Can't SSH to Raspberry Pi on LAN with VPN Director


arkywein

Occasional Visitor
Hi all,

I have an RT-AX58U router running 388.1 firmware.
I also have a VPN client that is constantly connected to Mullvad VPN (in fact, five of them with only one being active at a time). The only VPN Director rule that I have is to forward traffic from all local devices through that very VPN client.


After I restarted my router several hours ago, my RPi stopped responding through SSH (it has a static IP 192.168.0.254), and everything that is hosted there became unavailable too. At first I thought that there was something wrong with the RPi itself so I rebooted it, but it didn't help.
ssh admin@192.168.0.254 -p 2022 -vvv
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.0.254 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/MAJ/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/MAJ/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.0.254 [192.168.0.254] port 2022.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: connect to address 192.168.0.254 port 2022: Operation timed out
ssh: connect to host 192.168.0.254 port 2022: Operation timed out

Then I added another rule to VPN Director to forward RPi's traffic through WAN and voila! – I managed to connect to it via SSH. Not sure what is happening as it worked flawlessly in the past with my RPi being constantly connected to VPN through VPN Client/Director rules.

Here's the log when I route my RPi through WAN
Jan 9 16:06:47 rc_service: httpd 1593:notify_rc restart_vpnrouting0
Jan 9 16:06:47 custom_script: Running /jffs/scripts/service-event (args: restart vpnrouting0)
Jan 9 16:06:47 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:06:47 vpndirector: Routing APPLE TV from 192.168.0.130 to any through main
Jan 9 16:06:47 vpndirector: Routing MRK-SRV from 192.168.0.254 to any through main
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc5
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC5
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc4
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC4
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC4
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc3
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc3
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC3
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC3
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc2
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc2
Jan 9 16:06:47 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:06:47 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC2
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC2
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc1
Jan 9 16:06:47 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc1

And here's what happens when I disable the RPi through WAN rule
Jan 9 16:08:34 rc_service: httpd 1593:notify_rc restart_vpnrouting0
Jan 9 16:08:34 custom_script: Running /jffs/scripts/service-event (args: restart vpnrouting0)
Jan 9 16:08:34 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:08:34 vpndirector: Routing APPLE TV from 192.168.0.130 to any through main
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc5
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC5
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC5
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC5
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc4
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC4
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC4
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC4
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc3
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc3
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC3
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC3
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC3
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc2
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc2
Jan 9 16:08:34 wireguard: Forcing 192.168.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:08:34 wireguard: Forcing 10.6.0.0/24 to use DNS server 10.64.0.1 for WGC2
Jan 9 16:08:34 wireguard: Excluding 192.168.0.1 from forced DNS routing for WGC2
Jan 9 16:08:34 wireguard: Excluding 192.168.0.130 from forced DNS routing for WGC2
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc1
Jan 9 16:08:34 vpndirector: Routing ALL VPN from 10.6.0.0/24 to any through wgc1

What do you think could be the reason for it?
 
Fixed it by disconnecting other VPN clients and leaving just one connected. Still not sure what exactly happened as everything worked well with four other clients connected, but the issue is now gone. Will be happy to provide logs if this is a potential bug material ;)
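
A small log check for the two syslog excerpts above, added here as an example and not part of the original posts: it lists every interface whose VPN Director rules cover a given LAN address, so the difference between the two runs (and the same ALL LOCAL rule being logged for several wgc interfaces) is visible at a glance. The sample lines are a constructed subset of the thread's log, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples: a subset of the vpndirector lines quoted in the thread.
WITH_WAN_RULE = """\
Jan 9 16:06:47 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:06:47 vpndirector: Routing MRK-SRV from 192.168.0.254 to any through main
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:06:47 wireguard: Excluding 192.168.0.254 from forced DNS routing for WGC5
Jan 9 16:06:47 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
"""
WITHOUT_WAN_RULE = """\
Jan 9 16:08:34 vpndirector: Routing ROUTER from 192.168.0.1 to any through main
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc5
Jan 9 16:08:34 vpndirector: Routing ALL LOCAL from 192.168.0.0/24 to any through wgc4
"""

# Matches only the "vpndirector: Routing NAME from SRC to DST through IFACE" lines.
RULE = re.compile(
    r"vpndirector: Routing (?P<name>.+?) from (?P<src>\S+) to \S+ through (?P<iface>\S+)$"
)

def parse_rules(log):
    """Return (name, source_network, interface) for each logged routing rule."""
    rules = []
    for line in log.splitlines():
        m = RULE.search(line.strip())
        if not m:
            continue  # wireguard/rc_service lines are not routing rules
        src = "0.0.0.0/0" if m["src"] == "any" else m["src"]
        rules.append((m["name"], ipaddress.ip_network(src, strict=False), m["iface"]))
    return rules

def interfaces_for(log, host):
    """Interfaces, in log order, whose rules have a source covering `host`."""
    addr = ipaddress.ip_address(host)
    seen = []
    for _name, net, iface in parse_rules(log):
        if addr in net and iface not in seen:
            seen.append(iface)
    return seen

def summarize(log, host):
    """Report whether `host` has a rule through main and which tunnels cover it."""
    ifaces = interfaces_for(log, host)
    tunnels = [i for i in ifaces if i != "main"]
    return {"via_main": "main" in ifaces, "tunnels": tunnels}

if __name__ == "__main__":
    for label, log in (("with WAN rule", WITH_WAN_RULE), ("without", WITHOUT_WAN_RULE)):
        print(label, summarize(log, "192.168.0.254"))
```

Running it against the full syslog after each VPN Director change shows whether a host still has its own `main` rule and how many `wgc` interfaces the subnet-wide rule was logged for.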
 
