How to set up a connection TO a VPN

#1

Hello! I’m interested in setting up my Freedombox to connect to a VPN server. All external traffic (or only the mldonkey or transmission traffic) should be sent to the VPN server. When the VPN connection breaks or is refused or whatever, the traffic should be blocked.

I’m hoping some of you had the same idea and succeeded in making it work. I’d like to hear from you!

What I did so far: using the OpenVPN app is only for creating a VPN server, so I used the instructions here to establish a VPN connection using SSH. Seems to work fine: The FreedomBox’s external IP address is the VPN’s.

Now, the next steps…?
Perhaps I can use firewall rules to make sure the traffic goes to the VPN or not at all, but what is the name of the FreedomBox firewall app? I tried the list here, but no success.
And does anyone have experience using vpnautoconnect on the FreedomBox?

Kind regards,
Bart

#2

I can’t give you reliable info or help, I just know that VPN in 19.2 is not working as expected (at least for me) and that there are issues. Not sure how that relates to your situation.

#3

Every time I install OpenVPN on the Raspberry Pi 3 B+ it bricks my FreedomBox. I am willing to pay a bounty to get this working or even better WireGuard.

The OpenVPN works from my Android phone till FreedomBox reboots. Then it’s bricked.

#4

> Every time I install OpenVPN on the Raspberry Pi 3 B+ it bricks my FreedomBox. I am willing to pay a bounty to get this working or even better WireGuard.
>
> The OpenVPN works from my Android phone till FreedomBox reboots. Then it’s bricked.

OpenVPN making firewall inaccessible was a problem with firewalld in Debian. A workaround was implemented in FreedomBox version 19.2. Could you check if the version you tried is equal or newer? Please note that if you are installing Buster, then the version available there is 19.1.

Other than this issue (needing version 19.2 for fix) there are no known problems with OpenVPN. It has been tested multiple times to work in 19.2 and in Pioneer edition images.

@mray, The original post is about setting up a VPN client manually which we didn’t implement yet.

#5

I am also an external VPN user and would love to get this to work.

Another way to get this to work is:

  1. apt install network-manager-openvpn
  2. Configure an OpenVPN connection on your GNU/Linux desktop in Gnome or KDE. Then copy the file /etc/NetworkManager/system-connections/MyOpenVPN.nmconnection to the same folder in FreedomBox.
  3. Activate the connection.

The advantage of this approach is that network-manager will keep trying to reconnect and will also start the connection on boot.

FreedomBox uses firewalld, and if we are not careful, the rules added outside of firewalld will be removed if firewalld gets restarted (dangerous). I have found instructions on how to block all traffic except VPN traffic. I have not tried the instructions myself. Some notes:

  • No need for masquerading rules.
  • You need to run the rules twice. Once with --permanent option so that they work after reboot (or firewalld restart). And once without --permanent so they get applied for current session (or instead just reboot machine).
  • Currently we are using nftables backend (newer) instead of iptables. You may have to convert those rules to nft.
  • It blocks all IPv6 traffic, needs tweaking.
  • It works for a specific outgoing IP to VPN. Needs tweaking.

Let us know how it goes.
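
A dry-run sketch of the notes in post #5, as an added example that is not from any poster in this thread and has not been tested on a FreedomBox: it prints firewalld direct rules (iptables syntax) that allow outbound traffic only through the tunnel, to the VPN server and to the LAN, each once with --permanent and once without. The server address 203.0.113.10, port 1194/udp, interface tun0 and LAN 192.168.1.0/24 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print firewalld direct rules for an outbound VPN kill switch.
# All values below are constructed placeholders; replace them with your own.
VPN_IP="${VPN_IP:-203.0.113.10}"      # VPN server address (documentation range)
VPN_PORT="${VPN_PORT:-1194}"          # OpenVPN default port
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"              # tunnel interface created by the VPN client
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # keeps web interface and SSH replies to the LAN working

# One rule per line: <family> <priority> <iptables match and target>.
# Lower priority numbers are evaluated first, so the REJECT goes last.
killswitch_rules() {
    cat <<EOF
ipv4 0 -o lo -j ACCEPT
ipv4 1 -o $TUN_IF -j ACCEPT
ipv4 2 -d $VPN_IP -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
ipv4 3 -d $LAN_NET -j ACCEPT
ipv4 99 -j REJECT
ipv6 0 -o lo -j ACCEPT
ipv6 99 -j REJECT
EOF
}

# Emit every rule twice: with --permanent (survives reboot and firewalld
# restart) and without it (takes effect in the current session).
killswitch_commands() {
    killswitch_rules | while read -r family prio args; do
        for scope in "--permanent " ""; do
            printf 'firewall-cmd %s--direct --add-rule %s filter OUTPUT %s %s\n' \
                "$scope" "$family" "$prio" "$args"
        done
    done
}

# Default is a dry run that prints the commands for review.
# With "apply" as the first argument they are executed (needs root and firewalld).
killswitch_main() {
    if [ "${1:-}" = "apply" ]; then
        killswitch_commands | sh -e
    else
        killswitch_commands
    fi
}

killswitch_main "$@"
```

Review the printed commands before running with `apply`; the IPv6 rules drop all non-loopback IPv6 output, matching the "blocks all IPv6 traffic" note above.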

#6

Just want to show support for coding this into the Plinth interface. If I understand correctly, connecting the FreedomBox to a VPN would solve the Carrier-Grade NAT issue (see Let's Encrypt "Failed to obtain certificate ...").

#7

@dgj, would you please review the tasks which we have planned for this:

Apart from connecting to a remote server via VPN, we need to be diverting all the traffic coming to the public interface of that server back to the FreedomBox.