Split Tunneling Question on AsusWrt Merlin

[Viktor Jaep]

I already spend more time than many other software developers with a similar userbase size trying to keep up with the volume of communications I get, and actively participating in these forums. I had 20 mins to devote to my morning forum scan before leaving for the office this morning, and I just spent them on this one discussion. So don't ask me to devote more time, as if it was an infinite resource, or as if I wasn't devoting any time to this already - I'm already giving all I can offer in terms of time, more than I even should.

Eric... Just wanted to say thanks for your time and dedication to this project... I will definitely be sending you a donation to show my appreciation here shortly after the 1st of the month. I have been truly impressed with your product. I can only imagine the amount of time projects like this sap from your daily work/personal life. Having been involved in the past with Android OS developers, and the DD-WRT Broadcom firmware devs/forums (agreed - what a nightmare), I definitely have an appreciation.

Thanks again,
Viktor

 

[Martineau]

I don't have "additional time" to offer. .

Whoops poor choice of phrasing on my part .....

"Clearly you need to devote additional time to review/reject the separate GitHub repository tickets that unfortunately are probably only viewed by a select few.

So, acknowledging the increase in your workload (outside of this 'hobby')"

...but I clearly unintentionally touched a nerve.

My intention was to highlight/acknowledge that you are currently wasting time through duplication of effort having to keep track of feedback on both GitHub and the Asus specific forum(s).

In no way was I complaining/suggesting that you should devote even more of your personal time to this 'hobby'...although sadly you won't get back the time spent writing your lengthy reply

I don't care if it's done on Github or on these forums, as long as they are clear, and not lost in the middle of a discussion.

So back to the original question, if I correctly interpret/comprehend your statement above, an enhancement request would be better suited if submitted to GitHub, as there isn't a dedicated enhancement request thread, and attaching the enhancement request to either an Apha/Beta or Release thread wouldn't be tracked over future releases and potentially lost in all of the 'noise'.

 

[Viktor Jaep]

So back to the original question, if I correctly interpret/comprehend your statement above, an enhancement request would be better suited if submitted to GitHub, as there isn't a dedicated enhancement request thread, and attaching the enhancement request to either an Apha/Beta or Release thread wouldn't be tracked over future releases and potentially lost in all of the 'noise'.

Just a suggestion... I'm not sure what kind of capabilities/security that Github has to offer, but perhaps it could be configured in a way so that only a handful of knowledgeable individuals (like yourself, Martineau) can have the ability to feed Github with valid requests that you have vetted/tested yourself to be flaws, or worthwhile additions? That might help stem the flow, and make this a lot more valuable to Eric, instead being deluged with requests coming in from the public who treat it as a support request system, who didn't do their research or due diligence beforehand?

Thanks,
Viktor

 

[Odkrys]

Hey, try this.

Add one line in Custom Configuration

route add default gw 101.63.2.1

 

[RMerlin]

Whoops poor choice of phrasing on my part

Then it was just a misunderstanding. No problem.

So back to the original question, if I correctly interpret/comprehend your statement above, an enhancement request would be better suited if submitted to GitHub, as there isn't a dedicated enhancement request thread, and attaching the enhancement request to either an Apha/Beta or Release thread wouldn't be tracked over future releases and potentially lost in all of the 'noise'.

The two ways I would suggest for enhancement requests:

1) Start a new thread here for the specific enhancement. It allows to provide some back and forth discussion, and also involve feedback from other users.

2) Start an entry on Github's issue tracker.

At this point, I'd be more in favour of the first method. The Github issue tracker is itself an... issue, as I was mentionning in my post. Too many users are drowning it with support requests, and also for every new issue post, I get an email. That means on some morning I have to sort through a lot of emails coming from Github. If four users exchanged messages on an issue, I get four separate emails.

I'm still debating whether I want to re-disable the Github issue tracker again, due to the amount of noise. However, there has been cases where some very positive feedback/reports came from it, so it makes me hesitate in shutting it down a second time. That's why I haven't really made a very clear statement as to which channel to use. I'd say that for bug report or feature requests, both forums (in a new thread per issue) or Github are good with me. If however someone has a doubt on whether it's actually a bug or not, I prefer the forums, where more pair of eyes can take a look at it, and possibly assist the user in case it turns out to be a configuration issue.

