Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
3
votes
2
answers
2827
views
Can't Connect to NordVPN on Arch Linux
I installed NordVPN from the AUR (nordvpn-bin package) around a week or two weeks ago. After installing and getting logged in it worked as it was supposed to. However, after rebooting my computer, every time I try to connect, no matter what server I try to connect to, I get the following message:
at 07:44:37 ❯❯❯ nordvpn connect chicago
Connecting to United States #8798 (us8798.nordvpn.com)
Whoops! We couldn't connect you to 'chicago'. Please try again. If the problem persists, contact our customer support.
I tried logging out and back in, restarting nordvpnd, and running as sudo. All of my packages are up to date. I'm not sure what else to try. Any ideas?
Dargscisyhp
(261 rep)
Dec 2, 2021, 01:50 PM
• Last activity: Aug 6, 2025, 12:07 PM
0
votes
1
answers
2238
views
resolvectl ignores new VPN network adapter
I have a strange problem when I connect to a company VPN with the FortiClient application. First, I did not know what was wrong. After spending some time, I figured out that DNS is not working as it should have. Unfortunately, I have no idea whose fault that is. It may be FortiClient, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official version yet, but I have doubts it will get any better until the official release in a week or two.
This is the output from resolvectl before the VPN is established:
username@hostname:~$ resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp2s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp1s0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
DNS Domain: --
After the VPN is established, resolvectl reports an additional link called vpn:
username@hostname:~$ resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp2s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp1s0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.20.1.21
DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
DNS Domain: company.com
Link 5 (vpn)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
As you can see additional DNS servers are added to Link 3, which should help me resolve internal names when connected to VPN. Strange thing is that when I write
username@hostname:~$ resolvectl query name.company.com
name.company.com: resolve call failed: 'name.company.com' not found
I do not get anything. If I try with nslookup like this
username@hostname:~$ nslookup
> server 172.20.1.16
Default server: 172.20.1.16
Address: 171.20.1.16#53
> name.company.com
Server: 172.20.1.16
Address: 172.20.1.16#53
Name: name.company.com
Address: 172.20.38.251
I get the correct answer. Since this was strange I traced the network traffic to see what nslookup does differently from resolvectl query.
It turned out that nslookup uses the VPN-assigned address as the source IP when asking DNS for a name. On the other hand, resolvectl query uses all the other addresses as source IP except the one assigned by the VPN. Because of that I guess the DNS server does not have a route to send the answer back to my computer correctly, or the DNS queries may not even reach the newly added DNS servers.
Because of that none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within a VPN with a domain name.
Does anybody have an idea how to make resolvectl realize there is a newly assigned VPN address, and that it should use it as the source IP? Should FortiClient do some additional configuration on establishing a connection? Probably not.
I tried to restart systemd-resolved after VPN is established, but it does not help. Should I restart some other service? Which one?
----------
Update:
I have checked how DNS is setup in network settings, and they are correct. Without VPN the network interface wlp1s0 shows:
username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS: 192.168.1.1
IP6.DNS: 2a00:ee0:d::13
IP6.DNS: 2a00:ee0:e::13
After VPN is connected:
username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS: 172.20.1.16
IP4.DNS: 172.20.1.21
username@hostname:~$ nmcli device show vpn | grep DNS
IP4.DNS: 172.20.1.16
IP4.DNS: 172.20.1.21
nobody
(1820 rep)
Apr 11, 2022, 01:46 PM
• Last activity: Aug 5, 2025, 04:01 AM
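What the two resolvectl dumps in the question actually say, as an added example that is not part of the original post: the script below parses the before and after output, mirrors systemd-resolved's per-link routing (a query goes to the link with the best matching routing domain, otherwise to every +DefaultRoute link), and prints the resolvectl dns / resolvectl domain commands that move the pushed resolvers and the company domain onto the vpn link. The abridged dumps, the link name vpn and the domain company.com are taken from the question; the proposed commands are this example's suggestion, not something the poster ran.

```python
# Added example (not from the original post): diagnose split DNS from two
# `resolvectl` dumps, one taken before and one after the VPN came up. BEFORE and
# AFTER are abridged from the question's output; the link name "vpn" and the
# domain "company.com" come from the question as well.
import re
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    default_route: bool = False
    servers: list = field(default_factory=list)
    domains: list = field(default_factory=list)  # a "~" prefix means routing-only


def parse_resolvectl(text):
    """Parse the per-link sections of `resolvectl` (status) output."""
    links, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:
            current = Link(m.group(1))
            links[current.name] = current
        elif line.startswith("Global"):
            current = None
        elif current is not None:
            key, _, value = line.partition(":")
            if key == "Protocols":
                current.default_route = "+DefaultRoute" in value
            elif key == "DNS Servers":
                current.servers = value.split()
            elif key == "DNS Domain":
                current.domains = [d for d in value.split() if d != "--"]
    return links


def links_for_query(links, name):
    """systemd-resolved's routing: the link with the longest matching domain wins;
    with no match every +DefaultRoute link is asked."""
    name, best, best_len = name.rstrip(".").lower(), [], -1
    for link in links.values():
        for dom in link.domains:
            d = dom.lstrip("~").lower()
            if name == d or name.endswith("." + d):
                if len(d) > best_len:
                    best, best_len = [link.name], len(d)
                elif len(d) == best_len:
                    best.append(link.name)
    return sorted(best) or sorted(l.name for l in links.values() if l.default_route)


def diagnose(before_text, after_text, vpn_link, domain):
    """Return (problems, resolvectl commands) that put the pushed servers and the
    company domain on the VPN link, so queries for it leave from the VPN address."""
    before, after = parse_resolvectl(before_text), parse_resolvectl(after_text)
    problems, fixes, pushed = [], [], []
    vpn = after.get(vpn_link)
    if vpn is None:
        return [f"no link named {vpn_link} after connecting"], fixes
    for name, link in after.items():
        old = before.get(name, Link(name)).servers
        new = [s for s in link.servers if s not in old and name != vpn_link]
        if new:
            problems.append(f"{name} gained DNS servers {' '.join(new)}; they belong on {vpn_link}")
            pushed += new
            if old:  # give the physical link its own resolvers back
                fixes.append(f"resolvectl dns {name} {' '.join(old)}")
    if not vpn.servers:
        problems.append(f"{vpn_link} has no DNS servers, so resolved never queries through the tunnel")
    if pushed:
        fixes.append(f"resolvectl dns {vpn_link} {' '.join(pushed)}")
    owners = links_for_query(after, "host." + domain)
    if vpn_link not in owners:
        problems.append(f"queries for *.{domain} are routed via {', '.join(owners) or 'no link'}")
        fixes.append(f"resolvectl domain {vpn_link} ~{domain}")
    return problems, fixes


BEFORE = """
Link 2 (enp2s0)
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp1s0)
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
DNS Domain: --
"""
AFTER = """
Link 2 (enp2s0)
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp1s0)
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
DNS Domain: company.com
Link 5 (vpn)
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
"""

if __name__ == "__main__":
    problems, fixes = diagnose(BEFORE, AFTER, "vpn", "company.com")
    print("\n".join(problems + fixes))
```

With the company resolvers and a routing-only domain (~company.com) on the vpn link, resolved sends queries for that domain out of the tunnel, from the tunnel's address, and sends everything else to the normal resolvers. That is also the less leaky shape of split DNS: the company resolvers see only company names, and the home resolver never sees them.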
0
votes
1
answers
2657
views
Make user made entries in /etc/hosts permanent
I use Juniper Networks Network Connect to connect to the office network. Once I am inside the office network, I check the server IPs and add entries for them in the /etc/hosts file like
10.199.xx.yy offi
When I come out of the VPN network into the public domain, Network Connect resets all changes it made and brings my /etc/hosts file to the state it was in before entering the network. I think this behaviour is Juniper Network Connect's expected behaviour as it adds an entry at the top of the hosts file like
# BEGIN hosts added by Network Connect
61.xx.yy.zz vpn.ip.com
# END hosts added by Network Connect
But in trying to reset its own entries, Network Connect resets the user-made entries as well.
I tried to make /etc/hosts immutable using chattr +i /etc/hosts, but that caused my VPN login to fail, as Network Connect exits if it fails to write into /etc/hosts.
user93868
Jul 30, 2015, 12:21 PM
• Last activity: Jul 28, 2025, 09:06 PM
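One way to keep your own entries alive across Network Connect's rewrites, as an added example that is not part of the original post: keep them in a marked block of your own and re-apply that block after every connect. The merge is idempotent, so it can run from whatever hook or timer you have, it leaves the Network Connect block and everything else untouched, and it validates each entry first, because a malformed hosts line silently hijacks a name. The marker strings, the made-up address 10.199.1.2 and the second hostname are this example's own; the Network Connect block layout is the one shown in the question.

```python
# Added example, not from the original post: re-apply a user-managed block to
# /etc/hosts after Network Connect has rewritten the file. The marker lines,
# 10.199.1.2 and "offi.corp.example" are made up for this example; the Network
# Connect block layout in SAMPLE is the one shown in the question.
import ipaddress
import os
import re

USER_BEGIN = "# BEGIN hosts managed by merge_hosts"
USER_END = "# END hosts managed by merge_hosts"
NC_END = "# END hosts added by Network Connect"
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$", re.IGNORECASE)


def format_entry(ip, names):
    """One hosts(5) line; garbage raises ValueError instead of landing in the file."""
    ipaddress.ip_address(ip)  # raises on anything that is not a literal address
    for name in names:
        if len(name) > 253 or not HOSTNAME.match(name):
            raise ValueError(f"bad hostname {name!r}")
    return f"{ip}\t{' '.join(names)}"


def is_valid(ip, names):
    try:
        format_entry(ip, names)
        return True
    except ValueError:
        return False


def merge_hosts(current, entries):
    """Return `current` with exactly one copy of our block, placed right after the
    Network Connect block when there is one, with every other line untouched."""
    lines = current.splitlines()
    if USER_BEGIN in lines and USER_END in lines:  # drop the stale copy, if any
        b, e = lines.index(USER_BEGIN), lines.index(USER_END)
        if b < e:
            del lines[b:e + 1]
    block = [USER_BEGIN, *(format_entry(ip, names) for ip, names in entries), USER_END]
    pos = lines.index(NC_END) + 1 if NC_END in lines else len(lines)
    lines[pos:pos] = block
    return "\n".join(lines) + "\n"


def apply(path, entries):
    """Rewrite `path` via a temp file and rename, so readers never see a torn file."""
    with open(path, encoding="utf-8") as fh:
        merged = merge_hosts(fh.read(), entries)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(merged)
    os.replace(tmp, path)


SAMPLE = """# BEGIN hosts added by Network Connect
61.xx.yy.zz vpn.ip.com
# END hosts added by Network Connect
127.0.0.1\tlocalhost
"""
ENTRIES = [("10.199.1.2", ["offi", "offi.corp.example"])]

if __name__ == "__main__":
    print(merge_hosts(SAMPLE, ENTRIES))
```

Run apply("/etc/hosts", ENTRIES) as root once Network Connect is up; because the result is the same no matter how often it runs, a cron entry or a post-connect hook is enough and chattr +i is not needed. Note that when Network Connect restores its pre-connect snapshot on disconnect, the block is gone again, which is the correct state for the public network anyway.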
0
votes
1
answers
3277
views
WireGuard Lan access does not work on Linux but on Mobile phone
I'm trying to get my laptop (which is running Fedora or Manjaro) to connect all the time to my Raspberry Pi with PiVPN.
I have set up the IP tables and also port forwarding.
I can access my Pi under 10.6.0.1 but not my normal subnet 192.168.0.0/24. On my mobile phone I can access my Local Lan from other networks, but not from my laptop.
I've generated the wg0.conf wireguard file from PiVPN and put it under /etc/wireguard. And it is working. But I can't access the Lan. It should route all traffic through the Pi.
I've tried adding more to the Allowed IPs but this didn't help either. I also added iptables rules in the conf file. Is it a problem with the OS or WireGuard?
I also can ping 10.6.0.1 (PI) from another network while being connected over WireGuard, but when I try to ping 196.168.178.35 (LAN PI) it says couldn't reach host.
Conf files:
Pi Server:
[Interface]
PrivateKey =
Address = 10.6.0.1/24
MTU = 1420
ListenPort =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.6.0.4/32
Client:
[Interface]
PrivateKey =
Address = 10.6.0.4/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
DNS = 10.6.0.1
[Peer]
PublicKey =
PresharedKey =
Endpoint = :
AllowedIPs = 0.0.0.0/0
PersistentKeepalive=30
iawegfib
(1 rep)
Jun 11, 2022, 07:47 PM
• Last activity: Jul 25, 2025, 03:03 AM
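How a packet from the laptop to a LAN host actually travels through the two configs above, as an added example that is not part of the original post: WireGuard's cryptokey routing uses AllowedIPs twice, on the sender to pick the peer a destination goes to, and on the receiver as an ingress filter that silently drops any packet whose inner source address is not in the sending peer's AllowedIPs. The script parses both wg-quick files, follows one packet, and says at which of those steps it can get stuck. The configs are the question's with the blank keys left blank; the LAN 192.168.0.0/24 and the probe addresses (including the 196.168.178.35 the question pings) also come from the question.

```python
# Added example, not from the original post: parse the two wg-quick configs and
# walk one packet through WireGuard's cryptokey routing. SERVER and CLIENT are the
# question's configs with the blank keys left blank; the LAN and the probe
# addresses are the question's too.
import ipaddress


def parse_wg(text):
    """Parse a wg-quick config into {"Interface": {...}, "Peers": [{...}, ...]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                conf["Peers"].append({})
                section = conf["Peers"][-1]
            else:
                section = conf.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        if section is not None:
            section[key.strip()] = value.strip()
    return conf


def peer_for(conf, addr):
    """Cryptokey routing: the peer whose AllowedIPs hold addr; most specific prefix wins."""
    addr, best, best_len = ipaddress.ip_address(addr), None, -1
    for peer in conf["Peers"]:
        for cidr in filter(None, (p.strip() for p in peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def explain(client, server, dst, lan):
    """Follow a packet from the client to dst and say where it can get stuck."""
    notes = []
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    out_peer = peer_for(client, dst)
    if out_peer is None:
        return [f"{dst}: no client AllowedIPs cover it, so it never enters wg0"]
    notes.append(f"{dst}: client sends it into wg0 (AllowedIPs {out_peer['AllowedIPs']})")
    # On receive the server checks the inner source address against the sending
    # peer's AllowedIPs; anything outside them is dropped silently, no ICMP, no log.
    if peer_for(server, str(client_ip)) is None:
        notes.append(f"server drops it: source {client_ip} is in no peer's AllowedIPs")
        return notes
    notes.append(f"server accepts source {client_ip} and hands it to its routing table")
    d = ipaddress.ip_address(dst)
    if d in ipaddress.ip_network(lan):
        notes.append(f"{dst} is on the LAN {lan}: needs ip_forward=1, a FORWARD accept "
                     f"and MASQUERADE (or a LAN route back to {client_ip})")
    elif d in ipaddress.ip_interface(server["Interface"]["Address"]).network:
        notes.append(f"{dst} is the server or another peer inside the tunnel")
    else:
        notes.append(f"{dst} is not on the LAN {lan}: it leaves by the server's default "
                     f"route, so check the address for a typo")
    return notes


SERVER = """
[Interface]
PrivateKey =
Address = 10.6.0.1/24
MTU = 1420
ListenPort =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.6.0.4/32
"""
CLIENT = """
[Interface]
PrivateKey =
Address = 10.6.0.4/24
DNS = 10.6.0.1
[Peer]
PublicKey =
PresharedKey =
Endpoint = :
AllowedIPs = 0.0.0.0/0
PersistentKeepalive=30
"""

if __name__ == "__main__":
    for dst in ("192.168.0.50", "196.168.178.35"):
        print("\n".join(explain(parse_wg(CLIENT), parse_wg(SERVER), dst, "192.168.0.0/24")))
```

With AllowedIPs = 0.0.0.0/0 the client already routes the whole LAN into the tunnel, so adding more prefixes there changes nothing; what matters is the server side (ip_forward, the FORWARD and MASQUERADE rules in PostUp, and the peer's AllowedIPs containing the client's tunnel address). The MASQUERADE/FORWARD PostUp lines copied into the client config do nothing useful on a laptop and can be removed. The run also shows why a ping to 196.168.178.35 cannot work: that address is outside the LAN, so the Pi forwards it to the Internet.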
1
votes
1
answers
2098
views
Manjaro - how to set in routing table that addresses to internet come out by specific IP?
I have a connection via VPN with my work. I know that internet connection (for example to 8.8.8.8) goes through my work network (only when I am connected to VPN).
How to configure ip tables to force that connections to internet (for example 8.8.8.8) avoid work network ?
Using @Julie's help in the comments I did manage to discover some options:
Nevertheless, after checking 'Use this connection only for resources...' I can't ping machines in VPN network.
Can you tell me how should I deal with it ? I guess that I should click 'Add' and set:
Address = address of some machine in VPN
Netmask = I can get it from ifconfig (in VPN interface)
Gateway - as in case of netmask
Metric - I have no idea?
Am I right ?

user188811
May 19, 2017, 04:25 PM
• Last activity: Jul 18, 2025, 07:04 PM
2
votes
1
answers
2313
views
Why doesn't Softether VPN Client's vpncmd connect to a specified server?
I installed Softether on Linux Mint Sonya, ran sudo ./vpnclient start, then I ran sudo ./vpncmd and then followed the instructions from this tutorial, pressing 2 for Management of a VPN client, then running remoteenable, then niccreate, "se" as adapter name, accountimport for the file from the tutorial (with changed-updated IP address and port, and changed japan0 name for japan4):
# VPN Client VPN Connection Setting File
#
# This file is exported using the VPN Client Manager.
# The contents of this file can be edited using a text editor.
#
# When this file is imported to the Client Connection Manager
# it can be used immediately.
declare root
{
bool CheckServerCert false
uint64 CreateDateTime 0
uint64 LastConnectDateTime 0
bool StartupAccount false
uint64 UpdateDateTime 0
declare ClientAuth
{
uint AuthType 0
string Username vpn
}
declare ClientOption
{
string AccountName japan4
uint AdditionalConnectionInterval 1
uint ConnectionDisconnectSpan 0
string DeviceName se
bool DisableQoS false
bool HalfConnection false
bool HideNicInfoWindow false
bool HideStatusWindow false
string Hostname 125.193.56.192
string HubName vpngate
uint MaxConnection 1
bool NoRoutingTracking false
bool NoTls1 false
bool NoUdpAcceleration false
uint NumRetry 4294967295
uint Port 1369
uint PortUDP 0
string ProxyName $
byte ProxyPassword $
uint ProxyPort 0
uint ProxyType 0
string ProxyUsername $
bool RequireBridgeRoutingMode false
bool RequireMonitorMode false
uint RetryInterval 15
bool UseCompress false
bool UseEncrypt true
}
}
Till here, everything was OK, but then, when I type accountconnect and japan4 as the account name, and then type accountlist, it seems that the status of an account is always "connectING", not "connectED", as in the example in the tutorial, and the VPN doesn't work. I want to know why. How can I set up my own account for a given server from this list, affiliated with the official SoftEther creators, not importing accounts created by others? In general, how to connect this stuff?
NiHao92
(141 rep)
Jul 23, 2017, 05:01 AM
• Last activity: Jul 18, 2025, 12:09 PM
1
votes
1
answers
3099
views
nslookup gets SERVFAIL but not in Windows
There's a nameserver 10.92.131.26 on my work VPN, and it appears to get configured on my machine when I connect to our anyconnect VPN server. When I run nslookup server on my Linux workstation, I get a SERVFAIL for it:
;; Got SERVFAIL reply from 10.92.131.26, trying next server
Server: 10.50.177.208
Address: 10.50.177.208#53
** server can't find server: SERVFAIL
But when I open a Windows VM within my workstation and run nslookup, it succeeds for the very same nameserver.
Default Server: a.company.domain
Address: 10.92.131.26
Why is this?
---
**TMI: Why do I care?** At work, our MFA system applies extra restrictions when I attempt to access certain of the company websites using my Linux workstation, but I don't experience these restrictions when I boot to Windows, nor when I attempt from a Windows VM from within my Linux system. (And I can't satisfy these extra restrictions because I.T. appears not to have planned on anyone actually encountering them legitimately.)
I.T. tells me:
> Normally this is due to an issue with the VPN routing to [our] servers... Try it in Google Chrome if it still doesn't work as Firefox sometimes uses its own DNS to resolve addresses so it can cause this error where Chrome will just work.
...And indeed, their assertion seems well founded: in the Windows VM, my connection attempts through Chrome succeed, and my attempts through FF do not. Still, my attempts on my Linux host do not work at all.
I wonder if my attempts from Linux will succeed if I can get my Linux machine to use 10.92.131.26 for its nameserver.
---
**Outputs**
**Update:** as requested, here are the outputs of netstat -rn on each machine. They're pretty long, so I'm just linking pastebins: [on Linux](https://pastebin.com/H2GZQhxU), [on Windows](https://pastebin.com/rdhrjWfV)
Here's a tracert 10.92.131.26 from the Windows VM:
Tracing route to 10.92.131.26 over a maximum of 30 hops
1 29 ms 27 ms 25 ms 192.168.100.1
2 35 ms 31 ms 33 ms 173.36.212.117
3 35 ms 34 ms 29 ms 50.216.158.108
4 41 ms 35 ms 37 ms 10.92.131.26
Trace complete.
Jellicle
(420 rep)
Jan 28, 2022, 05:04 PM
• Last activity: Jul 11, 2025, 01:03 AM
1
votes
1
answers
3059
views
VPS: How to forward traffic to devices from public IP
My goal is to set up a public IP for a Android Smartphone which is running an "IP Cam" software. The interface can be accessed in local network on (example) 192.168.0.2:8080, but it has no public IP, as it should also work in the 3G network.
I know there are services which offer a VPN with static dedicated addresses; the free one I found offers only PPTP with IPv6 (didn't work).
The rest of them offer IPv4 for a much higher cost than an actual VPS at Host1Plus with the lowest specs, so I went with this. At least I can practice and/or use the VPS for other projects. I followed this tutorial.
Now I am at the point where I created a new user, assigned a static VPN Address in the OpenVPN Admin Panel to the account, and logged in with my device.
Everything works so far. My android device gets the public IP of the VPS while browsing.
I can ping the device's private VPN IP in the ssh terminal of the VPS.
What is the next step?
I tried [this](https://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html), but it doesn't really work. I am lost at this point. I never did anything with routes or forwarding.
If I enter the public VPS IP right now, I get the openVPN Login Form as before. If I enter [PublicVPSIP]:8080 I get a "Server not reachable etc." error.
At the end it should work like this.
Android (running some service at port 8080) (VPN IP: 1.2.3.4)
▼
connects via openVPN to my VPS
▼
VPS (running openVPN Server) (Public IP: 123.123.123.123)
▼
Traffic from visitor at 123.123.123.123:8080 should be redirected/forwarded to my android device. (1.2.3.4:8080)
Georg91
(11 rep)
Apr 3, 2015, 03:35 PM
• Last activity: Jul 5, 2025, 08:07 AM
4
votes
1
answers
7128
views
L2TP/IPSec VPN on Debian 10 without Network Manager
I have 2 computers - both on Debian 10. I need to connect them both to the same remote VPN server. One has a desktop manager (with Network Manager), and the other does not. I will refer to the one with the desktop manager as Debian GUI and the other as Debian Server.
I have successfully connected Debian GUI to the remote VPN server using Network Manager, however I am stuck unable to connect Debian Server to the remote VPN server.
Here are the Network Manager settings, with details modified for privacy:
My LAN IP address on client PC before turning on the VPN: 192.168.0.1
VPN Type: TTL2TP VPN
VPN Gateway public IP address: 100.100.100.100
Remote network domain: mywindowsdomain
Remote network username: me
Remote network password: mypassword
Enable IPSec tunnel to L2TP host: yes
Pre-shared key: mypresharedkey
Phase 1 Algorithms: aes256-md5-modp1024
Phase 2 Algorithms: aes256-md5
Enforce UDP encapsulation: yes
L2TP PPP authentication: MS Chap v2
Allow BSD data compression: yes
Allow deflate compression: yes
Use TCP header compression: yes
Use protocol field compression negotiation: yes
Use address/control compression: yes
MTU: 1400
MRU: 1400
These are the only settings I used in Network Manager, and I am able to successfully connect to the remote VPN server on Debian GUI. However I have been unable to do the same on Debian Server. In Debian Server I installed strongswan and xl2tpd. I don't care which client I use as long as I can get it working, these were just the ones I found available in Debian 10. I attempted to configure them like so:
$ cat /etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = 100.100.100.100
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
$ cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
$ cat /etc/ipsec.secrets
include /var/lib/strongswan/ipsec.secrets.inc
192.168.0.1 100.100.100.100 : PSK "mypresharedkey"
$ cat /etc/ipsec.conf
config setup
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
nat_traversal=yes
protostack=netkey
plutoopts="--interface=eth0"
strictcrlpolicy=yes
uniqueids = no
conn L2TP-PSK
pfs=no
auto=add
authby=secret
# phase 1
keyexchange=ikev1
ike=aes256-md5-modp1024
# phase 2
esp=aes256-md5
forceencaps=yes
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
type=tunnel
left=192.168.0.1
leftprotoport=17/1701
right=100.100.100.100
rightprotoport=17/1701
include /var/lib/strongswan/ipsec.conf.inc
$ cat /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
nobsdcomp
nodeflate
noccp
noauth
idle 1800
mtu 1400
mru 1400
defaultroute
usepeerdns
debug
connect-delay 5000
name mywindowsdomain\\me
password mypassword
$ cat /etc/strongswan.conf
charon {
# this line commented out on 2020-11-19
#load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
Let me know if any files needed to diagnose this issue are missing and I can add their contents here.
Then I started everything and got the following results:
$ sudo systemctl restart xl2tpd.service
$ sudo systemctl status xl2tpd.service
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
Loaded: loaded (/etc/init.d/xl2tpd; generated)
Active: active (running) since Thu 2020-11-19 21:13:41 ACDT; 12s ago
Docs: man:systemd-sysv-generator(8)
Process: 11111 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 4915)
Memory: 876.0K
CGroup: /system.slice/xl2tpd.service
└─11112 /usr/sbin/xl2tpd
$ sudo systemctl restart strongswan.service
$ sudo systemctl status strongswan.service
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-11-19 21:17:16 ACDT; 9s ago
Main PID: 11113 (starter)
Tasks: 18 (limit: 4915)
Memory: 3.4M
CGroup: /system.slice/strongswan.service
├─11114 /usr/lib/ipsec/starter --daemon charon --nofork
└─11115 /usr/lib/ipsec/charon
$ # all good so far i guess, but then this fails:
$ sudo ipsec up L2TP-PSK
initiating Main Mode IKE_SA L2TP-PSK to 100.100.100.100
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.1 to 100.100.100.100 (240 bytes)
received packet: from 100.100.100.100 to 192.168.0.1 (188 bytes)
parsed ID_PROT response 0 [ SA V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received unknown vendor ID: 88:77:44:11:55:aa:66:88:cc:aa:22:dd:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.1 to 100.100.100.100 (236 bytes)
received packet: from 100.100.100.100 to 192.168.0.1 (220 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.1 to 100.100.100.100 (92 bytes)
received packet: from 100.100.100.100 to 192.168.0.1 (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA L2TP-PSK established between 192.168.0.1[192.168.0.1]...100.100.100.100[100.100.100.100]
scheduling reauthentication in 28017s
maximum IKE_SA lifetime 28557s
generating QUICK_MODE request 3034622638 [ HASH SA No ID ID ]
sending packet: from 192.168.0.1 to 100.100.100.100 (204 bytes)
received packet: from 100.100.100.100 to 192.168.0.1 (76 bytes)
parsed INFORMATIONAL_V1 request 3102838840 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'L2TP-PSK' failed
Sources I used (I have tried a lot of combinations):
https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup
https://github.com/xelerance/Openswan/wiki/L2tp-ipsec-configuration-using-openswan-and-xl2tpd
http://manpages.ubuntu.com/manpages/bionic/man5/ipsec.conf.5.html
mulllhausen
(2751 rep)
Nov 19, 2020, 11:00 AM
• Last activity: Jul 2, 2025, 02:05 PM
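The log above gets through Phase 1 and then receives NO_PROPOSAL_CHOSEN in Quick Mode, which is where the IPsec mode and the ESP proposal are negotiated. The ipsec.conf in the question carries two things worth checking mechanically: the conn has type=transport followed by type=tunnel, and L2TP over IPsec (protoport 17/1701) is a transport-mode protocol; and the proposals use MD5 and 1024-bit DH. The linter below, an added example that is not part of the original post, parses ipsec.conf into its sections, reports repeated keys, flags weak IKE/ESP algorithm names, and checks the L2TP/transport-mode rule. It assumes that for a repeated key the later value is the effective one, which is what a plain key=value parser gives (confirm with ipsec statusall on the strongSwan version in use), and the OPENSWAN_ONLY keyword list and the WEAK table are this example's own, to be checked against ipsec.conf(5). SAMPLE is the question's ipsec.conf.

```python
# Added example, not from the original post: a small linter for strongSwan's
# ipsec.conf. WEAK and OPENSWAN_ONLY are this example's assumptions; the "later
# value wins" rule for repeated keys is assumed too. SAMPLE is the question's file.
import re

WEAK = {
    "md5": "MD5 (HMAC-MD5-96) integrity/PRF",
    "sha1": "SHA-1 integrity",
    "modp768": "768-bit DH",
    "modp1024": "1024-bit DH (group 2)",
    "3des": "3DES",
    "des": "single DES",
    "null": "NULL encryption",
}
OPENSWAN_ONLY = {"virtual_private", "protostack", "plutoopts", "plutodebug", "nat_traversal"}


def parse_ipsec_conf(text):
    """Return {section: [(key, value), ...]} keeping duplicate keys in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        m = re.match(r"(conn|config|ca)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def lint_section(entries):
    findings, effective = [], {}
    for key, value in entries:
        if key in effective and effective[key] != value:
            findings.append(f"duplicate key {key}: '{effective[key]}' then '{value}', the later wins")
        effective[key] = value
        if key in OPENSWAN_ONLY:
            findings.append(f"{key} is an Openswan keyword, strongSwan does not use it")
        if key in ("ike", "esp"):  # proposals look like aes256-md5-modp1024[,...][!]
            for alg in re.split(r"[-,]", value):
                if alg.rstrip("!") in WEAK:
                    findings.append(f"{key}={value}: {WEAK[alg.rstrip('!')]} is weak")
    ports = {effective.get("leftprotoport"), effective.get("rightprotoport")}
    if "17/1701" in ports and effective.get("type", "tunnel") != "transport":
        findings.append("L2TP/IPsec (protoport 17/1701) needs type=transport, "
                        f"effective type is {effective.get('type', 'tunnel')}")
    return findings


def lint(text):
    return {name: lint_section(entries) for name, entries in parse_ipsec_conf(text).items()}


SAMPLE = """config setup
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
nat_traversal=yes
protostack=netkey
plutoopts="--interface=eth0"
strictcrlpolicy=yes
uniqueids = no
conn L2TP-PSK
pfs=no
auto=add
authby=secret
keyexchange=ikev1
ike=aes256-md5-modp1024
esp=aes256-md5
forceencaps=yes
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
type=tunnel
left=192.168.0.1
leftprotoport=17/1701
right=100.100.100.100
rightprotoport=17/1701
"""

if __name__ == "__main__":
    for section, findings in lint(SAMPLE).items():
        for finding in findings:
            print(f"{section}: {finding}")
```

The first thing to try on Debian Server is therefore a single type=transport line in the conn. The weak-algorithm findings are a separate matter: the proposal has to match what the gateway offers, and the Network Manager settings show it accepts aes256-md5-modp1024, so changing it unilaterally will only produce another NO_PROPOSAL_CHOSEN; the finding is something to take to whoever runs the gateway.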
4
votes
1
answers
3077
views
Routing traffic through VPN using Raspberry PI
I have a setup like this:
- Raspberry Pi connected to router via LAN cable
- Created a bridged connection between eth0 and wlan0
- Using hostapd for a Wi-Fi hotspot
- Configured l2tp/ipsec connection with one of my servers online
An Issue I am having & goal:
- Goal is to have this Raspberry Pi as a Wi-Fi router that would route all traffic coming via Wi-Fi through my VPN
- **Issue I am having** is that Raspberry Pi is using the VPN tunnel when I do curl, but all Wi-Fi guests connected do not get the VPN IP.
Interface example:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether b8:27:eb:21:2b:9a brd ff:ff:ff:ff:ff:ff
3: br0: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether b8:27:eb:21:2b:9a brd ff:ff:ff:ff:ff:ff
inet 192.168.1.7/24 brd 192.168.1.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe21:2b9a/64 scope link
valid_lft forever preferred_lft forever
4: wlan0: mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether b8:27:eb:74:7e:cf brd ff:ff:ff:ff:ff:ff
6: ppp0: mtu 1280 qdisc pfifo_fast state UNKNOWN group default qlen 3
link/ppp
inet 192.168.42.11 peer 192.168.42.1/32 scope global ppp0
valid_lft forever preferred_lft forever
Routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 br0
45.36.81.212 192.168.1.1 255.255.255.255 UGH 0 0 0 br0
63.126.53.74 192.168.1.1 255.255.255.255 UGH 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.42.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
45.36.81.212 is my VPN
63.126.53.74 is my own local public IP
(ips have been slightly changed for obvious reasons).
OS: Raspbian
Would forwarding wlan0 to ppp0 do the trick, or do I need to tamper with br0?
py9
(141 rep)
Nov 8, 2018, 12:43 AM
• Last activity: Jun 26, 2025, 09:07 AM
0
votes
0
answers
49
views
Determining origin of SSH traffic being blocked
I have a simple SSH jump host sitting at a remote site. I could connect without issue for the first two weeks. But now initiating a session seems to fail *unless I use a proxy*.
jump host ------- ISP A -------------------------- ISP B ---------- my workstation
Port 55555 is properly forwarded through ISP A. The connection simply times out.
ssh -vvv -p 55555 XX.XX.XX.XX
OpenSSH_9.2p1 Debian-2+deb12u3, OpenSSL 3.0.15 3 Sep 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname XX.XX.XX.XX is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/mansomean/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/mansomean/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 55555.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: connect to address XX.XX.XX.XX port 55555: Connection timed out
ssh: connect to host XX.XX.XX.XX port 55555: Connection timed out
If I push it over a VPN, for example, the connection is immediately accepted. It is only accepted so long as it does *not* originate from my public IP at ISP B.
Is there a way I can determine whether ISP B (or A) is blocking this traffic?
And why were there no connectivity issues in the first two weeks?
ManSoMean
(111 rep)
Dec 7, 2024, 06:06 PM
• Last activity: Jun 25, 2025, 06:22 AM
1
votes
0
answers
53
views
Zerotier in initramfs
Currently, I use Zerotier combined with SSH on Debian 12 successfully and reliably.
The server is encrypted FDE cryptsetup/LUKS2 and requires a password after each restart.
I would like to use dropbear-initramfs for entering the password remotely, but I also need Zerotier to start in the initramfs (before Dropbear), because the home server does not have a public IP.
How to add Zerotier to Initramfs?
DarekH
(157 rep)
Jun 24, 2025, 07:13 PM
1
votes
1
answers
35
views
Traffic not passed to the local TCP/IP stack for ipsec tun made with ip xfrm over netns
I have a simple netns setup
ip netns del ns1
ip netns del ns2
ip netns add ns1
ip netns add ns2
ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip link set veth2 netns ns2
ip netns exec ns1 ip addr add 10.1.1.1/24 dev veth1
ip netns exec ns2 ip addr add 10.1.1.2/24 dev veth2
ip netns exec ns1 ip addr add 10.1.2.1/24 dev veth1
ip netns exec ns2 ip addr add 10.1.2.2/24 dev veth2
ip netns exec ns1 ip link set veth1 up
ip netns exec ns2 ip link set veth2 up
ip netns exec ns1 ip link set lo up
ip netns exec ns2 ip link set lo up
I need to send ICMP requests/replies over an IPsec tunnel I create with netlink socket apis (or equivalently ip xfrm):
ns2                          ||                          ns1
                             ||
10.1.2.2 TUN end             ||                 10.1.2.1 TUN end
    |                        ||                        |
10.1.1.2 ---> |=====================|----ICMP echo req----> 10.1.1.1
                             ||
                             ||
sudo ip netns exec ns1 tcpdump -nli veth1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:23:53.374316 IP 10.1.2.2 > 10.1.2.1: ESP(spi=0x00000001,seq=0x11), length 132
17:23:53.374316 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 52684, seq 1, length 64
Unfortunately I can't see the ICMP echo reply, no matter what I do.
I've also made the same attempts over TCP with netcat: again I see the incoming decoded "syn" packet, but this is not propagated locally to the application listening socket whatsoever. Can you help me figure what might be going wrong?
I've checked all the forwarding flags in proc in either of the two net namespaces and the default one; everything seems ok so far.
EDIT:
With the command sudo ip netns exec ns1 ip xfrm monitor, for every packet sent I see the following:
Async event (0x20) timer expired
src 10.1.2.2 dst 10.1.2.1 reqid 0x1 protocol esp SPI 0x1
The xfrm_lifetime_cfg is configured as follows for both policy and sa:
pol->lft.soft_byte_limit = XFRM_INF;
pol->lft.hard_byte_limit = XFRM_INF;
pol->lft.soft_packet_limit = XFRM_INF;
pol->lft.hard_packet_limit = XFRM_INF;
pol->lft.soft_add_expires_seconds = 0;
pol->lft.hard_add_expires_seconds = 0;
pol->lft.soft_use_expires_seconds = 0;
pol->lft.hard_use_expires_seconds = 0;
sa->lft.soft_byte_limit = XFRM_INF;
sa->lft.hard_byte_limit = XFRM_INF;
sa->lft.soft_packet_limit = XFRM_INF;
sa->lft.hard_packet_limit = XFRM_INF;
sa->lft.soft_add_expires_seconds = 0;
sa->lft.hard_add_expires_seconds = 0;
sa->lft.soft_use_expires_seconds = 0;
sa->lft.hard_use_expires_seconds = 0;
EDIT2:
After trial and error, I managed to make it work by installing the policy with

```
sudo ip netns exec ns1 ip xfrm policy add dir in src 10.1.1.2/32 dst 10.1.1.1/32 tmpl src 10.1.2.2 dst 10.1.2.1 proto esp mode tunnel reqid 1
```

The fun fact is that the resulting policy is IDENTICAL:

```
src 10.1.1.2/32 dst 10.1.1.1/32
dir in priority 0 flag icmp
tmpl src 10.1.2.2 dst 10.1.2.1
proto esp reqid 1 mode tunnel
```
Riccardo Manfrin
(111 rep)
Jun 16, 2025, 09:36 AM
• Last activity: Jun 23, 2025, 08:34 PM
3
votes
1
answers
4405
views
Set up nftables to only allow connections through a vpn and block all ipv6 traffic
I am trying to set up an nftables firewall on my Arch Linux distribution that only allows traffic through a VPN (and blocks all IPv6 traffic in order to prevent any IPv6 leaks).
I have been playing around with it for a while now and ended up with a configuration that lets me browse the web, even though, as far as I understand nftables so far, it should not let me do that. The ruleset is pretty short and looks like this:

```
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        jump base_checks
        ip saddr VPN_IP_ADRESS udp sport openvpn accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ip daddr VPN_IP_ADRESS udp dport openvpn accept
        oifname "tun0" accept
    }
    chain base_checks {
        ct state { related, established } accept
        ct state invalid drop
    }
}
```

I tried to find my way through with trial and error and had many other rules in there, but with just this, I am able to connect to the VPN server first and then browse the web. Once I remove the last rule from the output chain though, it won't let me browse the web anymore.
I am completely new to this and pretty much overall clueless, trying to learn. Unfortunately, the documentation on nftables is not that extensive, so I am kind of stuck at the moment.
From what I understand so far, this setup should allow making a connection to the VPN but it should not allow any other incoming traffic, yet I can browse the web without problems.
Does anyone know why it works and how I should proceed with the setup of nftables to get a more complete setup?
user246093
(41 rep)
Aug 11, 2017, 02:18 PM
• Last activity: Jun 17, 2025, 09:06 PM
0
votes
0
answers
67
views
Cannot redirect host port 53 to allow VPN client connections to host port 53
I have Pi-hole in rootless Podman on port 1053 and WireGuard and OpenVPN servers (not in Podman) on the same host (Debian bookworm).
I am trying to redirect port 53 to 1053. It works for other hosts in the LAN, but doesn't work for WireGuard and OpenVPN clients.
Tried:

1) `sudo iptables -w -t nat -A PREROUTING -d 192.168.1.100 -p udp --dport 53 -j REDIRECT --to-ports 1053`

From another host in the LAN:

```
dig @192.168.1.100 google.com # ok.
```

From a WireGuard client (IP 10.10.0.2):

```
dig @192.168.1.100 -p 1053 google.com # ok;
dig @192.168.1.100 google.com # connection timed out;
nc -v -n -u 192.168.1.100 53 # nothing.
```

2) `sudo socat UDP4-LISTEN:53,reuseaddr,fork,su=nobody UDP4:192.168.1.100:1053,reuseaddr`

From another host in the LAN: all ok.

From a WireGuard client:

```
dig # the same results as above.
nc -v -n -u 192.168.1.100 53 # Connection succeeded.
```
Kamrad2011
(1 rep)
Nov 8, 2024, 01:07 PM
• Last activity: Jun 17, 2025, 05:30 AM
0
votes
0
answers
539
views
Proxy or VPN behind the router
I have a home network behind a router, and I’m running a proxy server with ports forwarded through the router. Some clients connect to the Internet via my proxy, but there's a small problem — sometimes they cannot send files through email or HTML forms (I’m using Squid as the proxy).
I tried to set up a PPTP VPN using PoPToP, but when connecting through my router, I encountered error 619.
The server is running Fedora 16. What is the best way to provide Internet access to the clients — using a VPN, a different proxy configuration, or something else?
skayred
(163 rep)
Dec 15, 2011, 06:54 AM
• Last activity: Jun 16, 2025, 05:39 AM
0
votes
1
answers
2512
views
Hamachi login failed on Debian Wheezy
I am trying to use Hamachi on Debian (Wheezy 7.8) with an ARM architecture.
Whenever I try to login, it fails:
```
# hamachi login
Logging in ..... failed
```
I tried this command on another Ubuntu machine and it's working fine.
I downloaded the latest Hamachi version from this page and installed `logmein-hamachi_2.1.0.139-1_armhf.deb`.
Romain
(125 rep)
Aug 26, 2015, 09:31 AM
• Last activity: Jun 13, 2025, 07:03 PM
0
votes
1
answers
42
views
Arch Linux VPN Issue
I am an Arch Linux user from Russia, so some websites are not working for me. I tried a VPN app (Proton VPN), Firefox VPNs and others, but none of them work! Is there any solution for me?
Praef
(51 rep)
Jun 4, 2025, 08:05 AM
• Last activity: Jun 4, 2025, 10:32 AM
1
votes
1
answers
28
views
Routing through a non-adjacent host in a virtual network
I have a WireGuard virtual network. Three hosts on the network: A, B and R.
Only the host R has a static public IP, so both hosts A and B connect to the host R to connect to the virtual network.
Hosts A and R are directly connected, but hosts A and B are not — the packets have to be routed through the host R.
### Problem
I want to route packets from host A through the host B, without configuring the routing table of the host R.
Example:
To send a packet from host A to a public host with IP 1.1.1.1:

```
Host A -> Host R -> Host B -> (through B's public interface) -> 1.1.1.1
```
One possible solution is to create another WireGuard network between the hosts A and B, inside the original virtual network, and then route the same way I would route from host A through R, but that looks redundant. Are there other solutions? Thank you.
### What I have tried
Assume VPN subnet: 10.78.1.0/24

- Host R: 10.78.1.1
- Host A: 10.78.1.2
- Host B: 10.78.1.3
- VPN interface on host A: wg

I tried adding a route on host A (also adding AllowedIPs in the WireGuard config):

```
ip route add 1.1.1.1 via 10.78.1.3 dev wg
```

But the packets never reach host B: the packets are routed according to the routing table of host R, and that is to route immediately through host R's public interface.
I presume that is because host R does not receive any information about the preferred next route. Is there any way to give host R such information?
g00dds
(173 rep)
Jun 3, 2025, 02:39 PM
• Last activity: Jun 3, 2025, 09:45 PM
5
votes
1
answers
2647
views
How do I configure OpenVPN as a Gateway client for Witopia?
I have the following setup:
* Witopia SSL account
* Synology 409 NAS (with OpenVPN and Apache etc)
* PS3
* Mac
* Apple AirPort router (configured for NAT)
* Locked IPT-box (using DHCP and NAT traversing)
```
Internet
   |
Router (192.168.0.1)
   |
   |--NAS
   |--Mac
   |--PS3
   |--IPT-box
```
Requirements:
1. The NAS should handle the VPN connection with Witopia.
2. All connections originating outside the Router and that are routed to the NAS or Mac should reach their target. Nothing originating from outside should enter the VPN tunnel.
3. All connections that originate behind the router and are "aimed specifically" at the NAS should reach it and not be hijacked by the VPN tunnel (NFS, SMB, HTTP etc.).
4. Connections that originate from applications on the NAS and terminate anywhere outside the router should go through the VPN tunnel.
5. All connections from the PS3 that terminate outside the router should go through the tunnel. Connections from the PS3 to the NAS (SMB, NFS, DLNA etc.) should not go through the tunnel, but be served by the NAS.
6. All connections to and from the IPT-box should go directly via the router, not the tunnel.
Is this possible with the hardware that I already have? How and where should I configure it?
/BE
Björn
(151 rep)
Feb 25, 2011, 02:52 PM
• Last activity: Jun 3, 2025, 06:04 AM