mad4merlin
New Around Here
Hi...
I have one client PC (IP: 10.0.0.11) using the router (IP: 10.0.0.1) and I want to force it to use the VPN or have no internet access otherwise. The problem is that the client can still access the internet when the tunnel is down! It is like the settings have no effect at all!
I searched and tried but I don't know how to fix this, can someone pls help?
My config:
RT-N66R Merlin 380.63_2
Parent controls: OFF
VPN Client 1,
TUN, UDP,
Redirect Internet Traffic: Policy Rules,
Block routed clients if tunnel goes down: Yes,
Rules for routing ....
All2VPN 10.0.0.0/24 0.0.0.0 VPN
Administration:
Allow SSH: LAN+WAN
Allow SSH port forwarding: Yes
openvpn-routing log lines:
Code:
Dec 12 18:50:33 openvpn-routing: Configuring policy rules for client 1
Dec 12 18:50:33 openvpn-routing: Creating VPN routing table
Dec 12 18:50:33 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
Dec 12 18:50:33 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
Dec 12 18:50:33 openvpn-routing: Removing rule 10101 from routing policy
Dec 12 18:50:33 openvpn-routing: Adding route for 10.0.0.0/24 to 0.0.0.0 through VPN client 1
Dec 12 18:50:33 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Dec 12 18:50:33 openvpn-routing: Completed routing policy configuration for client 1
With the tunnel connected, here is my "iptables -vL" output:
Code:
admin@RT-N66R:/tmp/home/root# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 964 ACCEPT all -- tun11 any anywhere anywhere
0 0 DROP icmp -- eth0 any anywhere anywhere icmp echo-request
2540 215K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- any any anywhere anywhere state INVALID
51 8561 ACCEPT all -- br0 any anywhere anywhere state NEW
45 8597 ACCEPT all -- lo any anywhere anywhere state NEW
105 6720 ACCEPT tcp -- any any anywhere router.asus.com ctstate DNAT tcp dpt:www
2 180 SSHBFP tcp -- eth0 any anywhere anywhere tcp dpt:ssh state NEW
0 0 ACCEPT icmp -- any any anywhere anywhere icmp !echo-request
40 2723 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 400 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- tun11 any anywhere anywhere
0 0 DROP all -- !br0 eth0 anywhere anywhere
0 0 DROP all -- eth0 any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
2 1509 ACCEPT all -- br0 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 3223 packets, 3313K bytes)
pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination
Chain NSFW (0 references)
pkts bytes target prot opt in out source destination
Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
0 0 RETURN icmp -- any any anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
0 0 RETURN all -- any any anywhere anywhere
Chain SSHBFP (1 references)
pkts bytes target prot opt in out source destination
2 180 all -- any any anywhere anywhere recent: SET name: SSH side: source
0 0 DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
2 180 ACCEPT all -- any any anywhere anywhere
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
0 0 ACCEPT all -- any any anywhere anywhere
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
0 0 DROP all -- any any anywhere anywhere
and my "route" output is:
Code:
admin@RT-N66R:/tmp/home/root# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.1 * 255.255.255.255 UH 0 0 0 eth0
XXX.156.175.XXX 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
10.0.0.0 * 255.255.255.0 U 0 0 0 br0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
10.4.0.0 * 255.255.0.0 U 0 0 0 tun11
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0