Initial commit: StreamFlow IPTV platform

docs/VPN_TROUBLESHOOTING.md

@@ -0,0 +1,288 @@
+# VPN Implementation & Troubleshooting Guide
+
+## Overview
+This document explains the ProtonVPN integration, common issues, and how to diagnose and fix IP/DNS leaks.
+
+## Architecture
+
+### How It Works
+1. **OpenVPN in Docker**: OpenVPN runs inside the Docker container with `NET_ADMIN` and `NET_RAW` capabilities
+2. **TUN Interface**: Creates a virtual network interface (`tun0`) for VPN traffic
+3. **DNS Override**: Updates `/etc/resolv.conf` with ProtonVPN DNS servers (10.2.0.1, 10.2.0.2)
+4. **Traffic Routing**: All container traffic is routed through the VPN tunnel
+5. **Kill Switch**: Iptables rules prevent traffic from leaking outside VPN
+
+## Common Issues & Solutions
+
+### Issue 1: Real IP Address Visible
+**Symptoms**: When connected to VPN, checking IP shows your real IP instead of VPN IP
+
+**Causes**:
+- VPN tunnel not established properly
+- Traffic not routed through `tun0` interface
+- Firewall rules not blocking non-VPN traffic
+
+**Diagnosis**:
+```bash
+# Check if VPN interface exists
+ip addr show tun0
+
+# Check routing table
+ip route
+
+# Should show: default via X.X.X.X dev tun0
+
+# Check public IP
+curl https://api.ipify.org
+```
+
+**Solutions**:
+1. **Verify VPN is connected**: Check backend logs for "Initialization Sequence Completed"
+2. **Check routing**: Ensure default route goes through `tun0`
+3. **Restart VPN connection**: Disconnect and reconnect
+
+### Issue 2: DNS Leaks
+**Symptoms**: DNS queries go to your ISP instead of VPN DNS servers
+
+**Causes**:
+- `/etc/resolv.conf` not updated properly
+- DNS script not executing
+- Container DNS override by Docker
+
+**Diagnosis**:
+```bash
+# Check DNS servers in use
+cat /etc/resolv.conf
+
+# Should show ProtonVPN DNS:
+# nameserver 10.2.0.1
+# nameserver 10.2.0.2
+
+# Test DNS resolution
+nslookup google.com
+```
+
+**Solutions**:
+1. **Check DNS script**: Verify `/etc/openvpn/update-resolv-conf` exists and is executable
+2. **Manual DNS update**:
+   ```bash
+   echo "nameserver 10.2.0.1" > /etc/resolv.conf
+   echo "nameserver 10.2.0.2" >> /etc/resolv.conf
+   ```
+3. **Rebuild container**: Ensures DNS script is properly installed
+
+### Issue 3: VPN Connects but No Traffic
+**Symptoms**: VPN shows connected but no internet access
+
+**Causes**:
+- Firewall rules too restrictive
+- VPN server blocking traffic
+- Authentication issues
+
+**Diagnosis**:
+```bash
+# Check VPN process
+ps aux | grep openvpn
+
+# Check iptables rules
+iptables -L OUTPUT -n -v
+
+# Test connectivity through VPN
+ping -I tun0 8.8.8.8
+```
+
+**Solutions**:
+1. **Check credentials**: Ensure ProtonVPN username/password are correct
+2. **Try different server**: Switch to another country/server
+3. **Check firewall**: Verify iptables rules allow VPN traffic
+
+### Issue 4: Container Networking Issues
+**Symptoms**: Cannot access application after VPN connects
+
+**Causes**:
+- Container ports not properly exposed
+- Docker network conflicts
+- Firewall blocking incoming connections
+
+**Solutions**:
+1. **Check capabilities**: Ensure docker-compose has `NET_ADMIN` and `NET_RAW`:
+   ```yaml
+   cap_add:
+     - NET_ADMIN
+     - NET_RAW
+   ```
+
+2. **Verify port mapping**:
+   ```yaml
+   ports:
+     - "12345:12345"
+   ```
+
+## VPN Configuration Details
+
+### OpenVPN Config
+```conf
+client
+dev tun
+proto udp
+remote [server] 1194
+cipher AES-256-GCM
+auth SHA512
+
+# DNS Settings
+dhcp-option DNS 10.2.0.1
+dhcp-option DNS 10.2.0.2
+block-outside-dns
+
+# Routing
+redirect-gateway def1 bypass-dhcp
+
+# Kill Switch
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+```
+
+### DNS Update Script
+Location: `/etc/openvpn/update-resolv-conf`
+
+This script:
+- Parses OpenVPN's `foreign_option_*` environment variables
