Saturday, December 27, 2025

Asking for Help Using a Raspberry Pi as VPN Client


Hey! After recently upgrading my internet, I noticed that my UDR could not keep up with the maximum speed when using it as a VPN client. I wanted to use an old Raspberry Pi 5 as a client, as it should be fast enough to handle this task. I have spent the last two days trying to get it to work, but to no avail; no amount of Claude or Gemini could help...

I use different VLANs; for now I'll just focus on the server VLAN 10 and the client VLAN 15. I run NixOS on all my systems, including the Pi. Here is the current WireGuard configuration block:

    wg-quick.interfaces = {
      wg0 = {
        address = [ "10.2.0.2/32" ];
        dns = [ "9.9.9.9" ];
        mtu = 1320;
        privateKeyFile = config.sops.secrets."wireguard/proton/private_key".path;
        postUp = ''
          # 1. Route for internal 10.x.x.x traffic (Avoids the VPN)
          ${pkgs.iproute2}/bin/ip route add 10.0.0.0/8 via 10.10.0.1 dev end0 || true
        '';
        postDown = ''
          # Cleanup everything on shutdown/restart
          ${pkgs.iproute2}/bin/ip route del 10.0.0.0/8 via 10.10.0.1 dev end0 || true
        '';
        peers = [
          {
            publicKey = "P1QvY9fC6v7kb2jI4jQMhHpMKHgKrMR1u/XFVezJ4ys=";
            allowedIPs = [ "0.0.0.0/0" "::/0" ];
            endpoint = "154.47.19.213:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };

This configuration works correctly and still allows access from my local network.

Furthermore,

    boot.kernel.sysctl = {
      "net.ipv4.ip_forward" = 1;
      "net.ipv4.conf.all.rp_filter" = 0;
      "net.ipv4.conf.default.rp_filter" = 0;
      "net.ipv4.conf.vlan15.rp_filter" = 0;
      "net.ipv4.conf.end0.rp_filter" = 0;
    };

Here is the config for my network adapters:

    vlans = {
      vlan15 = {
        id = 15;
        interface = "end0";
      };
    };

    # Use DHCP on the ethernet interface
    interfaces = {
      end0.useDHCP = true; # RPi5 ethernet interface
      vlan15 = {
        ipv4.addresses = [
          { address = "10.15.0.5"; prefixLength = 24; }
        ];
      };
    };

Lastly, I created a script to create rules on the UDR, as I don't think this can be done using the GUI (please correct me if I'm wrong!)

    #!/bin/sh

    cleanup() {
        echo "Cleaning up VPN routing rules..."

        # Remove ip rules and per-VLAN routing tables
        for vlan in 10 15 25 30 45; do
            ip rule del priority 20$vlan 2>/dev/null
            ip rule del fwmark $vlan priority 20$vlan 2>/dev/null
            ip route flush table $vlan 2>/dev/null
        done
        ip rule del priority 500 2>/dev/null
        ip rule del priority 1000 2>/dev/null

        # Remove iptables rules
        iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
        iptables -D FORWARD -s 10.15.0.55 -d 10.15.0.5 -j ACCEPT 2>/dev/null

        # Remove mangle table marks
        for vlan in 15 25 30 45; do
            iptables -t mangle -D PREROUTING -s 10.$vlan.0.0/24 -m conntrack --ctstate NEW -j MARK --set-mark $vlan 2>/dev/null
            iptables -t mangle -D PREROUTING -s 10.$vlan.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j MARK --set-mark $vlan 2>/dev/null
        done
    }

    if [ "$1" = "stop" ]; then
        cleanup
        exit 0
    fi

    # Clean slate
    cleanup

    # CRITICAL: Allow ALL ESTABLISHED/RELATED before policy routing interferes
    iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LOCAL BYPASS - traffic TO local networks stays in main table
    ip rule add to 10.0.0.0/8 lookup main priority 500

    # Universal Local Bypass - traffic FROM local TO local stays in main table
    ip rule add from 10.0.0.0/8 to 10.0.0.0/8 lookup main priority 1000

    # Create Specific VLAN Tables with connection marking
    for vlan in 15 25 30 45; do
        # Mark ALL packets from this VLAN (NEW and ESTABLISHED)
        iptables -t mangle -A PREROUTING -s 10.$vlan.0.0/24 -m conntrack --ctstate NEW -j MARK --set-mark $vlan
        iptables -t mangle -A PREROUTING -s 10.$vlan.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j MARK --set-mark $vlan

        # Route based on mark (not source IP)
        ip rule add fwmark $vlan lookup $vlan priority 20$vlan

        # Default route in VLAN table goes to Sentinel
        ip route add default via 10.$vlan.0.5 dev br$vlan table $vlan
    done

    echo "Symmetric VPN Policy Routing Applied with Connection Marking"
    echo "Rules applied for VLANs: 15, 25, 30, 45"

I tried every solution the LLMs threw at me: various MTU values, MSS clamping, disabling rp_filter, explicitly allowing established/related rules in the forward chain, ...

Claude summarises my problem as follows:

"The setup involves a Raspberry Pi 5 (NixOS) acting as a VPN gateway for specific VLANs behind a Unifi Dream Router. The VPN connection works perfectly on the Pi itself, and clients can successfully ping websites (DNS resolves, ICMP works). However, HTTP/HTTPS traffic fails - tcpdump shows that TCP handshakes appear to complete on the client side (SYN/SYN-ACK/ACK observed), but the Pi never receives the ACK or subsequent data packets even though the router's tcpdump confirms it's receiving them from clients. Connections get stuck in SYN_RECV state on the Pi. The router appears to be dropping packets after the initial SYN despite policy routing rules with connection marking (fwmark) that should forward all traffic from the VLAN to the Pi."
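The symptom in the post, a router that forwards the client's SYN but not the ACK that follows, is what Linux conntrack produces whenever only one direction of a TCP handshake passes through the box, and the post's mangle rules depend on conntrack state to assign the fwmark. The following is an added example for illustration, not code from the post, from UniFi or from NixOS: a simplified model of the kernel's TCP conntrack transition table (the SYN, SYN-ACK and ACK rows of tcp_conntracks[] in nf_conntrack_proto_tcp.c) run over two constructed packet sequences as the UDR would see them, with the post's own marking policy for VLAN 15 applied to each packet. The server address, the Packet and Flow classes, and the assumption that the Pi's SYN-ACK reaches the client directly on the shared VLAN without passing the router are mine.

```python
"""
Simplified model of the Linux conntrack TCP state machine, applied to a
handshake as the router sees it.  Added example; not code from the post,
from UniFi or from NixOS.  Packet sequences and addresses are constructed,
and TRANSITIONS is a subset of the kernel's tcp_conntracks[] table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# conntrack TCP states used here (kernel abbreviations: sNO, sSS, sSR, sES, sIV, sIG)
NONE, SYN_SENT, SYN_RECV, ESTABLISHED, INVALID, IGNORE = (
    "NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "INVALID", "IGNORE")
NEW = "NEW"  # ctstate label for an entry that has not yet seen a reply

# next_state = TRANSITIONS[(direction, flags)][current_state]; any combination
# that is not listed is INVALID, which is how the kernel treats an ACK in the
# original direction while the entry is still in SYN_SENT.
TRANSITIONS = {
    ("orig", "SYN"):      {NONE: SYN_SENT, SYN_SENT: SYN_SENT,
                           SYN_RECV: IGNORE, ESTABLISHED: IGNORE},
    ("reply", "SYN-ACK"): {SYN_SENT: SYN_RECV, SYN_RECV: IGNORE, ESTABLISHED: IGNORE},
    ("orig", "ACK"):      {SYN_RECV: ESTABLISHED, ESTABLISHED: ESTABLISHED},
    ("reply", "ACK"):     {SYN_SENT: IGNORE, SYN_RECV: SYN_RECV, ESTABLISHED: ESTABLISHED},
}


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class Flow:
    """One conntrack entry; the first packet defines the original direction."""
    orig_src: str
    orig_dst: str
    state: str = NONE
    seen_reply: bool = False


def track(packets):
    """Run packets through the state machine and return, per packet, the ctstate
    that `-m conntrack --ctstate` would see on the router: NEW, ESTABLISHED or INVALID."""
    flow = None
    out = []
    for pkt in packets:
        if flow is None:
            flow = Flow(pkt.src, pkt.dst)
        direction = "orig" if (pkt.src, pkt.dst) == (flow.orig_src, flow.orig_dst) else "reply"
        nxt = TRANSITIONS.get((direction, pkt.flags), {}).get(flow.state, INVALID)
        if nxt == INVALID:
            # conntrack detaches from the packet: it matches neither NEW nor ESTABLISHED
            out.append((pkt, INVALID))
            continue
        if nxt != IGNORE:
            flow.state = nxt
        if direction == "reply":
            flow.seen_reply = True
        # NEW until a reply has been seen, ESTABLISHED once both directions have
        out.append((pkt, ESTABLISHED if flow.seen_reply else NEW))
    return out


VLAN = 15
VLAN_NET = ip_network("10.15.0.0/24")


def fwmark(pkt, ctstate):
    """The two mangle rules from the post, for VLAN 15: mark NEW and
    ESTABLISHED/RELATED packets sourced from the VLAN with the VLAN number."""
    if ip_address(pkt.src) in VLAN_NET and ctstate in (NEW, ESTABLISHED, "RELATED"):
        return VLAN
    return None  # unmarked: the fwmark rule does not fire, the main table routes it


CLIENT = "10.15.0.55"    # VLAN 15 client address taken from the post's script
SERVER = "203.0.113.10"  # constructed public web server (TEST-NET-3)

# Case A: both directions traverse the router.
SYMMETRIC = [Packet(CLIENT, SERVER, "SYN"),
             Packet(SERVER, CLIENT, "SYN-ACK"),
             Packet(CLIENT, SERVER, "ACK")]
# Case B (assumed path): the Pi answers the client directly on the shared VLAN,
# so the router sees the SYN and the ACK but never the SYN-ACK in between.
ASYMMETRIC = [Packet(CLIENT, SERVER, "SYN"),
              Packet(CLIENT, SERVER, "ACK")]


def summarize(packets):
    """(flags, ctstate, fwmark) for each packet, in order."""
    return [(p.flags, st, fwmark(p, st)) for p, st in track(packets)]


if __name__ == "__main__":
    for name, seq in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name)
        for flags, st, mark in summarize(seq):
            route = f"table {mark}" if mark else "main table"
            print(f"  {flags:8s} ctstate={st:12s} -> {route}")
```

In the asymmetric case the client's ACK arrives while the router's entry is still in SYN_SENT, which the kernel table maps to invalid; the packet then matches neither `--ctstate NEW` nor `ESTABLISHED,RELATED`, gets no fwmark, and is routed by the main table rather than table 15, so the Pi never sees it. The practical check on the router is to list the conntrack entries for the client's flows (for example with `conntrack -L`) while a handshake is in progress and confirm whether they ever leave SYN_SENT; the usual remedy is to make both directions traverse the router, for instance by giving the Pi's LAN side its own transit subnet instead of an address inside the client VLAN.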

