openvpn server and client question

[Xentrk]

Hiya,

I have run that through SSH & there is no mention of the IPSec tunnel at all? I have: eth0, tun11, lo & br0. I have run the command while actually connected to the IPSec tunnel. This seems very strange.

I found a guide for PPTP selective routing. But I'm not seeing the interface appear when I use the "route -n" command for PPTP or IPSec.

 

[Net Noob]

I found a guide for PPTP selective routing. But I'm not seeing the interface appear when I use the "route -n" command for PPTP or IPSec.

I have tried to run an ifconfig -a through SSH & i can see everything, things i never even knew existed, but i cant see the IPSec tunnel either. I wonder the issue is?

I have tried this with both the IPSec tunnel active and inactive, the output from ifconfig -a is the same. So, its not as if the tunnel is named as something else either

 

[Martineau]

Hello,

Thank you for your reply.

I believe this code provided will not work due to me coming in from an IPSec tunnel into my router. However, the code you have provided sparked an idea:

###vpnserver1-up
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE

I modified the above thinking i could use the IP range of connected clients to the IPSec tunnel instead which according to the GUI is 10.10.10.1 - 10.10.10.254 (as default). I tried the following:

(At this point the IPSec IKEV2 tunnel was already up and accepting connections)

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

I also added 10.10.10.0/24 to the OpenVPN client rules for routing traffic through the tunnel through the GUI.

Unfortunately running the code through SSH on the router did not force the traffic from the IPSec tunnel through to the OpenVPN client & onward through to NordVPN. I am not sure if the IPsec tunnel is even using the specified range?

Thank you for any help.

Ensure the VPN Client is UP and you have an inbound client connected to the IPSec Server.

Confirm the status of IPSec

ipsec statusall

To create the inbound IPSec Server VPN passthru' you need three elements:

e.g. outbound via VPN Client 1

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add $ROUTE table ovpnc${VPN_ID};done

Spoiler: Full configuration steps

IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE

PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

and hopefully the inbound IPSec Server client is now routed via the nominated VPN Client outbound.

iptables --line -t nat -nvL

If it is working, then you can use the openvpn-event triggers 'vpnclientX-route-up'/'vpnclientX-down' to manage the appropriate ip route/RPDB/iptables.

 

[Chris_J]

Guys, I asked this over in a old thread I had created, but figured this is now the goto thread for OpenVPN server questions.

Anyone know how I would force all clients to use a specific DNS server? dhcp-option DNS doesn't seem to work and the router uses the DNS setting used on the WAN configuration page instead. I have this set to cloudflare (for when the router boots) but I'd like to use my own DNS server.

 

[Salles]

Guys, I asked this over in a old thread I had created, but figured this is now the goto thread for OpenVPN server questions.

Anyone know how I would force all clients to use a specific DNS server? dhcp-option DNS doesn't seem to work and the router uses the DNS setting used on the WAN configuration page instead. I have this set to cloudflare (for when the router boots) but I'd like to use my own DNS server.

Not really sure what you are asking, but I think this is the wrong thread for this question.

If you do not want to use the DNS of your VPN Client, set "Accept DNS Configuration" to Disabled.
Xentrk explains it here.

IMPORTANT: make sure you didn't enter a custom DNS server on the LAN -> DHCP page. For DNS Privacy to work, the DHCP server must point your client at the router's IP to use as their DNS server. Likewise, your client must not be configured with a static DNS other than the router's IP.
Quote from the Wiki.

I do not have my own DNS server, but I would guess you could do this by setting "Connect to DNS Server automatically" to NO in the WAN page and then type the IP adress of your DNS server.

 

[Chris_J]

You misunderstand. I am talking about the clients that connect to the VPN Server and the DNS settings that they adopt from the router configuration. In this case, they use the DNS server specified in the WAN page on the GUI, however, I'd like to force them to use a specific DNS server, as currently, they are bypassing the DNSFilter in the Merlin firmware. The server that I would like is located on my network, so entering this into the WAN page would not be a good idea because when the router sends a DNS query (sync time, update Entware package etc), it would create an endless loop between the DNS server and the router.

 

[Xentrk]

You misunderstand. I am talking about the clients that connect to the VPN Server and the DNS settings that they adopt from the router configuration. In this case, they use the DNS server specified in the WAN page on the GUI, however, I'd like to force them to use a specific DNS server, as currently, they are bypassing the DNSFilter in the Merlin firmware. The server that I would like is located on my network, so entering this into the WAN page would not be a good idea because when the router sends a DNS query (sync time, update Entware package etc), it would create an endless loop between the DNS server and the router.

