RT-AC68U requires reboot after stopping OpenVPN Client on Merlin 380.64


pusb87

Regular Contributor
Hi everyone.

This is my first post and I have looked around the forum for similar situations I am experiencing myself.

I have recently purchased the RT-AC68U and installed the Asuswrt-Merlin firmware 380.64.

My VPN provider is Private Internet Access (PIA) and I have carefully followed the excellent guide from @yorgi on How to Setup a VPN Client including Policy Rules for PIA.

All seems to work very well using the PIA openvpn config files for UDP 1198 except when using Policy Rules and selecting the option to Block Routed Clients if the Tunnel goes down.

If I have the OpenVPN client running then all is well and I have good internet access... however, when I stop the client from running I have to reboot the router to regain internet access.

Is this the expected behaviour or is something not quite right?

I am happy to post any additional information about my setup should it be required.

Many thanks in anticipation of some help or advice :)

 
Hi
When you use policy rules you need to create rules in which devices have access to VPN only, or VPN and WAN. Otherwise, when you have the feature "if tunnel goes down, stop the service" on, this is why when you close the service there is no internet. This is normal because it's a protection. If the VPN goes down because you switched it off, it's supposed to stop the internet from working.
What puzzles me is why you get internet working when you reboot the router, unless you are no longer using policy rules when you reboot. I am confused.

These are the rules you need to put in to make it work right.

Assuming your router is 192.168.1.1:

The rule below says that IP addresses ranging from 192.168.1.80-192.168.1.94 will be on the VPN and all other IP addresses will go to the local ISP.

Source IP 192.168.1.80/28 Destination IP 0.0.0.0 Iface VPN

You can add more IP addresses if you like.

You can also do this, which tells the router all traffic goes to VPN:
Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN

I am not sure what exactly your needs are with the VPN and how you want to use policy rules, but if you looked at my guide I have given many examples of how to use policy rules.
If you need more help please be more specific.
 

Hi @yorgi
Thanks for taking the time to reply, much appreciated as I'm pretty new to all this and on the bottom of a steep learning curve!!

I've attached a couple of screenshots showing my list of manually assigned IP devices and my policy rules.

Attachments: dhcp.JPG, policy rules.JPG

OK, so when I turn the OpenVPN client Service State to ON then all seems to be OK and I have VPN internet access on my PC (192.168.1.2) and all others except the TIVO (a TV box) and Sony PS3 PlayStation.

I may then want to access, using my PC, the internet and my local LAN without any VPN at all, so I turn the Service State to OFF.
I find that now, if I try using my PC, I cannot access any web sites at all.
To regain access to the web I have to reboot the router... which starts without any clients (and hence, I assume, policy rules) being active... I do not have the router set to start with WAN.

I hope that helps to clarify... and that you can offer some further suggestions :)
 
Expected behaviour... it's doing what you asked. Stopping the client takes the tunnel down, so internet access is blocked. If you are going to be switching back and forth on a client between VPN and non-VPN access, you shouldn't use the Block Routed Clients option.
 
Remove Persist TUN and Persist-key from the custom configuration that is already set up in the options from Merlin.

OK, try to understand this because it is very important.

"Block routed clients if tunnel goes down" <---------------- IMPORTANT

When you have that feature on and you are telling the router 192.168.1.0/24, that means everything goes to VPN.

Back to the important section above. If you stop the service, meaning turn the ON GREEN BUTTON TO OFF, or the VPN server drops connections, that tells the router to stop the internet service because you told the router to "Block routed clients if tunnel goes down". This means that when there is no VPN service present, stop all services to 192.168.1.0/24; that means no IP address has access to anything except for the 2 devices that you told have access to WAN, meaning the TIVO and the SONY.

So from what I understand your SONY PlayStation and your TIVO always have access to the local ISP and everything else is on the VPN, correct?
Is this what you are trying to achieve?

My suggestion is to make your life a bit simpler:
put every PC you want on the VPN, and if it's a few PCs you can enter them manually one by one.
So say you want to reserve a few addresses for VPN and the rest go to WAN (local ISP).
Do this:
Source 192.168.1.80/28 Destination 0.0.0.0 Iface VPN
That's it. 192.168.1.81-192.168.1.94 will go to VPN and every other device that doesn't have these addresses will go to WAN (local ISP).
Here is the good part. If you want one of the PCs that is on the VPN to see traffic from the local ISP, all you do is manually assign an address which is not part of those 14 reserved addresses and you will be on the local ISP.

It is very important that when you turn off that service, the VPN stops on the 14 reserved addresses but not the rest of them.
So say you turned it off; your Sony and Tivo will continue to have internet.
Was that the case before, when you turned off the VPN service, that your computers that were on VPN didn't work but the SONY and TIVO worked?
If they didn't, you have a problem, and the rebooting part makes me worry, because even when you reboot the router, so long as those rules were there and you didn't change anything, there should have been no way for your router to send internet to PCs that were part of the rules to have only VPN.

When you put Merlin firmware on your router did you do a factory reset? And then cold boot?
If not then you should, and re-enter all your data all over again.
Under no circumstances should you have internet on PCs that are part of the VPN rules.
If you do after a reboot, you have a serious problem and shouldn't trust your setup.
You have to bulletproof your setup before you trust it, and from what I see you have a problem where internet works on VPN PCs that should be blocked after a reboot of the router.
Please let me know if this fixes your issues or if you have any other questions.
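The routing behaviour yorgi describes in the two posts above (the 192.168.1.0/24 rule versus the 192.168.1.80/28 rule, combined with "Block routed clients if tunnel goes down"), modelled as an added Python example; this is not Merlin's own code, and it assumes first-match rule order, that Iface WAN rows name the excepted devices, and constructed addresses 192.168.1.50/.51 for the TIVO and PS3:

```python
import ipaddress
from dataclasses import dataclass

VPN, WAN, BLOCKED = "VPN", "WAN", "BLOCKED"


@dataclass(frozen=True)
class Rule:
    """One policy-rule row: Source IP, Destination IP (0.0.0.0 = any), Iface."""
    source: str
    destination: str
    iface: str


def _in_net(ip: str, net: str) -> bool:
    # "0.0.0.0" (or blank) in a rule means "any address"
    if net in ("", "0.0.0.0", "0.0.0.0/0"):
        return True
    # strict=False lets a single host be written as 192.168.1.2 without /32
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def route_for(rules, src_ip, dst_ip, tunnel_up, block_if_down=True):
    """Effective path for a packet; first matching rule wins (assumed order)."""
    for rule in rules:
        if _in_net(src_ip, rule.source) and _in_net(dst_ip, rule.destination):
            if rule.iface != VPN:
                return WAN          # device explicitly excepted to the local ISP
            if tunnel_up:
                return VPN
            # tunnel down: the kill switch drops the client, else it leaks to WAN
            return BLOCKED if block_if_down else WAN
    return WAN                      # no rule matched: ordinary ISP route


# Constructed rule sets for the two layouts discussed in the thread.
# Layout 1: two WAN exceptions (assumed TIVO/PS3 addresses), then the whole LAN to VPN
ALL_LAN_TO_VPN = [
    Rule("192.168.1.50", "0.0.0.0", WAN),
    Rule("192.168.1.51", "0.0.0.0", WAN),
    Rule("192.168.1.0/24", "0.0.0.0", VPN),
]
# Layout 2: only the reserved block goes to VPN (ipaddress reads /28 as .80-.95)
RESERVED_TO_VPN = [Rule("192.168.1.80/28", "0.0.0.0", VPN)]


def lan_view(rules, clients, tunnel_up, block_if_down=True):
    """Map each client IP to its path toward a constructed internet host."""
    return {ip: route_for(rules, ip, "203.0.113.10", tunnel_up, block_if_down)
            for ip in clients}
```

Calling lan_view() with tunnel_up=False shows the difference the thread is about: layout 1 blocks every PC except the two exceptions, layout 2 blocks only the reserved block while the rest keep their ISP route.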
 
Edited
Sorry, but that is bad advice.
I have seen where the VPN server hiccups and goes down. I really doubt that someone using a VPN would not want to be protected if the server drops the connection and they leak their IP to everyone.
If the "block internet traffic if tunnel goes down" feature is disabled then there is no purpose in having a VPN. I would reconsider doing that.
This is a quick fix for your problem, but I gave you good recommendations with good solutions. If you disable this feature you are not protected from VPN server drops, and if you do this as a practice to have more convenience, and you only disable that feature when you turn off the VPN so that you can have the local ISP on your VPN PC, then you should not do it that way. Too risky. Do it where you manually assign an IP address that is not part of the VPN rules, like in the example I gave you above.
If you decide to go any other way it's at your own risk, and really be sure that when you reboot your router, if you see there is internet on a PC that should be on VPN and you see the local ISP, you have to get your setup right. Don't do foolish things like disable the feature that can save your butt!
 
Nothing personal, john9527, your answer is right, but I don't think one can see how dangerous or risky that can be.
 
No offense taken :) It depends on what you are trying to get out of the VPN connection. If it's to a private 'business' connection, obviously it's important. If it's geo-unblocking, or to provide some minimum level of anonymity through a service provider, maybe not as important. And if you have a particular client with strict security concerns that you want to use or not use the VPN on a regular basis, it may be better to run the VPN on that client instead of the router.
 
@yorgi @john9527

Many thanks to both of you for your responses.
Please give me some time to have a good read and digest everything and try to get my head around things; it's all very new to me.

My use is not business, purely recreational, just wanting to have some degree of privacy and anonymity, but I would like it to be primarily across all devices I have and not on a per-device basis, so my preference is to have the VPN client on the router.
 
Hi @yorgi

Thanks for all your suggestions and advice given to help me out.

I think I now have the router, VPN clients and policy rules sorted out OK.

I did remove Persist TUN and Persist-key from the custom configuration that is already set up in the options from Merlin.

I had a bit of a rethink about my policy rules and followed your suggestion to only include those devices I really needed to have on the VPN, manually, one by one.

I wasn't sure if I had previously done a factory reset and cold booted, so I did this time and then reconfigured the router.

So now when I enable the VPN client all works as it should as far as I can tell... all devices manually added to the VPN show my PIA addresses and the other devices show my ISP, where I have been able to test.

If I stop the VPN client then none of the VPN devices have internet access but the other devices do, and if I restart the VPN client all works as it should again... no need to reboot.

I think I'm good to go... famous last words o_O
 
