OpenVPN policy routing guide?


So now I reboot a machine that is in the list of those that should go through the VPN, actually the only one in the list, and it does not; it just goes directly out. So I load a new ovpn that points to the US. The machine now goes out through a VPN, but it is the one that was set previously to the UK, which is the one it should have used in the first place.

The symptoms are serious here but the underlying issue may be quite simple.

For me this doesn't work reliably. Rebooting a machine and having it come up not on the VPN is a major issue. As important is the fact that failure to use the VPN should have blocked the machine from the internet but it did not.

I don't want to sound rude but this feature simply does not work.

Richard
 
This gets worse. I uploaded a new ovpn and it "took" but the policy was gone and all the computers used the ovpn
 
Rebooting has nothing to do with how the router routes. Does the client you're rebooting have a static IP? That is all that matters.
 
Yes, the client has a static IP. It's all very odd, perhaps I am missing something but it really doesn't seem to work "as advertised".
 
So you have two options: you can just complain about it or you can help identify whatever problem you're having. It works "as advertised" for a vast number of users.

But again, rebooting a client can't affect the router policy. The only thing that can affect it is the IP address.

If you need help, post the problem and at least some data people can use to help you.
 
I don't want to just complain but I am not sure what data to provide, I don't think screen shots that just show what I am saying would help. So here is the chronology of my latest issue...

Reboot the sole computer that is in the VPN policy list. It then shows that it is not using the VPN.

Check the router and see that the "Redirect Internet traffic" has changed to "No". I set it to "Policy rules" and "Apply" but there is no change.

I load a U.S. ovpn (previously it had been UK) and Apply. "Policy Rules" still show as the selection. I now see that every computer is going to the UK using the ovpn configuration that I just overwrote. I do another "Apply" and everything works as it should, just the one computer is now "in" the U.S. and all the others are not using the VPN.

I recognize that this may be my problem but I'm not new to computers. Merlin's work is great and this router with his software is great but something is wrong, in my case, with the OpenVPN.

r
 
More of the same. I reboot and the second client comes up enabled, and even though both clients show that they are using a policy, every machine is going through the VPN. I turn off the second client and Apply, then Apply on the first client, and things are as they should be.

I'm thinking hardware or something got corrupted. Probably time to reinstall the firmware and reload the config, and if that doesn't work then manually re-enter the config, and if that doesn't work, a new router.
 
Stop throwing in variables by importing ovpns. Stick with one. Apply it. Reboot the router. Go in and make sure everything looks good. If you change anything, reboot the router and be sure it comes up perfect. When you get it looking right, save the config in /etc/openvpn and post it here when it reoccurs (before and after of the file if it changed). Also collect the before and after of your routing table and rules:

route -n

ip rule
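A small script for the before/after collection asked for above. It is an added example, not a script from the thread or from the firmware: it snapshots the routing table, the RPDB rules, the mangle PREROUTING chain and the generated client config into a directory, and diffs two such directories. The config path /etc/openvpn/client1/config.ovpn and the /jffs/snap location are my assumptions; adjust them to the client number you use.

```shell
#!/bin/sh
# Added example (not from the thread): capture the router's routing state
# before and after a change so the two snapshots can be diffed.
# Assumptions: a busybox-style /bin/sh on the router, VPN client 1's generated
# config at /etc/openvpn/client1/config.ovpn (my assumption), and that
# snapshots are kept under /jffs (any writable directory works).

# snap DIR : write routing table, RPDB rules, mangle marks and the client
# config into DIR. Every command is optional so the script also runs on a
# host that lacks ip/iptables.
snap() {
    dir="$1"
    mkdir -p "$dir"
    if command -v ip >/dev/null 2>&1; then
        ip route show > "$dir/route.txt" 2>/dev/null || :
        ip rule show  > "$dir/rule.txt"  2>/dev/null || :
    fi
    if command -v iptables >/dev/null 2>&1; then
        # the chain the Trend Micro DPI engine is reported to flush
        iptables -t mangle -S PREROUTING > "$dir/mangle.txt" 2>/dev/null || :
    fi
    if [ -f /etc/openvpn/client1/config.ovpn ]; then
        cp /etc/openvpn/client1/config.ovpn "$dir/config.ovpn"
    fi
}

# compare BEFORE AFTER : unified diff of each captured file; exit status 0 when
# nothing changed, 1 when at least one file differs (that is what to post).
compare() {
    before="$1"; after="$2"; changed=0
    for f in route.txt rule.txt mangle.txt config.ovpn; do
        if [ -f "$before/$f" ] || [ -f "$after/$f" ]; then
            if ! diff -u "$before/$f" "$after/$f" 2>/dev/null; then
                changed=1
            fi
        fi
    done
    return "$changed"
}

# Typical use on the router, e.g. around a reboot or an Apply:
#   snap /jffs/snap/before   (make the change)   snap /jffs/snap/after
#   compare /jffs/snap/before /jffs/snap/after
```

Run `snap` once when everything looks right, again after the problem reappears, and post the `compare` output: a route that moved out of or into the main table, or an RPDB rule that vanished, shows up as a diff line instead of a screenshot.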
 
Hi,

I've been trying to get one Win7 PC (192.168.1.2) to go through the VPN, using this.

When I visit a site like https://ipleak.net/ it shows my VPN's IP address, but it knows my ISP's DNS servers.

These are my settings:

Advanced Settings:
Poll Interval: 0
Accept DNS Configuration: Exclusive
Encryption cipher: Default
Compression: Adaptive
TLS Renegotiation Time: -1
Connection Retry: -1
Redirect Internet traffic: Policy rules
Block routed clients if tunnel goes down: Yes

Rule as follows:
PC 192.168.1.2 0.0.0.0 VPN


When I switch "Redirect Internet traffic" to either "No" or "All Traffic", and visit https://ipleak.net/ it shows my VPN's IP address, and my VPN's DNS servers (which makes me wonder what the difference is between "No" or "All Traffic"). But anyway, the result is what I want - except that's sending all devices on the LAN through the VPN, and not just the device I want.

When using Policy rules, how do I ensure that DNS requests from the specified device(s) are sent through the VPN?

I only want 192.168.1.2 to go through the VPN, including DNS requests.

Tried rebooting router after config, but no change.

The Win7 PC has static IP and DNS set to the IP of the router.

Thanks to all for advice!
 
Use the DNS Filter section to force that machine to use your VPN provider's DNS.
After a second look and a bit more reading, that makes perfect sense. Thank you very much for your answer!

Still hoping that somebody can tell me the difference between "No" and "All Traffic" for the "Redirect Internet traffic" setting. (I haven't been able to find a manual for the advanced VPN settings.)

Cheers.
 
"All traffic" will make sure all traffic goes through the VPN. "No" means the OpenVPN client code will not do anything special to ensure all traffic goes through the VPN. However, the routes pulled from the VPN server (you can't control this if it's a VPN provider; you could control it if it's your own server) usually accomplish the same thing.
 
Hi guys,

Great thread, I just flashed my AC68U and am now on a crash course on setting it up; how informative this thread is!

Anyone here knows how to direct all downloadmaster traffic to VPN, but leave all other traffic with WAN?

Thanks for your help in advance!
 

Yes, you will still need to use the fwmark tagging technique.

Set up RPDB rules for tagging..

Code:
ip rule add fwmark 1 table  111 prio 30001
ip rule add fwmark 2 table  112 prio 30002
ip rule add fwmark 3 table main prio 30003
ip route flush cache

then simply add your various selective PORT routing rules with appropriate tags

e.g. Port 80 will be via the WAN, Ports 9001:9005 will be via VPN Client2, and Port 8001 will be via VPN Client1

Code:
# mark 1 -> table 111 (VPN Client 1): port 8001
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -p tcp --dport 8001      -j MARK --set-mark 1
# mark 2 -> table 112 (VPN Client 2): ports 9001:9005
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -p tcp --dport 9001:9005 -j MARK --set-mark 2
# mark 3 -> table main (WAN): port 80 from the whole subnet; iprange does not accept a /24, so match with -s
iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx/24 -p tcp --dport 80 -j MARK --set-mark 3

NOTE: If you have ARM router (AC56/68 etc.) then you may need to ensure that the tagging rules are defined in nat-start, as the Trend Micro DPI engine will arbitrarily flush the mangle PREROUTING chain.
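Because nat-start can run more than once and the mangle PREROUTING chain may be flushed under it, the rules are best installed by a script that checks before it adds. The following is an added example, not Martineau's script or firmware code: it wraps the same RPDB and mark rules in functions that test for an existing rule (`ip rule show` for the RPDB entries, `iptables -C` for the mangle entries) and adds only what is missing, with a dry-run mode for testing off the router. The LAN subnet 192.168.1.0/24, the seedbox at 192.168.1.10 and the port-to-client assignment are my assumptions; tables 111 and 112 are used for VPN client 1 and 2 as in the post. One caveat for combining this with the GUI policy: the RPDB evaluates rules in ascending priority number, so check with `ip rule` where the GUI's own per-source rules sit; anything they already claim is routed by them before these marks are consulted.

```shell
#!/bin/sh
# Added example, not Martineau's script: a nat-start style version of the
# fwmark tagging above that is safe to re-run, since the DPI engine may flush
# mangle PREROUTING and nat-start can be invoked more than once. Addresses,
# ports and tables below are my assumptions: LAN 192.168.1.0/24, a seedbox at
# 192.168.1.10, tables 111/112 = VPN client 1/2 as in the post.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SEED_HOST="${SEED_HOST:-192.168.1.10}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run CMD... : execute, or echo when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# rpdb_rule MARK TABLE PRIO : add the RPDB rule unless it is already there
# (`ip rule show` prints marks in hex, e.g. "fwmark 0x1 lookup 111")
rpdb_rule() {
    if [ "$DRY_RUN" != 1 ] && ip rule show | grep -q "fwmark 0x$1 lookup $2"; then
        return 0
    fi
    run ip rule add fwmark "$1" table "$2" prio "$3"
}

# mangle_rule MATCH... : append to mangle PREROUTING unless `iptables -C`
# already finds an identical rule
mangle_rule() {
    if [ "$DRY_RUN" != 1 ] && iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t mangle -A PREROUTING "$@"
}

# setup : marks 1/2 go to VPN client 1/2, mark 3 forces the WAN (table main).
# Only the listed ports are touched; everything else follows the GUI policy.
setup() {
    rpdb_rule 1 111  30001
    rpdb_rule 2 112  30002
    rpdb_rule 3 main 30003
    # seedbox peer ports (tcp and udp) via VPN client 1
    mangle_rule -i br0 -s "$SEED_HOST" -p tcp --dport 9001:9005 -j MARK --set-mark 1
    mangle_rule -i br0 -s "$SEED_HOST" -p udp --dport 9001:9005 -j MARK --set-mark 1
    # seedbox web UI via VPN client 2
    mangle_rule -i br0 -s "$SEED_HOST" -p tcp --dport 8001 -j MARK --set-mark 2
    # plain web traffic from the whole LAN stays on the WAN
    mangle_rule -i br0 -s "$LAN_NET" -p tcp --dport 80 -j MARK --set-mark 3
    run ip route flush cache
}

# To install: copy to /jffs/scripts/nat-start, chmod +x, and end the file with
# a bare "setup" line. Check the generated commands first with:
#   DRY_RUN=1 sh /jffs/scripts/nat-start
```

Running `setup` twice on the router leaves exactly one copy of each rule, which is the property a nat-start script needs when the firmware re-invokes it; `DRY_RUN=1` lets you review the eight commands it would issue before touching a live router.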

Martineau will your instructions work in conjunction with the new GUI vpn server policy? I want to still use the GUI which I really like, but also would like to route Minecraft's port (25565) to the wan. I understand your instructions, just wondering if I can use your instructions on a nat-start script, and the GUI together.
Your instructions should be put in the wiki. :)
 
In theory - yes.
 
Selective RPDB routing definitely works for a single VPN Client.

Not sure when it got broken, but I know it was working for .53 firmware, but I haven't used selective RPDB routing for both VPN1 and VPN2 concurrently for quite a while.

RMerlin's code:

Code:
# Delete existing VPN routes that were pushed by server on table main
    NET_LIST=$(ip route show|awk '$2=="via" && $3==ENVIRON["route_vpn_gateway"] && $4=="dev" && $5==ENVIRON["dev"] {print $1}')
    for NET in $NET_LIST
    do
        ip route del $NET dev $dev
        logger -t "openvpn-routing" "Removing route for $NET to $dev from routing tables"
    done

does not appear to fire for whichever VPN client is started second... so from what I can tell, an incorrect/invalid route table is being presented to his code, so a very, very dirty hack may be to replace

Code:
&& $5==ENVIRON["dev"]

with

Code:
&& ($5=="tun11" ||  $5=="tun12")

effectively forcing

Code:
ip route del 0.0.0.0/1
ip route del 128.0.0.0/1

Looks like a bug to me. :(
I was hoping with the latest firmware I could finally get this working. But unfortunately it didn't.
Whenever I have more than one VPN active, all traffic is routed through the first.
I tried also
- using VPN 3 and 5 (instead of 1 and 2).
- removing all scripts
- reset to factory settings and starting from scratch
- loading the latest Asus firmware and then clearing all settings
- reloading the latest rmerlin firmware again factory reset
But alas... I cannot get one computer through vpn1 and the other through vpn2 (or 3, 4 or 5).
It would be great to get this fixed, and I'm willing to make changes, post results, the lot! Just need some help...

Thanks,
Erwin
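To make the quoted awk selection inspectable without a router, here is an added example (my code, not RMerlin's route hook or Martineau's hack). It runs the same field test on a constructed `ip route show` table in which two clients are connected and both servers pushed the def1 pair (0.0.0.0/1 and 128.0.0.0/1, the "routes pulled from the VPN server" that came up earlier in the No versus All Traffic question), and prints the networks each variant of the filter would hand to `ip route del`. Gateways 10.8.0.1 and 10.9.0.1, the tun11/tun12 devices and the WAN address are my assumptions.

```shell
#!/bin/sh
# Added example, not RMerlin's or Martineau's code: reproduce what the quoted
# awk line selects from `ip route show`, on a constructed routing table, so the
# two-client case can be inspected offline. Gateway and device names are assumptions.

# Constructed `ip route show` output: two VPN clients up, both servers pushed
# redirect-gateway def1 (0.0.0.0/1 + 128.0.0.0/1) into the main table.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun11
128.0.0.0/1 via 10.8.0.1 dev tun11
0.0.0.0/1 via 10.9.0.1 dev tun12
128.0.0.0/1 via 10.9.0.1 dev tun12
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
10.9.0.0/24 dev tun12 proto kernel scope link src 10.9.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# pushed_routes GATEWAY DEV [ROUTES] : networks routed via GATEWAY on DEV.
# This is the test RMerlin's snippet applies with $route_vpn_gateway and $dev,
# the values OpenVPN exports to the route hook for the client being started.
pushed_routes() {
    printf '%s\n' "${3:-$SAMPLE_ROUTES}" |
        awk -v gw="$1" -v dev="$2" \
            '$2=="via" && $3==gw && $4=="dev" && $5==dev {print $1}'
}

# pushed_routes_any_tun [ROUTES] : the "dirty hack" variant that drops the
# gateway/dev check and matches any tun11..tun15 route.
pushed_routes_any_tun() {
    printf '%s\n' "${1:-$SAMPLE_ROUTES}" |
        awk '$2=="via" && $4=="dev" && $5 ~ /^tun1[1-5]$/ {print $1}'
}

# del_commands GATEWAY DEV [ROUTES] : the `ip route del` lines the hook would run
del_commands() {
    pushed_routes "$1" "$2" "${3:-}" | while read -r net; do
        echo "ip route del $net dev $2"
    done
}
```

Given the correct gateway and device, the filter does select the second client's two def1 routes, so if nothing is removed for that client on a real router the thing to capture is what the hook actually saw: `env | grep -E 'route_vpn_gateway|^dev='` and `ip route show` from inside the route-up script, which is the "incorrect/invalid route table" question above. The any-tun variant deletes every pushed default route for every client, which is why it is a hack and not a fix.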
 
FYI Martineau, I replaced as suggested
Code:
&& $5==ENVIRON["dev"]

with

Code:
&& ($5=="tun11" ||  $5=="tun12" ||  $5=="tun13" ||  $5=="tun14" ||  $5=="tun15")
But it didn't make any difference. I also tried placing "route-noexec" into the Custom Configuration, but alas...

What other ideas do you have for me to try? ;)
 
I'm not sure if my question is the same as some of the ones above, but I've googled a lot and haven't come up with a thread that is closer to what I want to try out.. so let me try my luck here with all your rockstars?

My request is simple.. I have PIA VPN running on my Asus RT-AC66U.. and so far I was using the "All Traffic" option to route all traffic through the VPN.. but since the last few days I had to turn it off as Netflix has stopped allowing traffic reaching it from VPN services to stream content. (I'm in the US).

So I decided to use the Policy option and let my Roku and wife's laptop go via WAN instead of VPN.. this solves the problem.

The issue I now have is that the Transmission that I run on the router (via Entware) goes via WAN and not VPN. I tried adding a policy rule for 192.168.1.1 (my router IP as well as the Transmission IP, given that Transmission runs on the router?) to go via VPN, but it doesn't seem to work. I checked by using "block traffic when VPN goes down", but Transmission still seeds when I turn off the VPN (but of course my laptop's internet dies, which means the issue lies elsewhere).

Could anyone suggest how I can make this work better? Essentially I need transmission on entware (on my router) as well as ONE PC (my laptop) to run via VPN while all other devices in the house are OK to run directly through WAN.
 
Hm, good question ...
You could try to set your network 192.168.1.0/24 to "IPs Netflix" to VPN.
The kill switch in your case could not work, as the router itself should always be able to connect via WAN.

In my eyes running Transmission on the router is very slow; why don't you use a better solution like a NAS or a Raspberry Pi?
 
