Hi all,
I have a RT-AX58U router running 388.1 firmware.
I also have a VPN client that is constantly connected to Mullvad VPN (in fact, five of them with only one being active at a time). The only VPN Director rule that I have is to forward traffic from all local devices through that very VPN client.
After I restarted my router several hours ago, my RPi stopped responding through SSH (it has a static IP, 192.168.0.254), and everything that is hosted there became unavailable too. At first I thought that there was something wrong with the RPi itself, so I rebooted it, but it didn't help.
ssh admin@192.168.0.254 -p 2022 -vvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/MAJ/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/MAJ/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.254 [192.168.0.254] port 2022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: connect to address 192.168.0.254 port 2022: Operation timed out
ssh: connect to host 192.168.0.254 port 2022: Operation timed out
Then I added another rule to VPN Director to forward RPi's traffic through WAN and voila! – I managed to connect to it via SSH. Not sure what is happening as it worked flawlessly in the past with my RPi being constantly connected to VPN through VPN Client/Director rules.
Here's the log when I route my RPi through WAN:
Jan 9 16:06:47 rc_service: httpd 1593:notify_rc restart_vpnrouting0
Jan 9 16:06:47 custom_script: Running /jffs/scripts/service-event (args: restart vpnrouting0)
Jan 9 16:06:47 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:06:47 vpndirector: Routing APPLE TV from 192.168.0.130 to any through main
Jan 9 16:06:47 vpndirector: Routing MRK-SRV from 192.168.0.254 to any through main
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc5
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC5
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc4
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC4
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc3
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc3
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC3
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc2
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc2
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC2
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc1
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc1
And here's what happens when I disable the RPi through WAN rule:
Jan 9 16:08:34 rc_service: httpd 1593:notify_rc restart_vpnrouting0
Jan 9 16:08:34 custom_script: Running /jffs/scripts/service-event (args: restart vpnrouting0)
Jan 9 16:08:34 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:08:34 vpndirector: Routing APPLE TV from 192.168.0.130 to any through main
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc5
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC5
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc4
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC4
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC4
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc3
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc3
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC3
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC3
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc2
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc2
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC2
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC2
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc1
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc1
What do you think could be the reason for it?
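Added example, not part of the original post: a short Python script that strips the timestamps from two `vpndirector`/`wireguard` syslog excerpts like the ones above and reports, per source address, which rules appear in only one of them. The sample lines are constructed in the same format (one WireGuard client only), and the function names `parse` and `diff_by_source` are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the syslog excerpts above
# (abbreviated to one WireGuard client; not copied from the router).
WITH_WAN_RULE = """\
Jan 9 16:06:47 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:06:47 vpndirector: Routing MRK-SRV from 192.168.0.254 to any through main
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC5
"""
WITHOUT_WAN_RULE = """\
Jan 9 16:08:34 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
"""

ROUTE = re.compile(r"vpndirector: Routing (.+) from (\S+) to (\S+) through (\S+)$")
DNS = re.compile(r"wireguard: (Forcing|Excluding) (\S+) .* for (\S+)$")

def parse(log):
    """Return a set of timestamp-free rule tuples found in a syslog excerpt."""
    rules = set()
    for line in log.splitlines():
        if m := ROUTE.search(line):
            name, src, dst, table = m.groups()
            rules.add(("route", src, dst, table.lower(), name))
        elif m := DNS.search(line):
            action, src, iface = m.groups()
            rules.add(("dns-" + action.lower(), src, "", iface.lower(), ""))
    return rules

def diff_by_source(before, after):
    """Group rules present in only one excerpt by the source address they match."""
    a, b = parse(before), parse(after)
    changes = defaultdict(lambda: {"removed": [], "added": []})
    for rule in sorted(a - b):
        changes[rule[1]]["removed"].append(rule)
    for rule in sorted(b - a):
        changes[rule[1]]["added"].append(rule)
    return dict(changes)

if __name__ == "__main__":
    for src, delta in diff_by_source(WITH_WAN_RULE, WITHOUT_WAN_RULE).items():
        print(src, delta)
```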