pistrong's People

Contributors

gitbls

pistrong's Issues

Pistrong on Pi with wireguard and openvpn

I have a Pi4b acting as wireguard host and openvpn host using standard ports forwarded from an edgerouter bridged to a 5g LTE modem. Wg for simplicity and openvpn on TCP as UDP can be blocked. When nothing else works a commercial IKEv2 connection to a paid VPN provider gets through.
I have used Pistrong to add IKEv2 to this Pi, but with the firewall rules provided with Pistrong, wg and openvpn apparently connect but there is no traffic. If these rules are disabled wg and openvpn are working as expected.
I don't know much about iptables, can you point me to a route around this problem?

iOS Devices Can't Connect To VPN/Pistrong

So for about two years (close to one and a half?) now, I've been using pistrong to access my files & Pi at home, but now I'm having a bit of trouble with getting it to work. I recently got an iPad and I tried adding it as a device & installed the certs but it doesn't work. I got all the certs to install properly and I actually can connect to it (like the little VPN icon shows up), but I can't access anything (terminal, webpages, files, etc.) as it just says it can't connect to the server/server issue. And my iPhone also stopped allowing me to connect (or same with the iPad, as in the VPN icon pops up and says I'm connected, but I can't do anything). Interestingly, my Windows device & cert remained intact so I suspect it's something specific pertaining to the iOS connection/cert.

I opened up a similar issue about two years ago (Closed Issue #10), and I tried retracing all the steps I took, but perhaps something changed with iOS certifications through an iOS update that caused this issue (like the switch to iPadOS instead of iOS)? Or maybe I messed up somewhere along the process?

Here are the devices listed (as you can see, the 2021 certs are from when I first set up Pistrong, and the 2023 cert is the newest one, ignore the ethan-iphone11):

And here's the command I used to set up the new device (iPad):

And this is off-topic, but I remember when I first worked with you on this, you mentioned a paid SSH application on iOS/iPadOS that was pretty good and I never got the chance to check it out. I can't seem to find it after searching through #10 and the emails we exchanged, so I was hoping if you still remember/use it, could you let me know what it is? Thanks!

smtpuser

Hi. I'm trying to configure pistrong with an external smtp server, but it appears that maybe the smtp user configuration value is not fully implemented? This is the error message I'm getting. I looked briefly at the code as well and there are only a couple references to the smtpuser parameter.

pi@swan:/etc/swanctl/pistrong $ sudo pistrong config --smtpuser [email protected]
usage: pistrong [-h]
{config,createca,deleteca,showcert,makevpncert,makecacert,showca,listca,add,delete,revoke,list,resend,service,client,help,version}
...
pistrong: error: unrecognized arguments: --smtpuser [email protected]
pi@swan:/etc/swanctl/pistrong $

Site to Site Tunnel Routing issues?

I have 2 networks that I'm trying to connect with LAN ranges 192.168.1.0/24 and 192.168.0.0/24. Both networks have an RPi running pistrong and it looks like the tunnel is established correctly. I can ping between the networks from the pi's themselves but no dice when trying from another node on the network which leads me to believe it's a routing issue.

Running sudo iptables -t nat --list on each pi gives the following:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  $therange       anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  $therange       anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

$therange is the range of the other end of the tunnel.

Running sudo iptables -L -v on each end gives the following:
From pi @ 192.168.1.10

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   252 ACCEPT     all  --  eth0   any     192.168.0.0/24       192.168.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
    3   252 ACCEPT     all  --  any    eth0    192.168.1.0/24       192.168.0.0/24       policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

From pi @ 192.168.0.10

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   any     192.168.1.0/24       192.168.0.0/24       policy match dir in pol ipsec reqid 1 proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.0.0/24       192.168.1.0/24       policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

I know I'm probably just overlooking something simple. Any ideas why I can't reach the other side of the tunnel from other nodes?

client install fails

Raspberry Pi OS 32-bit Bullseye with Desktop
Install pistrong script on client and run it. Install finishes normally. OK.
Reboot pi
copy zip file raspi1-linux.zip to pi
sudo pistrong client install raspi1-linux.zip
fails
Archive: raspi1-linux.zip
caution: filename not matched: pistrong-vpn-installer
Traceback (most recent call last):
  File "/usr/local/bin/pistrong", line 1411, in <module>
    args.func(pd, args)
  File "/usr/local/bin/pistrong", line 1164, in cmd_client
    client_cmd_actions[args.action][0](pd, args)
  File "/usr/local/bin/pistrong", line 1126, in cmd_client_install
    os.chmod(ufn, 0o755)
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/pistrongnv0dsy_0/pistrong-vpn-installer'

Pistrong Setup Help (VPN Server Local LAN Subnet/Can't Detect Gateway IP Address)

This was originally a thread from: https://forums.raspberrypi.com/viewtopic.php?p=1951935#p1951935

But basically, I'm trying to set up Pistrong as a VPN I can tunnel through to my Pi on my phone/computer outside my home network for SSH & SFTP (Samba). I've already installed Pistrong and set up port forwarding on my Pi through my router's settings but am stuck on trying to set up the CA (Certification authority?). I'm running the makeMyCA script through terminal and am getting stuck at the part where it asks for my VPN Server Local LAN Subnet. I've already tried entering the subnet (from command ip a in terminal) with no success and saying that 'No IP Address is assigned to network device my router/gateway's IP address'.

Though one thing I'm confused about is what is the difference between my 'eth0' and 'lo' IP addresses? I know eth0 is ethernet but what exactly is 'lo'? From what I can gather from Google, it's some kind of loopback address that communicates with my Pi? Not sure what exactly the use for that is, but I entered both my 'eth0' and 'lo' IP addresses during the makeMyCA session/script with the same error message on VPN Server Local LAN Subnet.

I also have a suspicion it's because I set up DDNS incorrectly (using no-ip), but I'm not too sure. For my IPv4 address, I entered in what I got from echo "$(curl -s 'dynupdate.no-ip.com/ip.php')" but I'm not sure if I need to do any more setup on that end. I've port forwarded ports 500 & 4500 already but do I need to configure anything extra in my router/gateway settings (like static IP, private from pool/fixed private lan assignment, etc?)

Site to Site VPN on same subnet

Running the makeTunnel script says the following: "NOTE: LocalNet1 and LocalNet2 cannot be the same subnet (e.g., 192.168.1.0/24 on both networks)"

I'm trying to implement a site to site tunnel with both ends on the same subnet 192.168.1.0/24. Would it be possible if the routers on both ends used non-colliding IP ranges?
e.g. LocalNet1 Router DHCP range 192.168.1.2-128
LocalNet2 Router DHCP range 192.168.1.129-255
