Split Tunneling Question on AsusWrt Merlin


Viktor Jaep
Hi all,

I have an RT-AC3100. I read the documentation on split tunneling (https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing) and did some forum searching, but didn't see an answer to the particular scenario I have.

I'm planning on again using a StrongVPN openvpn connection (which successfully worked on the stock Asus firmware) to protect all my local network traffic across a VPN, but ran into problems with my Voip device, as it would continually go offline, or lose connection somehow while everything else was going out over the VPN. When I found that Merlin could handle split tunneling, I was hoping to:

1.) Have all traffic on local network traverse across the VPN
2.) Except for a specific IP for my Voip device, which will need to go across the WAN.

So based on this, I'm not sure if I can use CIDR for my internal range, and if so, if I specifically reference this Voip device IP which will be included in the CIDR range, will the router know to make an exception for it and make its traffic go out through the WAN?

Hoping to do something like this:
LocalNetwork 192.168.1.0/24 0.0.0.0 VPN
VoipDevice 192.168.1.100 0.0.0.0 WAN

Would something like this work, or should I be going about this a different way?

Thank you,
Viktor
 
So I have been playing with this, and I can't get this scenario to work... The source IP is a dropdown that requires me to pick specific addresses. Kind of sucks, when the majority of addresses are ever-changing DHCP addresses.

It would be nice to say I want to have all traffic traverse across VPN, except for this address or that address, which need to go across the WAN.

Is there a process for requesting enhancements to the firmware for something like this?

Thank you,
Viktor
 
If I understand what you want it is straight forward and can be accomplished through the VPN tabs using GUI.

1. Install Merlin's latest firmware.
2. Load ovpn file from StrongVPN adding in your user name and password for the server you selected if necessary.
3. Check that VPN is running.
4. Under LAN tab - DHCP server turn on manual assignment and give your devices or at least your VOIP a static IP.
5. Go back to your OpenVPN client tab and select policy routing. Then select the IP you assigned your VOIP device and select Iface as WAN. All other devices will route using VPN.
 
So I have been playing with this, and I can't get this scenario to work... The source IP is a dropdown that requires me to pick specific addresses. Kind of sucks, when the majority of addresses are ever-changing DHCP addresses.

It would be nice to say I want to have all traffic traverse across VPN, except for this address or that address, which need to go across the WAN.

Is there a process for requesting enhancements to the firmware for something like this?

Thank you,
Viktor

Your original idea using both entries
Code:
LocalNetwork 192.168.1.0/24 0.0.0.0 VPN
VoipDevice    192.168.1.100 0.0.0.0 WAN

will work! Use the keyboard to type your desired Source, or enter some test text, say 'help', in the field and then hit the '+' button! :)

EDIT: If you have more complex requirements, then you can use the openvpn-event 'route-up' trigger to add the appropriate rules direct to the RPDB table.
 
If I understand what you want it is straight forward and can be accomplished through the VPN tabs using GUI.

5. Go back to your OpenVPN client tab and select policy routing. Then select the IP you assigned your VOIP device and select Iface as WAN. All other devices will route using VPN.

Point 5 is incorrect I'm afraid, the default when 'Policy Rules' is enabled is to use the WAN

https://www.snbforums.com/threads/excluding-specific-clients-from-vpn.38375/#post-316533
 
Not having much luck with this, guys...

My Voip router is static, and I've tried both of your suggestions above. For the strangest reason, as soon as I enable that "Policy Rules" dropdown, my VPN remains connected, but it no longer uses this connection. All traffic at that point goes out through the WAN. When I switch it back to "All", then all traffic goes back out over the VPN.

It doesn't matter what rules I use... I even tried just having 1 rule in there, of just my device going across VPN... and the VPN (while connected), still isn't being used for outgoing traffic. I tried the 192.168.1.0/24 entry as well... same issue.
 
Point 5 is incorrect I'm afraid, the default when 'Policy Rules' is enabled is to use the WAN

https://www.snbforums.com/threads/excluding-specific-clients-from-vpn.38375/#post-316533
You are correct. I forgot that I don't have any IPs assigned using DHCP and all my IPs route VPN.

A good reason for using static IPs and specifying WAN or VPN is you don't have to remember what the defaults are.

Sorry if I confused you. To make a device use the VPN you need to select iface VPN. This means assigning all devices that you want to use the VPN a static LAN IP.
 
Not having much luck with this, guys...

My Voip router is static, and I've tried both of your suggestions above. For the strangest reason, as soon as I enable that "Policy Rules" dropdown, my VPN remains connected, but it no longer uses this connection. All traffic at that point goes out through the WAN. When I switch it back to "All", then all traffic goes back out over the VPN.

It doesn't matter what rules I use... I even tried just having 1 rule in there, of just my device going across VPN... and the VPN (while connected), still isn't being used for outgoing traffic. I tried the 192.168.1.0/24 entry as well... same issue.

You will need to show the output of these commands (assuming you are using VPN Client 1? - if not then use 11x where x is the VPN Client instance number):
Code:
ip rule

ip route show table 111

ip route

NOTE: When using the 'Policy rules' for your exception case, you must enter the two rules!
 
I have still not been able to get this to work...

According to my logs, it seems like it's creating the correct routing tables... This is when I select "Policy Rules" from the "redirect internet traffic" option. I'm using these rules:

AllNetwork 192.168.1.0/24 0.0.0.0 VPN
VOIP 192.168.1.11 0.0.0.0 WAN

Jun 23 18:58:22 openvpn-routing: Configuring policy rules for client 1
Jun 23 18:58:22 openvpn-routing: Creating VPN routing table (mode 2)
Jun 23 18:58:22 openvpn-routing: Adding route for 192.168.1.0/24 to 0.0.0.0 through VPN client 1
Jun 23 18:58:22 openvpn-routing: Adding route for 192.168.1.11 to 0.0.0.0 through WAN
Jun 23 18:58:22 openvpn-routing: Completed routing policy configuration for client 1
Jun 23 18:58:22 openvpn[3463]: Initialization Sequence Completed

But when you look at the VPN stats, it's almost like it's somehow disconnected...
TUN/TAP Read and Write bytes both are at 0.
Post Compress and uncompress bytes are both at 0.

When I change the "redirect internet traffic" back to "All", then it starts generating traffic again.
TUN/TAP Read/write are in the hundreds of thousands, as well as all the other fields.

Any other ideas or settings I should be aware of?

Thanks,
Viktor
 
I have still not been able to get this to work...

According to my logs, it seems like it's creating the correct routing tables...

But when you look at the VPN stats, it's almost like it's somehow disconnected...
TUN/TAP Read and Write bytes both are at 0.
Post Compress and uncompress bytes are both at 0.

When I change the "redirect internet traffic" back to "All", then it starts generating traffic again.
TUN/TAP Read/write are in the hundreds of thousands, as well as all the other fields.

Any other ideas or settings I should be aware of?

If the routing tables are physically incorrect then it won't work - despite the RPDB rule comments in Syslog.

If you are unable/unwilling to provide the output of the three commands, then guessing what may be the problem will be unnecessarily tedious/futile.

You should yourself manually perform a comparison between the output of the commands when it is passing/creating VPN traffic correctly vs. when it is not.

I suspect VPN Client route table 111 is incorrect, and rather than containing a 'default' route entry for the VPN target 'dev tun11'
e.g.
Code:
ip route show table 111

<snip>
default via xxx.xxx.xxx.xxx dev tun11

probably contains an entry for the WAN (dev eth0) etc.
 
Thanks for your willingness to help, Martineau... here's the output of those commands. And btw, yes, the vpn slot is set up for openvpn client 1. Even with this info though... what can I even do to try to fix these routing tables, if the GUI isn't generating the correct stuff?

viktor@RT-AC3100-5FD8:/tmp/home/root# ip rule
0: from all lookup local
10001: from 192.168.1.11 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

viktor@RT-AC3100-5FD8:/tmp/home/root# ip route show table 111
70.213.124.1 dev eth0 proto kernel scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
70.213.124.0/21 dev eth0 proto kernel scope link src 70.213.127.83
101.62.0.0/21 dev tun11 proto kernel scope link src 101.62.0.3
127.0.0.0/8 dev lo scope link

viktor@RT-AC3100-5FD8:/tmp/home/root# ip route
70.213.124.1 dev eth0 proto kernel scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
70.213.124.0/21 dev eth0 proto kernel scope link src 70.213.127.83
101.62.0.0/21 dev tun11 proto kernel scope link src 101.62.0.3
127.0.0.0/8 dev lo scope link
default via 70.213.124.1 dev eth0

Thanks,
Viktor
 
Even with this info though... what can I even do to try to fix these routing tables, if the GUI isn't generating the correct stuff?

Complain to the author? :p

Code:
viktor@RT-AC3100-5FD8:/tmp/home/root# ip route show table 111
70.213.124.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
70.213.124.0/21 dev eth0  proto kernel  scope link  src 70.213.127.83
101.62.0.0/21 dev tun11  proto kernel  scope link  src 101.62.0.3
127.0.0.0/8 dev lo  scope link

Are you sure that the above is the complete output for route table 111?

There should be a line such as:
Code:
default via 101.62.x.xxx dev tun11

If there isn't a 'default' line then you can obviously manually add it, but possibly there is an inappropriate OpenVPN directive specified.

Can you provide the Custom Configuration options from the GUI?
 
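The two posts above make the same point from opposite ends: the two-entry policy (a /32 WAN exception at a lower rule number than the /24 VPN entry) is correct, and it still fails when table 111 has no 'default' route, because the kernel skips a matching rule whose table holds no route for the destination and falls through to the main table. The script below is an added example, not code from this thread or from the Merlin firmware: a pure-sh simulation of that RPDB lookup, fed with the `ip rule` and route-table output Viktor posted (embedded as constructed sample data). The LAN host 192.168.1.50, the Internet target 203.0.113.10 and the VPN gateway 101.62.0.1 used in the "fixed" table are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from this thread or the Merlin firmware): simulate the
# kernel's RPDB lookup, i.e. the first matching 'ip rule' whose table actually
# holds a route for the destination wins. Sample data is constructed from the
# output posted in the thread so this runs offline.
set -f   # no globbing while we word-split route lines

# Posted `ip rule` output (whitespace normalised)
SAMPLE_RULES='0: from all lookup local
10001: from 192.168.1.11 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default'

# Posted `ip route show table 111` (ovpnc1): note there is no 'default' line
SAMPLE_TABLE_OVPNC1='70.213.124.1 dev eth0 proto kernel scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
70.213.124.0/21 dev eth0 proto kernel scope link src 70.213.127.83
101.62.0.0/21 dev tun11 proto kernel scope link src 101.62.0.3
127.0.0.0/8 dev lo scope link'

# Posted `ip route` (main table): the same routes plus the WAN default
SAMPLE_TABLE_MAIN="$SAMPLE_TABLE_OVPNC1
default via 70.213.124.1 dev eth0"

# Table 111 as it should look once the VPN default route is present. The
# gateway 101.62.0.1 is an assumed placeholder, not a value from the thread.
FIXED_TABLE_OVPNC1="$SAMPLE_TABLE_OVPNC1
default via 101.62.0.1 dev tun11"

TABLE_OVPNC1=$SAMPLE_TABLE_OVPNC1   # set to "$FIXED_TABLE_OVPNC1" to see the fix

# ip4_to_int 192.168.1.11 -> 3232235787
ip4_to_int() {
    _ifs1=$IFS; IFS=.; set -- $1; IFS=$_ifs1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len PREFIX : 'default'/'all' -> 0, a.b.c.d/n -> n, bare host -> 32
prefix_len() {
    case $1 in default|all) echo 0 ;; */*) echo "${1#*/}" ;; *) echo 32 ;; esac
}

# in_prefix IP PREFIX : succeeds when IP falls inside PREFIX
in_prefix() {
    _len=$(prefix_len "$2")
    [ "$_len" -eq 0 ] && return 0
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & _mask )) -eq $(( $(ip4_to_int "${2%/*}") & _mask )) ]
}

# table_dump NAME : routes of a table; 'local'/'default' hold nothing usable here
table_dump() {
    case $1 in
        ovpnc1) printf '%s\n' "$TABLE_OVPNC1" ;;
        main)   printf '%s\n' "$SAMPLE_TABLE_MAIN" ;;
    esac
}

# route_dev TABLE DST : device of the longest-prefix route covering DST, or ''
route_dev() {
    _tbl=$1; _dst=$2; _best=-1; _dev=
    _ifs2=$IFS; IFS='
'
    for _line in $(table_dump "$_tbl"); do
        IFS=$_ifs2
        set -- $_line                 # $1 = prefix; the word after 'dev' is the device
        _pfx=$1
        while [ $# -gt 1 ] && [ "$1" != dev ]; do shift; done
        if in_prefix "$_dst" "$_pfx"; then
            _l=$(prefix_len "$_pfx")
            if [ "$_l" -gt "$_best" ]; then _best=$_l; _dev=$2; fi
        fi
    done
    IFS=$_ifs2
    echo "$_dev"
}

# rpdb_egress SRC DST : "<table> <device>" the kernel would pick, or 'none'.
# A matching rule whose table has no route for DST is skipped and the lookup
# falls through: that is why a table 111 without 'default' sends the /24 to the WAN.
rpdb_egress() {
    _src=$1; _dst=$2; _result=none
    _ifs3=$IFS; IFS='
'
    for _rule in $(printf '%s\n' "$SAMPLE_RULES"); do
        IFS=$_ifs3
        set -- $_rule                 # PRIO: from SRC lookup TABLE
        [ "$2" = from ] || continue
        in_prefix "$_src" "$3" || continue
        _out=$(route_dev "$5" "$_dst")
        if [ -n "$_out" ]; then _result="$5 $_out"; break; fi
    done
    IFS=$_ifs3
    echo "$_result"
}

echo "broken table 111, LAN host : $(rpdb_egress 192.168.1.50 203.0.113.10)"  # main eth0
TABLE_OVPNC1=$FIXED_TABLE_OVPNC1
echo "fixed table 111,  LAN host : $(rpdb_egress 192.168.1.50 203.0.113.10)"  # ovpnc1 tun11
echo "fixed table 111,  VoIP     : $(rpdb_egress 192.168.1.11 203.0.113.10)"  # main eth0
```

With the posted table 111 the LAN host resolves to `main eth0`: rule 10101 matches, but ovpnc1 has no route for an Internet address, so the lookup drops to rule 32766 and the WAN default wins, which is exactly the "VPN connected but TUN/TAP bytes stay at 0" symptom. Once a `default ... dev tun11` line exists the same host resolves to `ovpnc1 tun11`, while 192.168.1.11 keeps hitting rule 10001 and leaves via the WAN as intended. The same check against a live router is the first two commands Martineau asked for, compared with the LAN-side symptom.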
Complain to the author? :p

Lol!

Are you sure that the above is the complete output for route table 111?

There should be a line such as:
Code:
default via 101.62.0.xxx dev tun11

That's all there is... :(

If there isn't a 'default' line then you can obviously manually add it, but possibly there is an inappropriate OpenVPN directive specified.

Can you provide the Custom Configuration options from the GUI?

Yep... it's whatever the default is...

hand-window 30
mute 3
ns-cert-type server
route-delay 2
route-method exe
route-metric 1
topology subnet
tun-mtu 1500
 
OK, I'd start by removing all except 'ns-cert-type server' and restart the VPN and see if the 'default' entry appears in table 111.
 
Done... but did not do the trick. :(
 
So if you remove all of the entries it still doesn't create the entry?

As a test
1. Set 'Block routed clients if tunnel goes down=YES' in the GUI.
2. Start/Stop the VPN Client or preferably reboot

Check if there is an entry in table 111
Code:
prohibit default
 
I removed all the entries, and reset the VPN... it still didn't add an entry.

I changed the Blocked routed clients option to YES and restarted... it did not add a "prohibit default".

Pretty frustrating that it's not behaving as expected... :(
 
Computers eh? :p

/usr/sbin/vpnrouting.sh contains the clause that adds the required 'default' statement to the table:
Code:
# Setup table default route
if [ "$VPN_IP_LIST" != "" ]
then
        if [ "$VPN_FORCE" == "1" ]
        then
             logger -t "openvpn-routing" "Tunnel re-established, restoring WAN access to clients"
        fi

        ip route del default table $VPN_TBL
        ip route add default via $route_vpn_gateway table $VPN_TBL
fi

if [ "$route_net_gateway" != "" ]
then
        ip route del default
        ip route add default via $route_net_gateway
fi

So if you are comfortable/familiar with modifying internal system scripts then you could add debug statements to print the values of these variables:
Code:
$VPN_IP_LIST
$VPN_TBL
$route_vpn_gateway

to identify which one is causing the failure.....

i.e. if variable '$route_vpn_gateway' is invalid and caused the intended 'ip route add default' request to (silently) fail, then assuming the preceding 'ip route delete default table' command was successful this may explain why the statement doesn't exist etc.

Alternatively you could try to force the missing statement to be added using the user-defined openvpn-event 'route-up' trigger (see Wiki https://github.com/RMerl/asuswrt-merlin/wiki)

I recommend you adopt @john9527's openvpn-event script template. Simply copy from here:
https://www.snbforums.com/threads/f...leases-v23e4-v24b8.18914/page-240#post-294825

then create the specific script as follows:

/jffs/scripts/vpnclient1-route-up
Code:
#!/bin/sh
# Run by openvpn-event with OpenVPN's environment, so $route_vpn_gateway is available here
logger -st "Debug" "Hack to fix missing 'default' statement in table 111" $route_vpn_gateway $VPN_TBL $VPN_FORCE

# Bail out rather than issue 'ip route add default via' with an empty gateway
[ -n "$route_vpn_gateway" ] || { logger -st "Debug" "route_vpn_gateway is empty; table 111 left untouched"; exit 1; }

# Log the error code instead of letting a failure pass silently
ip route add default via $route_vpn_gateway dev tun11 table 111 \
    || logger -st "Debug" "ip route add default (table 111) failed, rc=$?"

Attempt to start the VPN Client 1 and this will automatically run (assuming you have diligently followed the Wiki instructions to create the scripts!) so then check if the VPN routing issue has been improved.
 
Couple of newb questions... I'm using PuTTY, found the nano command, and tried to save a script under /jffs/scripts; however, no file ever gets saved out there. What's the preferred way to save/edit scripts? (EDIT: I have enabled Administration->System->Enable jffs scripts)

Also, if I copy that script from John9527, what would I need to call that? And I'm guessing this goes under jffs/scripts as well?

In order to test this, would I just need to execute your vpnclient1-route-up script? And not use the GUI to start the vpn?

Thank you!
 
What's the preferred way to save/edit scripts?

Nano works, not sure why you would have trouble?

However, if you are using a Windows laptop, then I recommend you use WinSCP

see https://www.snbforums.com/threads/h...outbound-connections.38086/page-3#post-314828

and substitute the appropriate filenames.

Also, if I copy that script from John9527, what would I need to call that? And I'm guessing this goes under jffs/scripts as well?

/jffs/scripts/openvpn-event

In order to test this, would I just need to execute your vpnclient1-route-up script? And not use the GUI to start the vpn?

No, you use the VPN GUI as normal, and vpnrouting.sh will now automatically find/execute openvpn-event, which will then execute vpnclient1-route-up.
 
