
Dual WAN and VPN


Nkond39

New Around Here
Asus RT-AC5300
Merlin WRT 384.5
Have Dual WAN in "Load Balancing" set up.
Have VPN I want to use for one specific device. VPN shows "Connected" on status page.
Using Strict Policy Rules from GUI to specify a device I want using VPN. However it does not. My real IP is still detectable and so on. I tried assigning this device to a specific WAN (tried both of them) to no avail. But as soon as I turn off Dual WAN, everything works fine.
Please help me. Will provide additional info, if requested.
Thanks.
See Dual WAN VPN rules not working
 
Thank you for answering!
Ok. I did what you described in the linked post. Still no go.
Basically what I want to do is select one of my WANs (secondary) for the VPN connection and then, out of several devices that are configured to use the secondary WAN, I want a few of them to use the VPN.
I used your script from [Solved] Dual Wan with 1 OpenVpn Client and ability to choose from which to wan to go out. to select the WAN I need to connect to the VPN and then followed your instructions on mounting the modified vpnrouting.sh
This is what I get in my log:
Code:
May 16 10:54:55 custom_script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn ) - max timeout = 120s
May 16 10:54:55 (openvpnclient1.postconf): 6212 Started..... [/etc/openvpn/client1/config.ovpn]
May 16 10:54:56 (openvpnclient1.postconf): 6212 VPN Client will BIND to 37.146.214.39 via interface 'vlan3'
May 16 10:54:56 (openvpnclient1.postconf): 6212 Complete.
May 16 10:54:56 ovpn-client1[6266]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 12 2018
May 16 10:54:56 ovpn-client1[6266]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
May 16 10:54:56 ovpn-client1[6267]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 16 10:54:56 ovpn-client1[6267]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 16 10:54:56 ovpn-client1[6267]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 16 10:54:56 ovpn-client1[6267]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.242.62.244:1194
May 16 10:54:56 ovpn-client1[6267]: Socket Buffers: R=[122880->122880] S=[122880->122880]
May 16 10:54:56 ovpn-client1[6267]: UDP link local (bound): [AF_INET]37.146.214.39:1194
May 16 10:54:56 ovpn-client1[6267]: UDP link remote: [AF_INET]94.242.62.244:1194
May 16 10:54:56 ovpn-client1[6267]: TLS: Initial packet from [AF_INET]94.242.62.244:1194, sid=c3ecd082 db5a3d6d
May 16 10:54:56 ovpn-client1[6267]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 16 10:54:56 ovpn-client1[6267]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ru12.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
May 16 10:54:56 ovpn-client1[6267]: VERIFY KU OK
May 16 10:54:56 ovpn-client1[6267]: Validating certificate extended key usage
May 16 10:54:56 ovpn-client1[6267]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 16 10:54:56 ovpn-client1[6267]: VERIFY EKU OK
May 16 10:54:56 ovpn-client1[6267]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ru12.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
May 16 10:54:56 ovpn-client1[6267]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 16 10:54:56 ovpn-client1[6267]: [ru12.nordvpn.com] Peer Connection Initiated with [AF_INET]94.242.62.244:1194
May 16 10:54:58 ovpn-client1[6267]: SENT CONTROL [ru12.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 16 10:54:58 ovpn-client1[6267]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.64 255.255.255.0,peer-id 40,cipher AES-256-GCM'
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: timers and/or timeouts modified
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
May 16 10:54:58 ovpn-client1[6267]: Socket Buffers: R=[122880->245760] S=[122880->245760]
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --ifconfig/up options modified
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: route options modified
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: route-related options modified
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: peer-id set
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: adjusting link_mtu to 1657
May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: data channel crypto options modified
May 16 10:54:58 ovpn-client1[6267]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 16 10:54:58 ovpn-client1[6267]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 16 10:54:58 ovpn-client1[6267]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 16 10:54:58 ovpn-client1[6267]: TUN/TAP device tun11 opened
May 16 10:54:58 ovpn-client1[6267]: TUN/TAP TX queue length set to 100
May 16 10:54:58 ovpn-client1[6267]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 16 10:54:58 ovpn-client1[6267]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 16 10:54:58 ovpn-client1[6267]: /usr/sbin/ip addr add dev tun11 10.8.8.64/24 broadcast 10.8.8.255
May 16 10:54:58 ovpn-client1[6267]: updown.sh tun11 1500 1585 10.8.8.64 255.255.255.0 init
May 16 10:54:58 openvpn-updown: Forcing 192.168.1.22 to use DNS server 103.86.96.100
May 16 10:54:58 rc_service: service 6386:notify_rc updateresolv

May 16 10:55:01 ovpn-client1[6267]: Ignore conflicted routing rule: 94.242.62.244 255.255.255.255
May 16 10:55:01 ovpn-client1[6267]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.8.1
May 16 10:55:01 ovpn-client1[6267]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.8.1
May 16 10:55:01 ovpn-client1[6267]: WARNING: Failed running command (--route-up): could not execute external program
May 16 10:55:01 ovpn-client1[6267]: Initialization Sequence Completed

This is what I get from ip rule:
Code:
0:      from all lookup local
100:    from 192.168.1.21 lookup wan0
100:    from 192.168.1.25 lookup wan0
100:    from 192.168.1.27 lookup wan0
100:    from 192.168.1.28 lookup wan0
100:    from 192.168.1.29 lookup wan0
100:    from 192.168.1.31 lookup wan0
100:    from 192.168.1.33 lookup wan0
100:    from 192.168.1.41 lookup wan0
100:    from 192.168.1.43 lookup wan0
100:    from 192.168.1.44 lookup wan0
100:    from 192.168.1.45 lookup wan0
100:    from 192.168.1.92 lookup wan0
100:    from 192.168.1.93 lookup wan0
100:    from 192.168.1.94 lookup wan0
100:    from 192.168.1.95 lookup wan0
100:    from 192.168.1.97 lookup wan0
100:    from 192.168.1.98 lookup wan0
100:    from 192.168.1.22 lookup wan1
100:    from 192.168.1.24 lookup wan1
100:    from 192.168.1.42 lookup wan1
100:    from 192.168.1.91 lookup wan1
100:    from 192.168.1.96 lookup wan1
100:    from 192.168.1.225 lookup wan1
100:    from 192.168.1.26 lookup wan1
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
150:    from all fwmark 0x90000000/0xf0000000 lookup wan1
200:    from 31.192.132.41 lookup wan0
200:    from 37.146.214.39 lookup wan1
200:    from 83.219.128.10 lookup wan0
200:    from 83.219.128.14 lookup wan0
200:    from 77.88.8.8 lookup wan1
200:    from 77.88.8.1 lookup wan1
400:    from all to 83.219.128.0 lookup wan0
400:    from all to 37.146.208.1 lookup wan1
400:    from all to 83.219.128.10 lookup wan0
400:    from all to 83.219.128.14 lookup wan0
400:    from all to 77.88.8.8 lookup wan1
400:    from all to 77.88.8.1 lookup wan1
10101:  from 192.168.1.22 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
 
I did what you described in the linked post. Still no go.
Basically what I want to do is select one of my WANs (secondary) for the VPN connection and then, out of several devices that are configured to use the secondary WAN, I want a few of them to use the VPN. I used your script from [Solved] Dual Wan with 1 OpenVpn Client and ability to choose from which to wan to go out. to select the WAN I need to connect to the VPN
Oh dear, you are using two of my dodgy scripts? :eek:
and then followed your instructions on mounting the modified vpnrouting.sh
I assume you created the script as a Unix LF-ending file with the correct encoding?

As you can see, the Selective routing rule
Code:
10101:  from 192.168.1.22 lookup ovpnc1
is too low a priority, and the vpnrouting.sh hack simply tries to move the GUI-generated VPN rules to a higher priority, i.e. less than PRIO 100 rather than greater than PRIO 10000.

To prove the rule, you can manually insert the required RPDB Selective routing rule
Code:
ip rule add from 192.168.1.22 table ovpnc1 prio 15
ip route flush cache
and test to see if it works, before needlessly spending time debugging the vpnrouting.sh hacks.

i.e.
Code:
df -Th

Filesystem           Type       1K-blocks      Used Available Use% Mounted on
<snip>
/dev/mtdblock4       jffs2          62.8M     16.0M     46.8M  25% /usr/sbin/vpnrouting.sh
Set GUI VPN 1 Client Log verbosity=4 and insert judicious 'logger' statements to print out the variables $START_PRIO, $END_PRIO, $VPN_PRIO and $OFFSET etc.
e.g.
Code:
START_PRIO=$VPN_UNIT"0"      # Limit the VPN Clients to a single rule prio (client 1 -> 10)
END_PRIO=$(($START_PRIO+9))   # last prio reserved for this client (client 1 -> 19)
VPN_PRIO=$(($START_PRIO+5))   # prio actually used for the Selective routing rule (client 1 -> 15)
# $$ is the script's PID, so the syslog line can be matched to the postconf entries above
logger -st "($(basename $0))" $$ "Dual WAN (Load Balance) RPDB rules detected....START_PRIO=$START_PRIO, and VPN Client $VPN_UNIT VPN_PRIO=$VPN_PRIO"
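As an added example (not from the thread and not part of Martineau's scripts), a small POSIX shell check that reads `ip rule` output and reports whether a host's VPN policy rule is shadowed by a lower-numbered rule for the same source, which is exactly what the listing above shows for 192.168.1.22 (prio 100 -> wan1 is matched before prio 10101 -> ovpnc1). The sample rule text is constructed from the thread's listing; the live `ip rule` table is read only when no rule text is passed in.

```shell
#!/bin/sh
# Constructed sample of `ip rule` output, trimmed from the listing in the thread.
SAMPLE_RULES='0:      from all lookup local
100:    from 192.168.1.21 lookup wan0
100:    from 192.168.1.22 lookup wan1
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
200:    from 37.146.214.39 lookup wan1
400:    from all to 37.146.208.1 lookup wan1
10101:  from 192.168.1.22 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# rule_prio HOST TABLE [RULES]: print the lowest prio of a "from HOST lookup TABLE"
# rule (ip rule lists rules in ascending prio order), or nothing if there is none.
# RULES defaults to the live `ip rule` output when not supplied.
rule_prio() {
    printf '%s\n' "${3:-$(ip rule)}" | awk -v h="$1" -v t="$2" '
        $2 == "from" && $3 == h && $4 == "lookup" && $5 == t {
            sub(":", "", $1); print $1; exit
        }'
}

# vpn_rule_shadowed HOST VPN_TABLE [RULES]
#   exit 0 and print the winning table if a rule for HOST with a lower prio
#   number than the VPN rule matches first (the case in the thread:
#   prio 100 -> wan1 wins over prio 10101 -> ovpnc1)
#   exit 1 if the VPN rule is the first rule that matches HOST
#   exit 2 if HOST has no rule pointing at VPN_TABLE at all
vpn_rule_shadowed() {
    rules=${3:-$(ip rule)}
    vpn_prio=$(rule_prio "$1" "$2" "$rules")
    [ -n "$vpn_prio" ] || return 2
    printf '%s\n' "$rules" | awk -v h="$1" -v t="$2" -v vp="$vpn_prio" '
        $2 == "from" && $3 == h && $4 == "lookup" && $5 != t {
            sub(":", "", $1)
            if ($1 + 0 < vp + 0) { print $5; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Demo against the constructed sample; on the router, call
# vpn_rule_shadowed 192.168.1.22 ovpnc1 with no third argument to read the live table.
if t=$(vpn_rule_shadowed 192.168.1.22 ovpnc1 "$SAMPLE_RULES"); then
    echo "192.168.1.22: VPN rule never reached, traffic leaves via table $t"
fi
```

Re-run the check after adding the prio 15 rule from the post above; it should then exit 1, meaning the ovpnc1 rule is the first match for that host.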