
"Error connecting - IP/Routing conflict" error when attempting to setup OpenVPN client with policy r

r0bbie

I was drawn to trying out asuswrt-merlin due to its Policy Based Routing capability, in order to direct some traffic through a VPN at the router level while excluding others. I've attempted to set this up, however am continually receiving a "Routing conflict" error message when the VPN client is enabled with policy rules in place.

Steps to reproduce:

- Set up for a new VPN client (for instance on client 1). Import .ovpn file, input login information etc, turn on. Test internet and works fine, traffic appears to be being correctly routed through the VPN.

- Turn the VPN client off, and switch the "Redirect Internet traffic" setting to "Policy Rules". Create two rules in order to direct all internet traffic through the VPN, unless its source is a particular computer at source IP 192.168.1.88 (in line with instructions at https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing):

Code:
All traffic       0.0.0.0       0.0.0.0       VPN
mediaserver       192.168.1.88   0.0.0.0       WAN


- I get a "Routing conflict" error (screenshots attached below), and the VPN connection seems to not work (no traffic is routed via the VPN).

188a3a7c-d363-11e6-9f98-9c4fb1117307.png


24489796-d363-11e6-9a73-4d07ff2f5baa.png


I've tried setting this up multiple times, rebooted the router, etc, and can't see where I'm going wrong. Tried various different policy rules as well to see if I could get any working at all or determine where a conflict might be, with no luck.

Any assistance would be much appreciated. Let me know if I might provide any log information etc which may be helpful in diagnosing.
 
Post the System Log content that's generated when starting the client.
 
Code:
Jan  7 20:16:41 rc_service: httpd 2428:notify_rc start_vpnclient1
Jan  7 20:16:41 kernel: tun: Universal TUN/TAP device driver, 1.6
Jan  7 20:16:41 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan  7 20:16:42 openvpn[5143]: OpenVPN 2.3.14 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 16 2016
Jan  7 20:16:42 openvpn[5143]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Jan  7 20:16:42 openvpn[5144]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  7 20:16:42 openvpn[5144]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Jan  7 20:16:42 openvpn[5144]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 20:16:42 openvpn[5144]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 20:16:42 openvpn[5144]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Jan  7 20:16:42 openvpn[5144]: UDPv4 link local: [undef]
Jan  7 20:16:42 openvpn[5144]: UDPv4 link remote: [AF_INET]VPN_IP_HERE:443
Jan  7 20:16:42 openvpn[5144]: TLS: Initial packet from [AF_INET]VPN_IP_HERE:443, sid=857acbb7 ba79f4e1
Jan  7 20:16:42 openvpn[5144]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  7 20:16:42 openvpn[5144]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Jan  7 20:16:42 openvpn[5144]: Validating certificate key usage
Jan  7 20:16:42 openvpn[5144]: ++ Certificate has key usage  00a0, expects 00a0
Jan  7 20:16:42 openvpn[5144]: VERIFY KU OK
Jan  7 20:16:42 openvpn[5144]: Validating certificate extended key usage
Jan  7 20:16:42 openvpn[5144]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan  7 20:16:42 openvpn[5144]: VERIFY EKU OK
Jan  7 20:16:42 openvpn[5144]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Jan  7 20:16:44 openvpn[5144]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  7 20:16:44 openvpn[5144]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 20:16:44 openvpn[5144]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan  7 20:16:44 openvpn[5144]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  7 20:16:44 openvpn[5144]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jan  7 20:16:44 openvpn[5144]: [server] Peer Connection Initiated with [AF_INET]VPN_IP_HERE:443
Jan  7 20:16:46 openvpn[5144]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan  7 20:16:46 openvpn[5144]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.11.69 255.255.0.0'
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: LZO parms modified
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: route options modified
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: route-related options modified
Jan  7 20:16:46 openvpn[5144]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  7 20:16:46 openvpn[5144]: TUN/TAP device tun11 opened
Jan  7 20:16:46 openvpn[5144]: TUN/TAP TX queue length set to 100
Jan  7 20:16:46 openvpn[5144]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan  7 20:16:46 openvpn[5144]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan  7 20:16:46 openvpn[5144]: /usr/sbin/ip addr add dev tun11 10.4.11.69/16 broadcast 10.4.255.255
Jan  7 20:16:49 openvpn[5144]: Ignore conflicted routing rule: VPN_IP_HERE 255.255.255.255
Jan  7 20:16:49 openvpn[5144]: /usr/sbin/ip route add 0.0.0.0/1 via 10.4.0.1
Jan  7 20:16:49 openvpn[5144]: /usr/sbin/ip route add 128.0.0.0/1 via 10.4.0.1
Jan  7 20:16:49 openvpn-routing: Configuring policy rules for client 1
Jan  7 20:16:49 openvpn-routing: Creating VPN routing table
Jan  7 20:16:49 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
Jan  7 20:16:49 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
Jan  7 20:16:49 openvpn-routing: Removing rule 10001 from routing policy
Jan  7 20:16:49 openvpn-routing: Adding route for 192.168.1.22 to 0.0.0.0 through WAN
Jan  7 20:16:49 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Jan  7 20:16:49 openvpn-routing: Completed routing policy configuration for client 1
Jan  7 20:16:49 openvpn[5144]: Initialization Sequence Completed
 
What's in your custom config section?
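
To compare the policy rules from the first post with what the router logged, the following added example (not part of the original thread or of asuswrt-merlin) pulls the routing events out of the posted System Log lines. The `summarize` and `compare` helpers are hypothetical names, and the comparison assumes every applied rule is logged in the `Adding route for ... through ...` form seen in the log above.

```python
import re

# Constructed sample: the routing-related lines copied from the System Log posted above.
SAMPLE_LOG = """\
Jan  7 20:16:46 openvpn[5144]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.11.69 255.255.0.0'
Jan  7 20:16:49 openvpn[5144]: Ignore conflicted routing rule: VPN_IP_HERE 255.255.255.255
Jan  7 20:16:49 openvpn[5144]: /usr/sbin/ip route add 0.0.0.0/1 via 10.4.0.1
Jan  7 20:16:49 openvpn[5144]: /usr/sbin/ip route add 128.0.0.0/1 via 10.4.0.1
Jan  7 20:16:49 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
Jan  7 20:16:49 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
Jan  7 20:16:49 openvpn-routing: Adding route for 192.168.1.22 to 0.0.0.0 through WAN
"""

# Policy rules as entered in the first post: (description, source, destination, interface).
RULES = [("All traffic", "0.0.0.0", "0.0.0.0", "VPN"),
         ("mediaserver", "192.168.1.88", "0.0.0.0", "WAN")]

PATTERNS = {
    "ignored": re.compile(r"openvpn\[\d+\]: Ignore conflicted routing rule: (\S+) (\S+)"),
    "added": re.compile(r"openvpn\[\d+\]: \S*ip route add (\S+) via (\S+)"),
    "removed": re.compile(r"openvpn-routing: Removing route for (\S+) to (\S+) from main"),
    "policy": re.compile(r"openvpn-routing: Adding route for (\S+) to (\S+) through (\S+)"),
}

def summarize(log_text):
    """Collect routing events per category, plus the options the server pushed."""
    out = {name: [] for name in PATTERNS}
    out["pushed"] = []
    for line in log_text.splitlines():
        push = re.search(r"PUSH_REPLY,([^']*)'", line)
        if push:
            out["pushed"] = push.group(1).split(",")
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                out[name].append(m.groups())
    return out

def compare(rules, summary):
    """Return (rules with no matching log line, logged policy routes with no matching rule)."""
    wanted = {(src, dst, iface) for _, src, dst, iface in rules}
    logged = set(summary["policy"])
    return sorted(wanted - logged), sorted(logged - wanted)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("pushed options:", s["pushed"])
    print("ignored by openvpn:", s["ignored"])
    print("rules not logged / logged routes without a rule:", compare(RULES, s))
```

The output only reports what the log does and does not contain; it does not by itself establish the cause of the "Routing conflict" message.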
 