Multiple VPN Connections

[bpalob]

Good day,

am using a Asus AC-5300 with latest ASUSWRT Merlin 3.84.15.

I so have an account with a VPN service provider running servers in several countries. I´d like to connect simultaneously to more than one country and then enforce policy routing to have one device running to country a) and another device to country b), the rest should bypass VPN.

I configured OpenVPN client profiles for both countries, I can also connect to them and everything is fine. If I only use country a), the client I define to use the VPN in the policy routing section goes to country a). The rest bypasses. All as intended.

When I though configure country b) and add different devices to country a) and b), for instance, device 1=a and device 2=b, and I then check the IPs on the devices, device 1 shows correctly country a), but device 2 is also showing country a).

Am I overseeing something?

Also, I have set the routing policy to "strict".

Thanks for any help.

 

[Martineau]

Good day,

am using a Asus AC-5300 with latest ASUSWRT Merlin 3.84.15.

I so have an account with a VPN service provider running servers in several countries. I´d like to connect simultaneously to more than one country and then enforce policy routing to have one device running to country a) and another device to country b), the rest should bypass VPN.

I configured OpenVPN client profiles for both countries, I can also connect to them and everything is fine. If I only use country a), the client I define to use the VPN in the policy routing section goes to country a). The rest bypasses. All as intended.

When I though configure country b) and add different devices to country a) and b), for instance, device 1=a and device 2=b, and I then check the IPs on the devices, device 1 shows correctly country a), but device 2 is also showing country a).

Am I overseeing something?

Also, I have set the routing policy to "strict".

Thanks for any help.

Copy'n'paste (triple click the code line) this VPN configuration debugging one-liner into the SSH command prompt and post the output

echo -e "\n\t"RPDB Rules;ip rule;echo;for I in 1 2 3 4 5;do [ -n "$(nvram get vpn_client${I}_addr)" ] && echo -e "\t"Client ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto) || echo -e "\t"Client ovpnc${I} NOT configured;ip route show table 11$I |  grep -E "^0\.|^128.|^default|^prohibit|tun1";done;echo -e "\n\t"Table main;ip route show table 254 | grep -E "^0\.|^128.|^default"

 

[SuperKerl]

I had the same issues, you have to use different protocols and ports for your VPNs, e.g. UDP 1194 and TCP 443. With different protocols you get different internal IP ranges, e.g. 10.8.x.x and 10.7.x.x (visible on the VPN status page). I couldn‘t find out if this is VPN provider related or has to do with the router.

 

[CaptainSTX]

The fact that the provider says you can have five or more connections in their advertising means using different devices. Only some VPN providers will let you run more than one VPN client on your router and then for it to work you need to use different ports.

 

[bpalob]

Thanks for the hints.

@Martineau, here´s teh result from your command:

ASUSWRT-Merlin RT-AC5300 384.15_0 Sat Feb 8 18:40:05 UTC 2020
admin@PACANET_ASUS:/tmp/home/root# echo -e "\n\t"RPDB Rules;ip rule;echo;for I in 1 2 3 4 5;do echo -e "\t"Client ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto);ip r
oute show table 11$I | grep -E "^0\.|^128.|^default|^prohibit|tun1";done;echo -e "\n\t"Table main;ip route show table 254 | grep -E "^0\.|^128.|^default"

RPDB Rules
0: from all lookup local
10501: from 10.0.0.16 lookup ovpnc3
10502: from 10.0.0.15 lookup ovpnc3
10503: from 10.0.0.20 lookup ovpnc3
10701: from 10.0.0.10 lookup ovpnc4
32766: from all lookup main
32767: from all lookup default

Client ovpnc1 port 1194 udp
Client ovpnc2 port 1194 udp
Client ovpnc3 port 1194 udp
10.8.8.0/24 dev tun13 proto kernel scope link src 10.8.8.4
default via 10.8.8.1 dev tun13
Client ovpnc4 port 1194 udp
10.8.8.0/24 dev tun14 proto kernel scope link src 10.8.8.11
default via 10.8.8.1 dev tun13
Client ovpnc5 port 1194 udp

Table main
default via 80.***.**.* dev eth0


I will also, when I get time, try the option to use different protocols and will verify with my VPN provider whether he supports multiple connections from same device.

BTW, I get around 20-30mbps on the VPN connection, using a 300mbps cable link. If multiple connections from same device would be possible, could I also bundle connections to increase speed?

Thanks.

 

[Martineau]

Thanks for the hints.

@Martineau, here´s teh result from your command:

ASUSWRT-Merlin RT-AC5300 384.15_0 Sat Feb 8 18:40:05 UTC 2020
admin@PACANET_ASUS:/tmp/home/root# echo -e "\n\t"RPDB Rules;ip rule;echo;for I in 1 2 3 4 5;do echo -e "\t"Client ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto);ip r
oute show table 11$I | grep -E "^0\.|^128.|^default|^prohibit|tun1";done;echo -e "\n\t"Table main;ip route show table 254 | grep -E "^0\.|^128.|^default"

RPDB Rules
0: from all lookup local
10501: from 10.0.0.16 lookup ovpnc3
10502: from 10.0.0.15 lookup ovpnc3
10503: from 10.0.0.20 lookup ovpnc3
10701: from 10.0.0.10 lookup ovpnc4
32766: from all lookup main
32767: from all lookup default

Client ovpnc1 port 1194 udp
Client ovpnc2 port 1194 udp
Client ovpnc3 port 1194 udp
10.8.8.0/24 dev tun13 proto kernel scope link src 10.8.8.4
default via 10.8.8.1 dev tun13
Client ovpnc4 port 1194 udp
10.8.8.0/24 dev tun14 proto kernel scope link src 10.8.8.11
default via 10.8.8.1 dev tun13
Client ovpnc5 port 1194 udp

Table main
default via 80.***.**.* dev eth0


I will also, when I get time, try the option to use different protocols and will verify with my VPN provider whether he supports multiple connections from same device.

BTW, I get around 20-30mbps on the VPN connection, using a 300mbps cable link. If multiple connections from same device would be possible, could I also bundle connections to increase speed?

Thanks.

There's your error...VPN Client 4 will always route via VPN Client 3 (interface tun13)

        Client ovpnc3 port 1194 udp
10.8.8.0/24 dev tun13  proto kernel  scope link  src 10.8.8.4
default via 10.8.8.1 dev tun13

        Client ovpnc4 port 1194 udp
10.8.8.0/24 dev tun14  proto kernel  scope link  src 10.8.8.11
default via 10.8.8.1 dev tun13

so Selective Routing RPDB rule for LAN device 10.0.0.10

10701:  from 10.0.0.10 lookup ovpnc4

is inadvertently routed via VPN Client 3