How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Discussion in 'VPN' started by yorgi, Mar 5, 2016.

  1. mirage22

    mirage22 Regular Contributor

    Yes, I had the same question about reneg-sec 0. Thanks for answering that, Eric.
    Same goes with TLS-CLIENT. Is that needed?
     
  2. yorgi

    yorgi Very Senior Member

    Yes, it's needed.
    You can always see if something is needed by uploading and importing an .ovpn file;
    it will scan what you already have and only add what is needed to the custom config.
    I had added a few extra lines, and that reneg 0 is one that I didn't know was incorporated in the client.
    There is no perfect OpenVPN guide; it's a lot of hit and miss, but I think this guide is now pretty accurate.
    I will update it if someone finds anything wrong :)
     
  3. Veldkornet

    Veldkornet Senior Member

    Has anyone had any problems with OpenVPN Client using policy rules?

    I have a few rules that redirect 0.0.0.0 where the destination is x.x.x.x.

    Everything seems to be working fine in the beginning and works as expected, but after a few minutes the error below keeps repeating every 20 seconds and no devices have internet anymore. If I just redirect all traffic instead of using a policy, it seems to work fine.

    Code:
    Mar 24 22:34:39 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
    Mar 24 22:34:54 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
    Mar 24 22:35:14 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
    Mar 24 22:35:34 openvpn[3574]: RESOLVE: Cannot resolve host address: <vpn_host>: Name or service not known
    *Note: <vpn_host> is the actual VPN server name that you would normally enter in the configuration page, not the text "<vpn_host>". ;)

    Right before that repeated error is this:
    Code:
    Mar 24 22:34:19 openvpn[3574]: read TCPv4_CLIENT: Connection timed out (code=110)
    Mar 24 22:34:19 openvpn[3574]: Connection reset, restarting [0]
    Mar 24 22:34:19 openvpn[3574]: SIGUSR1[soft,connection-reset] received, process restarting
    Mar 24 22:34:19 openvpn[3574]: Restart pause, 5 second(s)
    Mar 24 22:34:24 openvpn[3574]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 24 22:34:24 openvpn[3574]: Socket Buffers: R=[87380->87380] S=[16384->16384]

    Sent from my iPhone using Tapatalk
     
  4. yorgi

    yorgi Very Senior Member

    A specific IP goes to the VPN and all other traffic will automatically go to the local ISP.

    Under Source IP put 192.168.xxx.xxx, Destination IP 0.0.0.0 and Iface VPN.
    Add as many lines as you have devices that you want to use the VPN.

    It is also very important to enable
    Block routed clients if tunnel goes down
     
    Last edited: Mar 26, 2016
  5. Veldkornet

    Veldkornet Senior Member

    Hmm okay, so I'm missing 1 rule, I guess, if I understand you correctly. I was under the assumption that this was done automatically, i.e. all clients will use the WAN unless I specify in the rules that they should use the VPN.
    Basically I want all traffic to use the normal WAN, but to a few specific destinations it should use the VPN (for all clients).

    Does source have to be 255.255.255.0? Or does 0.0.0.0 also work?
    So in other words I should change it like this?

    Source: 255.255.255.0 Dest: 0.0.0.0 WAN (I don't currently have this added)
    Source: 255.255.255.0 Dest: x.x.x.x VPN
    Source: 255.255.255.0 Dest: x.x.x.x VPN
    Source: 255.255.255.0 Dest: x.x.x.x VPN
    Source: 255.255.255.0 Dest: x.x.x.x VPN
    Source: 255.255.255.0 Dest: x.x.x.x VPN
     
  6. yorgi

    yorgi Very Senior Member

    If you want all traffic to use the local ISP and selected devices to use the VPN, then just do it like this.
    In the example, .50 and .51 will go to the VPN; everything else will automatically go to the local ISP.
    Under Source IP put 192.168.1.50, Destination IP 0.0.0.0 and Iface VPN
    Under Source IP put 192.168.1.51, Destination IP 0.0.0.0 and Iface VPN

    Don't change anything on Destination IP; leave those at 0.0.0.0.
    That should work for you without any problems.
     
  7. yorgi

    yorgi Very Senior Member

    Also, in LAN basic config, in the IP Pool Starting Address put 192.168.1.100,
    as by default DHCP uses 192.168.1.2-192.168.1.254.
    Get those static IP addresses out of the DHCP pool.

    Another note:
    if you use Manually Assigned IP around the DHCP,
    make sure that the IP addresses you use are in the static pool 192.168.1.2-192.168.1.99;

    otherwise it can really screw things up. I never understood why by default the DHCP takes all 254 addresses; by doing that, static IP addresses will not work properly.
     
    Last edited: Mar 26, 2016
  8. Veldkornet

    Veldkornet Senior Member

    I actually want it the other way around...
    For example, all Facebook traffic from all clients should use the VPN.

    So then I've added:
    Under Source IP put 0.0.0.0, Destination IP 66.220.158.68 and Iface VPN

    And for the first 5-10 minutes it seems to work fine, and on the VPN status page I can see that traffic is passed through it. But then all of a sudden everything dies, as I mentioned in my initial post, because it seems like it can't find the VPN host anymore. But when I don't use policy rules it works fine....

    So, I was just wondering if it was me having a wrong config, or something else.

    I have it setup as such:
    Code:
    Start with WAN Yes
    Interface Type TUN
    Protocol TCP
    Server Address and Port Address: nl-am-001.privatetunnel.com Port: 443
    Firewall Automatic
    Authorization Mode  TLS
    Username/Password Authentication No
    Extra HMAC authorisation Outgoing (1)
    Auth digest SHA1
    Create NAT on tunnel Yes
    ------------------------------------------------------------
    Global Log verbosity 3
    Poll Interval 0
    Accept DNS Configuration Exclusive
    Encryption cipher BF-CBC
    Compression None
    TLS Renegotiation Time -1
    Connection Retry -1
    Verify Server Certificate No
    Redirect Internet traffic Policy Rules
    Block routed clients if tunnel goes down No
    ------------------------------------------------------------
    FaceBook    0.0.0.0    66.220.158.68    VPN
    ------------------------------------------------------------
    setenv USERNAME [email protected]
    remote-cert-tls server
    sndbuf 0
    rcvbuf 0
    socket-flags TCP_NODELAY
    auth-nocache
    
     
  9. yorgi

    yorgi Very Senior Member

    I think this will help you. I found it in README-merlin.txt:

    To have all your clients use the VPN tunnel when trying to
    access an IP from this block that belongs to Google:

    RouteGoogle 0.0.0.0 74.125.0.0/16 VPN
     
    Last edited: Mar 26, 2016
  10. Veldkornet

    Veldkornet Senior Member

    Well, that's pretty much what I'm doing actually, except to a few specific IPs instead of a whole range.

    @RMerlin, any ideas?
     
  11. yorgi

    yorgi Very Senior Member

    Try doing it like this; maybe it will work better.
    0.0.0.0 66.220.144.0/20 Iface VPN
    This is for facebook.com.
     
  12. yorgi

    yorgi Very Senior Member

    What method did you use to know that you were successful in routing Facebook via your VPN?
    I am trying to do the same thing to see if I get the same issues you are getting.
     
  13. Veldkornet

    Veldkornet Senior Member

    Well, Facebook was just an example. But it's to specific IPs, not a range.

    I suppose I can't thoroughly test that the route actually works unless all other traffic is disabled.
    I was just looking at the VPN statistics and saw that data was sent/received. Also in my PrivateTunnel app I can see that data was used, i.e. I downloaded a 200MB file, and 200MB showed up in the statistics & app.

    So it appears that the route works. But then something happens, and all goes to hell.

    If you are testing it, just leave it running for about 15-20 minutes. The problem usually occurs by then.

    Even if the route is wrong and no traffic goes over the VPN though, it shouldn't be giving this problem and going ape ###%! :p


    Sent from my iPhone using Tapatalk
     
    Last edited: Mar 26, 2016
  14. yorgi

    yorgi Very Senior Member

    Turn off the power on your router and start it up again.
    Something doesn't seem right on your end.
    Maybe that will help.
     
  15. Veldkornet

    Veldkornet Senior Member

    Yeah, just wanted to check that it was just me.

    I'll do a factory reset and try again.

    Thanks for looking into it :)


    Sent from my iPhone using Tapatalk
     
  16. yorgi

    yorgi Very Senior Member

    Well, the problems you were having made me learn more about selective routing,
    and I tried what you are talking about with my VPN on and having the SMTP server use the local ISP, and it worked like a charm.
    So whatever problems you had, a factory reset or upgrading the firmware will probably help for sure.
    I am using the latest 380.58 Merlin.
     
  17. Veldkornet

    Veldkornet Senior Member

    I am also using Merlin 380.58

    Anyway, after some late night home network maintenance, the problem seems to be solved!

    However, in bad troubleshooting fashion, I did 4 different things in setup this time, so I'm not sure which caused the problem or may be in any way related.

    1) I did a factory reset with the WPS button and setup everything from scratch.
    2) I set up the client manually this time; the previous time I just imported the profile.
    3) I used UDP 1194 instead of TCP 443 this time.
    4) I have DNSCrypt running this time. Previously not.

    Anyway, at least it's working now. Or at least it has been for the last 12 hours, so far so good ;)


    Sent from my iPhone using Tapatalk
     
  18. yorgi

    yorgi Very Senior Member

    I am happy it worked out.
    I am not sure about your VPN settings because you are not using PIA as your provider, but 1194 is a better port.
    When you loaded the OpenVPN config it added a bunch of stuff to the custom configuration which I would assume is important in achieving a proper connection:

    setenv USERNAME [email protected]
    remote-cert-tls server
    sndbuf 0
    rcvbuf 0
    socket-flags TCP_NODELAY
    auth-nocache

    Double check that.

    I did quite a bit of research and testing yesterday as well, and I figured it out.
    In regards to the Facebook example,
    you would need to add the entire CIDR for Facebook to work right. Maybe that's why you were getting problems.
    This is the way you find out.

    Open a command prompt and type nslookup facebook.com.
    You need to do a whois lookup on the IP you get for Facebook, which is 173.252.120.68.
    Go to this website https://www.whatismyip.com/ip-whois-lookup/, paste that address in the IP box
    and do a whois search; the results are as follows:
    NetRange: 173.252.64.0 - 173.252.127.255
    CIDR: 173.252.64.0/18
    In the policy rules you would have to put it like this.
    In the example below, everything in the IP range 192.168.1.1-192.168.1.254 will go to the local ISP
    and the Facebook IP will go to the VPN.

    192.168.1.0/24 0.0.0.0 WAN
    Source IP 0.0.0.0, Destination IP 173.252.64.0/18, Iface VPN

    So basically 0.0.0.0 means any source IP, in your case any IP in your network;
    when the router sees the CIDR IP range it will automatically pass everything coming from Facebook through the VPN.
    This is great when you want SMTP for email, which is normally blocked by the VPN service provider,
    and you can set a rule that everything goes via the VPN except for SMTP, which goes to the local ISP.
    Assuming the SMTP server is 74.123.214.22, the rule would be as follows.
    So in this example all traffic goes to the VPN and when the router sees that SMTP address it will send the data via the local ISP.

    192.168.1.0/24 0.0.0.0 VPN
    0.0.0.0 74.123.214.22 Iface WAN

    What an amazing way to do things :)
    Thanks for bringing up that question; I really learned a lot about selective routing.
    I put some more examples in the how-to guide in regards to policy-based routes.

    Here is a good site to find out the CIDR of an IP range:
    http://networkcalculator.ca/ip-calculator.php

    If anyone knows how to properly test the IP range of Facebook to make sure the data is going via the VPN, please let us know :)
     
  19. Veldkornet

    Veldkornet Senior Member

    Yeah, I use PrivateTunnel from OpenVPN, but indeed I added those extra parameters as well. Although "TCP_NODELAY" no longer does anything; it tells me now in the logs that it's ignored, but it's there just in case :p

    Also, now that it's working properly and no longer crashes out, I did indeed use the ranges instead of individual IP's, i.e. "x.x.x.0/24" etc.

    Been testing it most of the morning, looks to be working 100%!

    Thanks for looking into it with me! :)

    Going back to the Facebook example: instead of Facebook, you could use Google for the tests (although I guess they have a lot more ranges to cover :p). If you log into Gmail, it shows you what IP you're logged in from, or have logged on from previously. Maybe Facebook has something similar in their security settings somewhere.

    But that IP that's shown should be different to the one that your ISP gives, which you can also find on all of those whatismyip websites.
     
  20. yorgi

    yorgi Very Senior Member

    Well, the problem I am encountering is that a lot of the big sites use more than 1 IP address.
    For example, if you do an nslookup enough times on Facebook you will get 2 addresses, and for eBay you get 6 addresses.
    That would mean quite a few CIDR rules to cover each site, and you still can't be sure when you visit that site whether it will go through VPN or WAN,
    because the IP ranges seem to change often enough.

    So what seems to be a great thing ends up being a nightmare. But in a perfect world this makes total sense, because when you are on a VPN
    and you want to go do your banking or check your email you don't necessarily want to visit with your VPN, thus having to change from VPN to local each time. With selective routing one can do it, but how many addresses would it take for each huge site? That is something to really think about. At least with an SMTP server for email it's good, because you don't get a ton of IPs.
    So this policy-based routing has its great features but a huge downfall at the same time :(

    Hopefully someone can shed some fresh light on this matter :)
     
    Veldkornet likes this.
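A way to check policy rules offline before trusting them, as an added example illustrating posts 18 and 20 (not code from the thread or from the Merlin firmware). It models the rule table as (description, source, destination, iface) rows with 0.0.0.0 as the wildcard, assumes first-match evaluation (so the specific rule is listed before the catch-all LAN rule, unlike post 18's order), and reports which of a site's resolved addresses a rule set would not send through the VPN. The rule sets and the nslookup results are constructed from the IPs quoted in the thread.

```python
import ipaddress

ANY = "0.0.0.0"  # the wildcard the thread uses for "any source" / "any destination"

def _matches(field, addr):
    """True when addr falls inside field; field may be a host, a CIDR, or the wildcard."""
    if field == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)

def route_for(rules, src, dst):
    """Interface chosen for a (src, dst) pair.

    Rules are (description, source, destination, iface) tuples. Assumption:
    the first matching rule wins; if no rule matches, None is returned
    (the packet would follow the default route).
    """
    for _desc, rsrc, rdst, iface in rules:
        if _matches(rsrc, src) and _matches(rdst, dst):
            return iface
    return None

def not_via(rules, src, iface, resolved):
    """Resolved IPs of one hostname that `src` would NOT send via `iface`.

    This is the post-20 concern: a site that resolves to several addresses
    needs every one of them covered by a rule, or some visits bypass the VPN.
    """
    return [ip for ip in resolved if route_for(rules, src, ip) != iface]

# Constructed rule sets mirroring the examples in the thread.
FACEBOOK_SINGLE_IP = [  # the single-host rule from post 8
    ("FaceBook", ANY, "66.220.158.68", "VPN"),
]
FACEBOOK_CIDR = [       # post 18: Facebook /18 to VPN, LAN default to WAN
    ("RouteFacebook", ANY, "173.252.64.0/18", "VPN"),
    ("LAN", "192.168.1.0/24", ANY, "WAN"),
]
SMTP_EXCEPTION = [      # post 18: everything via VPN except the SMTP server
    ("SMTP", ANY, "74.123.214.22", "WAN"),
    ("LAN", "192.168.1.0/24", ANY, "VPN"),
]

# Constructed nslookup answers for facebook.com (the thread quotes 173.252.120.68).
FACEBOOK_LOOKUP = ["173.252.120.68", "66.220.158.68", "31.13.64.35"]

if __name__ == "__main__":
    print("single-IP rule misses:", not_via(FACEBOOK_SINGLE_IP, "192.168.1.50", "VPN", FACEBOOK_LOOKUP))
    print("/18 rule misses:", not_via(FACEBOOK_CIDR, "192.168.1.50", "VPN", FACEBOOK_LOOKUP))
    print("SMTP server goes via:", route_for(SMTP_EXCEPTION, "192.168.1.50", "74.123.214.22"))
```

Feeding it the full set of addresses a site actually resolves to makes the gap post 20 describes visible before any traffic is sent.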