Menu
What's new
By:
Filters Better Search

384.13 VPN activating on IP by itself

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

R

rn170uk

Occasional Visitor
Hi All,

I'm using 384.13 on an RT-AC68U. One of my fixed IPs which is not in the OpenVPN client settings is routing through VPN automatically - but not all the time. If I enabled/disable, then all is good for a couple of days, then Ntflx/AmPrm both tell me I'm using a VPN and I have to repeat the process.

Any ideas of options except rebooting every couple of days? If I added it to the VPN list with "WAN" as the setting, this still happens.

Thanks in advance
 
Martineau

Martineau

Part of the Furniture
rn170uk said:
I'm using 384.13 on an RT-AC68U. One of my fixed IPs which is not in the OpenVPN client settings is routing through VPN automatically - but not all the time. If I enabled/disable, then all is good for a couple of days, then Ntflx/AmPrm both tell me I'm using a VPN and I have to repeat the process.

Any ideas of options except rebooting every couple of days? If I added it to the VPN list with "WAN" as the setting, this still happens.
Click to expand...

When the issue occurs, you should manually dump the VPN Clients' RPDB rules and their associated routing tables to look for anomalies:
Code: 
ip rule

for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done
Alternatively you could use cron to schedule a debugging script e.g. ChkVPNConfig.sh
 
R

rn170uk

Occasional Visitor
Thanks. Here is the result:
Code: 
ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-8028:/tmp/home/root# ip rule
0:      from all lookup local
10101:  from 192.168.1.2 lookup ovpnc1
10102:  from 192.168.1.12 lookup ovpnc1
10103:  from 192.168.1.193 to aa.bbb.cc.ddd lookup ovpnc1
10104:  from 192.168.1.10 lookup ovpnc1
10105:  from 192.168.1.182 lookup ovpnc1
10106:  from 192.168.1.50 lookup ovpnc1
10301:  from 192.168.1.183 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-8028:/tmp/home/root#


for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done

Table 254
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.zzz dev ppp0
Table 111
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 112
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 113
Table 114
Table 115


(checkVPNConfig.sh): 19402 **Warning WAN IP address 172.xx.yy.zzz is Private - is Asus router behind an ISP modem?

(checkVPNConfig.sh): 19402 ***ERROR*** Selective Routing NOT enabled! - table 'main' is FORCE routing ALL traffic via VPN Client 1

(checkVPNConfig.sh): 19402 VPN Client 1 route Table: 111 (VPN KILL switch Protection ENABLED)

172.xx.yy.0/23 dev tun11  proto kernel  scope link  src 172.xx.yy.zzz
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11

(checkVPNConfig.sh): 19402 **Warning '0.0.0.0/1 via 172.xx.yy.1 dev tun11 ' found in VPN Client 1

(checkVPNConfig.sh): 19402 ***ERROR*** RPDB rules will be misdirected for VPN Client 2 via tun11

(checkVPNConfig.sh): 19402 ***ERROR*** '0.0.0.0/1 via 172.xx.yy.1 dev tun11 ' will misdirect VPN Client 2 via wrong VPN Client

(checkVPNConfig.sh): 19402 **Warning for multiple ACTIVE concurrent VPN Clients
UNIQUE ports are advised - Port 443:UDP is configured for use by several VPN Clients
 
Martineau

Martineau

Part of the Furniture
rn170uk said:
Thanks. Here is the result:
Code: 
ASUSWRT-Merlin RT-AC68U 384.13-0 Wed Jul 31 17:27:27 UTC 2019
admin@RT-AC68U-8028:/tmp/home/root# ip rule
0:      from all lookup local
10101:  from 192.168.1.2 lookup ovpnc1
10102:  from 192.168.1.12 lookup ovpnc1
10103:  from 192.168.1.193 to aa.bbb.cc.ddd lookup ovpnc1
10104:  from 192.168.1.10 lookup ovpnc1
10105:  from 192.168.1.182 lookup ovpnc1
10106:  from 192.168.1.50 lookup ovpnc1
10301:  from 192.168.1.183 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC68U-8028:/tmp/home/root#


for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done

Table 254
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.zzz dev ppp0
Table 111
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 112
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 113
Table 114
Table 115


(checkVPNConfig.sh): 19402 **Warning WAN IP address 172.xx.yy.zzz is Private - is Asus router behind an ISP modem?

