Updated FAQ (markdown)

FAQ.md

@@ -7,7 +7,14 @@
 
 ## How do I diagnose port forwarding?
 
-This guide assumes that the PiVPN installation was successful and you see all `[OK]` on the `pivpn -d` self check (i.e. the server is working and listening for connections).
+### Before you begin
+
+This guide assumes that the PiVPN installation was successful and you see all [OK] on the `pivpn -d` self check (i.e. the server is working, listening for connections, with firewall rules in place).
+
+If your debug log shows some [ERR], you need to solve those first: accept the [Y/n], look through existing issues or open a new issue.
+Instead, if you performed all the following steps and suggestions, again, look through existing issues or open a new issue adding the packet capture (censor client IPs if you want) and the attempted remedies. Remember to follow the ISSUE TEMPLATE.
+
+### Packet capture
 
 We will use `tcpdump` take a peek into the network interface to see if packets are reaching our Raspberry Pi.
 
@@ -50,21 +57,10 @@ listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
 
 ### What to do if I see no packets?
 
-- Check your port forwarding, make sure you forwarded the correct PORT, with the correct PROTOCOL, to the correct IP of your Pi. Again, you can see what you chose by looking at `IPv4dev`, `pivpnPROTO` and `pivpnPORT` inside `/etc/pivpn/setupVars.conf`.
+- Check your port forwarding, make sure you forwarded the correct PORT, with the correct PROTOCOL, to the correct IP of your Pi. You can see what you chose by looking at `IPv4addr` (without the netmask part, `/24` in most cases), `pivpnPROTO` and `pivpnPORT` inside `/etc/pivpn/setupVars.conf`.
-- Check if the router still assigned the internal IP you chose during the installation. If it changed even though you set up a static IP when installing PiVPN, use DHCP reservation on the router and reserve `IPv4dev`.
+- Check if the router still assigned the internal IP you chose during the installation. If it changed even though you set up a static IP when installing PiVPN, use DHCP reservation on the router and reserve `IPv4addr`.
 - If you set up PiVPN with ethernet and later switched to wifi, you will have a different IP. Easiest what to fix is to reinstall and pick the new network interface.
 - Check if your ISP uses Carrier-grade NAT. With CGNAT, your router gets a private IP, making port forwarding ineffective. This is mostly the norm if your router connects via 4G/LTE. If that's the case, you need to ask the ISP for a public IP.
-
+- Check if the IP in your client config matches the public IP of your Pi or that the DDNS is updated. To see the public IP of your Pi, run `curl -s https://checkip.amazonaws.com`.
-### What if I see packets coming but my client does not connect?
+- If you see packets coming, but no response from the Pi, it may indicate routing issues, attempts to block the connection (on either side), or poor connectivity. In all cases, try to connect from a different network.
-
+- You may have misconfigured firewall rules on your Pi, open an issue and add the output of `sudo ipables -S` and `sudo iptables -t nat -S`.
-Example:
-
-```
-tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
-listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
-10:57:38.952503 IP SOURCE_IP.28050 > 192.168.23.211.51820: UDP, length 32
-10:57:49.144774 IP SOURCE_IP.28050 > 192.168.23.211.51820: UDP, length 128
-```
-
-- If SOURCE_IP is the IP of your device, this may indicate routing issues, attempts to block the connection (on either side), or poor connectivity. In all cases, try to connect from a different network.
-- If SOURCE_IP is NOT the IP of your device, this indicates that SOURCE_IP is just a bot trying to scan your Pi and that your client is not trying to connect to your Pi. Check if the IP in your client config matches the public IP of your Pi or that the DDNS is updated. To see the public IP of your Pi, run `curl -s https://checkip.amazonaws.com`.