
cannot connect to my openvpn server when my vpnclient is running


pat.ibulaire

Occasional Visitor
Hello everybody,

- I have my asus/merlin router running vpnclient1 (tap11), which connects to an external vpn server
- All internet traffic is routed through this vpn client by default when it is running
- I have my asus/Merlin router running vpnserver1 (tap21), which listens on some WAN port
- when vpnclient1 is not running I can connect from outside to the asus/merlin vpnserver1 successfully
- when vpnclient1 is running I cannot connect to the asus/merlin vpnserver1; I guess the packets from vpnserver1 are routed through the vpnclient and then the connection cannot succeed

I have managed to selectively route some of my LAN clients (192.168.2.253) to bypass vpnclient1 by adding these rules:
ip rule add from 192.168.2.253 dev br0 table 100
ip route add default table 100 via 192.168.0.1
ip route flush cache

I think vpnserver1 (tap21) has to bypass vpnclient1 to respond to a client connection request, but I can't manage to do it.

I hope someone can help. Thank you very much in advance.

Here are my settings:
WAN network:
gateway 192.168.0.1
netmask 255.255.255.0

LAN network:
gateway 192.168.2.1
netmask 255.255.255.255

Asus/merlin router WAN IP 192.168.0.10
vpnclient1 connects to 74.131.173.17:21000
public IP assigned to the vpnclient is 74.131.169.132
gateway "pushed" to the vpn client is 74.131.169.129

When vpnclient1 is not running, I get this for the command ip route list:
192.168.0.1 dev eth0 scope link
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link lo scope link
default via 192.168.0.1 dev eth0

When vpnclient1 is running, I get this for the command ip route list:
74.131.173.17 via 192.168.0.1 dev eth0
192.168.0.1 dev eth0 scope link
74.131.168.128/27 dev tap11 proto kernel scope link src 74.131.162.132
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link lo scope link
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0
 
Use the selective routing that's implemented on the 378.54 webui. You can easily define rules there as to what to route through the VPN, and what through the WAN interface. I would try having the router's IP set to route through WAN, and a rule for the whole subnet (192.168.2.0/24) to the VPN. WAN rules have priority over VPN rules.
 
Thank you very much Merlin for your reply. The problem is that I will be on leave in a few days and I don't want to take the risk of installing a new firmware version and having to reconfigure everything on such short notice. I was under the impression that adding a couple of routing rules could be enough to solve the problem, but I'm not experienced enough to figure out what they are.

When you say having the router's IP set to route through WAN, do you mean the router IP from the LAN (192.168.2.1) or the router IP from the WAN (192.168.0.10)?

By the way, as you can see, the whole LAN subnet is routed through vpnclient1 except for what is related to table 100, that is the LAN IP 192.168.2.253.
 
I believe you need to route the addresses for the vpnserver (by default 10.8.0.0/24) to bypass the vpnclient.
 
I noticed that it is the route below that prevents the connection when vpnclient1 is running:
0.0.0.0/1 via 74.131.169.129 dev tap11

If I delete that route I can connect to the vpnserver, but indeed traffic from the LAN is not routed through vpnclient1 anymore and just goes nowhere.
 
That route (and the one that follows it) is just a way to bypass the ending default route and force everything through the VPN (any address where the first bit is 0 (0.0.0.0/1) or 1 (128.0.0.0/1)).

Code:
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0

I'm not an expert here, but you may not see an ifconfig entry when running in tap mode (I do see it when running in tun mode):
Code:
tun21  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
  UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Did you try adding the rule you mentioned? Seems as if that should work.
 
Yes, I tried, but it did not work.

A ping to 10.8.0.1 from the router interface results in 100% lost packets, with vpnclient1 running or not. In fact I think the vpnserver packets sent to the listening port 192.168.0.10:1194 do not reach their target. Edit: a ping to 192.168.0.1 and 192.168.0.10 from the router interface does in fact succeed.
 
Just for a sanity check, what is your rule list (ip rule) and table 100 (ip route show table 100)?
 
You don't want to delete the route you reference. That will cause all traffic from the 192 subnet to also bypass the VPN.

Instead, try this...

ip route add 10.8.0.0/24 dev tap21
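To make the route-selection reasoning in this thread concrete, here is an added example (not from the thread, and not Asuswrt-Merlin code) that models the Linux lookup the posts above are arguing about: longest-prefix matching within a table, and `ip rule` entries choosing which table is consulted first. The routes are constructed from the `ip route list` output posted for "vpnclient1 running" and from the `ip rule` / `ip route ... table 100` commands in the first post; the device for the table 100 default route is assumed to be eth0 (the kernel resolves it from the gateway), and the rule order is assumed to be the added rule first, then main. The last check adds the `10.8.0.0/24 dev tap21` route suggested just above and shows what it changes.

```python
# Added example: a simplified model of Linux route selection (longest-prefix
# match plus policy-routing tables). It is constructed from the routes and
# rules quoted in this thread and is not the router's or the kernel's code.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


def parse_route(line: str) -> Route:
    """Parse one `ip route list` line, keeping only what selection needs."""
    tokens = line.split()
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    via = tokens[tokens.index("via") + 1] if "via" in tokens else None
    dev = tokens[tokens.index("dev") + 1]
    return Route(ipaddress.ip_network(dst, strict=False), dev, via)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes covering dst, the longest mask wins.
    This is why 0.0.0.0/1 and 128.0.0.0/1 beat the /0 default route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# (source selector, or None for "from all"; table name) as in `ip rule`
Rule = Tuple[Optional[str], str]


def policy_lookup(rules: List[Rule], tables: Dict[str, List[Route]],
                  src: str, dst: str) -> Optional[Route]:
    """Walk the rules in order; the first table holding a matching route
    decides, and a table with no matching route falls through to the next."""
    for rule_src, table_name in rules:
        if rule_src is None or ipaddress.ip_address(src) in ipaddress.ip_network(rule_src):
            route = lookup(tables[table_name], dst)
            if route is not None:
                return route
    return None


# Main table exactly as posted in the thread for "vpnclient1 running".
MAIN_VPN_UP = [parse_route(line) for line in """
74.131.173.17 via 192.168.0.1 dev eth0
192.168.0.1 dev eth0 scope link
74.131.168.128/27 dev tap11 proto kernel scope link src 74.131.162.132
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link lo scope link
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0
""".strip().splitlines()]

# Table 100 from `ip route add default table 100 via 192.168.0.1`; the device
# (eth0) is an assumption: the kernel resolves it from the gateway address.
TABLE_100 = [parse_route("default via 192.168.0.1 dev eth0")]

# `ip rule add from 192.168.2.253 dev br0 table 100`, consulted before main.
RULES: List[Rule] = [("192.168.2.253/32", "100"), (None, "main")]


def egress_dev(src: str, dst: str,
               extra_main_routes: Optional[List[str]] = None) -> Optional[str]:
    """Interface a packet from src to dst leaves on, optionally after adding
    more `ip route add`-style lines to the main table."""
    main = MAIN_VPN_UP + [parse_route(l) for l in (extra_main_routes or [])]
    route = policy_lookup(RULES, {"100": TABLE_100, "main": main}, src, dst)
    return route.dev if route else None


if __name__ == "__main__":
    # A normal LAN host to the Internet: the /1 routes pull it into tap11.
    print(egress_dev("192.168.2.10", "8.8.8.8"))
    # The bypassed host matches the rule, so table 100 sends it out eth0.
    print(egress_dev("192.168.2.253", "8.8.8.8"))
    # Traffic the router sends to a vpnserver client address is caught by
    # 0.0.0.0/1 too, until a more specific route ties 10.8.0.0/24 to tap21.
    print(egress_dev("10.8.0.1", "10.8.0.5"))
    print(egress_dev("10.8.0.1", "10.8.0.5", ["10.8.0.0/24 dev tap21"]))
```

The point the model makes is that a /24 (or any prefix longer than /1) always wins over the two half-Internet routes, so targeted routes like the one suggested above carve traffic out of the VPN without touching the 0.0.0.0/1 and 128.0.0.0/1 entries, whereas deleting those entries (as tried earlier in the thread) sends the whole LAN back out the WAN.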
 