(checkVPNConfig.sh): 19402 ***ERROR*** Selective Routing NOT enabled! - table 'main' is FORCE routing ALL traffic via VPN Client 1

(checkVPNConfig.sh): 19402 VPN Client 1 route Table: 111 (VPN KILL switch Protection ENABLED)

172.xx.yy.0/23 dev tun11  proto kernel  scope link  src 172.xx.yy.zzz
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11

(checkVPNConfig.sh): 19402 **Warning '0.0.0.0/1 via 172.xx.yy.1 dev tun11 ' found in VPN Client 1

(checkVPNConfig.sh): 19402 ***ERROR*** RPDB rules will be misdirected for VPN Client 2 via tun11

(checkVPNConfig.sh): 19402 ***ERROR*** '0.0.0.0/1 via 172.xx.yy.1 dev tun11 ' will misdirect VPN Client 2 via wrong VPN Client

(checkVPNConfig.sh): 19402 **Warning for multiple ACTIVE concurrent VPN Clients
UNIQUE ports are advised - Port 443:UDP is configured for use by several VPN Clients
Click to expand...

The RPDB rules show that your intention is to have the following five devices routed via VPN Client 1
Code: 
10101:  from 192.168.1.2 lookup ovpnc1
10102:  from 192.168.1.12 lookup ovpnc1
10104:  from 192.168.1.10 lookup ovpnc1
10105:  from 192.168.1.182 lookup ovpnc1
10106:  from 192.168.1.50 lookup ovpnc1
and a single device routed via VPN Client 2
Code: 
10301:  from 192.168.1.183 lookup ovpnc2
whilst all references to a single destination IP aa.bbb.cc.ddd only from device 192.168.1.193 should also be routed via VPN Client 1.
Code: 
10103:  from 192.168.1.193 to  lookup ovpnc1
Unfortunately, the actual Selective Routing tables show that your desired Selective Routing rules are incorrect
Code: 
Table 254
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.zzz dev ppp0
Table 111
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 112
0.0.0.0/1 via 172.xx.yy.1 dev tun11
128.0.0.0/1 via 172.xx.yy.1 dev tun11
default via 172.xx.yy.1 dev tun11
Table 113
Table 114
Table 115
and my crude ChkVPNConfig.sh script has attempted to explain in simple layman's terms why the actual routing tables are causing the weird symptom you have described.

i.e.

1. VPN Client 2 is incorrectly routing traffic via physical interface tun11 (which is actually VPN Client 1) rather than interface tun12
2. ALL (non-VPN) WAN traffic is also forced via physical interface tun11 (which is actually VPN Client 1) rather than interface ppp0.​

I suggest you stop both VPN Clients, and focus on correcting the forced routing of ALL WAN traffic via VPN Client 1

Ensure the reworded GUI 'Force Internet traffic through tunnel=' (was previously 'Redirect Internet traffic=') is explicitly set to 'Policy Rules(strict)' for both VPN Clients, then start VPN Client 1 only.

The WAN routing table (254) should now look like
Code: 
Table 254
default via 172.xx.yy.zzz dev ppp0
with the two clever OpenVPN override rules '0.0.0.0/1' and '128.0.0.0/1' being absent.
If the two OpenVPN rules are still present, then a dirty hack would be to manually delete them
Code: 
ip route delete 0.0.0.0/1

ip route delete 128.0.0.0/1
to allow non-VPN Client 1 traffic to correctly use the WAN.

Also, to correct the VPN Client 2 issue, check if your VPN ISP allows multiple VPN connections from the same device, or if an alternative destination Port is available.
 
You must log in or register to reply here.

Similar threads

P
RT-AC68U OpenVPN Server Slow
Replies
9
Views
565
pjd50
P
E
VPN Stability Issues
Replies
4
Views
354
cptnoblivious
C
L
RT-AC68U VPN Director rule works intermittently
Replies
6
Views
548
LightGuy48
L
G
VPN Director help
Replies
4
Views
661
g121
G
J
Best settings for VPN client on router with AdGuard + Unbound
Replies
2
Views
445
jata
J
Similar threads
Thread starter Title Forum Replies Date
T Asus-wrtMerlin unable to upgrade my firmware from 384.7_2 to 386.9 Asuswrt-Merlin 4
H Set up NUT Client on AC87u with 384.13_10 Asuswrt-Merlin 1
S Does 384.13)19 include all of 3.0.0.4.382.52651 Asuswrt-Merlin 8
D AC87U running Merlin 384.13.10 hacked? Asuswrt-Merlin 1
B RT-AC86U: skip version 384.11_2 to version 386.7_2: risky? Asuswrt-Merlin 9
J Ac86u reset or go to 386 from merlin 384 Asuswrt-Merlin 28
S Can't upgrade former T-Mo RT-AC68U flashed to Asus from 384.19 to 386.72. Rebooted before attempt, update appears to succeed, but fails silently. Asuswrt-Merlin 8
D RT-AC68U stuck on version 384.19 after firmware updates Asuswrt-Merlin 16
garycnew Asuswrt-Merlin 384.19 WebUI won't load after Login Asuswrt-Merlin 7
M Setup IPv6 in the LAN and route it to VPN Asuswrt-Merlin 1

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 502 (members: 30, guests: 472)
Top