Multiple VPN clients active for different devices


Usually this is caused by a 'corruption' of the Selective Routing configuration - i.e. the firewall has unexpectedly restarted (due to manual tinkering with QOS or other features in the GUI?) but it depends on the router model/firmware/features enabled etc.

You could try this crude debugging script when it fails, or schedule it using cru/cron to track/dump the status of the Selective Routing environment to Syslog.
Code:
#!/bin/sh

# Debugging Selective Routing - run manually, or schedule via cru/cron to dump the status to Syslog

Say(){
   echo -e $$ "$@" | logger -st "($(basename "$0"))"
}
SayT() {
   echo -e $$ "$@" | logger -t "($(basename "$0"))"
}
ANSIColours() {
    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    cRED_="\e[41m";cGRE_="\e[42m"
}

ANSIColours

VPN_ROUTES=
WAN_IP=

# Table 254 is 'main'; VPN Client n uses routing table 11n and device tun1n.
# 'sort -u' de-duplicates the device list, as 'main' usually holds more than one route per tunnel.
for VPN_TAB in 254 $(ip route show table 254 | grep -oE "tun1[1-5]" | sort -u)
    do
        if [ "$VPN_TAB" != "254" ];then
            VPN_TAB=$(echo $VPN_TAB | sed 's/tun1/11/')
            VPN_ID=${VPN_TAB:2:1}
            LABEL="VPN Client $VPN_ID"
        else
            VPN_ID=
            LABEL="'main' (WAN)"     # ${VPN_TAB:2:1} of '254' is '4', so don't report this as 'VPN Client 4'
        fi
        echo -e $cBWHT
        Say "$LABEL route Table:" $VPN_TAB
        echo -en $cBMAG

        AROUTE=$(ip route show table $VPN_TAB | awk ' /default/ {print $3}')
        if [ -z "$(echo "$VPN_ROUTES" | grep -oF "$AROUTE")" ];then
            VPN_ROUTES=$VPN_ROUTES" "$AROUTE
        else
            echo -e $cBRED"\a"
            TXT="ALREADY used by a previous VPN Client"
            if [ "$WAN_IP" == "$AROUTE" ];then
                TXT="is via the WAN!!!"
            fi
            Say "***ERROR*** $LABEL route" $AROUTE $TXT
            echo -e $cRESET
        fi

        # Show (and log) only the routes relevant to Selective Routing - obfuscate IP addresses before posting <optional>
        ip route show table $VPN_TAB | grep -E "^0\.|^128\.|^default|tun1" | tee -a /tmp/syslog.log

        if [ "$VPN_TAB" != "254" ];then
            # A VPN Client table should reference exactly one tun device; 'sort -u' stops the same
            # tun1n appearing on several route lines from being reported as a mismatch
            DEV=$(ip route show table $VPN_TAB | grep -v "default" | grep -oE "tun1[1-5]" | sort -u)
            if [ "tun1$VPN_ID" != "$DEV" ];then
                echo -e $cBRED"\a"
                Say "***ERROR*** RPDB rules will be misdirected for $LABEL"
                echo -e $cRESET
            else
                # Pushed 0.0.0.0/1 and 128.0.0.0/1 routes are more specific than 'default', so they catch ALL traffic
                if [ -n "$(ip route show table $VPN_TAB | grep -E "^0\.|^128\.")" ];then
                    echo -e $cBRED"\a"
                    Say "***ERROR*** Selective routing NOT enabled! - table 'main' is routing ALL traffic via VPN"
                    echo -e $cRESET
                fi
            fi
        else
            WAN_IP=$AROUTE
        fi
    done

echo -e $cBWHT
Say "RPDB rules:"
echo -en $cBMAG
ip rule | tee -a /tmp/syslog.log

echo -e $cBWHT
Say "Count of active RPDB rules:"
echo -en $cBGRE

# How many entities are Selectively routed (fwmark-based rules are excluded)
SUMMARY=$(ip rule | grep -v "fwmark" | grep -oE "lookup.*ovpnc[1-5]+" | sort -k 2 | uniq -c)
echo "$SUMMARY" | tee -a /tmp/syslog.log
SayT "Summary:$SUMMARY"

echo -e $cRESET

exit 0

You may get a clue in finding the issue either in the RPDB rules (less likely though can happen) or the actual individual Selective routing tables (highly likely).

@Martineau, I just had to give this script a try. Please understand I am a noob when it comes to trying to figure out what is happening here, but when I ran the script with only VPN Client 3 active I received the following output. Client 3 has policy rules configured for 1 PC to utilize the VPN. My concern is why Client 4 shows up and the error "RPDB rules will be misdirected for VPN Client 3". Any help is appreciated.

Code:
admin@RT-AC86U:/tmp/mnt/USB1/scripts# ./Debug_VPN.sh

(Debug_VPN.sh): 14046 VPN Client 4 route Table: 254
default via xxx.xxx.156.1 dev eth0
10.11.10.5 dev tun13  proto kernel  scope link  src 10.11.10.6

(Debug_VPN.sh): 14046 VPN Client 3 route Table: 113
0.0.0.0/1 via 10.11.10.5 dev tun13
default via 10.11.10.5 dev tun13
10.11.10.1 via 10.11.10.5 dev tun13
10.11.10.5 dev tun13  proto kernel  scope link  src 10.11.10.6
128.0.0.0/1 via 10.11.10.5 dev tun13

(Debug_VPN.sh): 14046 ***ERROR*** RPDB rules will be misdirected for VPN Client 3


(Debug_VPN.sh): 14046 RPDB rules:
0:    from all lookup local
10501:    from 192.168.xxx.103 lookup ovpnc3
32766:    from all lookup main
32767:    from all lookup default

(Debug_VPN.sh): 14046 Count of active RPDB rules:
      1 lookup ovpnc3
 

Whoops :oops:

Apologies, please try the v1.01b1 version.

NOTE: The script is designed for identifying possible Selective Routing issues for multiple concurrent VPN Clients as described by the OP.
 
Thank you @Martineau for the response!! I'll have a crack at it when I get home. I might also give the RT-AC68U_384.3_beta1.zip a try. The changelog says the following (not sure though if it is directly related to my issue, I'll give it a go anyway):
- FIXED: traffic routing from the router itself would fail when
restarting the firewall while using an ovpn client with
policy rules in effect.
 

That solved it, output makes more sense now! Thanks.
 

:) The initial release was written primarily to provide scheduled tracking of any strange/unexpected changes to Syslog.

I then thought why not give the user some advice by highlighting potential problems:

e.g. the existence of pushed VPN routes such as 0.0.0.0/1 and 128.0.0.0/1 should be regarded as invalid 'anywhere' when Selective Routing is configured, but with only 1 active VPN Client (as in your case) then it clearly doesn't matter. :oops:
 
Pardon my silly question. I'm level 0 at scripting. How do I run the script on my router?
I've enabled JFFS custom scripts and configs and managed to SSH to the router, but cannot mount my USB.
What do I do with the code? Should I save it as .sh and then find the file on the USB?
I read some instructions on how to mount USB as well, but it's not working for me. Any help would be greatly appreciated.

I've upgraded to version 384.3_beta1, just tried one VPN at the moment, looks promising. Did some tests, all working fine. I'll try multiple concurrent VPNs soon.
 
What do I do with the code

Simply copy'n'paste to the /jffs filesystem either using the router's nano editor, or if using a Win PC, WinSCP (WinSCP is the preferred editor!)

I use WinSCP to develop all my scripts (although I have configured it to use notepad++)
I posted a mini-tutorial of getting a script onto the router and how to test it all via WinSCP:
Mini WinSCP tutorial to show how to create/test a new script

I prefer to ensure that the '.sh' suffix is used for all end-user named custom scripts to differentiate them from the RMerlin scripts that are recognised internally by the firmware and made available for use (see RMerlin Wiki).
How do I run the script on my router?
I created the script as '/jffs/scripts/ChkVPNConfig.sh'

SSH to the router (Xshell5 is personally recommended) then you can execute it from the command line:
Code:
cd /jffs/scripts

./ChkVPNConfig.sh
 
Thanks for your response and patience. I managed to create a file but I'm getting permission denied. The attached txt file is the exact same contents I saved with the .sh extension and loaded on the router.

Attachment: ChkVPNConfig.txt (7.3 KB)


As per the wiki link I provided you need to set the permissions:

upload_2018-2-9_19-13-54.png
 
Hi, I tried following the instructions. I was using Sublime previously; after reading your comment I then used Notepad++ to save as .sh. I placed the files in the /jffs/scripts directory but no luck.
Since posting here I tried several things; I am now using an Asus AC68U on Merlin version 384.3_beta2.
I defaulted my VPN settings and started a new one. At first it looked promising; it was working as intended for two days (TV and Android TV box on California, some laptop on HK, everything else bypasses VPN).
Then when I checked, one laptop who's not supposed to be on VPN is in California; when I checked all the hosts they are all in California.

Just a thought, I noticed in the VPN settings a warning message "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x), Please refer to FAQ and set port forwarding."
Does my problem have to do with my Asus being behind a Modem/Router and getting a private IP?

See my SSH session on the router below. Not sure what I'm doing wrong. Am I missing something?
https://pastebin.com/cyiJ6cND

See below, there is no traffic on my VPN 2:

2018_02_20_23_04_15_ASUS_Wireless_Router_RT_AC68_U_VPN_Status.png

 
I used Notepad++ to save as .sh. I placed the files in the /jffs/scripts directory but no luck.

It appears that you have not saved the script with Unix LF chars?

Issue:
Code:
dos2unix   ChkVPNConfig.sh

then retry running the script.

NOTE: I tweaked the (v1.09b) script to also allow a physical 12MB data transfer if requested to validate the VPN tunnel(s) so ensure you have downloaded the most recent version.
 

Thanks, where do I get the v1.09b?

By the way, would you mind sharing some input on how you successfully configured your AC68U? How come it's working for you? Did you use the GUI or a custom script? Do you think there is some configuration I should be doing in the GUI?
 
Got my output already. Are you able to shed some light?
see output here.
 
If your VPN provider does allow multiple concurrent client connections from the router to different geographical end-point servers, then you don't need any scripts/iptables knowledge, simply enable either of the 'Policy Rules' options for 'Redirect Internet traffic' for all 4 OpenVPN clients, and add the appropriate device/subnets to their respective tables:

e.g. All outbound traffic from the Roku will use this VPN Client 1 (New York)

View attachment 10108
Hi and thank you for the picture posted. Could you please advise what the policy rules look like for routing only the traffic made from the router itself through the VPN (traffic made by Entware, i.e. nzbget, torrent)?

I tried https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing with configured "Accept DNS configuration" to Exclusive and then policy:
Code:
Block routed clients if tunnel goes down: Yes
Redirect Internet traffic: Policy rules (strict)
Source: 192.168.1.1 (router IP) Destination: 0.0.0.0 interface: VPN
But I tested it and it is not working. Could you please help?

Many thanks,
amplatfus
 
Thanks, where do I get the v1.09b?
From the original Pastebin link.

By the way, would you mind sharing some inputs on how you successfully configure your AC68U, how come its working for you? Did you use GUI or custom script? Do you think there is some configuration I should be doing on GUI?

The GUI configuration should work, but I do have custom scripts to start the VPN tunnels via cron, and also several openvpn-event trigger scripts, e.g. to inject config directives into the dnsmasq conf etc.
 

You could try the alternative technique and define an alias for the application that runs on the router if the Selective Routing of the router doesn't seem to work:
e.g. For Transmission you define the IP alias and configure Transmission to use the alias IP:
Code:
ifconfig br0:0 192.168.1.xxx up

then simply add this alias IP to the Selective Routing GUI.
 
got my output already. Are you able to shed some light?
see output here.

I personally dislike the ambiguity that having possibly conflicting routing rules in a table can bring i.e. the expected 'default' route being overridden by the special VPN 0.0.0.0/1 and 128.0.0.0/1 rules.


e.g.
Code:
(Debug_VPN.sh): 14199 VPN Client 2 route Table: 112

172.21.22.0/23 dev tun12  proto kernel  scope link  src 172.21.23.20
172.21.20.0/23 dev tun11  proto kernel  scope link  src 172.21.21.163

0.0.0.0/1 via 172.21.20.1 dev tun11
128.0.0.0/1 via 172.21.20.1 dev tun11
default via 172.21.22.1 dev tun12

(Debug_VPN.sh): 14199 ***ERROR*** RPDB rules will be misdirected for VPN Client 2

I would prefer to see just the single default entry for the appropriate VPN device.
Code:
(Debug_VPN.sh): 14199 VPN Client 2 route Table: 112

default via 172.21.22.1 dev tun12
and if that works any additional rule may be added on a per user case basis.

As you originally stated, your issues only occur after some (as yet) unidentified time/event that causes the selective routing to break so I'm not sure if the above examples you have provided are for when the routing is working as expected or when it is broken?
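The misdirection shown in the mixed table above (and the pushed 0.0.0.0/1 and 128.0.0.0/1 routes discussed earlier in the thread) can be reproduced offline with a longest-prefix-match lookup. This is an added example, not part of the thread or of Martineau's script: the route lines are constructed from the 'VPN Client 2 route Table: 112' output quoted above, and the names parse_routes, lookup and check_vpn_table are chosen here.

```python
import ipaddress

# Constructed sample: the 'VPN Client 2 route Table: 112' output quoted in the post above.
TABLE_112 = """\
172.21.22.0/23 dev tun12  proto kernel  scope link  src 172.21.23.20
172.21.20.0/23 dev tun11  proto kernel  scope link  src 172.21.21.163
0.0.0.0/1 via 172.21.20.1 dev tun11
128.0.0.0/1 via 172.21.20.1 dev tun11
default via 172.21.22.1 dev tun12
"""


def parse_routes(text):
    """Turn 'ip route show table N' lines into (network, device, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)   # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gw))
    return routes


def lookup(routes, dst):
    """Longest-prefix match as the kernel does it; returns (device, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def check_vpn_table(routes, client):
    """Same two checks as the debug script: one tun device expected, no /1 catch-all routes."""
    problems = []
    devices = {dev for _, dev, _ in routes}
    if devices != {f"tun1{client}"}:
        problems.append(f"RPDB rules will be misdirected for VPN Client {client}: {sorted(devices)}")
    if any(net.prefixlen == 1 for net, _, _ in routes):
        problems.append("pushed 0.0.0.0/1 and 128.0.0.0/1 routes override 'default'")
    return problems


if __name__ == "__main__":
    routes = parse_routes(TABLE_112)
    # The /1 routes (prefix length 1) beat 'default' (prefix length 0) for every address,
    # so Client 2's traffic leaves via tun11, not tun12:
    print(lookup(routes, "8.8.8.8"))   # ('tun11', '172.21.20.1')
    for problem in check_vpn_table(routes, 2):
        print("***ERROR***", problem)
```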
 
My problem is resolved. The issue is two-fold: first, my Asus router was behind a router/modem and getting a private IP address. I configured my router/modem to bridge mode and let the ASUS establish the PPPoE connection, thus getting the public WAN IP on the ASUS router.
Secondly, my 2 VPN profiles used the same port 1194; I changed one to 443 and the other to 1194. Works like a charm and is stable now. Thank you @Martineau and this forum for your assistance.
 
Been bit by the port issue before too.

Where I live, I see a lot of fiber and DSL modem/routers. I turn them into bridge mode and also disable WiFi and the DHCP server. The router/modem is always 192.168.1.1. So, I have to assign a static IP to my network adapter before doing so since DHCP is turned off. Once I make the changes, I never need to access the ISP modem/router again. I used to be able to change the ISP modem/router to bridge mode myself using the GUI. But now, I have to call the ISP. Within ten minutes, they are done.
 

Thanks for the update.

Not 100% sure why it would apparently work for a couple of days and then suddenly fail with the ISP modem in non-bridge mode, but I have updated the ChkVPNConfig.sh (v1.09b10) script to alert the user if the WAN IP is private.
 