Redirect Internet traffic through tunnel VPN Director (policy rules) Problem

audioquest

Regular Contributor
Asus AC88U - Running latest version of Merlin
If I change the VPN Director policy rules the VPN won't connect.
Once I change the VPN Director policy rules to YES to All I am able to connect to my VPN.
Anyone have any ideas? Thanks
 
The VPN itself stays connected to the server, but your policy rules don't work, *OR*, the VPN itself is no longer connected to the server?

If it's the former, then let's see your policy rules (I hope it's obvious, but without any rules nothing will go through the VPN).
 
The VPN does not connect to the server, but the internet does work. What other type of rules do I need to set up the kill switch?

Iface - WAN - localip 192.168.11.0/24. Your script did work but for some reason stopped; rm'd and then re-installed. I do have JFFS scripts enabled.
Thanks
 
ASUSWRT-Merlin RT-AC88U 386.3_2 Fri Aug 6 21:47:27 UTC 2021
flashrouter@RT-AC88U-FCB0:/tmp/home/root# cat /jffs/openvpn/vpndirector_rulelist
<1>VPN>192.168.11.0/24>>WANflashrouter@RT-AC88U-FCB0:/tmp/home/root#
 
To be honest, I'm completely lost as to your situation.

It appears you have a policy rule that routes the 192.168.11.x network (in its entirety) over the WAN (yet it has a description of "VPN"). Then you say having this policy rule, the OpenVPN client is no longer connected to the OpenVPN server, which doesn't make sense either. All the policy rules do is change how things are routed. AFAIK, they have NO EFFECT on the state of the OpenVPN client to server connection itself.

Instead of just providing tidbits of what you think is relevant, let's see the entire syslog for when things are working normally, vs. when things go wrong. Post it to pastebin.com.
 
Stupid move on my part.
The problem started when someone recommended that I replace my LAN cable between the routers. The problem was that download speed was decreasing:
when the router was rebooted download speed was about 52, a week later download speed had decreased to 35.
I shut down both routers, replaced the cable and rebooted.
Prior to that everything was working perfectly; after that the VPN never connected when policy rules were enabled, but I did have an internet connection.
I was so frustrated I went back to my Linksys running dd-wrt because it was extremely important that if the VPN dropped the kill switch would go into effect.
I updated the logfile when policy rules were enabled. If you have a resolution I will hook up the Asus again.
 
Did you find anything in the logfile?
I want to ensure VPN-protected devices are never routed insecurely.
Was I looking at this incorrectly? Would selecting Iface WAN be bypassing the VPN if it is down?
I used the subnet so that in case the IP changed I would be covered. The configuration used to have a selection of VPN or WAN.
Now the selection is client 1, 2, 3... or WAN. The client would be the IP associated with the device, correct?
i.e. 168.1.1.10 would be my computer if I selected client.
When I reset to factory and installed ASUS stock firmware over Merlin, could that have caused an issue? Possibly I should have used the rescue utility?
I wanted to start fresh and then configure.
 
Did you find anything in the logfile?
What log file? You haven't provided any log file.

I really can't make any sense of anything you're saying. And to add to the confusion you're now suggesting that you might be using some sort of custom script.

Post a link to the log file, complete screen shots of all of your VPN settings as well as any scripts you might be using.
 
Just copied the log to pastebin.com. The VPN setting is enabled, VPN policy rules set (select Redirect Internet Traffic: Policy Rules) but it did not connect to the server; set VPN policy yes to all, then was able to connect to the VPN server.
The script I implemented is "merlin-opvn-kill-switch-74948.sh", which was installed from pastebin.com.

Sorry for the confusion

Maybe I should start fresh, not using the script.

How should the VPN Director policy be set so that whenever the VPN is down, no traffic will pass through from any devices that are hardwired to the router,
specifying subnet range 192.168.1.0/24?
I am a novice; I appreciate your help.
 
I looked at the syslog. I can see your local IP network is 192.168.11.0/24. And the OpenVPN client gets connected. And that you have a VPN Director rule that routes the 192.168.11.0/24 network over the WAN (for some unknown reason). So naturally *nothing* on that network is going to use the VPN!

If you want 192.168.11.0/24 routed over the VPN, you need to change the rule's interface to OVPN1. Or else I don't understand what the issue is here.
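The rule list printed earlier in the thread has one rule per line in the form `<enabled>description>local_ip>remote_ip>iface`, so the mistake diagnosed in this post (an enabled rule sending a LAN subnet to WAN) can be checked mechanically. The script below is an added example, not from the thread or from Asuswrt-Merlin; the field order is inferred from the single rule shown above, and the sample rule file is constructed (on a router the real file is /jffs/openvpn/vpndirector_rulelist).

```shell
# Added example, not from the thread or from Asuswrt-Merlin: flag VPN Director
# rules that send LAN traffic out the WAN instead of through the tunnel.
# Field order (enabled>description>local_ip>remote_ip>iface) is inferred from
# the single rule shown in the thread; the sample file below is constructed.

# Print one classification line per rule in the given rule list file.
vpndirector_report() {
    # Append a newline so a file lacking one (as in the thread's cat output)
    # still yields its last rule, then split on '<' so each rule is its own line.
    { cat "$1"; echo; } | tr '<' '\n' |
    while IFS='>' read -r enabled desc local_ip remote_ip iface; do
        [ -n "$enabled" ] || continue           # skip empty fragments
        if [ "$enabled" != "1" ]; then
            echo "DISABLED desc=$desc local=$local_ip"
            continue
        fi
        case "$iface" in
            WAN)   echo "WAN-BYPASS desc=$desc local=$local_ip remote=$remote_ip" ;;
            OVPN*) echo "VPN iface=$iface desc=$desc local=$local_ip remote=$remote_ip" ;;
            *)     echo "UNKNOWN iface=$iface desc=$desc" ;;
        esac
    done
}

# Count enabled rules that bypass the VPN; prints 0 when there are none.
vpndirector_wan_bypass_count() {
    vpndirector_report "$1" | grep -c '^WAN-BYPASS' || true
}

# Constructed sample: the thread's rule (LAN subnet -> WAN), a correct rule
# for one host via OVPN1, and a disabled rule. No trailing newline on purpose.
SAMPLE_RULES=$(mktemp)
printf '<1>VPN>192.168.11.0/24>>WAN\n<1>Desktop>192.168.11.10>>OVPN1\n<0>Old>192.168.11.0/24>>WAN' > "$SAMPLE_RULES"

vpndirector_report "$SAMPLE_RULES"
echo "rules bypassing the VPN: $(vpndirector_wan_bypass_count "$SAMPLE_RULES")"
```

Run against the real rule list, any `WAN-BYPASS` line is a subnet or host that will never use the tunnel, which is the situation described in this post.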
 
The log file shows that the VPN client connected successfully. Upload a log file that actually shows the problem, i.e. when it doesn't connect.
 
The logfile uploaded - the VPN was not connected to the server even though it was turned on in the config.
https://nordvpn.com/what-is-my-ip/ displays that your internet traffic is not secure.
When the VPN is connected to the server, traffic is secure.

I will need to re-install Merlin (since I re-installed stock firmware when the problem started and was going to re-configure). I did rm the script and re-install but that made no difference. I will provide a log for when the VPN connects with policy=all and for when policy rules are in effect and it does not connect.
Is it possible that powering off the router, unplugging and plugging back in could have corrupted something? I had no issues prior.

Before installing Merlin, is there something I need to clear out first?
 
Is it possible in the next release or a future release of Merlin that you could have an option to turn on/off (enable/disable) a kill switch - firewall option

iptables -A lan2wan -i br0 -o eth0 -j DROP
 
Is it possible in the next release or a future release of Merlin that you could have an option to turn on/off (enable/disable) a kill switch - firewall option

iptables -A lan2wan -i br0 -o eth0 -j DROP

No. Merlin has his own reasons for only supporting a route-based kill switch rather than firewall-based one, like my script.

 
Would your recommendation be re-installing Merlin & the script?
I looked at the syslog. I can see your local IP network is 192.168.11.0/24. And the OpenVPN client gets connected. And that you have a VPN Director rule that routes the 192.168.11.0/24 network over the WAN (for some unknown reason). So naturally *nothing* on that network is going to use the VPN!

If you want 192.168.11.0/24 routed over the VPN, you need to change the rule's interface to OVPN1. Or else I don't understand what the issue is here.
 
I did not know that I could provide a subnet when selecting in the drop down in the . When I selected OVPN1 it displayed the IPs that were connected to the router. I selected my computer's IP and saved. It still allowed access to the internet when the client was turned off.

I need to start from the beginning and go from there; this way I will be able to provide logs when the VPN is enabled and disabled and validate whether access to the internet stops when it is not enabled.
 