"Network: SymmetricNAT" problem
Re: "Network: SymmetricNAT" problem
I2P-over-VPN doesn't work well and you shouldn't do it if at all possible. We report symmetric NAT because the VPN is doing symmetric NAT stuff. If you have to use VPN, and it works, then ignore it saying symmetric NAT, and have fun.
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
On that note, I think there is a way to exclude VPN from specific programs (or, rather, enable it for specific processes).
There is a feature in the kernel called network namespaces (netns). It allows creating separate spaces with different network interfaces.
The plan is like this:
- Create a netns with the command `ip netns add`
- After the VPN is up, move the tun/tap interface of the VPN (typically called tun0, or wg0, or something like that [but definitely not wlan0, eth0, wlp..., enp..., because those are usually physical interfaces]) into the netns, with `ip link set <tun interface> netns <netns name>`.
- Launch specific programs, for which you want to enable VPN, in the netns, with `ip netns exec`, or attach processes with `ip netns attach`.
- When you want to clean up, remove the netns with `ip netns delete`.
(i haven't actually tried myself, because i haven't used vpn since switching to linux, but this seems like it should work)
That is the rough plan, please consult the man pages [ip-link(8), ip-netns(8), etc.] for details.
If you wanted to run everything except I2P through the VPN, you would need to attach everything (or at least the programs that are internet-connected) except the I2P process to the netns.
Linux namespaces are an amazing containment and isolation feature.
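The plan from the post above, written out as a script. This is an added example, not part of the original post and not tested by its author. The namespace name `vpnns`, the interface `wg0` and the address `10.2.0.2/32` are constructed sample values, and the address and route steps are an addition the post does not list: an interface loses its addresses and routes when it changes namespace.

```shell
#!/bin/sh
# Added example: per-application VPN via a network namespace (run as root).
# vpnns, wg0 and 10.2.0.2/32 are constructed sample values; use your own.

# The post's caveat as a check: never move what looks like a physical NIC.
looks_physical() {
    case "$1" in
        lo|eth*|wlan*|wlp*|enp*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the setup commands in order without running anything.
# Moving an interface into another namespace drops its addresses and routes,
# so they are configured again inside the namespace.
# Assumes an L3 tunnel (tun/WireGuard); a tap device would need a gateway.
plan() {
    ns=$1; iface=$2; addr=$3
    if looks_physical "$iface"; then
        echo "refusing to move $iface: looks like a physical interface" >&2
        return 1
    fi
    cat <<EOF
ip netns add $ns
ip link set $iface netns $ns
ip -n $ns link set lo up
ip -n $ns addr add $addr dev $iface
ip -n $ns link set $iface up
ip -n $ns route add default dev $iface
EOF
}

# Run the plan, stopping at the first command that fails.
apply() {
    cmds=$(plan "$@") || return 1
    printf '%s\n' "$cmds" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Start one program inside the namespace as an unprivileged user.
run_in_ns() { ns=$1; user=$2; shift 2; ip netns exec "$ns" sudo -u "$user" -- "$@"; }

# Remove the namespace when done.
teardown() { ip netns delete "$1"; }

# Usage: sh netns-vpn.sh apply vpnns wg0 10.2.0.2/32
if [ "${1:-}" = "apply" ]; then shift; apply "$@"; fi
```

Programs started with `run_in_ns` see only the tunnel and loopback, so they have no path to the network if the VPN drops. `ip netns exec` uses `/etc/netns/<name>/resolv.conf` as the namespace's resolver file when it exists, which is where the VPN's DNS server belongs.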
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
This seems to be lots of work. I am getting "Network: OK" when the VPN is turned off and "Network: SymmetricNAT" when the VPN is turned on. I consulted the VPN company and will see what they say.

> anikey wrote: ↑14 Aug 2024 22:00
> On that note, I think there is a way to exclude VPN from specific programs (or, rather, enable it for specific processes).
> There is a feature in the kernel called network namespaces (netns). It allows creating separate spaces with different network interfaces.
> The plan is like this:
> - Create a netns with the command `ip netns add`
> - After the VPN is up, move the tun/tap interface of the VPN (typically called tun0, or wg0, or something like that [but definitely not wlan0, eth0, wlp..., enp..., because those are usually physical interfaces]) into the netns, with `ip link set <tun interface> netns <netns name>`.
> - Launch specific programs, for which you want to enable VPN, in the netns, with `ip netns exec`, or attach processes with `ip netns attach`.
> - When you want to clean up, remove the netns with `ip netns delete`.
> (i haven't actually tried myself, because i haven't used vpn since switching to linux, but this seems like it should work)
> That is the rough plan, please consult the man pages [ip-link(8), ip-netns(8), etc.] for details.
> If you wanted to run everything except I2P through the VPN, you would need to attach everything (or at least the programs that are internet-connected) except the I2P process to the netns.
> Linux namespaces are an amazing containment and isolation feature.

I tried excluding the i2p processes from the VPN app but it does not seem to be working, i excluded:
/usr/bin/java-service-wrapper
and
/usr/lib/jvm/java-21-openjdk/bin/java
Re: "Network: SymmetricNAT" problem
> I tried excluding the i2p processes from the VPN app but it does not seem to be working, i excluded:
> /usr/bin/java-service-wrapper
> and
> /usr/lib/jvm/java-21-openjdk/bin/java

Which VPN protocol are you using? Not all of them support split tunneling, I would imagine that if you're using one of those this would have little effect.
1337z.i2p
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
I was using WireGuard. The app has an option to use OpenVPN.

> 1337s wrote: ↑09 Oct 2024 22:54
> > I tried excluding the i2p processes from the VPN app but it does not seem to be working, i excluded:
> > /usr/bin/java-service-wrapper
> > and
> > /usr/lib/jvm/java-21-openjdk/bin/java
>
> Which VPN protocol are you using? Not all of them support split tunneling, I would imagine that if you're using one of those this would have little effect.

I am now using the VPN as a browser extension instead of system wide VPN via the desktop app. This makes me run i2p without a VPN and use only the VPN in the browser. The disadvantage is that all the other desktop app or system updates will not use the VPN.
Re: "Network: SymmetricNAT" problem
Try connecting to the VPN using the built-in software in your OS and select protocol PPOE and do not force DNS over remote gateway.

> AntibodyMama wrote: ↑09 Oct 2024 23:19
> I was using WireGuard. The app has an option to use OpenVPN.
> > 1337s wrote: ↑09 Oct 2024 22:54
> > > I tried excluding the i2p processes from the VPN app but it does not seem to be working, i excluded:
> > > /usr/bin/java-service-wrapper
> > > and
> > > /usr/lib/jvm/java-21-openjdk/bin/java
> >
> > Which VPN protocol are you using? Not all of them support split tunneling, I would imagine that if you're using one of those this would have little effect.
>
> I am now using the VPN as a browser extension instead of system wide VPN via the desktop app. This makes me run i2p without a VPN and use only the VPN in the browser. The disadvantage is that all the other desktop app or system updates will not use the VPN.

1337z.i2p
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
I used port forwarding in my router and i am getting "Network: OK", everything seems to be working fine now.
The VPN is not used tho.
I used the port from my UDP configuration in WAN and LAN ports, also the LAN host has my device mac address.
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
(Update)
I switched to another ISP but they are using CGNAT, so normal port forwarding will not work, nor UPnP.
I connected to the VPN and requested port forwarding from the VPN, then i added that port i got from the VPN in the I2P Network settings for both UDP and TCP.
Everything seems to be working perfectly and Network: OK.
Now my VPN works well with I2P without the need to Split Tunnel.
- AntibodyMama
- Posts: 34
- Joined: 18 Jun 2024 20:45
Re: "Network: SymmetricNAT" problem
(Update)
The port forwarding via the VPN is working fine, except that the port provided by the VPN keeps changing, and i had to go to the Network configs every time and update it, which is annoying.
Still trying to figure out how can i fix this.