[AC87U] Firmware 384.4, VPN rules not working


Auguste

New Around Here
Hello,

Since I updated my AC87U to 384.4, my VPN rules are not working. On my device, when I check on myip.org, I have the FAI IP and not the VPN IP.

What can I do?

Thanks,
 

joegreat

Very Senior Member
87U with VPN, no problems here.
Same here: Working perfectly fine (coming from version 380.69_2) and using this approach/rules to redirect traffic to VPN connection.

I did a "dirty" update with no factory reset and re-config after the update. :rolleyes:
 

Auguste

New Around Here
Thanks,

But I found it.

In addition to the VPN rules, I had a DualWan rule to route all traffic of this device on the second FAI.

It seems the DualWan rules take precedence over the VPN rules.

When I deleted the DualWan rules, it worked.
 

Auguste

New Around Here
Bad news for me...

I found another problem. The VPN rules work only if dualwan is disabled. When I enable dualwan, the VPN rules don't work.
 

Martineau

Part of the Furniture
Bad news for me...

I found another problem. The VPN rules work only if dualwan is disabled. When I enable dualwan, the VPN rules don't work.
Script /usr/sbin/vpnrouting.sh will need to be patched

e.g. something like this:
Code:
        if [ "$TARGET_ROUTE" = "WAN" ]
        then
            TARGET_LOOKUP="main"
            WAN_PRIO=$((WAN_PRIO+1))
            RULE_PRIO=$WAN_PRIO
            TARGET_NAME="WAN"
        else
            TARGET_LOOKUP=$VPN_TBL
            VPN_PRIO=$((VPN_PRIO+1))
            RULE_PRIO=$VPN_PRIO
            TARGET_NAME="VPN client "$VPN_UNIT
        fi
change to
Code:
        ########################################################################################## Martineau Hack 2 of 10
        DESC=$(echo $ENTRY | cut -d ">" -f 1)
        #if [ "$TARGET_ROUTE" = "WAN" ]
        if [ "$TARGET_ROUTE" = "WAN" ] || [ "$TARGET_ROUTE" = "WAN0" ] || [ "$TARGET_ROUTE" = "WAN1" ]
        #################################################################################################################
        then
            TARGET_LOOKUP="main"
            TARGET_NAME="WAN"
            ########################################################################################## Martineau Hack 2 of 10
            # Allow GUI tagging for Dual WAN i.e. if DESC contains 'WAN1' then use it! - since drop down is 'WAN' only :-(
            # NOTE: WAN0 entries preferably should precede tagged 'WAN1' entries in the GUI as they will share a single priority
            #       although they will both ALWAYS have a higher priority than the VPN entries
            #if [ "$(nvram get wans_mode) == "lb" )];then  # FO (Failover) / FB (Fallback) / LB (Load-Balancing)
            #if [ -z "$(nvram get wans_dualwan | grep -io "none")" ];then
                if [ "$TARGET_ROUTE" = "WAN1" ] || [ ! -z "$(echo "$DESC" | grep -owi "WAN1" )" ];then
                    TARGET_LOOKUP="200"
                    TARGET_NAME="WAN1"
                    my_logger "Dual-WAN will use WAN1 instead of WAN0 (table main)"
                else
                    if [ "$TARGET_ROUTE" = "WAN0" ];then
                        TARGET_LOOKUP="100"
                    fi
                fi
            #fi
            # v382.xx> for Dual WAN etc. uses prio 100,150,200 and 400 :-(
            #WAN_PRIO=$((WAN_PRIO+1))
            WAN_PRIO=$((WAN_PRIO+OFFSET))
            ################################################################################################################
            RULE_PRIO=$WAN_PRIO
        else
            TARGET_LOOKUP=$VPN_TBL
            ########################################################################################## Martineau Hack 3 of 10
            # v382.xx> for Dual WAN etc. uses prio 100,150,200 and 400 :-(
            #VPN_PRIO=$((VPN_PRIO+1))
            VPN_PRIO=$((VPN_PRIO+OFFSET))
            ################################################################################################################
            RULE_PRIO=$VPN_PRIO
            TARGET_NAME="VPN client "$VPN_UNIT
        fi
and
Code:
START_PRIO=$((10000+(200*($VPN_UNIT-1))))
END_PRIO=$(($START_PRIO+199))
WAN_PRIO=$START_PRIO
VPN_PRIO=$(($START_PRIO+100))
change to
Code:
########################################################################################## Martineau Hack 9 of 10
# v382.xx> for Dual WAN etc. uses prio 100,150,200 and 400? :-(
FIRMWARE=$(echo $(nvram get buildno) | awk 'BEGIN { FS = "." } {printf("%03d%02d",$1,$2)}')
if [ -z "$(ip rule | grep -Eo -m 1 "^[124]00:")" ];then
    START_PRIO=$((10000+(200*($VPN_UNIT-1))))
    END_PRIO=$(($START_PRIO+199))
    VPN_PRIO=$(($START_PRIO+100))
    OFFSET=1
else
    START_PRIO=$VPN_UNIT"0"                     # Limit the VPN Clients to a single rule prio
    END_PRIO=$(($START_PRIO+9))
    VPN_PRIO=$(($START_PRIO+5))
    OFFSET=0                                    # Limit the VPN Clients to a single (multiple) rule prio 10,15 and 20,25 etc.
fi
WAN_PRIO=$START_PRIO
#VPN_PRIO=$(($START_PRIO+100))
################################################################################################################
 

Martineau

Part of the Furniture
Thanks Mr Martineau, but I'm very sorry to ask another question.

How to patch?

I'm connected by ssh, but it's a read-only system, and on https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files I can't see vpnrouting.sh among the files that can be modified.
You can always wait until the issue is formally resolved in the next release by the developer? ;)

However, if you prefer not to wait, simply clone the read-only script
Code:
cp /usr/sbin/vpnrouting.sh /jffs/scripts/vpnrouting.sh
chmod +x /jffs/scripts/vpnrouting.sh
Use nano/WinSCP etc. to edit /jffs/scripts/vpnrouting.sh

Test your script by mapping your modified script to the original
Code:
mount -o bind  /jffs/scripts/vpnrouting.sh /usr/sbin/vpnrouting.sh
df
and restarting the VPN Clients to see if the VPN Clients initialise successfully, and to check if the modifications to the RPDB rules have been made; issue:
Code:
ip rule
To revert to the original read-only script simply issue:
Code:
umount  /usr/sbin/vpnrouting.sh
NOTE: OpenVPN scripts can also be manually specified by the user either in the GUI or even via the openvpn-event trigger scripts but the mount/umount method is 'global' rather than per client.
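
A check for the symptom in this thread, a per-device rule that sends traffic out a WAN before the VPN rule is ever reached; it is an added example, not code from the thread or from the firmware. The `ovpnc1` table name, the device address and both `ip rule` listings are constructed assumptions; the priorities 10101 and 15 follow the formulas in the scripts above.

```shell
#!/bin/sh
# Added example. Reads `ip rule` output on stdin and prints one line for every
# VPN rule that is preceded by a non-VPN rule with the same "from" selector.
# Limitation: only identical selectors are compared (no CIDR containment, no fwmark).
# Assumption: VPN tables are named ovpncN; set this to whatever $VPN_TBL resolves to.
VPN_TABLE_RE='^ovpnc[0-9]+$'

shadowed_vpn_rules() {
    awk -v vpn_re="$VPN_TABLE_RE" '
    {
        prio = $1; sub(/:$/, "", prio)
        src = ""; tbl = ""
        for (i = 2; i < NF; i++) {
            if ($i == "from")   src = $(i + 1)
            if ($i == "lookup") tbl = $(i + 1)
        }
        # The "local" table at prio 0 precedes everything and is not a leak path.
        if (src == "" || tbl == "" || tbl == "local") next
        n++; P[n] = prio + 0; S[n] = src; T[n] = tbl
    }
    END {
        for (v = 1; v <= n; v++) {
            if (T[v] !~ vpn_re) continue
            for (o = 1; o <= n; o++)
                if (S[o] == S[v] && T[o] !~ vpn_re && P[o] < P[v])
                    printf "%s: prio %d lookup %s shadows prio %d lookup %s\n", S[v], P[o], T[o], P[v], T[v]
        }
    }'
}

# Constructed listing: stock priorities (10000-range) with a Dual-WAN rule at 100.
sample_unpatched() {
    printf '%s\n' \
        "0: from all lookup local" \
        "100: from 192.168.1.50 lookup 200" \
        "10101: from 192.168.1.50 lookup ovpnc1" \
        "32766: from all lookup main"
}

# Constructed listing: patched priorities (VPN client 1 -> prio 15) ahead of Dual-WAN.
sample_patched() {
    printf '%s\n' \
        "0: from all lookup local" \
        "15: from 192.168.1.50 lookup ovpnc1" \
        "100: from 192.168.1.50 lookup 200" \
        "32766: from all lookup main"
}

echo "unpatched:"; sample_unpatched | shadowed_vpn_rules
echo "patched:";   sample_patched   | shadowed_vpn_rules
```

On a router the live equivalent is `ip rule | shadowed_vpn_rules`; no output means no VPN rule is preceded by a same-source rule to another table.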
 