OpenConnect client on ASUS RT-AC68P router not working

[ResumeNothing]

I'm trying to run OpenConnect client on an ASUS RT-AC68P router. I've flashed the router with Asuswrt-Merlin, installed Entware-ng on a USB drive, and installed OpenConnect and all of the other relevant packages.

After replacing the symlinked /etc/resolv.conf file with a non-read-only duplicate, I'm able to get the OpenConnect client running, but it doesn't actually work, that is, all of the sites I go to report the IP address from my ISP instead of the one from my VPN provider. If I run OpenConnect with identical options directly on my mac instead (prepended with sudo), it works fine and all sites show the IP from my VPN provider.

Comparing the output of the command with -v between the two, there aren't a whole lot of differences. One thing I've noticed is that the router usually outputs this line at some point:

TCP_INFO rcv mss 1258, snd mss 1448, adv mss 1448, pmtu 1500

I say usually because if I set the --mtu and --base-mtu options to various values, I can sometimes get this line to go away, though it still doesn't seem to work. Often the mtu values seem different from what I'm getting on the mac side, but I can make them the same with these options to no avail.

The other difference is that at the very end, the mac outputs these lines:

add host xxx.xx.xx.xxx: gateway 192.168.1.1
add net yy.yy.0.0: gateway yy.yy.zzz.zzz
delete net default: gateway 192.168.1.1
add net default: gateway yy.yy.zzz.zzz

xxx.xx.xx.xxx is the IP of the VPN server I'm connecting to and what my IP resolves as if I connect successfully. yy.yy.zzz.zzz is listed as the X-CSTP-Address and again in this output:

Connected as yy.yy.zzz.zzz, using SSL + lzs

The router doesn't output these four lines, though it does output the "Connected as..." line. Changes to "ip route" output before and after connecting seem similar on the mac and router.

I've been scouring the internet for clues as to why it isn't working, but I haven't found anything that's helped. OpenConnect seems like it could be much faster than L2TP or OpenVPN (I can get 150mbps down on the mac, but only 30 and 15 down on the router for L2TP and OpenVPN respectively).

Any help is appreciated!

 

[ResumeNothing]

I've also tried running OpenVPN on the command line in pretty much the same way with nearly identical results. It works fine when I run it on the mac, but doesn't appear to do anything when I run it on the router.

I also noticed that if I run OpenVPN through the interface, which works, then it uses tun11, whereas on the command line it uses tun0 by default. I tried setting the command line to run through tun11 instead, but then everything just breaks.

This makes me think that somehow when I'm trying to run the vpn through the command line, regardless of whether I'm using OpenConnect or OpenVPN, it's creating the tunnel, but it's not bothering to actually send any traffic through it. I've seen some things about split-tunneling, which is sort of the opposite of what I'm trying to do, but I wonder if I'm inadvertently split-tunneling, except everything is going through the non-VPN tunnel and nothing is going through the VPN tunnel.

I also figured out that there's a setting in the interface to set the MTU, which had been set to 1500, so that solves the MTU mystery. I dropped this down to 1100 just in case that might fix things, but I had no luck.

Anyways, I'm still looking into what's going on, but since there's a lot more knowledge out there about OpenVPN than OpenConnect, someone else might know how to properly set up OpenVPN to work from the command line, and then hopefully I can apply that to OpenConnect.

 

[ResumeNothing]

It looks like I'm running into routing conflicts because of some rules that Asuswrt-Merlin is running, so I've gone ahead and posted there instead:

https://www.snbforums.com/threads/r...wrt-merlin-and-entware-ngs-openconnect.40672/

I don't see any way of closing this thread, but if there is that would probably make the most sense at this point since these seems to be an Asuswrt-Merlin issue and not a VPN issue.