Having trouble running custom scripts

OK, just so I understand: "Redirect Internet traffic", what is this asking me? Is that the option that you speak of that "forces" clients via the VPN? If so, should it be set to "No" or what?

I personally don't know why this option exists, as either the VPN is active for ALL traffic or selective routing. Having a VPN UP and active then specifying NO is probably only useful for home workers via a corporate VPN?? I'm still not sure how it is a useful option for most users, but RMerlin tries to keep all enhancements as flexible as possible. :cool:

The option 'Block routed clients' forces the use of the VPN, so if the VPN isn't UP then internet access is effectively blocked either for ALL traffic or the nominated clients.

So since your initial post referred to the 'Selective routing whilst also preventing WAN access if VPN is DOWN' script, then I think you should be able to answer your own question?

i.e. Both 'Policy Rules' and 'Block routed clients' should be selected if this is what you want?
 
The option exists for situations where you only want a VPN to selective destinations such as a corporate server or maybe just for things like Netflix and Hulu; in such instances you add the routing on the server side via push commands. It is also good for testing.
 
Enabling Policy-based routing applies some changes to the main routing table (removing some routes that might have been pushed by the tunnel provider). Having the option set to "No" ensures full backward compatibility with how this used to work.

It's also more intuitive to users who are used to having the "No" option available for years. Removing it would have resulted in support questions as to "How do I disable it?"
 
Alright, just to add to the confusion. When I read "redirect internet traffic", I see: VPN tunnel goes down, router asks "can I redirect my clients to access the internet?", answer "No", OK, router says block internet access. However, you guys are telling me that I need to set Policy rules and Block routed clients as my settings. This makes sense to me as well. This is where I get confused. So, if I set up Block routed clients, what do I set the destination IP as? Is it the destination or gateway IP that is in the iptables for tun11?

The reason I'm all confused about this is, again this morning, I woke up and I had lost internet access from the VPN as the connection was dropped. Logs had numerous "...openvpn[1208]: RESOLVE: Cannot resolve host address:...". Upload a new ovpn profile and I'm reconnected. So, whether or not it's the vpn provider or whether this has something to do with the redirect internet traffic, I am really not sure.
 
You really haven't clearly specified what you actually want to do when the VPN is UP.

1. No traffic to use the VPN
2. ALL traffic /devices to use VPN
3. Selectively route only some devices through the VPN (leave dest I/P blank for ALL destinations)
4. Block use of WAN access if VPN is DOWN i.e. force VPN

If you use IPVanish then there is a bug that has been identified (and fixed by RMerlin in the next release) where OpenVPN crashes when it tries to terminate and does not correctly tidy up the /etc/resolve entries.

I suggest you check the log to see if there is an error message when the VPN connection is lost.
 
Apologies for this.

When the VPN is UP, all traffic should use the VPN connection. If I want some devices to use the standard ISP connection, they connect to the router which is in between the Asus Merlin router and the modem. If the VPN goes DOWN on the Asus Merlin router, then for any device which is connected to it, block the use of the WAN (force VPN). And, if it needs to be known, I'm using ExpressVPN.

Here is a copy of the section of the log just before the connection drops. Please note, I have replaced the VPN URL with *** as this information is only available to customers of the VPN service.

openvpn[1208]: TLS: tls_process: killed expiring key
May 11 20:01:16 openvpn[1208]: TLS: soft reset sec=0 bytes=6145531/0 pkts=15486/0
May 11 20:01:18 openvpn[1208]: VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
May 11 20:01:18 openvpn[1208]: VERIFY OK: nsCertType=SERVER
May 11 20:01:18 openvpn[1208]: VERIFY X509NAME OK: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
May 11 20:01:18 openvpn[1208]: VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
May 11 20:01:23 openvpn[1208]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 11 20:01:23 openvpn[1208]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 11 20:01:23 openvpn[1208]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
May 11 20:01:23 openvpn[1208]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 11 20:01:23 openvpn[1208]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 11 21:01:16 openvpn[1208]: TLS: tls_process: killed expiring key
May 11 21:01:23 openvpn[1208]: TLS: soft reset sec=0 bytes=710836/0 pkts=1869/0
May 11 21:01:37 openvpn[1208]: [server] Inactivity timeout (--ping-restart), restarting
May 11 21:01:37 openvpn[1208]: SIGUSR1[soft,ping-restart] received, process restarting
May 11 21:01:37 openvpn[1208]: Restart pause, 2 second(s)
May 11 21:01:39 openvpn[1208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 11 21:01:39 openvpn[1208]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 11 21:02:10 openvpn[1208]: RESOLVE: Cannot resolve host address: ***.***.***: Name or service not known
 
So you have two routers before the modem, and on the ASUS Merlin router you have

Redirect Internet traffic = Policy Rules
Block routed clients if tunnel goes down = YES


and presumably under

Rules for routing client traffic through the tunnel (Max Limit : 64)

have appropriate entries for the subnet/devices directly connected to the ASUS Merlin router that should be forced to use the VPN

Via VPN xxx.xxx.xxx.xxx/yy 0.0.0.0
or
PC1 xxx.xxx.xxx.xxx 0.0.0.0


If the VPN is brought down and the openvpn updown.sh script isn't firing to reset the etc/resolve file (which presumably has been modified by the ExpressVPN server push directives?) then this appears similar to the IPVanish issue that will be resolved by RMerlin in the next release, but his disclaimer is that his fix may not actually work if the VPN termination is initiated by the ISP or is caused by a genuine line fault etc.

Maybe there is now a DNS catch-22 situation as having forced ALL traffic via the VPN, if the VPN is DOWN, how can the router resolve the ExpressVPN hostname?

Don't think there is a lot more I can suggest apart from specifying the target ExpressVPN end-point as an I/P address rather than a domain name or wait for someone else to advise on how to use DNS effectively in this situation.
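As an added example (not code from the thread or from the Merlin firmware): a POSIX shell script that picks the tunnel-state events out of syslog lines in the format the posted log uses and flags the sequence the poster hit, a ping-restart followed by a failed lookup of the VPN server's hostname, which is the DNS catch-22 described above. The sample lines are constructed from the posted log with the hostname masked as the poster did; the event names and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Merlin firmware): classify the
# OpenVPN client messages that appear in the router syslog and flag the
# sequence seen in the post above, where a ping-restart is followed by a
# failed hostname lookup. Assumes the line format shown in the thread:
#   "<Mon> <day> <HH:MM:SS> openvpn[<pid>]: <message>"

# Constructed sample, modelled on the post's log; the remote hostname is
# masked as *** just as the poster did.
SAMPLE_LOG='May 11 21:01:16 openvpn[1208]: TLS: tls_process: killed expiring key
May 11 21:01:23 openvpn[1208]: TLS: soft reset sec=0 bytes=710836/0 pkts=1869/0
May 11 21:01:37 openvpn[1208]: [server] Inactivity timeout (--ping-restart), restarting
May 11 21:01:37 openvpn[1208]: SIGUSR1[soft,ping-restart] received, process restarting
May 11 21:01:39 openvpn[1208]: Socket Buffers: R=[118784->131072] S=[118784->131072]
May 11 21:02:10 openvpn[1208]: RESOLVE: Cannot resolve host address: ***.***.***: Name or service not known'

# Read log lines on stdin and print "<time> <event>" for each line that is a
# tunnel-state event; routine chatter (key rotation, buffer sizes) is ignored.
classify_openvpn_log() {
    awk '
        / TLS: soft reset /                       { print $3, "renegotiation"; next }
        / Inactivity timeout \(--ping-restart\)/  { print $3, "peer-timeout";  next }
        / SIGUSR1\[.*\] received/                 { print $3, "restart";       next }
        / RESOLVE: Cannot resolve host address/   { print $3, "dns-failure";   next }
        / Initialization Sequence Completed/      { print $3, "connected";     next }
    '
}

# Exit 0 when a restart is followed by a DNS failure before the tunnel comes
# back up: the catch-22 the reply above suggests, where the client needs DNS
# to find the VPN server but the resolver only works while the tunnel is up.
restart_then_dns_failure() {
    classify_openvpn_log | awk '
        $2 == "restart"                  { restarted = 1 }
        $2 == "connected"                { restarted = 0 }
        $2 == "dns-failure" && restarted { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Stand-alone run: print the event timeline and the verdict for the sample.
printf '%s\n' "$SAMPLE_LOG" | classify_openvpn_log
if printf '%s\n' "$SAMPLE_LOG" | restart_then_dns_failure; then
    echo "verdict: reconnect blocked by DNS failure after restart"
else
    echo "verdict: no restart-then-DNS-failure sequence found"
fi
```

Pipe the router's syslog through `classify_openvpn_log` to get a compact timeline of drops and reconnects; `restart_then_dns_failure` turns the reply's hypothesis into a yes/no check you can run after each drop. If it keeps coming back true, the lookup is on the reconnect path, which is exactly what specifying the server by IP address (as suggested above) takes out of the equation.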
 
So you have two routers before the modem, and on the ASUS Merlin router you have

Redirect Internet traffic = Policy Rules
Block routed clients if tunnel goes down = YES

Redirect Internet traffic is actually set to No.

and presumably under

Rules for routing client traffic through the tunnel (Max Limit : 64)

have appropriate entries for the subnet/devices directly connected to the ASUS Merlin router that should be forced to use the VPN

Via VPN xxx.xxx.xxx.xxx/yy 0.0.0.0
or
PC1 xxx.xxx.xxx.xxx 0.0.0.0

This isn't enabled.

How do you check to see if a script is firing? Any ideas as to when the next release will be released?
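One way to answer the "is my script firing?" question, as an added example that is not from the thread or from the Merlin firmware: a minimal OpenVPN up/down script that appends a trace line each time OpenVPN runs it, including the DNS servers the server pushed (the push directives the reply above suspected of modifying the resolver file). It relies on the `script_type`, `dev` and `foreign_option_N` environment variables that OpenVPN sets for up/down scripts; the log file path and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Merlin firmware): a minimal
# OpenVPN --up/--down script that leaves a trace every time it runs, so the
# question "is my script firing?" can be answered by reading one file.
# OpenVPN exports script_type, dev and foreign_option_N to up/down scripts;
# the log path below is an assumption for this example.
VPN_SCRIPT_LOG="${VPN_SCRIPT_LOG:-/tmp/vpn-script-trace.log}"

# List the DNS servers the server pushed, in order, one per line. OpenVPN
# hands pushed options to the script as foreign_option_1, foreign_option_2,
# ... with values such as "dhcp-option DNS 10.8.0.1".
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Append one line per invocation: timestamp, up/down, tunnel device and the
# pushed DNS servers. Grepping this file later shows whether the down script
# ran when the tunnel dropped, and what the up script was handed.
record_invocation() {
    dns=$(pushed_dns_servers | tr '\n' ' ')
    printf '%s type=%s dev=%s pushed_dns=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" \
        "${script_type:-unset}" "${dev:-unset}" "${dns% }" >> "$VPN_SCRIPT_LOG"
}

# How many times the script has fired since the trace file was created.
invocation_count() {
    if [ -f "$VPN_SCRIPT_LOG" ]; then
        awk 'END { print NR }' "$VPN_SCRIPT_LOG"
    else
        echo 0
    fi
}

# When OpenVPN runs this file as its up/down script, script_type is set and
# the invocation is recorded; sourcing it by hand only defines the functions.
if [ -n "${script_type:-}" ]; then
    record_invocation
fi
```

Point the client's `up` and `down` directives at the file (OpenVPN only calls user scripts when `script-security` allows it, which is what the NOTE line in the posted log is about). After the next drop, compare the trace with the syslog: an `up` line with no following `down` line at the time of the drop means the down script never ran, which is the situation the reply above describes.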
 
I guess we're entering territory that not many people understand. If that's the case, can you please point me in the direction of some documentation that explains what I'm looking at, so I can start playing around and see if I can get the router to do what I want.
 