 

[RMerlin]

Hey, try this.

Add one line in Custom Configuration

route add default gw 101.63.2.1

That might not be a good idea, in case that IP might not always be the same.

 

[Viktor Jaep]

Hey, try this.

Add one line in Custom Configuration

route add default gw 101.63.2.1

It would be preferred to have a more automated way of assigning the gateway. These VPN providers change things all the time, and like with DHCP, I'd constantly have to worry about having to fix this each time they change their back-end, or if I flip between a variety of different VPN end-points around the globe. But thank you for the suggestion!

Thanks,
Viktor

 

[RMerlin]

Jun 23 11:16:34 openvpn[12258]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 171.225.236.244,dhcp-option DNS 215.285.237.194,ping 1,ping-restart 60,route-gateway 101.63.2.1,topology subnet,socket-flags TCP_NODELAY,ifconfig 101.63.2.3 255.255.248.0'

...which is strange, as it does seem to include a "route-gateway"... unless that's not the same thing that we've been talking about?

This indeed doesn't make sense. According to the OpenVPN manual, the route_vpn_gateway env variable should be set based on either the route-gateway parameter (which your provider does supply) or the second parameter to the ifconfig command (which will be a gateway when not in a subnet topology - in your case it is, therefore it's a mask instead). Is there any mention in your syslog regarding the default route or any pushed parameter being rejected?

 

[RMerlin]

I'll subscribe to StrongVPN's 1 month plan, that way I'll be able to run some actual tests to figure out what's wrong.

 

[RMerlin]

StrongVPN's instructions (and their provided ovpn file) requires the user to add "redirect-gateway def1" to their configuration. After I added that, my ovpnc3 table was properly displaying a default route.

Without:

107.1.1.1 dev eth0  proto kernel  scope link
107.1.1.0/27 dev eth0  proto kernel  scope link  src 107.1.1.6
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.10.0/24 dev br0  proto kernel  scope link  src 192.168.10.1
100.64.16.0/21 dev tun13  proto kernel  scope link  src 100.64.16.23
127.0.0.0/8 dev lo  scope link

After I added it to the custom config section:

107.1.1.1 dev eth0  proto kernel  scope link
192.200.152.4 via 107.1.1.1 dev eth0
107.1.1.0/27 dev eth0  proto kernel  scope link  src 107.1.1.6
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.10.0/24 dev br0  proto kernel  scope link  src 192.168.10.1
100.64.16.0/21 dev tun13  proto kernel  scope link  src 100.64.16.23
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 100.64.16.1 dev tun13
128.0.0.0/1 via 100.64.16.1 dev tun13
default via 100.64.16.1 dev tun13

So to resolve your issue, you probably just need to insert "redirect-gateway def1" in your custom config. PIA pushes that at config-time, while StrongVPN expects the user to specify it in their client config.


As for the firmware, I see two potential issues that I'll need to investigate:

1) how redirect-gateway def1 is handled when an ovpn file is imported. Currently, it's not being added to the custom config section, which is what breaks it for StrongVPN users who import the ovpn file. I need to review how I import that parameter.

2) vpnrouting.sh might need to be more robust in handling cases where there is no provided remote gateway. I'll need to review that code.


@Martineau , since you often debug stuff related to ip routing, here's a handy tip to troubleshoot that kind of problem: replace /usr/sbin/ip by a wrapper script which will send to syslog the arguments, before passing them to a (real) copy of /usr/sbin/ip. That way, you can see actually which ip commands are sent by OpenVPN (in addition to the scripts). Basically:

cp /usr/sbin/ip /tmp/ip
nano /tmp/fakeip (see below for content)
mount -o bind /tmp/fakeip /usr/sbin/ip

/tmp/fakeip looks like this:

#!/bin/sh

logger -t "ip-debug" "$*"
/tmp/ip $*

Then you get a detailed list of all "ip" commands being run by the router inside your syslog.