I think you were close. What I've seen recommended is adding the "push" directive on the server side:

push "dhcp-option DNS 10.66.0.4"

See https://openvpn.net/community-resources/pushing-dhcp-options-to-clients/. There are some caveats you will need to be aware of.

 

[Martineau]

You misunderstand. I am talking about the clients that connect to the VPN Server and the DNS settings that they adopt from the router configuration. In this case, they use the DNS server specified in the WAN page on the GUI, however, I'd like to force them to use a specific DNS server, as currently, they are bypassing the DNSFilter in the Merlin firmware. The server that I would like is located on my network, so entering this into the WAN page would not be a good idea because when the router sends a DNS query (sync time, update Entware package etc), it would create an endless loop between the DNS server and the router.

EDIT: @Xentrk beat me to it.....

see this post and you may need to explicitly exclude the Pi-hole on the DNSFilter TAB.

e.g. On the client mobile device it is assigned a static IP from the OpenVPN Server IP-pool, and the OpenVPN log shows

Opening tun interface:
Local IPv4: 10.16.0.88/24 IPv6: (not set)MTU:1500
DNS Server:192.168.1.149,Domain:null

and 10.16.0.88 appears in the Pi-hole log:

 

[Chris_J]

Thanks for the responses, guys.

When I first set up the Pi-hole, I already added an exclusion to DNSFilter for the Pi-hole IP address. Without this, nobody on the entire network had internet. It took me nearly half an hour to work this one out!

When I connect my Android phone to the AC-86U VPN server, I get the following appear in the system log:

'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.21.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.21.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

This happens despite adding to the client configuration file:

dhcp-option DNS 192.168.1.3

Which is the Pi's IP address of course. So from what you are both recommending, I needed to add this not to the client configuration, but to the server configuration. Oops!

Edit: I see from your other post that this will actually add the server as an additional one, so I will need to edit the postconf instead?

 

[Chris_J]

Another snag that I ran into today:

I cannot access devices on the local network when connecting externally via the VPN server. By chance, I managed to work out that the setting for Policy Rules in the VPN client configuration page is causing this. I have this set to "Policy Rules (strict)", but I can only see local devices over VPN when this is set to "Policy Rules" only.

The problem is, I need to have the strict setting, because I have some routes set up that send traffic over the WAN (bypassing the VPN) for particular devices on my network. Without the strict setting, sometimes the WAN routes are ignored, which causes some headaches.

Do I perhaps need to add an ip rule to allow access to the 192.168.x.x ip range when accessing remotely?

 

[Martineau]

Another snag that I ran into today:

I cannot access devices on the local network when connecting externally via the VPN server. By chance, I managed to work out that the setting for Policy Rules in the VPN client configuration page is causing this. I have this set to "Policy Rules (strict)", but I can only see local devices over VPN when this is set to "Policy Rules" only.

The problem is, I need to have the strict setting, because I have some routes set up that send traffic over the WAN (bypassing the VPN) for particular devices on my network. Without the strict setting, sometimes the WAN routes are ignored, which causes some headaches.

Do I perhaps need to add an ip rule to allow access to the 192.168.x.x ip range when accessing remotely?

Access to the LAN is controlled by the GUI option

which modifies the OVPN chain

 iptables  --line -t filter -nvL OVPN

You should only need to manually add rules to the OVPN chain ('vpnserverX-route-up') if you have say custom downstream VLANs etc.

 

[Chris_J]

I should have mentioned, I already have "both" set on the GUI.

 

[Net Noob]

Ensure the VPN Client is UP and you have an inbound client connected to the IPSec Server.

Confirm the status of IPSec

ipsec statusall

To create the inbound IPSec Server VPN passthru' you need three elements:

e.g. outbound via VPN Client 1

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done

Spoiler: Full configuration steps

IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE

PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO 2>dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

and hopefully the inbound IPSec Server client is now routed via the nominated VPN Client outbound.

iptables --line -t nat -nvL

If it is working, then you can use the openvpn-event triggers 'vpnclientX-route-up'/'vpnclientX-down' to manage the appropriate ip route/RPDB/iptables.

Hello there,

I have added the following word for word, line by line after successfully starting the IPSec server and connecting my mobile phone to it through mobile internet:

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO 2>dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

At the point where i try to execute:

ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO 2>dev/null

I get an error saying: -sh: can't create dev/null: nonexistent directory.

This line works fine:

ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

The error does not occur when executing:

iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null

Am i making a mistake somewhere?

Thank you for any help.

