour ago, NaDre said: For now how about just "show" the VPN gateway when you want to browse via the VPN. And then "hide" it when you are done?

With a 24/7 (hopefully) torrent client going, that's not something I could do. Or... hmmm... don't know how I could combine the scripts. I mean, the VPN would stay up, torrent client is bound to it, so no, I wouldn't be exposing my IP. But after I run gateway_route can I run gateway_show while VPN is still up? And if I later run gateway_hide it hides it once more for the whole system? Is that how it works?
tranquivox69 27 Posted ... 1 hour ago, NaDre said: After that the daemon will not be running and won't start at boot. I don't know if that will work in your distro.

Yes, it installed a daemon. And I thought the bash script interacted with that. Instead, from what you state, it just launches the binary. But then how would I stop it? In any case, I stopped it and disabled it.
tranquivox69 27 Posted ... I said I was stubborn... and you prompted me in a useful direction. So I looked at the results of vpn_gateway_route and I saw the values I needed for gateway. Resulting squid_vpn script:

#!/bin/bash
PORT=$1
if [ "$PORT" == "" ]; then PORT=3128; fi
NAME=squid_vpn_${PORT}
mkdir -p ~/tmp > /dev/null
cat <<EOF >~/tmp/${NAME}.conf
tcp_outgoing_address 10.24.230.243
tcp_outgoing_address fde6:7a:7d20:14e6::10f1
udp_outgoing_address 10.24.230.243
udp_outgoing_address fde6:7a:7d20:14e6::10f1
# quad9 DNS
#dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete
EOF
cat ~/tmp/${NAME}.conf
pushd ~/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null

I ran it through the terminal, to see how it reacted. This is the output:

SQUID_RUN=/usr/sbin/squid
2023/04/11 19:51:59| FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open
2023/04/11 19:51:59| Current Directory is /home/tranquivox/tmp
2023/04/11 19:51:59| Starting Squid Cache version 5.2 for x86_64-pc-linux-gnu...
2023/04/11 19:51:59| Service Name: SQUID3128
2023/04/11 19:51:59| Process ID 19401
2023/04/11 19:51:59| Process Roles: master worker
2023/04/11 19:51:59| With 1024 file descriptors available
2023/04/11 19:51:59| Initializing IP Cache...
2023/04/11 19:51:59| DNS Socket created at [fde6:7a:7d20:14e6::10f1], FD 8
2023/04/11 19:51:59| Adding nameserver 1.1.1.1 from squid.conf
2023/04/11 19:51:59| Adding nameserver 1.0.0.1 from squid.conf
2023/04/11 19:51:59| Adding nameserver 2606:4700:4700::1111 from squid.conf
2023/04/11 19:51:59| Adding nameserver 2606:4700:4700::1001 from squid.conf
2023/04/11 19:51:59| Logfile: opening log stdio:/dev/stdout
2023/04/11 19:51:59| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/04/11 19:51:59| Store logging disabled
2023/04/11 19:51:59| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/04/11 19:51:59| Target number of buckets: 1008
2023/04/11 19:51:59| Using 8192 Store buckets
2023/04/11 19:51:59| Max Mem size: 262144 KB
2023/04/11 19:51:59| Max Swap size: 0 KB
2023/04/11 19:51:59| Using Least Load store dir selection
2023/04/11 19:51:59| Current Directory is /home/tranquivox/tmp
2023/04/11 19:51:59| Finished loading MIME types and icons.
2023/04/11 19:51:59| HTCP Disabled.
2023/04/11 19:51:59| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/04/11 19:51:59| Pinger socket opened on FD 12
2023/04/11 19:51:59| Squid plugin modules loaded: 0
2023/04/11 19:51:59| Adaptation support is off.
2023/04/11 19:51:59| Accepting HTTP Socket connections at conn2 local=127.0.0.1:3128 remote=[::] FD 10 flags=9
2023/04/11 19:51:59| pinger: Initialising ICMP pinger ...
2023/04/11 19:51:59| pinger: ICMP socket opened.
2023/04/11 19:51:59| pinger: ICMPv6 socket opened
2023/04/11 19:52:00| storeLateRelease: released 0 objects
2023/04/11 19:54:17| idnsSendQuery FD -1: sendto: (0) No error. current master transaction: master53

Final line repeats periodically.

Now... like this, fatal error notwithstanding, it doesn't work with FF configured with system proxy but it does work (apparently) with manual configuration to 127.0.0.1 and port 3128. IPleak says I have VPN address in FF and normal ISP address in Chromium (with no proxy configured). AirVPN website sees me connected to VPN as well.

Now this is not automated in any way and I don't even know how I could stop it from running if I launched it normally and not through terminal. Plus the fatal error, warnings, etc. But it seems a step in the right direction.

Edit: I'm also suspecting DNS leaks, as IPleak shows DNS from all over the place, both VPN, my original country, another country... a wild mix.

Forgot to say, while the script is running in terminal I have these two processes running, don't know if that's the expected behavior:
NaDre 157 Posted ... 1 hour ago, tranquivox69 said: I said I was stubborn... and you prompted me in a useful direction. So I looked at the results of vpn_gateway_route and I saw the values I needed for gateway. Resulting squid_vpn script: ... I ran it through the terminal, to see how it reacted. This is the output: ... Final line repeats periodically. Now... like this, fatal error notwithstanding, it doesn't work with FF configured with system proxy but it does work (apparently) with manual configuration to 127.0.0.1 and port 3128. IPleak says I have VPN address in FF and normal ISP address in Chromium (with no proxy configured). AirVPN website sees me connected to VPN as well. Now this is not automated in any way and I don't even know how I could stop it from running if I launched it normally and not through terminal. Plus the fatal error, warnings, etc. But it seems a step in the right direction. Edit: I'm also suspecting DNS leaks, as IPleak shows DNS from all over the place, both VPN, my original country, another country... a wild mix. Forgot to say, while the script is running in terminal I have these two processes running, don't know if that's the expected behavior: ...

It looks about right to me. The warning about suid is OK. A squid idiosyncrasy.

Those DNS servers are probably all Cloudflare exit points. Do "whois" on a few of them.

Ctrl-c will stop squid more gracefully than closing the terminal window.

Why does it need to launch automatically and run all of the time? Why not run it just when you want to browse via the VPN? What is wrong with it being in a terminal window? You want it to be invisible? This could be done using "screen". It could even be launched from Eddie. But why? Maybe just keep it simple?

I also encouraged you to take the code from vpn_gateway_route that detects the VPN addresses and put it in the squid script. Then $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 go where the hard-coded addresses are right now.
tranquivox69 27 Posted ... 3 hours ago, NaDre said: The warning about suid is OK. A squid idiosyncrasy.

Even this?

FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open

3 hours ago, NaDre said: Those DNS servers are probably all Cloudflare exit points. Do "whois" on a few of them.

Indeed they are, IPLeak openly states so. The "strange" thing is that while under VPN "normally" I only see DNSs from the country the VPN exits to, whereas using squid they're from all over Europe.

3 hours ago, NaDre said: Ctrl-c will stop squid more gracefully than closing the terminal window. Why does it need to launch automatically and run all of the time? Why not run it just when you want to browse via the VPN? What is wrong with it being in a terminal window? You want it to be invisible? This could be done using "screen". It could even be launched from Eddie. But why? Maybe just keep it simple?

I don't know, simple aesthetics... life is confusing enough without an extra window on my desktop which I need to be careful about. In any case, I've modified the squid daemon to use the generated .conf file, re-enabled it and everything works. It runs in the background, now I'm gonna do a second profile in FF, using the proxy and I can alternate between the two without thinking about it. Do you see any logic fallacy in this approach?

Edit: even simpler! https://addons.mozilla.org/en-US/firefox/addon/proxy-toggle-button/ this on FF toolbar. Click VPN connection, click ISP connection. Love it!

3 hours ago, NaDre said: I also encouraged you to take the code from vpn_gateway_route that detects the VPN addresses and put it in the squid script. Then $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 go where the hard-coded addresses are right now.

Tried that, unfortunately my non-existent programming skills hit a wall when $GATEWAY_LOCAL4 and $GATEWAY_LOCAL6 contain the right address, followed by /somenumbers (which are probably IP routing stuff, see how ignorant I am...). I am sure there's an easy trick to cut from and including the forward slash, maybe a regular expression... but I'm not knowledgeable in this regard.
NaDre 157 Posted ... 5 hours ago, tranquivox69 said: ... With a 24/7 (hopefully) torrent client going, that's not something I could do. Or... hmmm... don't know how I could combine the scripts. I mean, the VPN would stay up, torrent client is bound to it, so no, I wouldn't be exposing my IP. But after I run gateway_route can I run gateway_show while VPN is still up? And if I later run gateway_hide it hides it once more for the whole system? Is that how it works?

I missed this post. Yes. That is how it works. In Windows too. You can flip the default gateway between the VPN and the real one any time you want and the torrent client will not notice. It uses the VPN regardless.

You said you usually use the VPN to browse with a few exceptions. Then you don't need this squid thing. And you probably don't want to have vpn_gateway_hide run when you start the VPN in Eddie. Just run it when you want to browse without the VPN for a while.
tranquivox69 27 Posted ... 1 hour ago, NaDre said: You said you usually use the VPN to browse with a few exceptions. Then you don't need this squid thing. And you probably don't want to have vpn_gateway_hide run when you start the VPN in Eddie. Just run it when you want to browse without the VPN for a while.

Oh, no, I need it for services that need to be reachable from outside the local network. But, apart from that FATAL thing I mention above, which leaves me uneasy, everything is now working like I want. The proxy toggle extension is absolutely handy. The service runs in the background, I don't even notice it. It seems all is good.

Just need to recheck the sudo permissions for those scripts because when I rebooted earlier they seemed not to be in effect. Then I relaunched sudo visudo to check, nothing needed to be changed, I exited without saving the file (I did not modify it after all) and then they were working once more. I checked to see that I wasn't running Windows 😅

EDIT: celebrated too early. While the proxy toggle works like a beauty, the service I installed has a problem. The gateways change according to which AirVPN server one connects to, as such I can't hard code addresses in a fixed .conf file. So it's impossible to run it (or the simple bash script) before being connected to AirVPN. At that point one has to find out the gateways (see above where I stop in trying to automate that process), fill in the numbers and run the script.
NaDre 157 Posted ... 3 hours ago, tranquivox69 said: ... EDIT: celebrated too early. While the proxy toggle works like a beauty, the service I installed has a problem. The gateways change according to which AirVPN server one connects to, as such I can't hard code addresses in a fixed .conf file. So it's impossible to run it (or the simple bash script) before being connected to AirVPN. At that point one has to find out the gateways (see above where I stop in trying to automate that process), fill in the numbers and run the script.

I'll have some time tomorrow. I'll make the changes to the script I was trying to lead you through. So it determines the addresses. Can't right now though.
NaDre 157 Posted ... On 4/11/2023 at 8:30 PM, NaDre said: I'll have some time tomorrow. I'll make the changes to the script I was trying to lead you through. So it determines the addresses. Can't right now though.

I have a script for you to try. I have tested to be sure it runs. But I have not connected a browser to it. There was a complication in the scanning that I probably could not expect you to work out.

EDIT: There is an updated version of these scripts here: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

The message "FATAL: failed to open /home/tranquivox/tmp/squid_vpn_3128.pid ..." is because it attempts to stop any already running version of itself. Normal if it is not already running.

vpn_gateway_squid

#!/bin/bash
PORT=$1
if [ "$PORT" = "" ]; then PORT=3128; fi

# helper function
token () {
    N=$1
    shift
    eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway IPv4 address and interface name
ip -4 route show
ROUTE4=`ip -4 route show 0.0.0.0/1`
#echo ROUTE4=$ROUTE4
GATEWAY_IF=`token 3 $ROUTE4`
echo GATEWAY_IF=$GATEWAY_IF

# determine VPN local IPv4 address
ip -4 addr show dev $GATEWAY_IF
ADDR4=`ip -4 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL4=`token 2 $ADDR4`
GATEWAY_LOCAL4=${GATEWAY_LOCAL4%%/*}
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4

ip -6 addr show dev $GATEWAY_IF
# determine VPN local IPv6 address
ADDR6=`ip -6 addr show dev $GATEWAY_IF | grep global`
GATEWAY_LOCAL6=`token 2 $ADDR6`
GATEWAY_LOCAL6=${GATEWAY_LOCAL6%%/*}
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

NAME=squid_vpn_${PORT}
mkdir -p ~/tmp > /dev/null
cat <<EOF >~/tmp/${NAME}.conf
tcp_outgoing_address $GATEWAY_LOCAL4
tcp_outgoing_address $GATEWAY_LOCAL6
udp_outgoing_address $GATEWAY_LOCAL4
udp_outgoing_address $GATEWAY_LOCAL6
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete
EOF

echo
echo === contents of squid configuration file ...
cat ~/tmp/${NAME}.conf

echo
echo === starting squid ...
pushd ~/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null
echo
echo === ... squid has stopped

I ran it in a VM. I stopped it with ctrl-c. Here is the output I got.

=== scanning routing table to set VPN gateway variables ...
0.0.0.0/2 via 10.0.2.1 dev enp0s3
0.0.0.0/1 dev Eddie scope link
default via 10.0.2.1 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.4 metric 100
64.0.0.0/2 via 10.0.2.1 dev enp0s3
128.0.0.0/2 via 10.0.2.1 dev enp0s3
128.0.0.0/1 dev Eddie scope link
169.254.0.0/16 dev enp0s3 scope link metric 1000
192.0.0.0/2 via 10.0.2.1 dev enp0s3
213.152.186.18 via 10.0.2.1 dev enp0s3
213.152.186.19 dev Eddie scope link
GATEWAY_IF=Eddie
3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.130.176.43/32 scope global Eddie
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL4=10.130.176.43
3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet6 fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c/128 scope global
       valid_lft forever preferred_lft forever
GATEWAY_LOCAL6=fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c

=== contents of squid configuration file ...
tcp_outgoing_address 10.130.176.43
tcp_outgoing_address fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c
udp_outgoing_address 10.130.176.43
udp_outgoing_address fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:3128
pid_filename /home/user/tmp/squid_vpn_3128.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
access_log stdio:/dev/stdout
cache_log /dev/stdout
netdb_filename none
via off
forwarded_for delete

=== starting squid ...
SQUID_RUN=/usr/sbin/squid
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| FATAL: failed to open /home/user/tmp/squid_vpn_3128.pid: (2) No such file or directory
    exception location: File.cc(190) open
2023/04/11 21:33:02| Created PID file (/home/user/tmp/squid_vpn_3128.pid)
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| Starting Squid Cache version 4.13 for x86_64-pc-linux-gnu...
2023/04/11 21:33:02| Service Name: SQUID3128
2023/04/11 21:33:02| Process ID 5787
2023/04/11 21:33:02| Process Roles: master worker
2023/04/11 21:33:02| With 1024 file descriptors available
2023/04/11 21:33:02| Initializing IP Cache...
2023/04/11 21:33:02| DNS Socket created at [fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c], FD 3
2023/04/11 21:33:02| Adding nameserver 9.9.9.9 from squid.conf
2023/04/11 21:33:02| Adding nameserver 149.112.112.112 from squid.conf
2023/04/11 21:33:02| Adding nameserver 2620:fe::fe from squid.conf
2023/04/11 21:33:02| Adding nameserver 2620:fe::9 from squid.conf
2023/04/11 21:33:02| Logfile: opening log stdio:/dev/stdout
2023/04/11 21:33:02| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/04/11 21:33:02| Store logging disabled
2023/04/11 21:33:02| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/04/11 21:33:02| Target number of buckets: 1008
2023/04/11 21:33:02| Using 8192 Store buckets
2023/04/11 21:33:02| Max Mem size: 262144 KB
2023/04/11 21:33:02| Max Swap size: 0 KB
2023/04/11 21:33:02| Using Least Load store dir selection
2023/04/11 21:33:02| Current Directory is /home/user/tmp
2023/04/11 21:33:02| Finished loading MIME types and icons.
2023/04/11 21:33:02| HTCP Disabled.
2023/04/11 21:33:02| WARNING: no_suid: setuid(0): (1) Operation not permitted
2023/04/11 21:33:02| Pinger socket opened on FD 12
2023/04/11 21:33:02| Squid plugin modules loaded: 0
2023/04/11 21:33:02| Adaptation support is off.
2023/04/11 21:33:02| Accepting HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 10 flags=9
2023/04/11 21:33:02| pinger: Initialising ICMP pinger ...
2023/04/11 21:33:02| pinger: ICMP socket opened.
2023/04/11 21:33:02| pinger: ICMPv6 socket opened
2023/04/11 21:33:03| storeLateRelease: released 0 objects
^C2023/04/11 21:34:28| Preparing for shutdown after 0 requests
2023/04/11 21:34:28| Waiting 0 seconds for active connections to finish
2023/04/11 21:34:28| Closing HTTP(S) port 127.0.0.1:3128
2023/04/11 21:34:28| Closing Pinger socket on FD 12
2023/04/11 21:34:29| Shutdown: NTLM authentication.
2023/04/11 21:34:29| Shutdown: Negotiate authentication.
2023/04/11 21:34:29| Shutdown: Digest authentication.
2023/04/11 21:34:29| Shutdown: Basic authentication.
2023/04/11 21:34:30| Shutting down...
2023/04/11 21:34:30| storeDirWriteCleanLogs: Starting...
2023/04/11 21:34:30|   Finished.  Wrote 0 entries.
2023/04/11 21:34:30|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.028 seconds = 0.028 user + 0.000 sys
Maximum Resident Size: 92496 KB
Page faults with physical i/o: 3
2023/04/11 21:34:30| Logfile: closing log stdio:/dev/stdout
2023/04/11 21:34:30| Open FD UNSTARTED     0 stdin
2023/04/11 21:34:30| Open FD UNSTARTED     1 stdout
2023/04/11 21:34:30| Open FD UNSTARTED     2 stderr
2023/04/11 21:34:30| Squid Cache (Version 4.13): Exiting normally.
2023/04/11 21:34:30| Removing PID file (/home/user/tmp/squid_vpn_3128.pid)

=== ... squid has stopped
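Editor's added example, not part of the thread and not NaDre's vpn_gateway_squid script: the two things tranquivox69 got stuck on above are (a) finding the VPN interface and its addresses automatically and (b) cutting the "/somenumbers" prefix off before the address goes into squid.conf. The script in the post solves both, but it picks the interface as the third token of the 0.0.0.0/1 route, which is right for the "0.0.0.0/1 dev Eddie scope link" line WireGuard/Eddie produced in the VM and wrong for an OpenVPN tun interface, where the same route reads "0.0.0.0/1 via <gateway> dev tun0" and token 3 is the gateway address. The functions below scan for the keyword ("dev", "inet", "inet6") instead of a position, so they handle both shapes. The `ip` output embedded here is constructed from the shapes shown in this thread; the function and variable names are my own.

```bash
#!/bin/bash
# Added example, not NaDre's vpn_gateway_squid script: locate the VPN interface
# and its local addresses by scanning `ip` output for keywords ("dev", "inet",
# "inet6") instead of fixed token positions, and strip the /prefix before the
# address is written into a squid config. The `ip` output below is constructed
# from the shapes shown in the thread; on a live box feed in "$(ip -4 route show)"
# and "$(ip addr show dev "$IF")" instead.

# Print the word that follows KEYWORD in the remaining arguments; fail if absent.
token_after() {
    keyword=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$keyword" ]; then
            echo "$2"
            return 0
        fi
        shift
    done
    return 1
}

# VPN interface = the interface carrying the 0.0.0.0/1 half-default route that
# redirect-gateway style clients install. Works whether the line reads
# "0.0.0.0/1 dev Eddie scope link" (WireGuard) or
# "0.0.0.0/1 via 10.24.230.1 dev tun0" (OpenVPN); with positional parsing
# (token 3) the second form yields the gateway address, not the device.
vpn_interface() {
    route=$(printf '%s\n' "$1" | grep '^0\.0\.0\.0/1 ') || return 1
    token_after dev $route
}

# First global-scope address of FAMILY (inet or inet6) in `ip addr show` output,
# with the /prefix removed so squid accepts it as a plain address.
vpn_local_addr() {
    family=$1
    line=$(printf '%s\n' "$2" | grep "^ *$family .* scope global" | head -n 1) || return 1
    addr=$(token_after "$family" $line) || return 1
    echo "${addr%%/*}"
}

# Minimal squid config that pins outbound TCP and squid's own DNS lookups (UDP)
# to the VPN addresses and listens only on loopback. The explicit "deny all" is
# my addition, not in the thread's config; squid already defaults to deny here.
render_squid_conf() {
    port=$1; addr4=$2; addr6=$3
    cat <<EOF
tcp_outgoing_address $addr4
tcp_outgoing_address $addr6
udp_outgoing_address $addr4
udp_outgoing_address $addr6
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
http_port 127.0.0.1:$port
acl localnet src 127.0.0.1
http_access allow localnet
http_access deny all
via off
forwarded_for delete
EOF
}

# Constructed samples (not captured from a real host).
ROUTES_WG='0.0.0.0/1 dev Eddie scope link
default via 10.0.2.1 dev enp0s3 proto dhcp metric 100
128.0.0.0/1 dev Eddie scope link'

ROUTES_OVPN='0.0.0.0/1 via 10.24.230.1 dev tun0
default via 192.168.178.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.24.230.1 dev tun0'

ADDRS_WG='3: Eddie: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
    inet 10.130.176.43/32 scope global Eddie
       valid_lft forever preferred_lft forever
    inet6 fd7d:76ee:e68f:a993:ccc3:67e7:3260:491c/128 scope global
       valid_lft forever preferred_lft forever'

# Stand-alone demo against the WireGuard sample.
IF=$(vpn_interface "$ROUTES_WG")
A4=$(vpn_local_addr inet "$ADDRS_WG")
A6=$(vpn_local_addr inet6 "$ADDRS_WG")
echo "VPN interface: $IF  IPv4: $A4  IPv6: $A6"
render_squid_conf 3128 "$A4" "$A6"
```

To use this on a live system, replace the three constructed strings with the real `ip -4 route show` and `ip addr show dev "$IF"` output and hand the rendered config to squid exactly as the thread's script does (`-N -f <conf>`). A quick check that the proxy really egresses over the tunnel while the system default gateway is still hidden: `curl -4 icanhazip.com` should print the ISP address and `curl -4 -x http://127.0.0.1:3128 icanhazip.com` the VPN address; if both match, the `tcp_outgoing_address` line did not get the interface's address. The "DNS Socket created at [<VPN IPv6>]" line in squid's log is the corresponding check for DNS: with `udp_outgoing_address` set, squid's own resolver queries leave from the VPN address, so the resolvers IPleak reports are the anycast instances of the configured DNS service as seen from the VPN exit, not a leak to the ISP.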
tranquivox69 27 Posted ... 4 hours ago, NaDre said: I have a script for you to try. I have tested to be sure it runs. But I have not connected a browser to it. There was a complication in the scanning that I probably could not expect you to work out.

The forum software managed to mangle your code in invisible ways. Copying it and pasting produced a mysterious "command not found in line 39"... and line 39 in the script is empty. Thank god for FF's dev tools, I managed to avoid retyping it all. 🙂

Script appears to be working perfectly. I'm now working on a solution to automate everything. I'll report back but I'm hopeful.