
Can anyone tell me why this is not working?


AsusRouterUser

Can anyone tell me why the route is not working? If I set "redirect internet traffic" to all then it works, but not with Policy Rules.
 

Attachment: Screen Shot 2023-07-20 at 6.26.41 PM.png

Post your screenshot again without the IP information blanked out. There is no reason to hide private IP addresses, it just makes problems more difficult to diagnose.

Look in the system log for error messages when you start the VPN client.

You appear to be using an old version of the firmware. Policy Rules was replaced by VPN Director some time ago.
 
Sorry, I am not where I can take another screenshot. However, the missing parts are: at the top, the All Traffic is 192.168.50.0/24, and the part at the bottom is route 192.168.25.100 255.255.255.255 vpn_gateway, and that is a local machine on the other side of the VPN. I can get to it no problem with All instead of Policy Rules, but with it set that way if the VPN goes down it uses my regular internet instead of just thinking there is NO internet like it does with Policy Rules (which is what I want). As for it being old firmware, it is because it is an old router and that is the newest firmware I can get for it. I only use it for temp stuff; most of the time it is off.
 
I can get to it no problem with All instead of Policy Rules, but with it set that way if the VPN goes down it uses my regular internet instead of just thinking there is NO internet like it does with Policy Rules (which is what I want).
I've read this about 20 times and I still can't work out what "it" is having the problem.

Are you saying this problem only happens when you have the "route" command present in your custom configuration?

Is "it" the router? So you're saying that "Block routed clients if tunnel goes down" is not working when Policy Rules are not being used? This seems to be the opposite of what you said in post #1.
 
Sorry I was not clear. The issue is I can't get to the routed device, i.e. 192.168.25.100, when it is set to Policy Rules, but I can get to it if it is set to All, and I want to use Policy Rules, but I can't figure out why the "route 192.168.25.100 255.255.255.255 vpn_gateway" does not work when it is set to Policy Rules. Sorry, and it is "Redirect Internet traffic".
 
Do you need the route 192.168.25.100 255.255.255.255 vpn_gateway line at all? As far as I can see that would only be required if the device at 192.168.25.100 wanted to initiate a connection back to your router.

Sorry, ignore the second part. I got the client and server ends of the tunnel confused.
 
Well if I take out "route 192.168.25.100 255.255.255.255 vpn_gateway" it does not connect on All or Policy Rules, but with it in I can get to it on All but not Policy Rules.
 
See the edit to my previous post.

Can you confirm that 192.168.25.0/24 is the network on the server side of the tunnel? Is there any unusual routing happening on the remote network?
 
Yes 192.168.25.0/24 is definitely the server side of the tunnel and no there is nothing unusual happening on it.
 
Sorry, I'm out of ideas. I don't have any way of testing this and in any case the implementation of policy rules has changed over time.

You could try looking at the output of these commands and comparing them with and without policy rules.
Code:
ip rule
ip route show table main
ip route show table ovpnc1
 
Ok well thanks for trying to help anyway, I appreciate your time. These are the logs when Policy Rules is on...

Jul 21 13:39:53 openvpn[2460]: /usr/sbin/ip route add “remote ip”/32 via “my ip”
Jul 21 13:39:53 openvpn[2460]: /usr/sbin/ip route add 0.0.0.0/1 via 10.12.234.1
Jul 21 13:39:53 openvpn[2460]: /usr/sbin/ip route add 128.0.0.0/1 via 10.12.234.1
Jul 21 13:39:53 openvpn[2460]: /usr/sbin/ip route add 192.168.25.100/32 via 10.12.234.1
Jul 21 13:39:54 openvpn-routing: Configuring policy rules for client 1
Jul 21 13:39:54 openvpn-routing: Creating VPN routing table
Jul 21 13:39:54 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from VPN table
Jul 21 13:39:54 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from VPN table
Jul 21 13:39:54 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from table main
Jul 21 13:39:54 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from table main
Jul 21 13:39:54 openvpn-routing: Retained route for 192.168.25.100 to tun11 in table main
Jul 21 13:39:54 openvpn-routing: Removing rule 10101 from routing policy
Jul 21 13:39:54 openvpn-routing: Added 192.168.50.0/24 to 0.0.0.0 through VPN to routing policy
Jul 21 13:39:54 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Jul 21 13:39:54 openvpn-routing: Setting default VPN route via 10.12.234.1
Jul 21 13:39:54 openvpn-routing: VPN WAN address is “remote ip”
Jul 21 13:39:54 openvpn-routing: Completed routing policy configuration for client 1
Jul 21 13:39:54 openvpn[2460]: Initialization Sequence Completed
 
Ok well here is the output of those commands...

This is with it set to All and here it WORKS...
# ip route show table main
x.x.x.x dev eth0 scope link
192.168.25.100 via 10.12.234.1 dev tun11
"SERVER IP" via x.x.x.x dev eth0
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
10.12.234.0/24 dev tun11 proto kernel scope link src 10.12.234.2
x.x.x.x/24 dev eth0 proto kernel scope link src "MY IP"
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 10.12.234.1 dev tun11
128.0.0.0/1 via 10.12.234.1 dev tun11
default via x.x.x.x dev eth0

# ip route show table ovpnc1
x.x.x.x dev eth0 scope link
"SERVER IP" via x.x.x.x dev eth0
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
x.x.x.x/24 dev eth0 proto kernel scope link src "MY IP"
127.0.0.0/8 dev lo scope link


This is with Policy Rules on and it NOT WORKING...
# ip rule
0: from all lookup local
10101: from 192.168.50.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

# ip route show table main
x.x.x.x dev eth0 scope link
192.168.25.100 via 10.12.234.1 dev tun11
"SERVER IP" via x.x.x.x dev eth0
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
10.12.234.0/24 dev tun11 proto kernel scope link src 10.12.234.2
x.x.x.x/24 dev eth0 proto kernel scope link src "MY IP"
127.0.0.0/8 dev lo scope link
default via x.x.x.x dev eth0

# ip route show table ovpnc1
x.x.x.x dev eth0 scope link
"SERVER IP" via x.x.x.x dev eth0
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
x.x.x.x/24 dev eth0 proto kernel scope link src "MY IP"
127.0.0.0/8 dev lo scope link
default via 10.12.234.1 dev tun11

The only real difference I see is when it works I see this...
128.0.0.0/1 via 10.12.234.1

But I don't understand this well enough to know what that means or how to fix it.
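
Added example, not part of the thread: a small Python model of the Linux policy-routing lookup (rules in priority order, longest-prefix match inside each table) run over the `ip rule` and `ip route` output posted above for the Policy Rules case. The redacted WAN entries are replaced by constructed documentation addresses, and the LAN client address 192.168.50.20 is an assumption.

```python
import ipaddress

# Routes transcribed from the thread's "Policy Rules" output. The redacted
# x.x.x.x / "SERVER IP" entries are replaced by constructed documentation
# addresses (203.0.113.0/24, 198.51.100.10); everything else is as posted.
MAIN = [
    ("192.168.25.100/32", "10.12.234.1", "tun11"),
    ("198.51.100.10/32", "203.0.113.1", "eth0"),
    ("192.168.50.0/24", None, "br0"),
    ("10.12.234.0/24", None, "tun11"),
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
]
OVPNC1 = [
    ("198.51.100.10/32", "203.0.113.1", "eth0"),
    ("192.168.50.0/24", None, "br0"),
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.12.234.1", "tun11"),
]
TABLES = {"main": MAIN, "ovpnc1": OVPNC1}
# (priority, source selector, table) as printed by `ip rule`; the local and
# default tables are omitted because the thread does not show their contents.
RULES = [(10101, "192.168.50.0/24", "ovpnc1"), (32766, "0.0.0.0/0", "main")]


def lookup(src, dst, rules=RULES, tables=TABLES):
    """Return (table, prefix, gateway, dev) the way the kernel picks it:
    rules in priority order, longest-prefix match inside each table, and
    fall through to the next rule when a table has no matching route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules):
        if src not in ipaddress.ip_network(selector):
            continue
        matches = [r for r in tables[table]
                   if dst in ipaddress.ip_network(r[0])]
        if matches:
            best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return (table,) + best
    return None


if __name__ == "__main__":
    # Constructed LAN client address, then the router's own tunnel address.
    for src in ("192.168.50.20", "10.12.234.2"):
        print(src, "->", lookup(src, "192.168.25.100"))
```

With these tables both lookups end at 10.12.234.1 on tun11: the LAN client gets there through the default route in ovpnc1, the router itself through the /32 retained in main.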
 
