Two VPN clients not routing properly


Netspud2K

Occasional Visitor
Hi All,

First time posting here, so I hope I do it correctly. I have an RT-AC66U B1 with the latest Merlin WRT firmware (384.4_2).

Before I asked any of this I did check and saw others had it working, and from what I could see, just through the GUI, so I don't know why it is not working for me.

I have set up two OpenVPN clients, and turned on "Redirect Internet Traffic" (tried both Policy Rules, and Policy Rules Strict). Everything that has a rule (sometimes absolutely everything) just gets routed through the first VPN.

I had the rule 0.0.0.0 / 192.168.100.0/24 / WAN (which was to allow stuff to get to the other side of my router, where my ISP router is). As soon as I deleted this from VPN1, everything started going through VPN2. When I deleted it from VPN2 (so it's removed from both now), everything started going through 1 again.

Rebooted

Still broken (all going through vpn1)

Changed back to strict

Now all going through VPN2 (changed VPN2 then VPN1)

Rebooted

Now it's not routing everything through the VPN, only stuff on one or other of the VPNs rules. But both sets of rules are still routed through just one of the VPNs.

Changing Accept DNS from Exclusive to Strict (not expecting this to help).

Everything back going through the VPN (it swapped though) (inc stuff without rules)

Rebooted

Non routed working.

Routed still going through a single VPN.

At this stage I have 1 rule on each VPN:

device IP / 0.0.0.0 / VPN

That's it.

Custom config (it's for NordVPN) is:
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
explicit-exit-notify 3
remote-cert-tls server
pull
fast-io

In case that is affecting it.


These are the advanced settings I am basically using on both VPNs.

So short explanation: anything with a routing rule in VPN1 or VPN2 is routed through just one of the VPNs (from what I can tell, the first one started).

And I guess my question is, have I done something wrong, is this a bug or is it something else?

Any help much appreciated. I am more than happy to terminal in to get details if needed, but just pretend I have no idea what I am doing (as I mostly don't).

Thanks
 
Poke, any suggestions guys? Bug or config problem?

I am running the same firmware that you are on an AC1900P with three OpenVPN clients from three different VPN providers. All are running UDP AND THEY ARE ALL USING DIFFERENT PORTS. If you are trying to run multiple clients and they are all trying to use the same port I would think that it would not work or at least work well.

All my settings were done using the GUI. Because most of the devices connecting to this router are IoT or streaming devices I need them to work as long as there is Internet service available regardless of whether the tunnel is up.

To make my setup work most if not all devices have been assigned static IPs. Anything without a static IP which is assigned an IP from the pool gets routed by WAN.



CLIENT 1: (Astrill) used with most connecting devices. Settings below were mostly created when uploading the ovpn file from Astrill.

Start with WAN - Yes
Interface Type TUN
Protocol UDP
Server Address and Port
Firewall Automatic
Authorization Mode TLS
Keys and Cert -- Default from VPN provider
Username Password NO
TLS Control Outgoing Auth (1)
Auth Digest Default
Create NAT on Tunnel Yes
Log Verbosity 3
Poll Interval 0
Accept DNS Configuration Disabled
Cipher Negotiation Enable (with fallback)
Legacy Fallback AES-256-CBC
Compression LZO Adaptive
TLS renegotiation -1
Connection Retry -1
Verify Server Cert NO
Block routed clients if tunnel goes down NO

Under policy rules I list both clients I want connecting to VPN and those I want using WAN.

(Do not include any IPs for devices you want to connect using another VPN tunnel.)

Custom settings are what Astrill provided.

CLIENT 2: StrongVPN settings mostly from downloaded ovpn file. Any differences from Client 1 noted below.

Username/Password Yes
Auth Digest MD5
TLS renegotiation -1

Any clients I want routed using this tunnel are listed as VPN.

Custom config as per uploaded ovpn file


CLIENT 3: PIA VPN. Most settings per uploaded ovpn file. Differences from Client 1:

Username/Password Yes
TLS Control channel - Disabled
Auth digest SHA1

Under policy routing rules I list any IPs that I want connecting using this VPN tunnel.

Custom config mostly as per upload.

Hope this helps.
 
Hi CaptainSTX,

Thanks for the reply.

I have a few what I hope are quick questions if you don't mind.

Both my VPN connections are with Nord, I am not sure that I can run Nord on different ports, from a quick search on the internet, I am not seeing any option, I take it this is an option provided by your providers, or am I being incredibly thick? Obviously I could do one over TCP and one over UDP, which would have the same effect. But I'm assuming stuff is just getting tagged and routed accordingly, perhaps this is the problem (but I don't think so), I can't do any changes for at least 24 hours, but I will give the TCP/UDP mix a try.

Just to clarify are you saying basically:
VPN1 routes ALL non-VPN traffic to WAN by putting EVERY IP address not to be VPN routed in the routing table to the WAN, and then the IP to be routed through VPN1 to VPN.
VPN2 ONLY has IPs routed through VPN2 pointing to VPN.
No IP for VPN1 should appear in VPN2 routing and vice versa.
I already had most of this except routing IPs that were not to go through the VPNs through the WAN. As it happens I never had any issues with the IPs going through the WAN.

I can see that you are running exactly the same firmware as me, just on a different model. This hopefully suggests I am doing something wrong, as I fear a bug would be much harder to resolve if it works fine on some hardware.

I will feedback with my findings.

Thanks
 
You may not be able to run two servers from the same VPN provider on the SAME router. Based on my response to you yesterday and with some time to kill I decided to see what is possible.

I found with Astrill they will only allow one connection per device. While you can connect using Port 8292 for UDP and Port 443 for TCP you have to choose one or the other. I can have up to five devices connected using Astrill but only one connection per device. Go figure.

With PIA they offer eleven port choices. Six TCP and five UDP. In a quick trial of some of the ports I was only able to get 502 TCP and 1198 UDP working. I have not tried getting both the TCP and UDP working at the same time on the same device. Each of the ports uses a different encryption, Auth Hash, Root CA and CRL. Both the ports I used and got working used AES-128-CBC and SHA1.

Given that StrongVPN gives you only a single ovpn file that works UDP I have my doubts that it would be possible to get two instances working on the same device.

You will have to experiment with what your provider offers. Perhaps someone else can offer a suggestion for a VPN provider that allows multiple servers to be run simultaneously on the same router. If not then you may need to sign up for accounts with multiple providers.
 
Thanks for the info. I have access to some private VPNs that I can use to test. BUT both VPNs appear to be up and running when I did my test, I was just always getting routed through a single VPN all the time. So I don't think it's a VPN connection issue, but I will test (then I can be sure :)).
 
CaptainSTX Thanks, solution found.

You are correct in your assertion that you can't run two VPNs on the same port. Although both VPNs connected and appeared fine, I was only ever getting routed through one of them.

I do have two VPNs running both through Nord, one is UDP and the other TCP, and as of 12 hours ago, both appear to be functioning correctly.

In order for this to work for me all I needed to do was create the two OpenVPNs (using the basic Nordvpn .ovpn files), ensuring one was UDP and the other was TCP.

Then I changed "redirect internet traffic" to "policy rules (strict)" (I'm not sure if strict is required, but it isn't hurting).
Then add a rule for anything I wanted to route out of that VPN. So if I wanted to route my laptop with IP 192.168.1.34 I would add the following:
Description : Whatever you like
Source IP : 192.168.1.34
Destination IP : 0.0.0.0 (or leave blank, same thing)
Iface : VPN
Click the + button
Click apply
Wait for the VPN to restart (about 5 secs)

It's now getting routed.

I didn't need to add routes for devices that were not using the VPN, i.e. I don't need to route my phone on 192.168.1.35 to WAN.

(CaptainSTX, I know you didn't need this level of detail (or any at all for that matter), it's just to help anyone else that may come across this)

Please note, if you are following this with Nord, you will need to take further steps to avoid DNS Leaks, mostly relating to changing "Accept DNS configuration" to "Exclusive" and ensuring the DHCP on the router is giving out Nord DNS server. I also turn on "Block routed client if tunnel goes down", but that's not required, and would stop internet connections if the vpn tunnel stops for any reason.

Thanks again CaptainSTX
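A quick offline sanity check for the two pitfalls this thread lands on (both clients on the same protocol/port, and one LAN host listed as a VPN target in both clients' policy rules). This is an added example, not from the thread or from Asuswrt-Merlin; it assumes the `vpn_clientN_proto`, `vpn_clientN_port` and `vpn_clientN_clientlist` nvram keys with `<desc>src>dst>iface` entries, and the values below are constructed rather than read from a router.

```shell
#!/bin/sh
# Added example: sanity-check two Asuswrt-Merlin OpenVPN client configs before
# trusting policy routing. Assumes the nvram layout vpn_clientN_proto/_port and
# vpn_clientN_clientlist ("<desc>src>dst>iface" entries). The values below are
# constructed; on a router replace them with $(nvram get vpn_client1_port) etc.

# Constructed sample: both clients on udp/1194 (the failing setup in this
# thread) and one LAN host listed as a VPN target under both clients.
C1_PROTO=udp; C1_PORT=1194
C1_LIST="<Laptop>192.168.1.34>0.0.0.0>VPN<ISP side>0.0.0.0>192.168.100.0/24>WAN"
C2_PROTO=udp; C2_PORT=1194
C2_LIST="<Phone>192.168.1.35>0.0.0.0>VPN<Laptop again>192.168.1.34>0.0.0.0>VPN"

# Print the source IPs that a clientlist routes to the VPN interface, one per line.
vpn_sources() {
    # Each entry starts with '<'; the fields are desc>src>dst>iface.
    printf '%s' "$1" | tr '<' '\n' | awk -F'>' 'NF==4 && $4=="VPN" {print $2}'
}

# Succeed (0) if the two clients use a distinct proto/port pair, fail otherwise.
ports_distinct() {
    [ "$1/$2" != "$3/$4" ]
}

# Print LAN sources that are VPN targets in both lists (should be empty).
overlapping_sources() {
    for s in $(vpn_sources "$1"); do
        vpn_sources "$2" | grep -qx "$s" && echo "$s"
    done
    return 0
}

# Run both checks; return 1 if either pitfall is present.
check_clients() {
    rc=0
    if ! ports_distinct "$C1_PROTO" "$C1_PORT" "$C2_PROTO" "$C2_PORT"; then
        echo "WARN: both clients use $C1_PROTO/$C1_PORT; use udp for one and tcp for the other"
        rc=1
    fi
    dup=$(overlapping_sources "$C1_LIST" "$C2_LIST")
    if [ -n "$dup" ]; then
        echo "WARN: source(s) routed to VPN in both clients: $dup"
        rc=1
    fi
    return $rc
}
```

With the constructed values the script prints both warnings; after moving one client to TCP and removing the duplicate laptop entry from client 2, `check_clients` returns 0.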
 
You are welcome.

FYI, I was able to get two VPN clients from PIA working on my router. Both were UDP and to different servers. For the second connection I had to use Port 1197 which requires AES-256-CBC so the speed is less than Port 1198 where AES-128-CBC can be used.

I now have four OpenVPN clients running on my AC1900P. Except for testing, there is no heavy traffic to any of the four.

As I said previously PIA is the only VPN provider that I have tried that has multiple TCP and UDP port options. I'm sure there might be others, I'm just not aware of who they might be.
 
I use TorGuard and it is the same. I have four VPN clients running concurrently for my selective routing use case. Each client must use a different port.
 
