Any way to do a "route print"?

Dave Kolb

Occasional Visitor
I've installed the latest firmware for the AC68U and defined 3 OpenVPN clients on the router.

All three work but two of them only work by themselves and not together. If both are started, does not matter which, the other one shows "Error Connecting - IP/Routing conflict". The .ovpn files I imported work together under SecurePoint OpenVPN client on Windows 10 but not together on the router.

I'm guessing (software dev not a network expert) this has something to do with the routes pushed by our OpenVPN servers, though they are pushed with different metrics so they are not in conflict with each other. I can verify that using Windows "route print".

Does OpenVPN in the Merlin firmware respect metrics? Is ignoring metrics perhaps the conflict mentioned that keeps both clients from running at the same time?

If I could get a log of "route print" on the router, or more detailed logging, that might help diagnose.

Router system log and Win10 output below...

Thanks, Dave

The Merlin router system log shows this for the client that does not start properly, but does not show the entire rule unfortunately -

Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.178.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.179.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.140.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.160.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.180.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.141.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.161.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.181.0 255.255.255.0

Win10 "route print" where the clients work together (same ovpn files), shows the same routes with their interfaces for each client and with different metrics -

192.168.140.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.140.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.141.0 255.255.255.0 192.168.132.1 192.168.132.3 10
192.168.141.0 255.255.255.0 192.168.131.1 192.168.131.2 100
192.168.160.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.160.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.161.0 255.255.255.0 192.168.132.1 192.168.132.3 10
192.168.161.0 255.255.255.0 192.168.131.1 192.168.131.2 100
192.168.178.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.178.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.179.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.179.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.180.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.180.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.181.0 255.255.255.0 192.168.132.1 192.168.132.3 10
192.168.181.0 255.255.255.0 192.168.131.1 192.168.131.2 100
-------- end ------
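
The log and route table in the post above can be cross-referenced mechanically. The following is an added example, not part of the original post or of the firmware: it checks that each prefix the router reports as ignored is one that both VPN gateways carry in the Windows table, and lists the gateways lowest metric first. The function names are hypothetical, and the sample data is an excerpt of three of the eight prefixes from the post.

```python
import re
from collections import defaultdict

# Excerpts copied from the post above (three of the eight prefixes).
ROUTER_LOG = """\
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.178.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.140.0 255.255.255.0
Dec 8 18:13:09 openvpn[2023]: Ignore conflicted routing rule: 192.168.141.0 255.255.255.0
"""
# Windows "route print" columns: destination, netmask, gateway, interface, metric
WIN_ROUTES = """\
192.168.140.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.140.0 255.255.255.0 192.168.131.1 192.168.131.2 20
192.168.141.0 255.255.255.0 192.168.132.1 192.168.132.3 10
192.168.141.0 255.255.255.0 192.168.131.1 192.168.131.2 100
192.168.178.0 255.255.255.0 192.168.132.1 192.168.132.3 100
192.168.178.0 255.255.255.0 192.168.131.1 192.168.131.2 20
"""

IGNORED = re.compile(r"Ignore conflicted routing rule: (\S+) (\S+)")

def ignored_rules(log):
    """Return the (destination, netmask) pairs the router log says were skipped."""
    return [m.groups() for m in IGNORED.finditer(log)]

def routes_by_prefix(table):
    """Group route rows as (destination, netmask) -> [(metric, gateway), ...]."""
    grouped = defaultdict(list)
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip headers, blank lines and anything that is not a route row
        dest, mask, gateway, _iface, metric = fields
        grouped[(dest, mask)].append((int(metric), gateway))
    return grouped

def explain_conflicts(log, table):
    """Map each ignored prefix to its competing gateways, lowest metric first."""
    grouped = routes_by_prefix(table)
    report = {}
    for prefix in ignored_rules(log):
        candidates = sorted(grouped.get(prefix, []))
        if len({gw for _, gw in candidates}) > 1:  # same prefix via two gateways
            report[prefix] = candidates
    return report

if __name__ == "__main__":
    for (dest, mask), cands in explain_conflicts(ROUTER_LOG, WIN_ROUTES).items():
        print(f"{dest} {mask}: " + ", ".join(f"via {gw} metric {m}" for m, gw in cands))
```
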
 
Merlin firmware had CLI access from the GUI as well on earlier versions, but it got removed due to the simple fact that it was basically a big security hole, too easy to exploit via XSS.

So right now SSH is the only and proper way...

Now I have a question about your actual problem.
Why do you have multiple routes for same network via different gateway and different metric?
And what is the actual goal of such setup?

I currently suspect, that to make it work, every client should have different routes or there will be conflicts, unless metric is getting pushed too.
 
Etz, got it working with WinSCP, thx.
Do I need to do anything special to not allow external Internet access? I want ssh local private subnet access only.
 
Make sure that "Allow SSH access from WAN" is set to "No" on the very same page where you enabled SSH, and that the Firewall is enabled on the router.
Keep in mind that disabling the Firewall will actually completely disable it, so all other "rules and conditions" will be ignored and the whole router, including the Web GUI, will be accessible from the internet.
 
Now back to the problem itself, I suspect that OpenVPN client on AsusWRT disregards metric being pushed from server, hence the issue with conflicting routes...

Why do you actually need the same routes via different VPNs?
Because due to the different metric, it won't load balance anyway... it would just use the route with the better value and that is it.
And it is not good practice to run such setups; if load-balancing or redundancy is required, dynamic routing protocols should be used. AsusWRT is not capable of doing that.
 
Indeed, the route printout verifies it is not keeping the same metrics I see on Win10 - seems to always set them to 100 or 0. But I have not been able to see any routes for the VPN that fails though it does not show to be OFF. And so far have not figured out how to get more detail on the route command that is failing. Strongly suspect the ignoring of metric values.

Not trying to load balance, but we have multiple AD sites where one is a failover of the other, and they are also connected together if both are up. Depending on which subnet the IP is on that I want to access, and which VPN connection is working, I still want access, and I was hoping we could optimize the routes using metrics where each VPN sets routes to its local subnets with a higher metric.

Perhaps the OpenVPN route syntax is not fully supported by Linux OpenVPN? Or maybe what is pushed needs to be more specific or really is in conflict? Maybe the Windows SecurePoint client just ignores it...

So far, I have not been able to identify exactly what is being pushed to either the router or the win10 client but am currently trying to get a list of commands pushed by our servers.

Possibly know of any way to get the router OpenVPN client to log more detail? Thx!
 
Well, instead of playing with the metric, I would use a simpler approach.
If one VPN endpoint (site) goes down, just connect to another one.

I don't think it is an OpenVPN Linux client problem in general, but more likely an implementation issue or even more likely a design choice.

And actually I don't see a way to achieve your goal reliably without using some kind of dynamic routing, OSPF for example.
It is a home device and it does not have quagga or any other dynamic routing protocol daemon, or the horsepower to actually run it.

Hard to say, what and how is pushed from server side, without at least partial config file, to look at.
 