Dual WAN and VPN

Discussion in 'Asuswrt-Merlin' started by Nkond39, May 16, 2018.

  1. Nkond39

    Nkond39 New Around Here

    Joined:
    May 16, 2018
    Messages:
    2
    Asus RT-AC5300
    Merlin WRT 384.5
    Have Dual WAN in "Load Balancing" set up.
    Have VPN I want to use for one specific device. VPN show "Connected" on status page.
    Using Strict Policy Rules from the GUI to specify a device I want using the VPN. However, it does not. My real IP is still detectable and so on. I tried assigning this device to a specific WAN (tried both of them) to no avail. But as soon as I turn off Dual WAN, everything works fine.
    Please help me. Will provide additional info, if requested.
    Thanks.
     
    Last edited: May 16, 2018
  3. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,787
    Location:
    UK
    See Dual WAN VPN rules not working
     
    HuskyHerder and Nkond39 like this.
  4. Nkond39

    Nkond39 New Around Here

    Joined:
    May 16, 2018
    Messages:
    2
    Thank you for answering!
    Ok. I did what you described in the linked post. Still no go.
    Basically what I want to do is select one of my WANs (secondary) for the VPN connection, and then, out of several devices that are configured to use the secondary WAN, I want a few of them to use the VPN.
    I used your script from [Solved] Dual Wan with 1 OpenVpn Client and ability to choose from which to wan to go out. to select the WAN I need to connect to the VPN, and then followed your instructions on mounting the modified vpnrouting.sh.
    This is what I get in my log
    Code:
    May 16 10:54:55 custom_script: Running /jffs/scripts/openvpnclient1.postconf (args: /etc/openvpn/client1/config.ovpn ) - max timeout = 120s
    May 16 10:54:55 (openvpnclient1.postconf): 6212 Started..... [/etc/openvpn/client1/config.ovpn]
    May 16 10:54:56 (openvpnclient1.postconf): 6212 VPN Client will BIND to 37.146.214.39 via interface 'vlan3'
    May 16 10:54:56 (openvpnclient1.postconf): 6212 Complete.
    May 16 10:54:56 ovpn-client1[6266]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 12 2018
    May 16 10:54:56 ovpn-client1[6266]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
    May 16 10:54:56 ovpn-client1[6267]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 16 10:54:56 ovpn-client1[6267]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    May 16 10:54:56 ovpn-client1[6267]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    May 16 10:54:56 ovpn-client1[6267]: TCP/UDP: Preserving recently used remote address: [AF_INET]94.242.62.244:1194
    May 16 10:54:56 ovpn-client1[6267]: Socket Buffers: R=[122880->122880] S=[122880->122880]
    May 16 10:54:56 ovpn-client1[6267]: UDP link local (bound): [AF_INET]37.146.214.39:1194
    May 16 10:54:56 ovpn-client1[6267]: UDP link remote: [AF_INET]94.242.62.244:1194
    May 16 10:54:56 ovpn-client1[6267]: TLS: Initial packet from [AF_INET]94.242.62.244:1194, sid=c3ecd082 db5a3d6d
    May 16 10:54:56 ovpn-client1[6267]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    May 16 10:54:56 ovpn-client1[6267]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ru12.nordvpn.com, name=NordVPN, [email protected]
    May 16 10:54:56 ovpn-client1[6267]: VERIFY KU OK
    May 16 10:54:56 ovpn-client1[6267]: Validating certificate extended key usage
    May 16 10:54:56 ovpn-client1[6267]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    May 16 10:54:56 ovpn-client1[6267]: VERIFY EKU OK
    May 16 10:54:56 ovpn-client1[6267]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=ru12.nordvpn.com, name=NordVPN, [email protected]
    May 16 10:54:56 ovpn-client1[6267]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    May 16 10:54:56 ovpn-client1[6267]: [ru12.nordvpn.com] Peer Connection Initiated with [AF_INET]94.242.62.244:1194
    May 16 10:54:58 ovpn-client1[6267]: SENT CONTROL [ru12.nordvpn.com]: 'PUSH_REQUEST' (status=1)
    May 16 10:54:58 ovpn-client1[6267]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.64 255.255.255.0,peer-id 40,cipher AES-256-GCM'
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: timers and/or timeouts modified
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    May 16 10:54:58 ovpn-client1[6267]: Socket Buffers: R=[122880->245760] S=[122880->245760]
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --ifconfig/up options modified
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: route options modified
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: route-related options modified
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: peer-id set
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: adjusting link_mtu to 1657
    May 16 10:54:58 ovpn-client1[6267]: OPTIONS IMPORT: data channel crypto options modified
    May 16 10:54:58 ovpn-client1[6267]: Data Channel: using negotiated cipher 'AES-256-GCM'
    May 16 10:54:58 ovpn-client1[6267]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 16 10:54:58 ovpn-client1[6267]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 16 10:54:58 ovpn-client1[6267]: TUN/TAP device tun11 opened
    May 16 10:54:58 ovpn-client1[6267]: TUN/TAP TX queue length set to 100
    May 16 10:54:58 ovpn-client1[6267]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    May 16 10:54:58 ovpn-client1[6267]: /usr/sbin/ip link set dev tun11 up mtu 1500
    May 16 10:54:58 ovpn-client1[6267]: /usr/sbin/ip addr add dev tun11 10.8.8.64/24 broadcast 10.8.8.255
    May 16 10:54:58 ovpn-client1[6267]: updown.sh tun11 1500 1585 10.8.8.64 255.255.255.0 init
    May 16 10:54:58 openvpn-updown: Forcing 192.168.1.22 to use DNS server 103.86.96.100
    May 16 10:54:58 rc_service: service 6386:notify_rc updateresolv
    
    May 16 10:55:01 ovpn-client1[6267]: Ignore conflicted routing rule: 94.242.62.244 255.255.255.255
    May 16 10:55:01 ovpn-client1[6267]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.8.1
    May 16 10:55:01 ovpn-client1[6267]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.8.1
    May 16 10:55:01 ovpn-client1[6267]: WARNING: Failed running command (--route-up): could not execute external program
    May 16 10:55:01 ovpn-client1[6267]: Initialization Sequence Completed
    
    This is what I get from ip rule
    Code:
    0:      from all lookup local
    100:    from 192.168.1.21 lookup wan0
    100:    from 192.168.1.25 lookup wan0
    100:    from 192.168.1.27 lookup wan0
    100:    from 192.168.1.28 lookup wan0
    100:    from 192.168.1.29 lookup wan0
    100:    from 192.168.1.31 lookup wan0
    100:    from 192.168.1.33 lookup wan0
    100:    from 192.168.1.41 lookup wan0
    100:    from 192.168.1.43 lookup wan0
    100:    from 192.168.1.44 lookup wan0
    100:    from 192.168.1.45 lookup wan0
    100:    from 192.168.1.92 lookup wan0
    100:    from 192.168.1.93 lookup wan0
    100:    from 192.168.1.94 lookup wan0
    100:    from 192.168.1.95 lookup wan0
    100:    from 192.168.1.97 lookup wan0
    100:    from 192.168.1.98 lookup wan0
    100:    from 192.168.1.22 lookup wan1
    100:    from 192.168.1.24 lookup wan1
    100:    from 192.168.1.42 lookup wan1
    100:    from 192.168.1.91 lookup wan1
    100:    from 192.168.1.96 lookup wan1
    100:    from 192.168.1.225 lookup wan1
    100:    from 192.168.1.26 lookup wan1
    150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
    150:    from all fwmark 0x90000000/0xf0000000 lookup wan1
    200:    from 31.192.132.41 lookup wan0
    200:    from 37.146.214.39 lookup wan1
    200:    from 83.219.128.10 lookup wan0
    200:    from 83.219.128.14 lookup wan0
    200:    from 77.88.8.8 lookup wan1
    200:    from 77.88.8.1 lookup wan1
    400:    from all to 83.219.128.0 lookup wan0
    400:    from all to 37.146.208.1 lookup wan1
    400:    from all to 83.219.128.10 lookup wan0
    400:    from all to 83.219.128.14 lookup wan0
    400:    from all to 77.88.8.8 lookup wan1
    400:    from all to 77.88.8.1 lookup wan1
    10101:  from 192.168.1.22 lookup ovpnc1
    32766:  from all lookup main
    32767:  from all lookup default
    
     
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,787
    Location:
    UK
    Oh dear, you are using two of my dodgy scripts? :eek:
    I assume you created the script as a Unix LF-ending file with the correct encoding?

    As you can see, the Selective routing rule
    Code:
    10101:  from 192.168.1.22 lookup ovpnc1
    is too low a priority, and the vpnrouting.sh hack simply tries to move the GUI-generated VPN rules to a higher priority, i.e. less than PRIO 100 rather than greater than PRIO 10000.

    To prove the rule, you can manually insert the required RPDB Selective routing rule
    Code:
    ip rule add from 192.168.1.22 table ovpnc1 prio 15
    ip route flush cache
    and test to see if it works, before needlessly spending time debugging the vpnrouting.sh hacks.

    i.e.
    Code:
    df -Th
    
    Filesystem           Type       1K-blocks      Used Available Use% Mounted on
    <snip>
    /dev/mtdblock4       jffs2          62.8M     16.0M     46.8M  25% /usr/sbin/vpnrouting.sh
    Set the GUI VPN Client 1 Log verbosity=4 and insert judicious 'logger' statements to print out the variables $START_PRIO, $END_PRIO, $VPN_PRIO and $OFFSET etc.
    e.g.
    Code:
     # VPN_UNIT (the client number, 1-5) is set earlier in vpnrouting.sh
     START_PRIO=$VPN_UNIT"0"      # Limit the VPN Clients to a single rule prio block (10-19 for client 1)
     END_PRIO=$(($START_PRIO+9))
     VPN_PRIO=$(($START_PRIO+5))
     logger -st "($(basename $0))" $$ "Dual WAN (Load Balance) RPDB rules detected....START_PRIO=$START_PRIO, and VPN Client $VPN_UNIT VPN_PRIO=$VPN_PRIO"
     
    Last edited: May 17, 2018
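A quick check for the rule ordering Martineau describes, as an added example that is not from the thread or from vpnrouting.sh: it parses `ip rule` output and reports whether a device's ovpnc1 rule is shadowed by a lower-numbered Dual WAN rule. The sample listing is constructed from the one posted above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or vpnrouting.sh: parse 'ip rule'
# output and report whether a device's VPN selective-routing rule is
# shadowed by a lower-numbered (higher-priority) Dual WAN rule.

# Constructed sample, abridged from the 'ip rule' listing posted above.
SAMPLE_RULES='0:      from all lookup local
100:    from 192.168.1.21 lookup wan0
100:    from 192.168.1.22 lookup wan1
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
200:    from 37.146.214.39 lookup wan1
10101:  from 192.168.1.22 lookup ovpnc1
32766:  from all lookup main'

# Same listing after "ip rule add from 192.168.1.22 table ovpnc1 prio 15".
FIXED_RULES="15:     from 192.168.1.22 lookup ovpnc1
$SAMPLE_RULES"

# first_rule_prio RULES SRC_IP: priority of the first rule whose 'from'
# matches SRC_IP exactly. The RPDB is walked in ascending priority, so the
# 'from all' fwmark/default rules are ignored here on purpose.
first_rule_prio() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$2 == "from" && $3 == ip { sub(":", "", $1); print $1; exit }'
}

# vpn_rule_prio RULES SRC_IP TABLE: priority of the rule sending SRC_IP to
# the VPN table (e.g. ovpnc1), or nothing if no such rule exists.
vpn_rule_prio() {
    printf '%s\n' "$1" | awk -v ip="$2" -v t="$3" \
        '$2 == "from" && $3 == ip && $5 == t { sub(":", "", $1); print $1; exit }'
}

# vpn_rule_shadowed RULES SRC_IP TABLE: prints "yes" when another rule for
# SRC_IP precedes the VPN rule, "no" when the VPN rule wins, "missing" when
# there is no VPN rule for that device at all.
vpn_rule_shadowed() {
    vprio=$(vpn_rule_prio "$1" "$2" "$3")
    if [ -z "$vprio" ]; then
        echo missing
        return 0
    fi
    fprio=$(first_rule_prio "$1" "$2")
    if [ "$fprio" -lt "$vprio" ]; then echo yes; else echo no; fi
}

echo "before fix: shadowed=$(vpn_rule_shadowed "$SAMPLE_RULES" 192.168.1.22 ovpnc1)"
echo "after fix:  shadowed=$(vpn_rule_shadowed "$FIXED_RULES" 192.168.1.22 ovpnc1)"
```

On the router itself, replace the constructed sample with `ip rule` output (e.g. `RULES=$(ip rule)`) to check the live RPDB.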