The same trick can easily be applied as well to "tc" or "iptables". Old leftover from my WDLXTV days

 

[Viktor Jaep]

StrongVPN's instructions (and their provided ovpn file) requires the user to add "redirect-gateway def1" to their configuration. After I added that, my ovpnc3 table was properly displaying a default route.

UGH... you beat me to it, Eric. I wasn't able to get to this ALL day, it was killing me. Thanks very much for subscribing to StrongVPN and figuring this out! I really appreciate this, and thank you for looking into this further, so that future .ovpn files won't have this issue.

(My upcoming donation should cover your first month easily)

Thanks,
Viktor

 

[RMerlin]

1) how redirect-gateway def1 is handled when an ovpn file is imported. Currently, it's not being added to the custom config section, which is what breaks it for StrongVPN users who import the ovpn file. I need to review how I import that parameter.

Taken care of with this commit. I opted against hardcoding def1 whenever any redirection mode was enabled (currently it only is when "all" traffic is redirected) in case someone might, for some reason, want policy-based routing without having a default gateway set for the clients.

2) vpnrouting.sh might need to be more robust in handling cases where there is no provided remote gateway. I'll need to review that code.

Taken care of with this commit. I don't like the idea of blindly trying to set one (BTW, $4 contains a netmask and not a gateway on some configurations - that's the case with StrongVPN for instance), so I focused on making sure it wouldn't issue invalid commands, and report to syslog that this might not be what the user desires.

 

[Viktor Jaep]

Taken care of with this commit. I opted against hardcoding def1 whenever any redirection mode was enabled (currently it only is when "all" traffic is redirected) in case someone might, for some reason, want policy-based routing without having a default gateway set for the clients.



Taken care of with this commit. I don't like the idea of blindly trying to set one (BTW, $4 contains a netmask and not a gateway on some configurations - that's the case with StrongVPN for instance), so I focused on making sure it wouldn't issue invalid commands, and report to syslog that this might not be what the user desires.

Thank you very much!! I really appreciate you looking at this, and working in a fix!

Thank you,
Viktor

 

[Rickyrsx]

Hi all,
I'm a noob to VPN but I flashed my Asus router to the latest Merlin firmware and I got the policy rules sorted out except for one thing. Unfortunately, TD Bank in Canada is not allowing access to their site if they detect I'm using VPN. I've ping'ed their website and I made a rule to bypass the VPN when connecting to this one IP address but they have more than one IP address so sometimes the rule works and sometimes it doesn't. Is there a way to route to WAN when connecting to https://easyweb.td.com or any other domain name?

 

[RMerlin]

Hi all,
I'm a noob to VPN but I flashed my Asus router to the latest Merlin firmware and I got the policy rules sorted out except for one thing. Unfortunately, TD Bank in Canada is not allowing access to their site if they detect I'm using VPN. I've ping'ed their website and I made a rule to bypass the VPN when connecting to this one IP address but they have more than one IP address so sometimes the rule works and sometimes it doesn't. Is there a way to route to WAN when connecting to https://easyweb.td.com or any other domain name?

Unfortunately it's going to be difficult, as they use Edgekey/Akamai, which means they use many different IP addresses.

 

[Rickyrsx]

Unfortunately it's going to be difficult, as they use Edgekey/Akamai, which means they use many different IP addresses.

Thanks for your reply Merlin. I didn't think it was going to be easy. Too bad though. Funny thing though is that TD doesn't block the app on iOS.

 

[RMerlin]

Thanks for your reply Merlin. I didn't think it was going to be easy. Too bad though. Funny thing though is that TD doesn't block the app on iOS.

I suspect the mobile app might be using a different hostname, which isn't behind Akamai (or, the config for the mobile site is different).

 

[Rickyrsx]

I suspect the mobile app might be using a different hostname, which isn't behind Akamai (or, the config for the mobile site is different).

Does obfuscation work to get around this? I know some VPN's offer it.

 

[RMerlin]

Does obfuscation work to get around this? I know some VPN's offer it.

No. The issue isn't that it detects the VPN, it's more than it doesn't like the IP used by that VPN.

Obfuscation is mostly used to bypass firewalls between you and the remote VPN server.