openvpn multiple client default behavior?

[dasus]

When I have client 1-5 all connected to 5 different VPN servers with the default settings on a fresh install, what exactly is the behavior? For me it appears to randomly direct all my devices to one of the VPN servers at random.

 

[ASadani]

I didn't know you could run more than two, but as you mention, I may be wrong. If you route the VPN to a device then it should stick to that device. VPN's run on CPU and I believe one VPN will take up one CPU. If you have 5 VPN's then that may be the issue.

 

[Martineau]

When I have client 1-5 all connected to 5 different VPN servers with the default settings on a fresh install, what exactly is the behavior?

For me it appears to randomly direct all my devices to one of the VPN servers at random.

If ALL 5 VPN clients have Selective Routing enabled ('Redirect Internet traffic=Policy Rules*'), then if there are overlapping source IP ranges defined for Selective Routing, then for routing decisions, VPN Client 1 will have the highest priority with VPN Client 5 having the lowest priority.

If however, 'Redirect Internet traffic=ALL', then the selective routing will depend on which VPN Client connection is enabled/ACTIVE last and may be the cause of the seemingly random selective routing you have described.

NOTE: CPU affinity has no bearing on the routing rules, but can affect VPN tunnel throughput performance.

Unless you're also running a Dual-WAN environment, the Policy routing rules are always static and are processed in descending order of priority.

I suggest you verify/check the Routing Policy rules and routes:

ip rule

for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done

EDIT: Corrected typo in command 'ip rules'

 

[dasus]

If however, 'Redirect Internet traffic=ALL', then the selective routing will depend on which VPN Client connection is enabled/ACTIVE last and may be the cause of the seemingly random selective routing you have described.

I have all VPNs connected but Redirect Internet traffic to "No" on all of them. I just disconnected and reconnected them all and all traffic goes strait out the WAN until I hit apply on one of the VPN configs so it seems like the behavior is the last VPN config you hit apply on?

If ALL 5 VPN clients have Selective Routing enabled ('Redirect Internet traffic=Policy Rules*'), then if there are overlapping source IP ranges defined for Selective Routing, then for routing decisions, VPN Client 1 will have the highest priority with VPN Client 5 having the lowest priority.

Does this mean I can use Policy Rules or Policy Rules strict and turn the kill switch only on VPN config 5 to have backups leading to a final failure?

NOTE: CPU affinity has no bearing on the routing rules, but can affect VPN tunnel throughput performance.
Unless you're also running a Dual-WAN environment, the Policy routing rules are always static and are processed in descending order of priority.
I suggest you verify/check the Routing Policy rules and routes:

ip rules
for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done

I am getting an error on the command "ip rules" or was this just the title of the next command? The output I get is:

Table 254
0.0.0.0/1 via 10.8.2.1 dev tun14
default via **my ISP** dev eth0
128.0.0.0/1 via 10.8.2.1 dev tun14
Table 111
Table 112
Table 113
Table 114
Table 115

Thanks for your assistance.

 

[Martineau]

I have all VPNs connected but Redirect Internet traffic to "No" on all of them. I just disconnected and reconnected them all and all traffic goes strait out the WAN until I hit apply on one of the VPN configs so it seems like the behavior is the last VPN config you hit apply on?

Correct - 'Redirect Internet Traffic=No' doesn't do what you would expect....it is the same as 'Redirect Internet Traffic=ALL'

and is clearly shown in your output

i.e. everything is routed via VPN Client 4

Table 254

0.0.0.0/1 via 10.8.2.1 dev tun14
default via **my ISP** dev eth0
128.0.0.0/1 via 10.8.2.1 dev tun14
Table 111
Table 112
Table 113
Table 114
Table 115​

Does this mean I can use Policy Rules or Policy Rules strict and turn the kill switch only on VPN config 5 to have backups leading to a final failure?

Yes

I am getting an error on the command "ip rules"

Abject apologies, I have corrected the silly typo in the command[/QUOTE]

 

[RMerlin]

Correct - 'Redirect Internet Traffic=No' doesn't do what you would expect....it is the same as 'Redirect Internet Traffic=ALL'

To be more accurate, it's the same as "Redirect Internet Traffic = whatever your remote server tells us to do". If they redirect traffic (like a typical VPN tunnel provider does), it will get redirected.

This might be more obvious if you read this setting as "Force Internet traffic redirection" perhaps. I should perhaps reword it that way.

 

[dasus]

This might be more obvious if you read this setting as "Force Internet traffic redirection" perhaps. I should perhaps reword it that way.

I think adding the word Force makes a lot of sense. Makes me wonder, theoretically could a VPN provider selectively not encrypt certain traffic?

New Question #1
Online somewhere they recommended routing the default gateway/router IP to WAN for better performance... but I don't really understand what that means? Was that site mistaken? What exactly is the pro/con of encrypting the default gateway, by default it will encrypt the router/default gateway the way I currently have it set up?

New Question #2

in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic

I can't quite understand this, is there a simple example to show the difference between strict mode and regular policy mode, what is an example of a rule "not specifically" targeting a tunnel interface?

 

[RMerlin]

I think adding the word Force makes a lot of sense. Makes me wonder, theoretically could a VPN provider selectively not encrypt certain traffic?

Not a provider. However the original, REAL use for a VPN is to connect to a remote office, in which case you typically do not want traffic to be redirected through the tunnel.

Online somewhere they recommended routing the default gateway/router IP to WAN for better performance... but I don't really understand what that means?

Can't say, not knowing what they exactly wrote, and in what context.

 

[dasus]

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

"A common configuration setup where you want your whole LAN to go through the VPN, but not the router itself:"
LAN 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN

What is the effect of making an exception for the router? I thought everything would be going through the VPN anyway even with making such an exception?