
OpenVPN Policy Rules feature doesn't work (AC66U) (Solved)

Marsi4eg

Regular Contributor
I'm running 378.56_2 and I have noticed that OpenVPN policy rules don't take effect.
My VPN service sends some routes to me, which must be ignored by the client when the policy rules feature is enabled.

On some earlier build I had configured those rules only for one PC in my home network, so when I enabled the OpenVPN client I had access to some 'secret' places only from that PC. Also, there were no new entries in the router's route table (the server routes were ignored by the client).

But now the client assigns the routes pushed by the VPN server even when policy rules are enabled; those routes are added to the routing table and every device in my network has access to all the 'secret' places.

So the positive effect of using Policy Rules becomes negative or zero.
 
Last edited:
Add no-pull to your configuration if you want to ignore all pushed routes. The policy setup script only removes global routes such as 0.0.0.0.

Sent from my Nexus 5X using Tapatalk
 
Do you mean 'route-nopull'? Or exactly 'no-pull'?

Check the OpenVPN documentation, I don't remember the exact parameter name.
 
Ok, now the client ignores server routes, and policy rules are being added, as I can see in syslog:

Code:
Nov 14 23:32:07 openvpn-routing: Configuring policy rules for client 1
Nov 14 23:32:07 openvpn-routing: Creating VPN routing table
Nov 14 23:32:07 openvpn-routing: Added x.x.x.x to y.y.y.y through VPN to routing policy
...etc.

but actually the devices don't have access to those resources through the policies.
Will try to downgrade and test again.
 
Are you sure your issue is with routing and not with DNS?

Also, note that routing entries are in the kernel RPDB, not in the general routes listed by the "route" command. You need to use the "ip route" command to view those tables. Table 111 has client1, 112 client2, etc...
 
'ip route' shows me the same entries as 'route'. P.S. The VPN client is enabled, with syslog info of the added rules.
______

Oh, maybe you mean 'ip rule' - now I can see those entries.

It's not related to DNS, because nslookup resolves the IP address of the resource correctly.

It's the closed area of my ISP where I work, and I'm a customer of this ISP at the same time. So I use the DNS which knows all the intranet resource addresses exactly.

Code:
admin@RT-AC66U-2490:/tmp/home/root# nslookup pbx.matrixb2b.net
Server:  127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:  pbx.matrixb2b.net
Address 1: xxx.xxx.xx.xx xxx.xxxxxxxxxx.net

and I have a rule enabled
Code:
1112:  from x.x.x.x4 to y.y.y.y lookup 111

Of course I'm testing from the PC with the correct IP; I also tried some other devices, but the resource is unavailable, and there's no ping either.
 
Last edited:
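RMerlin's point above (policy routes live in the kernel RPDB and in per-client tables such as 111, visible with 'ip rule' and 'ip route show table 111', not in the output of 'route') and the 'from x.x.x.x4 to y.y.y.y lookup 111' rule quoted in the post can be checked mechanically. The script below is an added example written for this thread; it is not part of the Asuswrt-Merlin firmware. It parses constructed samples of 'ip rule show' and 'ip route show table N' output (the addresses, rule priorities and the interface names tun11, tun12, br0 and eth0 are assumptions) and reports which rule and table would carry a packet from a given LAN host to a given destination. It also shows the failure mode that matches the symptom in the thread: a rule that is listed by 'ip rule' but whose table has no usable route falls through silently to 'main', so the traffic leaves over the WAN even though the policy rule exists.

```python
"""Resolve which RPDB rule and routing table carry a packet, from the text of
`ip rule show` and `ip route show table N`.  Added example for this thread,
not firmware code; all sample output below is constructed."""
import ipaddress
import re

# Constructed sample of `ip rule show` (priorities, hosts and tables assumed).
SAMPLE_RULES = """\
0:\tfrom all lookup local
1112:\tfrom 192.168.1.104 to 10.20.30.0/24 lookup 111
1113:\tfrom 192.168.1.120 lookup 112
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Constructed samples of `ip route show table <id>` for the tables above.
SAMPLE_TABLES = {
    "local": "",
    "111": """\
default via 10.8.0.5 dev tun11
10.8.0.0/24 dev tun11  proto kernel  scope link  src 10.8.0.6
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
""",
    "112": "default via 10.9.0.5 dev tun12\n",
    "main": """\
default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.7
""",
    "default": "",
}

RULE_RE = re.compile(r"^\s*(\d+):\s*(.*?)\s+lookup\s+(\S+)")


def parse_rules(text):
    """Return (priority, src_net_or_None, dst_net_or_None, table), lowest priority first.
    Only the `from`/`to` selectors are understood; fwmark/iif rules are treated as match-all."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        prio, selector, table = m.groups()
        toks = selector.split()
        src = dst = None
        for i, tok in enumerate(toks):
            if tok == "from" and toks[i + 1] != "all":
                src = ipaddress.ip_network(toks[i + 1], strict=False)  # bare host -> /32
            elif tok == "to":
                dst = ipaddress.ip_network(toks[i + 1], strict=False)
        rules.append((int(prio), src, dst, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Return (prefix, via_or_None, dev_or_None) for each line of `ip route show table N`."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
        via = toks[toks.index("via") + 1] if "via" in toks else None
        dev = toks[toks.index("dev") + 1] if "dev" in toks else None
        routes.append((prefix, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match inside one table; None if the table has no route for dst."""
    best = None
    for prefix, via, dev in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    return best


def resolve(src, dst, rules_text=SAMPLE_RULES, tables=SAMPLE_TABLES):
    """Walk the RPDB in priority order, as the kernel does, and return the first
    rule whose selector matches AND whose table actually holds a route for dst.
    A matching rule with an empty or non-covering table is skipped, which is how
    'the rule is in ip rule but traffic still goes out the WAN' happens."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rsrc, rdst, table in parse_rules(rules_text):
        if rsrc is not None and src not in rsrc:
            continue
        if rdst is not None and dst not in rdst:
            continue
        route = lookup(parse_routes(tables.get(table, "")), dst)
        if route is None:
            continue  # kernel falls through to the next rule
        return {"rule": prio, "table": table, "via": route[1], "dev": route[2]}
    return None


if __name__ == "__main__":
    for s, d in [("192.168.1.104", "10.20.30.40"), ("192.168.1.50", "10.20.30.40")]:
        print(s, "->", d, resolve(s, d))
    # Same host and destination, but table 111 emptied (e.g. by a script that
    # deleted the tun routes): the policy rule still exists, yet traffic takes main.
    print("table 111 empty:", resolve("192.168.1.104", "10.20.30.40",
                                      tables=dict(SAMPLE_TABLES, **{"111": ""})))
```

On the router itself the inputs come from `ip rule show` and `ip route show table 111` (busybox prints the same `from ... to ... lookup ...` and `... via ... dev ...` shape); the useful comparison is between the dev the script reports for the policy host and the one reported for an unlisted LAN host. If both come back on the WAN interface while the rule is present, look at the contents of the per-client table, not at the rule.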
Soooooooo sorry for the double post, but I have just rolled back to 378.54_2 and got policy rules working again. (It also didn't work with 378.55.)
I haven't reconfigured any option. The only things I have modified in the VPN config are the security certs and keys, which were lost because they were moved to jffs after 378.55.

And there is no need to use 'route-nopull': if policy rules are enabled, global routes are ignored automatically.

Please take a look into this issue.
________
Next edit:
Thank you all, no bug, that was my fault: I had an active route-up script to delete some unnecessary routes (an old script I wrote when there was no policy rules option). But for some strange reason the activity of this script didn't break policy rules in 378.54_2 (maybe the openvpn daemon was older), and I noticed these problems only after the upgrade.

Everything works fine now, so RMerlin, please close this topic.
 
Had the exact same issue since trying to set up OpenVPN last night and gave up on a solution, but glad to hear rolling back worked for you! Will try it asap.
 
