VPN Director... design issue???

I have no problem running 3 clients to different locations and different LAN devices.
Me neither!
The problem only appears when you set the first VPN client's "Force Internet traffic through tunnel" to "No": all the others (VPN clients 2, 3, 4) will then fail to tunnel their devices too.
Even though the WebUI shows the VPNs are connected.

Can you help to verify?

(In my case the first VPN client is based on static routes, which may or may not be relevant.)
 
Try to relocate your clients regarding this:
Priority

Rules are applied in the following order:

Rules with a WAN destination
Rules with an OpenVPN 1 destination
Rules with an OpenVPN 2 destination
...
Rules with an OpenVPN 5 destination

Also note that any routes configured on the Dual WAN page will have a higher priority than all of these.
 
OK, but when I have two clients with the "No" option, the first one always overwrites the second one. Does that make sense to you?
I mean I choose "No" because I want the VPN server to decide the routes, but never expected the first VPN to delete/takeover the second VPN's routes.


I can understand that in your scenarios the Priority in "VPN Director" is certainly a good approach, but shouldn't "No" be an exception?
 
If you don't use VPN Director, then the first VPN instance will get all the traffic routed through it. You need to use VPN Director if you need to handle multiple simultaneous tunnels. Just set rules for each remote subnet, pointing at the appropriate VPN tunnel.
 
Thanks for your reply.

Still "VPN Director" can not solve my case, since my VPN servers have hundreds of static routes which push to the clients... plus they keep updating after some time.
To use "VPN Director", I need to copy the routes from some other VPN client then manually add them to "VPN Director" one by one...
That seems unrealistic...
 
since my VPN servers have hundreds of static routes
Sounds like a rather unusual scenario to me. Sorry, but VPN Director wasn't designed with that kind of scenario in mind. You will have to manually configure routing tables to fit your needs then.
 
Okay, understood... VPN Director wasn't...
But from what I know, the old version was designed to handle this kind of scenario from the beginning, and there's no room for improvement in the new update?

Not being picky; I can still run a VPN client on some other device, i.e. my laptop. I just thought maybe this is a reasonable request for the new design too.

Still Merlin is surely a great router firmware in any way!
 
But from what I know, the old version was designed to handle this kind of scenario since from the beginning, and there's no room for improvement in the new update?
While it might have been "working", it was unreliable. Routes were added to the main table and copied to client tables, which means you might sometimes have duplicate or missing routes.

Your current problem is probably that each client table ends with a default route going through the default gateway, which prevents you from matching multiple tables. A temporary workaround would be to delete the default route from the client table at connect time, through an openvpn-event script. I will experiment on my end to see if this works as expected, and if so, I will change it in the next release so that when Redirect Internet is set to "No", instead of adding the default WAN gateway, I won't set any default gateway to the client table. This should in theory allow the RPDB to continue on with the next table (the iproute2 documentation wasn't clear on this, I will need to test it myself).
 
If you want to test yourself, you can remove the default route from a client table this way (replace ovpnc3 with each client that you have connected):

Code:
ip route del default table ovpnc3
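The mechanism described above (RPDB rules consulted in priority order, each pointing at a per-client table, with lookup only continuing to the next rule when a table has no matching route) can be modelled without a router. The following is an added illustration, not code from Asuswrt-Merlin or from any poster in this thread. The table names ovpnc1/ovpnc2, device names, rule priorities, the WAN gateway 203.0.113.1 and the pushed prefixes are all constructed for the example; the real firmware's rule numbers and tables may differ.

```python
import ipaddress

# Constructed values (not taken from the firmware): a WAN gateway in TEST-NET-3
# and two remote LAN prefixes pushed by the respective OpenVPN servers.
WAN_GW = "203.0.113.1"
PUSHED_BY_SERVER_1 = ["10.9.9.0/24"]
PUSHED_BY_SERVER_2 = ["10.8.8.0/24"]


def client_table(pushed, dev, default_via=None):
    """Per-client routing table: the server-pushed routes, plus optionally a
    default route (this is what Redirect Internet = "No" used to append)."""
    table = [{"dst": p, "via": dev} for p in pushed]
    if default_via is not None:
        table.append({"dst": "0.0.0.0/0", "via": default_via})
    return table


def longest_prefix_match(table, dst):
    """Return the most specific route in `table` covering `dst`, or None."""
    best = None
    for route in table:
        net = ipaddress.ip_network(route["dst"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def rpdb_lookup(rules, tables, src, dst):
    """Walk rules by ascending priority. A table that yields no route does not
    end the lookup; the kernel moves on to the next rule. A default route in a
    table therefore always terminates the walk at that table."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if rule["src"] != "all" and src_ip not in ipaddress.ip_network(rule["src"]):
            continue
        route = longest_prefix_match(tables[rule["table"]], dst_ip)
        if route is not None:
            return rule["table"], route["via"]
    return None


def build_scenario(strip_default):
    """Two clients with Redirect Internet = "No". With strip_default=False each
    client table ends in a WAN default route (the behaviour under discussion);
    with strip_default=True that default has been removed, as with
    'ip route del default table ovpncN'."""
    default = None if strip_default else WAN_GW
    tables = {
        "main": [{"dst": "192.168.1.0/24", "via": "br0"},
                 {"dst": "0.0.0.0/0", "via": WAN_GW}],
        "ovpnc1": client_table(PUSHED_BY_SERVER_1, "tun11", default),
        "ovpnc2": client_table(PUSHED_BY_SERVER_2, "tun12", default),
    }
    rules = [
        # A VPN Director WAN rule for one device: processed before any VPN rule.
        {"prio": 10001, "src": "192.168.1.50/32", "table": "main"},
        {"prio": 10101, "src": "all", "table": "ovpnc1"},
        {"prio": 10201, "src": "all", "table": "ovpnc2"},
        {"prio": 32766, "src": "all", "table": "main"},
    ]
    return rules, tables


def route_for(strip_default, src, dst):
    rules, tables = build_scenario(strip_default)
    return rpdb_lookup(rules, tables, src, dst)


if __name__ == "__main__":
    for strip in (False, True):
        print("default route in client tables removed:", strip)
        for dst in ("10.9.9.1", "10.8.8.1", "4.2.2.2"):
            print("  192.168.1.10 ->", dst, "=>", route_for(strip, "192.168.1.10", dst))
        print("  192.168.1.50 -> 10.9.9.1 =>", route_for(strip, "192.168.1.50", "10.9.9.1"))
```

With the default route left in place, a destination in client 2's remote LAN is swallowed by ovpnc1's default and sent to the WAN, which is the symptom reported in this thread; once the default is removed, ovpnc1 returns no route, the walk continues to ovpnc2 and the traffic takes tun12, while Internet destinations fall through to main and the WAN. The device covered by the WAN rule is always resolved in main first, regardless of the VPN rules that follow.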
 
Sounds great!
Thanks for contributing such great code!
 
Seems to work for me with that change.

Client 1 (server on another of my routers): VPN with Redirect Internet set to "No", and server pushes a route to 10.9.9.0/24
Client 2 (NordVPN): VPN with Redirect Internet set to "Yes"

Traceroute to 10.9.9.1 properly reaches the router at the end of Client 1, and traceroute to 4.2.2.2 went through NordVPN.
 
Had the same issue.

Setup: 5 VPN clients with Redirect Internet set to "No", connecting to ASUS routers (on "John's" firmware) at remote locations. All traffic was routed through the first VPN client (and therefore only the first was working properly).

After executing:

ip route del default table ovpnc1
ip route del default table ovpnc2
ip route del default table ovpnc3
ip route del default table ovpnc4
ip route del default table ovpnc5

the last 4 clients immediately started working (now they are all working as on 386.2_6).

Thx for the suggestion.
 
Not sure if this is the right place to put this comment. I have a request. Would it be possible to have a sorter? In this way I could group together more than one rule set up for the same device. Under the old configuration, I had a rule based on client instance, VPN 1, VPN 2 etc.; under the new config they are listed by device & IP. From here I can enable or disable which setup per device I want to use at the time. Basically I am asking to sort rules by IP over WAN/VPN instance so all instances from the same IP are listed together, or maybe even a toggle to switch between the two views.
 
If I route a VPN to redirect ALL TRAFFIC, can I exclude 1 or 2 devices and have them go directly through WAN and bypass the VPN?

I have like 20 devices on my network and I want ALL of the devices, including any guests that come over to be on the VPN. There are only 2 devices I want to bypass the VPN.

So can I do this, or do I have to manually enter all 18 devices I want to go through the VPN and exclude the other 2? Or is there a way I can redirect all traffic and exclude those 2?
 
If I route a VPN to redirect ALL TRAFFIC, can I exclude 1 or 2 devices and have them go directly through WAN and bypass the VPN?
Yes. WAN rules are always processed before any VPN rules.
 