I’ve been treating my blog as if it is some kind of publication that can only push updates that have been heavily edited and carefully crafted. I’ve been doing this for a few years.
That’s been more stifling than I realized. I start to write something here, decide it’s not interesting or “worth writing a whole blog about”, and walk away. I don’t know when I let this get so precious, but I did, and it’s YEARS overdue for a return to the early days, the Old Internet, before the Bad Place was so big and influential on how we spent time online. I also noticed that so much of what I put into the world online is on platforms I don’t own, subject to the whims of an unaccountable, byzantine algorithm. Who am I writing for, anyway? Me? Readers? A stupid algorithm that actively works to fuck me (and not in the good way)?
So I posted this on Facebook already, since that’s where the people are, but I’m also posting it here to break this cycle of But That Isn’t Important or whatever else gets in between me and using my blog that I’ve worked so hard on for twenty years.
So with that, this post is an ask for technical support. Just a basic, straightforward, “Hey, Internet, can someone help me out here?” And before you ask, yes, I have turned it off and back on again.
Internet, I need some assistance, and I hope one of you can help me out.
I use ProtonVPN for everything (and so should you). It Just Works(tm) as far as anonymizing my connection goes, but I keep running into problems on my LAN.
The machine I’m typing on is named Bela. Bela has no trouble connecting to the Internet using the VPN. But when I try to use the printer, it can’t find it unless I turn the VPN off. Same thing if I attempt to access my NAS (though the NAS issue is greater: even with the VPN off, my Desktop (Nemo, on Linux Mint) can’t connect to the NAS).
I thought it would be simple to tell my machine “Hey, use the VPN when you talk to the Internet, but when you talk to the LAN, just ignore it.” I figured there was some way to edit a hosts file to accomplish this?
Well, this is where I have been stuck, and where I feel a little dumb. Everything I look up online solves a similar problem but not mine.
I’m sure there is some simple, three lines in a .conf file solution to this, but I can’t find it. Can anyone help me?
Here, as a thank you, I offer this trip (in every sense of the word) down memory lane:
Did you try turning it off and back on again? 🙂 I think you would need a static IP as the computer on the VPN isn’t on the LAN any more?
Hi Will, I use the ProtonVPN too and have the same issue. This isn’t the best solution, but instead of using the ethernet cable to connect to my printer, I use a USB cable to plug directly into the computer. There has to be a better workaround. But I haven’t found it yet. The folks at Proton are very helpful if you write them about the issue.
Greetings and salutations-
I will probably not be the only one to make suggestions, but I can share what worked for me. My situation: ProtonVPN and a local network. If ProtonVPN was active, I couldn’t see things on the local network and they would not react to pings. There are two solutions that worked for me; hopefully one will work for you.
I installed ProtonVPN on my router, it was relatively easy. The instructions can be found by using your preferred search engine and looking for “Guide to installing Proton VPN on different routers”. The plus side is it protects everything on your network. Some streaming services don’t like VPNs, so be aware.
The other option is using two network interfaces on the same computer. Using that, one can set a metric for which network should be checked first to see if the device exists on that network. I have it check my home network first and then the big Internet second. The second network is the one that I enable ProtonVPN for. I have not attempted it for Linux, as solution 1 addressed that issue for me.
Hope that helped.
Bradford
Hi Wil,
I believe you can do this by enabling the split tunneling feature in the ProtonVPN settings and then excluding the printer’s IP address so that your printer traffic is not routed through the VPN. It should also work for the NAS–in theory at least! Good luck.
This. This is the answer. Split tunneling will allow you to use the local interface for local stuff and proton for everything else.
Docs for split tunneling with Proton are here : https://protonvpn.com/support/protonvpn-split-tunneling
Wil, when you follow those instructions, what you will want to do is when you get to step 2, choose Exclude apps/IPs from using VPN tunnel, and in step 3, choose to Add IPv4 Address +. This will now require the IP Address(es) of your local machines/network. That should allow your machine to get to the printer and NAS.
Now, for Nemo’s issues with getting to the NAS, that can be a little more complicated, since it depends on how access to the NAS is supposed to work. Usually, this is through SMB (Windows-style file sharing) or NFS (Network File System). So it depends on which you are using, or if it is something else entirely.
This may help. When you connect to your VPN, I suspect your host table loses track of where things are. https://docs.rackspace.com/docs/modify-your-hosts-file
Use “Split Tunnel”: it is an option you will find in all OSes when configuring the VPN network adapter.
I hadn’t considered this, but will now. I have a similar issue and I’ve just been lazy and drop off my VPN when I want to print something. I believe the issue is that your printer (and NAS, etc.) are connected to your local network, so you can hit them when you’re not rerouting all traffic through a VPN. But when you route through the VPN, that traffic can’t find its way back into your network to your printer (and that’s good). Looks like split tunnelling is the right approach as it’ll let you direct traffic meant for local network devices to those without routing through the VPN while still handling all other traffic through the VPN as you should.
My ignorant and IT-lazy workaround for this problem may sound stupid, but when using a VPN, I just “Save to PDF”, and then print later when on my LAN.
If you haven’t ever done a deep dive on these guys, the original is from a band called 7 Seconds of Love. They’re irreverent and wonderful, if a bit dated. You should check them out.
The option for split tunneling is documented here for ProtonVPN:
https :// protonvpn DOT com/support/protonvpn-split-tunneling ( broken apart to prevent it from getting eaten by the Akismet anti-spam filter )
This is the answer. (I came here to say ‘split tunneling’ but now I don’t need to.) As far as Facebook goes, you have to lean into the fucking. I’m in the midst of a multi-year plan to convince it I’m a bot.
…I miss the sponge monkeys…
Seems silly to some, but default behavior is to put the VPN connection (which is just basically another network interface like your Ethernet or Wi-Fi, as far as most stuff on your system is concerned) at the highest priority level. So, when you look for something on your LAN, it goes to your VPN connection and looks for it there, which will obviously fail.
There should be an option in your VPN software (along the lines of “split tunnel”) which will allow LAN access simultaneously with VPN access. I’m not familiar with ProtonVPN but I have run into the same exact thing with my work VPN (GlobalProtect) — and in that case I had to get the IT guys to switch it for me because I’m not allowed to do it myself.
I’m not a network person per se, but here are my thoughts.
The most straightforward way to configure this may be within the VPN software configuration, rather than your system configuration. What I think you need to do is tell it to pass through (or ignore) traffic that goes to your LAN. You may have to give it the network and the netmask. So depending on what IP range your router/NAT thingy gives you from its DHCP, it’ll be 192.168.0.0/16 (that may not be quite right; I’m a little rusty). I know that my work VPN is configured to ONLY tunnel traffic that goes to sites at work, and leaves other traffic alone; so I would guess if you have reasonable control over the VPN itself and it has reasonable control granularity, that might work.
If you can’t get the VPN to do what you want, my next guess if I were you would be to try to route around the VPN with your routing table? It’s been a decade since I’ve tried to do that, and the commands change from time to time, but it may be that the VPN only pays attention to stuff that goes to a certain network device (from the routing table point of view). So you may need to define a second virtual Ethernet device, or something like that, and set up routing so that traffic to your LAN gets routed to eth1, and traffic elsewhere goes to the default route to eth0, which is the one that goes to the router and thus the VPN manipulates.
I’m not familiar with the foibles of NASs (I had to look the abbreviation up). My first guess would be to do the usual stuff. Configure an explicit IP address and route to it to make sure your computer can see it. Maybe program its MAC address into your router’s DHCP table so that it doesn’t get a dynamic IP address, but a static one; that will at least make the debugging easier. Dynamic IP addresses are great, most of the time, but sometimes things just work better if you nail them down.
I’ve been reading your blog off and on for all the 20+ years you’ve been writing it. Keep it up. I do admit I click through from Facebook frequently; I’m there a couple of times a week because there are people in my family for whom that’s my only contact.
Good luck with your VPN, take care.
Craig Steffen
(now trading at @fsodn at youtube)
I like Martin’s answer.
Hey Wil,
Great to see you post on the blog again! I was surprised to see it pop up in my RSS feed (p.s. Newsblur is awesome!).
My thoughts on posting on your blog. Just take a look at Pluralistic, Doctorow’s blog (which I’m sure you already know about). He still posts to social media, but readers can always just go to https://pluralistic.net/ and get an ad-free, tracking-free read of his work. It’s great. I hope you keep posting here. Even if it’s short and you think it’s “not worthy”.
As to your VPN issue. I use Mullvad VPN, https://mullvad.net/en . It has a setting called Local Network Sharing which I have turned on. It basically allows access outside the VPN tunnel to anything on the LAN and private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, etc).
I looked around the ProtonVPN site for anything on that type of setting and couldn’t find anything but according to this Reddit post (https://www.reddit.com/r/ProtonVPN/comments/16vg1i4/vpn_interfering_with_local_lan_connections/ ) there is a setting called “allow LAN connections” that needs to be turned on.
HTH.
Tyler
Me, just reading this post, knowing nothing about tech stuff like this: Tralala, do do do, yeppers I definitely can offer no help to Wil. Best just close the tab and-
Then you had to go and metaphorically whack me in the brain with the damn spongmonkeys. And even though it’s the Quizno’s ad, my brain is gonna be singing the “We like the moooooon/cause it is close to us” song All. Damn. Day. How dare you. 🙂
What you’re trying to do is set up a “static route”. When you configure a VPN it does stuff with your route/gateway configuration to send outgoing traffic through the tunX virtual network adapter (i.e. the VPN). So you need to tell it to ignore that default for specific IP addresses (or ranges of IPs).
Given that you are using Linux Mint, I’m guessing that you have a NetworkManager system tray applet that you can use to do things like connect to WiFi, etc. If not, you might be able to find this under Settings.
This page might not match exactly what you have on your desktop, but if not, hopefully it can help get you pointed in the right direction:
https://askubuntu.com/questions/84516/how-to-set-routes-for-my-vpn-connection
What you probably want to do is add a route for the subnet managed by your router. That way if your computer wants to talk to anything else on your home network, it doesn’t try (and fail) to do so from the VPN.
You’ll need to know a few things:
Network address
Netmask
Gateway
If you’re not certain on these, you can view them from the router configuration web UI.
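The comments above describe the same mechanism three ways: the VPN's tunnel interface wins the default route, a static route for the router's subnet sends LAN traffic out the physical interface instead, and a "Local Network Sharing" style setting does that for all of the RFC 1918 private ranges. The following Python is an added example (my own, not code from the post, ProtonVPN or any commenter) that simulates the kernel's longest-prefix route selection so you can see why the printer disappears and why a single LAN route brings it back. Interface names (tun0, wlan0), the VPN gateway 10.2.0.1, the LAN 192.168.1.0/24 and the printer and web addresses are all constructed for illustration; the real ProtonVPN client may additionally use policy routing or a kill-switch firewall, which this model does not cover.

```python
"""Added example (not from the post or its comments): why a VPN default
route hides LAN devices, and how a static route for the LAN subnet fixes it.
All addresses and interface names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 private ranges: what a "Local Network Sharing" / "Allow LAN
# connections" style setting exempts from the tunnel.
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_private(address: str) -> bool:
    """True if the address is in an RFC 1918 range (LAN-side, not Internet)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]  # None for a directly connected (on-link) route
    metric: int = 100


def route_lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Pick the route the kernel would: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def lan_route(network_address: str, netmask: str, gateway: str, iface: str) -> Route:
    """Build the static LAN route from the three values the router's UI shows."""
    net = ipaddress.ip_network(f"{network_address}/{netmask}", strict=False)
    # Lower metric than the tunnel so it is preferred if prefixes ever tie.
    return Route(net, iface, gateway, metric=50)


def ip_route_command(route: Route) -> str:
    """Render the route as the `ip route add` line you'd type on Linux Mint."""
    via = f" via {route.gateway}" if route.gateway else ""
    return f"sudo ip route add {route.network}{via} dev {route.iface} metric {route.metric}"


# Constructed table for a laptop with the VPN up: the client installs a
# default route through tun0 whose metric beats the Wi-Fi default route,
# so every packet, LAN-bound or not, leaves through the tunnel.
VPN_UP = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun0", "10.2.0.1", metric=50),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", "192.168.1.1", metric=600),
]

PRINTER = "192.168.1.50"  # constructed LAN printer
WEB = "93.184.216.34"     # constructed public host


def fixed_table(table: List[Route]) -> List[Route]:
    """The same table after adding the LAN route the commenters suggest."""
    return table + [lan_route("192.168.1.0", "255.255.255.0", "192.168.1.1", "wlan0")]


if __name__ == "__main__":
    for label, table in (("VPN only", VPN_UP), ("VPN + LAN route", fixed_table(VPN_UP))):
        for dest in (PRINTER, WEB):
            r = route_lookup(table, dest)
            print(f"{label:16} {dest:15} private={is_private(dest)!s:5} -> {r.iface}")
    print(ip_route_command(fixed_table(VPN_UP)[-1]))
```

Run it and the printer address goes to tun0 with the VPN-only table and to wlan0 once the /24 route exists, while the public address keeps using the tunnel in both cases, which is exactly the split the commenters are after. The `netmask` value is passed through `strict=False` so a host-style entry such as 192.168.1.23/255.255.255.0 still collapses to the right network.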
I have no idea how to solve your problem, but it does my soul good to see someone using the internet for the good, old-fashioned purpose of asking a whole big group of people for help, knowing that the solution is somewhere in that community of minds.
(I was going to say “asking the general internet public,” but of course that would include a lot of people and/or bots whose responses would be very unhelpful.)
This reminds me of the good old internet days which Catherynne M. Valente described so poignantly in her essay, Stop Talking to Each Other and Start Buying Things.
Possibly instead of running ProtonVPN you could run a browser with an integrated VPN like Opera or Brave. Then your machine would only be masked online and not to your LAN or NAS.
Several people already mentioned split-tunneling, which could help. But I use ProtonVPN and I didn’t need it to access my LAN.
Now, this might sound obvious, but sometimes we ignore the obvious, have you tried to access those devices by IP or only by their network name? I ask because the VPN on the computer will use the VPN’s DNS server and that might override any local DNS (it overrides my pi-hole) and probably (although I haven’t tested) the hosts file.
I run my VPN on my main router/AP, a Turris Omnia running OpenWRT-based TurrisOS, which provides simplified access and support to configure a robust security environment, including secure TurrisOS updates. My ISP interface has its WiFi node disabled, and connects to the router via wired Ethernet. This means 100% of my internet traffic, from all wired and wireless devices, goes through the router and VPN, not just traffic from my own PC. I have multiple tablets, notebooks, eReaders and other devices I like to use, many of which don’t support my preferred VPN, so I’d need a centralized VPN anyway. Only my main laptop and phone have their own VPN installed, mainly for travel, and they are not active at home.
All my IoT stuff (including Alexa, my security system, my Home Assistant server, and a bazillion “smart” devices) runs on a separate LAN & WLAN in a DMZ on the same router, connecting via a separate VPN. I’m slowly moving as much as I can to be cloud-free, and the few cloud dependencies I have remaining (such as Alexa) are kept far from everything else. Even my EV is on the DMZ WiFi when at home. I also have a small Guest WLAN, but that’s normally disabled, activated only when the need arises.
I had once tried segmenting all traffic into multiple VLANs with separate security configurations, but it proved too cumbersome to manage effectively, accidentally creating more security issues than it fixed. I think the combination of a Home network, DMZ network and a Guest network is as close to optimal as I can get with reasonably low effort/hassle.
Trying this to get subscribed
ProtonVPN (at least on my Mac) has a preference under “Connection” called “Allow LAN Connections”, which is another way of controlling split tunneling. However, that setting doesn’t do anything on mine: toggling the setting, restarting the session, and restarting the client don’t change its behavior at all. This might be a question for Proton:
^C— 192.168.1.5 ping statistics —
376 packets transmitted, 376 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.408/0.943/113.923/5.843 ms
(Long time….)
Dude, I’ve got nothing. But let me tell you how lovely it is to see an email notifying me of a new post on WWdN! I quit FB, and the algorithm never showed me your posts promptly anyway, so I welcome this return to the old ways. I will not end my comment in a stream of random zeros and ones, though – I still harbor anxiety that one of my strings back in the day (and I know I wasn’t the only one who did that to separate replies to other comments) was what borked WWdN.
Lovely to see you back here, Wil.
I don’t use ProtonVPN, but I’m guessing the problem is that since you’re likely running the VPN on your computer, it’s effectively blocking the rest of the LAN where your printer lives. If what others are saying is true, I guess it has a feature to create the tunneling you need for each side (that split tunneling feature). Sounds like an easier solution than creating a bridge to the network (e.g., adding a new adapter to put you on the LAN via a separate network connection).
For the NAS, I figure it’s the same issue though not sure why your desktop is having issues. It could be how the NAS is configured but it’s hard to say without knowing what it is. If the NAS is geared towards Windows environments it could be the endpoint you need to hit is a bit different? You may have to check SMB (I think the linux client is smbclient?) to see if it can see the NAS…
My two cents. More of a general tech guy than a network IT guy though I usually do the whole banging my head against the internet thing to figure things out when I’m not familiar with whatever it is. 🙂
openssl, it’s your private network. More and more VPNs don’t think about local and think you don’t need them…
I just came here to bemusedly observe that Wheaton quoting Star Wars at me is mildly jarring in a “Don’t cross the streams” kind of way.