
RT-AC5300. Dual WAN leaks my real IP despite the strict mode of OpenVPN Firewall.


scareferatis

New Around Here
Hello. So, the title says it all. I have 2 ISP GPON terminals I want to merge into one net with my ASUS router. When I had only one such box, I decided to protect my connection with OpenVPN. By utilizing Strict Policy mode inside the built-in OpenVPN firewall, I created a killswitch and forbade any of my devices to use the internet if my VPN connection is down. However, since I started using Dual WAN with Load Balancer mode, it leaks my second GPON box's IP address despite the rule I set up. My firmware version is 384_5b1 (update is impossible for me, because it deprecates OpenVPN Firewall and refers to some "postconf scripts" which I have zero clue of.) System Log's openvpn part doesn't have any info about my secondary WAN connection, as if it were non-existent.

What's the reason for this problem? How can I fix it and continue to use OpenVPN Firewall like before?
 
I am not sure of your logic in running old, beta firmware while also being concerned about security/privacy issues?

I would suggest upgrading to the latest firmware, 384.9, perform a full reset to factory defaults and then manually configure your router(s) again as needed. You may need to learn or relearn a few things about the updated (everything) from your old config, but I think it will be time well spent.

Others will be better able to help out then, imo.
 


Thanks for your answer. The thing is, there's NO GUI OpenVPN Firewall at the latest version, it needs to be configured via some postconf scripts, which is a big hit for privacy, IMO.
 

I won't pretend to understand this fully, but I can't believe that something as seemingly important as this feature would be dropped for no reason?

How is configuring postconf scripts yourself a hit on privacy?
 
Not everyone has the knowledge to do its setup. I guess the coder knows this. I tried googling these scripts, but there's only a tad bit of info, with a high risk of bricking the router.
 

You are right. I certainly do not know.

But, you're in the right place to ask nicely how to do this and more. In the end, you'll have a much more secure network and have learned a little too. :)
 


Thanks for your advice, my friend. But, like some wise people say, "if it ain't broke, don't fix it".
 

You're welcome! Just trying to help out.

From my end though, it seems like it is already broken. By the simple fact that your firmware is almost a year old, let alone the specific issue you need to be fixed. ;)
 
The firewall rules are the same as under the older version; the only difference is I no longer offer an option to disable it. Postconf scripts are only intended for people needing to customize these, and should not be needed by normal users. For instance, people who need to disable the firewall for some reason.

The biggest source of leaks is if you have clients using IPv6, which will completely bypass the VPN tunnel.
 


Thanks for your answer, but I don't have any IPv6 client in my net. The problem is that the second connection doesn't route via the OpenVPN tunnel at all. The only thing I see in the log is "bound 172.0.0.x via 172.0.0.1", which is a standard DHCP lease. And that's it. It doesn't connect to my VPN account.
 
Just for my own curiosity, where is the tunnel established? Are you connecting in or this a tunnel going out?

I've read your post a few times and I can't figure out how you've implemented OpenVPN and its intended use.

Sorry I know this doesn't help but curiosity got the better of me :)

Sent from my MI 5 using Tapatalk
 


No problem. I have a subscription to a certain VPN provider, whose OVPN config is used in my RT-AC5300 to protect my traffic 24/7. Up until 3 days ago, I had 1 ISP with a proprietary GPON terminal. Gateway IP was 192.168.1.1. It was connected to my Asus and my traffic was tunneled by VPN with protection against leaks via Policy Rules (Strict) mode. Now I have 2 ISPs. I want to combine them via Dual WAN with VPN working. But for some reason that rule doesn't work for my NEW SECOND connection. If I disable the VPN, Internet still works on the second one. If it's enabled, I can see both the VPN IP from my first connection and the REAL ONE OF THE SECOND. Which is a big no-no. And I don't see any tunnel assignments in the system log for the second ISP, except for the DHCP lease.
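The thread turns on what a "strict" policy-routing kill switch has to guarantee: a client in the VPN policy must never fall through to the WAN default route when the tunnel's routes are gone. The model below is an added example written for this page, not Asuswrt-Merlin's own code or a diagnosis of the Dual WAN case; it mirrors Linux `ip rule` / `ip route` semantics with assumed names (table `ovpnc1`, tunnel device `tun11`, a combined `wan0+wan1` uplink for Dual WAN) and shows the leak that appears when the VPN table has no `prohibit` fallback.

```python
import ipaddress

# Constructed model of Linux policy routing (assumption: not the router's real tables).
# RULES mirror `ip rule show` as (priority, source prefix or None, table name);
# tables mirror `ip route show table T` as ordered (prefix, target) entries, where
# target is an egress interface or the special route type "prohibit".

def lookup(table, dst):
    """Longest-prefix match; on equal length the earlier (lower metric) entry wins."""
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]

def egress(rules, tables, src, dst):
    """Walk rules by priority; a table with no matching route falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, src_prefix, name in sorted(rules, key=lambda r: r[0]):
        if src_prefix and src not in ipaddress.ip_network(src_prefix):
            continue
        target = lookup(tables.get(name, []), dst)
        if target is not None:
            return target
    return "unreachable"

# Constructed sample: one LAN client is in the VPN policy; the main table carries
# the Dual WAN default route (load-balanced over both uplinks, shown as one target).
RULES = [(10001, "192.168.1.10/32", "ovpnc1"), (32766, None, "main")]
MAIN = [("192.168.1.0/24", "br0"), ("0.0.0.0/0", "wan0+wan1")]
TUNNEL_UP = [("0.0.0.0/0", "tun11"), ("0.0.0.0/0", "prohibit")]
TUNNEL_DOWN_STRICT = [("0.0.0.0/0", "prohibit")]  # tun11 routes vanished, guard stays
TUNNEL_DOWN_LOOSE = []                              # no guard: lookup falls to main

def client_path(vpn_table, src="192.168.1.10", dst="203.0.113.5"):
    """Egress the policy client would take with the given VPN table contents."""
    return egress(RULES, {"main": MAIN, "ovpnc1": vpn_table}, src, dst)

def leaks(vpn_table, src="192.168.1.10"):
    """True when a policy client reaches a WAN uplink instead of tun11 or prohibit."""
    return client_path(vpn_table, src) not in ("tun11", "prohibit")

if __name__ == "__main__":
    for label, table in [("tunnel up", TUNNEL_UP), ("down, strict", TUNNEL_DOWN_STRICT),
                         ("down, loose", TUNNEL_DOWN_LOOSE)]:
        print(f"{label:13}: {client_path(table):10} leak={leaks(table)}")
```

On a real router the same check is `ip rule show` plus `ip route show table <vpn table>` with the tunnel down: if the table has no `prohibit` or `unreachable` default, policy clients fall through to the main table and its WAN routes.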
 