 

[Martineau]

Hello there,

I have added the following word for word, line by line after successfully starting the IPSec server and connecting my mobile phone to it through mobile internet:

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO 2>dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

At the point where i try to execute:

ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO 2>dev/null

I get an error saying: -sh: can't create dev/null: nonexistent directory.[/CODE]

Am i making a mistake somewhere?

Whoops

There is indeed a typo (now corrected):

ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID  2>/dev/null

but the command is simply ensuring that you do not create unnecessary duplicates by deleting an existing rule.

However, the code is demonstrating how to programmatically extract the IPSec IP subnet and create the RPDB rule using a script, but you have already manually entered this into the Selective Routing GUI as stated in your previous post.

 

[Net Noob]

Whoops

There is indeed a typo (now corrected):

ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID  2>/dev/null

but the command is simply ensuring that you do not create unnecessary duplicates by deleting an existing rule.

However, the code is demonstrating how to programmatically extract the IPSec IP subnet and create the RPDB rule using a script, but you have already manually entered this into the Selective Routing GUI as stated in your previous post.

I rebooted my router, connected my mobile phone to the IPSec tunnel & executed the following:

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

There were no issues with execution of the commands but unfortunately my mobile phone still goes through the WAN and not through the OpenVPN client.

In the router GUI under the OpenVPN client settings, i do not have a rule for routing client traffic added. I added 10.10.10.0/24 to go through the OpenVPN client tunnel but this has not helped either.

Is this line of code:

PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))

Supposed to be:

PRIO=$(($(ip rule | grep -E "^10.*\:" | tail -n 1 | awk -F: '{print $1}')+1))

I am at a loss as to what the issue could be but then again i barely understand whats going on here

Thanks.

 

[Martineau]

I rebooted my router, connected my mobile phone to the IPSec tunnel & executed the following:

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

There were no issues with execution of the commands but unfortunately my mobile phone still goes through the WAN and not through the OpenVPN client.

In the router GUI under the OpenVPN client settings, i do not have a rule for routing client traffic added. I added 10.10.10.0/24 to go through the OpenVPN client tunnel but this has not helped either.

Is this line of code:

PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))

Supposed to be:

PRIO=$(($(ip rule | grep -E "^10.*\:" | tail -n 1 | awk -F: '{print $1}')+1))

I am at a loss as to what the issue could be but then again i barely understand whats going on here

Thanks.

I'm assuming that you have configured VPN Client 1, so you need to show the VPN Client 1 routing table and the associated RPDB rules and the IPSec configuration status

ip route show table ovpnc1

ip rule

ip route show table 220

ipsec statusall

VPN Client 1 RPDB rules use priority range

10000-10099 WAN
101001-10199 VPN

The IPSec pass-thru is exactly the same as the OpenVPN method, we are simply extracting the correct route from the IPSec routing table 220 together with the IPSec Server subnet - usually 10.10.10.0/24

 

[Net Noob]

I'm assuming that you have configured VPN Client 1, so you need to show the VPN Client 1 routing table and the associated RPDB rules and the IPSec configuration status

ip route show table ovpnc1

ip rule

ip route show table 220

ipsec statusall

VPN Client 1 RPDB rules use priority range

10000-10099 WAN
101001-10199 VPN

The IPSec pass-thru is exactly the same as the OpenVPN method, we are simply extracting the correct route from the IPSec routing table 220 together with the IPSec Server subnet - usually 10.10.10.0/24

I ran the commands as they are, first while my mobile was disconnected from the IPSec and then when it was connected. The previous code provided has been run & the router has not been rebooted. The output is as follows:

ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb  8 18:41:28 UTC 2020
RT-AC86U:/tmp/home/root# ip route show table ovpnc1
default via 10.26.0.21 dev tun11
10.26.0.21 dev tun11  proto kernel  scope link  src 10.26.0.22
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
RT-AC86U:/tmp/home/root# ip rule
0:   from all lookup local
10101:   from 192.168.1.246 lookup ovpnc1
10102:   from 192.168.1.137 lookup ovpnc1
10103:   from 192.168.1.35 lookup ovpnc1
10104:   from 192.168.1.215 lookup ovpnc1
10105:   from 192.168.1.45 lookup ovpnc1
10106:   from 192.168.1.88 lookup ovpnc1
10108:   from 10.10.10.0/24 lookup ovpnc1
32766:   from all lookup main
32767:   from all lookup default
RT-AC86U:/tmp/home/root# ip route show table 220 (Nothing happened here)
RT-AC86U:/tmp/home/root# ipsec statusall (Run before mobile phone connected to IPSec tunnel)
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.1.27, aarch64):
  uptime: 47 minutes, since Apr 02 19:29:17 2020
  malloc: sbrk 675840, mmap 0, used 204688, free 471152
  worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
  10.10.11.0/24: 254/0/1
Listening IP addresses:
  8x.1x.14x.12x
  10.26.0.22
Connections:
 Host-to-Net:  8x.1x.14x.12x...%any  IKEv1, dpddelay=10s
 Host-to-Net:   local:  [8x.1x.14x.12x] uses pre-shared key authentication
 Host-to-Net:   remote: uses pre-shared key authentication
 Host-to-Net:   remote: uses XAuth authentication: any
 Host-to-Net:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
   IKEv2-EAP:  8x.1x.14x.12x...%any  IKEv2, dpddelay=10s
   IKEv2-EAP:   local:  [myddns.asuscomm.com] uses public key authentication
   IKEv2-EAP:    cert:  "CN=myddns.asuscomm.com"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ipsec statusall (Run after mobile phone connected to IPSec tunnel)
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.1.27, aarch64):
  uptime: 49 minutes, since Apr 02 19:29:17 2020
  malloc: sbrk 675840, mmap 0, used 221656, free 454184
  worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
  10.10.11.0/24: 254/1/0
Listening IP addresses:
  8x.1x.14x.12x
  10.26.0.22
Connections:
 Host-to-Net:  8x.1x.14x.12x...%any  IKEv1, dpddelay=10s
 Host-to-Net:   local:  [8x.1x.14x.12x] uses pre-shared key authentication
 Host-to-Net:   remote: uses pre-shared key authentication
 Host-to-Net:   remote: uses XAuth authentication: any
 Host-to-Net:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
   IKEv2-EAP:  8x.1x.14x.12x...%any  IKEv2, dpddelay=10s
   IKEv2-EAP:   local:  [myddns.asuscomm.com] uses public key authentication
   IKEv2-EAP:    cert:  "CN=myddns.asuscomm.com"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   IKEv2-EAP[3]: ESTABLISHED 4 seconds ago, 8x.1x.14x.12x[myddns.asuscomm.com]...14x.25x.12x.12x[password1]
   IKEv2-EAP[3]: IKEv2 SPIs: password1_i password2_r*, rekeying disabled
   IKEv2-EAP[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3b92f54_i 1dc55c2d_o
   IKEv2-EAP{3}:  AES_CBC_128/HMAC_SHA2_256_128, 2542 bytes_i (30 pkts, 0s ago), 8782 bytes_o (27 pkts, 1s ago), rekeying disabled
   IKEv2-EAP{3}:   0.0.0.0/0 === 10.10.11.1/32

In the router GUI under the OpenVPN client settings, i do not have any rules for routing client traffic added.

I hope this helps.

Thank you

 

[Martineau]

I ran the commands as they are, first while my mobile was disconnected from the IPSec and then when it was connected. The previous code provided has been run & the router has not been rebooted. The output is as follows:

ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb  8 18:41:28 UTC 2020
RT-AC86U:/tmp/home/root# ip route show table ovpnc1
default via 10.26.0.21 dev tun11
10.26.0.21 dev tun11  proto kernel  scope link  src 10.26.0.22
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
RT-AC86U:/tmp/home/root# ip rule
0:   from all lookup local
10101:   from 192.168.1.246 lookup ovpnc1
10102:   from 192.168.1.137 lookup ovpnc1
10103:   from 192.168.1.35 lookup ovpnc1
10104:   from 192.168.1.215 lookup ovpnc1
10105:   from 192.168.1.45 lookup ovpnc1
10106:   from 192.168.1.88 lookup ovpnc1
10108:   from 10.10.10.0/24 lookup ovpnc1
32766:   from all lookup main
32767:   from all lookup default
RT-AC86U:/tmp/home/root# ip route show table 220 (Nothing happened here)
RT-AC86U:/tmp/home/root# ipsec statusall (Run before mobile phone connected to IPSec tunnel)
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.1.27, aarch64):
  uptime: 47 minutes, since Apr 02 19:29:17 2020
  malloc: sbrk 675840, mmap 0, used 204688, free 471152
  worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
  10.10.11.0/24: 254/0/1
Listening IP addresses:
  8x.1x.14x.12x
  10.26.0.22
Connections:
 Host-to-Net:  8x.1x.14x.12x...%any  IKEv1, dpddelay=10s
 Host-to-Net:   local:  [8x.1x.14x.12x] uses pre-shared key authentication
 Host-to-Net:   remote: uses pre-shared key authentication
 Host-to-Net:   remote: uses XAuth authentication: any
 Host-to-Net:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
   IKEv2-EAP:  8x.1x.14x.12x...%any  IKEv2, dpddelay=10s
   IKEv2-EAP:   local:  [myddns.asuscomm.com] uses public key authentication
   IKEv2-EAP:    cert:  "CN=myddns.asuscomm.com"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ipsec statusall (Run after mobile phone connected to IPSec tunnel)
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.1.27, aarch64):
  uptime: 49 minutes, since Apr 02 19:29:17 2020
  malloc: sbrk 675840, mmap 0, used 221656, free 454184
  worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 agent xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
  10.10.11.0/24: 254/1/0
Listening IP addresses:
  8x.1x.14x.12x
  10.26.0.22
Connections:
 Host-to-Net:  8x.1x.14x.12x...%any  IKEv1, dpddelay=10s
 Host-to-Net:   local:  [8x.1x.14x.12x] uses pre-shared key authentication
 Host-to-Net:   remote: uses pre-shared key authentication
 Host-to-Net:   remote: uses XAuth authentication: any
 Host-to-Net:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
   IKEv2-EAP:  8x.1x.14x.12x...%any  IKEv2, dpddelay=10s
   IKEv2-EAP:   local:  [myddns.asuscomm.com] uses public key authentication
   IKEv2-EAP:    cert:  "CN=myddns.asuscomm.com"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   IKEv2-EAP[3]: ESTABLISHED 4 seconds ago, 8x.1x.14x.12x[myddns.asuscomm.com]...14x.25x.12x.12x[password1]
   IKEv2-EAP[3]: IKEv2 SPIs: password1_i password2_r*, rekeying disabled
   IKEv2-EAP[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3b92f54_i 1dc55c2d_o
   IKEv2-EAP{3}:  AES_CBC_128/HMAC_SHA2_256_128, 2542 bytes_i (30 pkts, 0s ago), 8782 bytes_o (27 pkts, 1s ago), rekeying disabled
   IKEv2-EAP{3}:   0.0.0.0/0 === 10.10.11.1/32

In the router GUI under the OpenVPN client settings, i do not have any rules for routing client traffic added.

I hope this helps.

Thank you

So you appear to have two IPSec IP pools, and your connection is NOT using the default 10.10.10.0/24 pool. .....so you need to explicitly hardcode both for the MASQUERADE rule

This should be run after you are connected, otherwise routing table 220 will not exist and you won't be able to clone it

ip route show table 220

ip route show table 220 | while read ROUTE;do ip route add $ROUTE table ovpnc1;done

ip route show table ovpnc1

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -o tun11 -j MASQUERADE

iptables  --line -t nat -nvL POSTROUTING

 

[Net Noob]

So you appear to have two IPSec IP pools, and your connection is NOT using the default 10.0.10.0/24 pool. .....so you need to explicitly hardcode both for the MASQUERADE rule

This should be run after you are connected, otherwise routing table 220 will not exist and you won't be able to clone it

ip route show table 220

ip route show table 220 | while read ROUTE;do ip route add $ROUTE table ovpnc1;done

ip route show table ovpnc1

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -o tun11 -j MASQUERADE

iptables  --line -t nat -nvL POSTROUTING

Have i done something wrong? I cant create 2 IPSec tunnels as there is only an option to create one. Id much rather have all settings standard. I have not changed anything or added any rules or anything like that. Iv just followed various guides that iv found. I managed to get an OpenVPN server to OpenVPN client passthru running briefly & then i moved onto IPSec.

Am i right in assuming that the config you have provided can only be run once an IPSec client (in this case my mobile phone) is connected to the tunnel? Is there a way to automatically apply the config once my mobile phone connects to the IPSec tunnel & undo it if my mobile phone disconnects from the tunnel?

Thank you so much, you have been a great help Mr. Martineau

 

[Martineau]

Thank you so much, you have been a great help Mr. Martineau

Does the IPSec pass-thru now work?

Am i right in assuming that the config you have provided can only be run once an IPSec client (in this case my mobile phone) is connected to the tunnel? Is there a way to automatically apply the config once my mobile phone connects to the IPSec tunnel & undo it if my mobile phone disconnects from the tunnel?

Assuming you will always use VPN Client 1 then all the rules can be hard-coded using scripts that run during the router boot process.

I suggest you try without cloning table 220 as given IPSec is different from OpenVPN it may not actually be required?
​