+- Updates `/etc/resolv.conf` with VPN DNS on connect
+- Restores default DNS on disconnect
+
+### Firewall Rules (Kill Switch)
+```bash
+# Allow loopback
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Allow established connections
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# Allow DNS (needed to resolve VPN server)
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# Allow VPN tunnel traffic
+iptables -A OUTPUT -o tun+ -j ACCEPT
+
+# Everything else is blocked (implicit)
+```
+
+## Testing & Verification
+
+### Using the Web UI
+1. **Connect to VPN** in Settings > VPN
+2. **Click "Check IP"** button when connected
+3. **Verify**:
+   - Public IP is different from your real IP
+   - Location matches VPN country
+   - ISP is ProtonVPN or VPN provider
+   - DNS servers are `10.2.0.1`, `10.2.0.2`
+   - VPN Interface shows "Active"
+
+### Using API Endpoints
+
+#### Check IP
+```bash
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  http://localhost:12345/api/vpn/check-ip
+```
+
+#### Full Diagnostics
+```bash
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  http://localhost:12345/api/vpn/diagnostics
+```
+
+### Manual Testing
+```bash
+# Get current IP
+curl https://api.ipify.org
+
+# Get IP info
+curl https://ipinfo.io/json
+
+# Check DNS
+cat /etc/resolv.conf
+
+# Check VPN interface
+ip addr show tun0
+
+# Check routing
+ip route | grep default
+```
+
+## ProtonVPN Free Tier Servers
+
+The implementation uses ProtonVPN free tier servers:
+- 🇺🇸 US: us-free-01.protonvpn.net
+- 🇳🇱 NL: nl-free-01.protonvpn.net
+- 🇯🇵 JP: jp-free-01.protonvpn.net
+- 🇬🇧 GB: uk-free-01.protonvpn.net
+- 🇩🇪 DE: de-free-01.protonvpn.net
+- 🇫🇷 FR: fr-free-01.protonvpn.net
+- 🇨🇦 CA: ca-free-01.protonvpn.net
+- 🇨🇭 CH: ch-free-01.protonvpn.net
+- 🇸🇪 SE: se-free-01.protonvpn.net
+- 🇷🇴 RO: ro-free-01.protonvpn.net
+
+## Security Considerations
+
+### Credential Storage
+- Credentials encrypted using AES-256-CBC
+- Encryption key derived from JWT secret
+- Stored in SQLite database
+
+### Traffic Isolation
+- All traffic routes through VPN when connected
+- Kill switch prevents leaks if VPN drops
+- DNS forced to VPN DNS servers
+
+### Limitations
+- VPN runs per-user (not container-wide)
+- Free tier has speed limitations
+- Some streaming services may detect VPN
+
+## Troubleshooting Checklist
+
+When VPN isn't working:
+
+- [ ] Check VPN status shows "connected"
+- [ ] Verify `tun0` interface exists (`ip addr show tun0`)
+- [ ] Check routing table has VPN route (`ip route`)
+- [ ] Verify DNS is set to VPN DNS (`cat /etc/resolv.conf`)
+- [ ] Test IP shows VPN IP (`curl https://api.ipify.org`)
+- [ ] Check OpenVPN logs for errors
+- [ ] Verify Docker capabilities (`NET_ADMIN`, `NET_RAW`)
+- [ ] Try different VPN server/country
+- [ ] Rebuild Docker container
+- [ ] Check ProtonVPN credentials are valid
+
+## Known Issues
+
+### IPv6 Leaks
+**Issue**: IPv6 traffic may bypass VPN  
+**Workaround**: Disable IPv6 or use `pull-filter ignore ifconfig-ipv6` in config
+
+### Docker DNS Override
+**Issue**: Docker may override `/etc/resolv.conf`  
+**Workaround**: DNS script updates it on VPN connect
+
+### Multiple Users
+**Issue**: Each user gets their own VPN connection  
+**Note**: This is by design for per-user VPN routing
+
+## Getting Help
+
+If issues persist:
+1. Check backend logs: `docker logs streamflow`
+2. Run diagnostics: `/api/vpn/diagnostics`
+3. Verify OpenVPN logs in container
+4. Check ProtonVPN account status
+5. Review Docker network configuration
+
+## References
+- [ProtonVPN OpenVPN Config](https://protonvpn.com/support/linux-openvpn/)
+- [OpenVPN Documentation](https://openvpn.net/community-resources/)
+- [Docker Networking](https://docs.docker.com/network/)
+- [iptables Tutorial](https://www.netfilter.org/documentation/)