Beta VPN Director testing

[TITAN]

This looks really cool and I'm excited to try it out!
Is there a way to re-order the rules? looking at screenshots posted here it looks like I would need to delete rules to re-order them?
Thanks

 

[octopus]

Something seem really broken with that provider or your setup. They push a hostname instead of an IP as the gateway. Hostnames cannot be combined with a prefix (since they aren't IPs), and your connection flats out fail to connect with the prefix, while it generates that error message if there's no prefix.

Ok I understand that. This config I have used for years and working fine. They have always have it that way. No strange in my config.
They use this pool to get redundancy as they include alot of servers to choose from when startup or restarted vpn.
I get that error but I have connection and seems to choose from that pool when I do a vpn-restart.

daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto udp
remote pool-1.prd.se.sthlm.ovpn.com 1194
remote pool-1.prd.se.sthlm.ovpn.com 1195
remote pool-2.prd.se.sthlm.ovpn.com 1194
remote pool-2.prd.se.sthlm.ovpn.com 1195
nobind
persist-key
persist-tun
compress
data-ciphers CHACHA20-POLY1305
tls-auth static.key 1
ca ca.crt
auth-user-pass auth
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
status-version 2
status status 5

# Custom Configuration
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
pull-filter ignore 'dhcp-option DNS 192.165.9.158'
pull
remote-random
server-poll-timeout 6
resolv-retry infinite
remote-cert-tls server
mute-replay-warnings
replay-window 256
# auth-nocache
reneg-sec 0
fast-io
log /tmp/vpnclient-1.log

PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 60,persist-key,redirect-gateway def1,explicit-exit-notify 2,route-gateway 10.128.0.1,topology subnet,compress ,dhcp-option DNS 46.227.67.134,dhcp-option DNS 192.165.9.158,ifconfig 10.128.1.163 255.255.252.0,peer-id 11,cipher CHACHA20-POLY1305'

Which environment variable are you trying to acesss?

"${script_type}" "${common_name}" "${trusted_ip}" "${trusted_port}"

all script get triggered from my openvpn-event script from @john9527

Can you add a "logger" call to see if the script gets called at all?

Not at then moment as I have reverted back to 386_2_6. Maby someone can test that?

 

[joegreat]

Will the VPN Director replace also the scripting for "How to setup WLAN SSID for VPN routing"?

In case somebody tried this setup already, I would appreciate feedback...
Anyway, I will try it out myself over the weekend (when my wife is out of home).

 

[Jack Yaz]

Will the VPN Director replace also the scripting for "How to setup WLAN SSID for VPN routing"?

In case somebody tried this setup already, I would appreciate feedback...
Anyway, I will try it out myself over the weekend (when my wife is out of home).

Maybe i should cheekily add YazFi to that page

 

[mruk30]

Nord VPN nie działa po instalacji wersji beta. Wygląda na to, że jest połączony, ale mam stan niezabezpieczony. Jakich ustawień, aby wszystko było w porządku.

 

[octopus]

Nord VPN nie działa po instalacji wersji beta. Wygląda na to, że jest połączony, ale mam stan niezabezpieczony. Jakich ustawień, aby wszystko było w porządku.View attachment 34471

In English please

 

[mruk30]

N

ord vpn doesn't work after beta installation. It seems to show that it is connected, but I have an unprotected status. What settings to use to make everything right.

 

[Sonyrolfy]

As people have suggested already: don't put a wide ranging rule on OVPN1 and a more specific rule on OVPN5. This will not work, the first rule will be applied first.

Don't use conflicting rules either. If two rules can affect a client, and the two rules have different DNS behaviour, then the end result as to which DNS gets used is unpredictable, as the DNS redirections are not prioritized. I might try to see it could be prioritized, but no guarantee that it will be doable.

Oke i understand now, I just pointed every single device i have to any of the VPN's running, without putting the whole lan in VPN and go from bottom to top with rules, as i used to do. I have no clue about cidr or sub-netting.

Is it possible to point the director with the description of the device? Or is this empty on purpose for rule descriptions you make?

Thanks!

 

[octopus]

NView attachment 34472ord vpn doesn't work after beta installation. It seems to show that it is connected, but I have an unprotected status. What settings to use to make everything right.

You know this is a early beta... and completely new function.
But try to set accept DNS to exclusiv and restart client.

 

[mruk30]

You know this is a early beta... and completely new function.
But try to set accept DNS to exclusiv and restart client.

it didn't do anything

 

[octopus]

it didn't do anything

Did you read first post?

 

[mruk30]

to nic nie zrobiło

thanks, it works

 

[RMerlin]

Is it possible to point the director with the description of the device? Or is this empty on purpose for rule descriptions you make?

Not sure which empty description you are referring to, but rules have to be IP-based, as it's implemented through a routing table.

 

[RMerlin]

all script get triggered from my openvpn-event script from @john9527

It's possible that your issues are caused by this script, as it might not be compatible with the new VPN implementation. I suspect your error messages and the problems with routes containing a prefix were generated by that script and not by the firmware, which would explain why those messages don't exist in the firmware code itself.

I'll take a look at the missing env variables, maybe they are missing when called from some events.

 

[RMerlin]

Is there a way to re-order the rules? looking at screenshots posted here it looks like I would need to delete rules to re-order them?

No, and the displayed order may also change at any time as the list is sorted by interface on the web interface, to visually show the order in which rules are applied. Within an OVPN instance the order is irrelevant, since all rules will target the same routing table.

The order will always be WAN > OVPN1 > OVPN2 > ... > OVPN5.

 

[heysoundude]

Known issues:

• DNS Exclusive mode doesn't work (Code wasn't updated to VPN Director, fixed)
• Routing fails to work with providers that push a hostname as gateway address instead of an IP (Possibly fixed, will need to be tested)
• VPN routing failing if DNS Mode is set to "Disable" (up-handler was skipping route configuration, fixed)
• After making changes to rules, Exclusive DNS rules aren't refreshed (for now you need to restart a client to refresh these rules, this will be implemented in a future build)

can I take it from this major function/addition/change update beta having most of the issues crossed off this (your, lead dev's) list, 386.3 release is imminent?
Happy Father's Day, @RMerlin ;-)

 

[octopus]

It's possible that your issues are caused by this script, as it might not be compatible with the new VPN implementation. I suspect your error messages and the problems with routes containing a prefix were generated by that script and not by the firmware, which would explain why those messages don't exist in the firmware code itself.

I'll take a look at the missing env variables, maybe they are missing when called from some events.

I don't think so, I only use mentioned environmentvariables and don't do any manipulation to vpn-code.

What I remeber is this variable don't get set:
UDP link remote: [AF_INET]217.64.148.60:1194

I do more test when you releases next alpha/beta build.

 

[Sonyrolfy]

Not sure which empty description you are referring to, but rules have to be IP-based, as it's implemented through a routing table.

The drop down shows the device name but once clicked it will have the proper ip address. Makes sense. i was hoping that the description above that, the device name automatic could be filled. i understand that it can be edited with rules, etc. Maybe you could consider?

Thanks!!!

 

[RMerlin]

can I take it from this major function/addition/change update beta having most of the issues crossed off this (your, lead dev's) list, 386.3 release is imminent?

No, we're still a long way from it, I haven`t even reached beta cycle yet.

Maybe you could consider?

That would be counter-intuitive, people using a dropdown attached to a field wouldn't expect it to auto-fill another field that`s above it. And if you enter fields in a logical order (from top to bottom), users would typically have already filled the Desc field, and having this overwritten would be bad design. I have no plans to change the current behaviour.

 

[buildersboy]

This has to be a joke. Garbage in garbage out.