What's new

Is VPN interfering with the succesful operation of Dual WAN?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

globalist

Occasional Visitor
I'm trying to get Dual WAN working (backup connectivity provided via a USB-connected Android phone) but getting erratic behavior when I "cut" the connectivity to my primary WAN:

My AC86U with the latest Merlin is constantly switching between the two WANs which I suspect is due to me using a VPN config on my primary WAN.

Can anyone confirm this can be an issue? Attached system log and screenshots.

Many thanks!
 

Attachments

  • Screen Shot 12-07-21 at 04.16 PM.PNG
    Screen Shot 12-07-21 at 04.16 PM.PNG
    68.5 KB · Views: 119
  • Screen Shot 12-07-21 at 04.19 PM 001.PNG
    Screen Shot 12-07-21 at 04.19 PM 001.PNG
    45.7 KB · Views: 108
  • Screen Shot 12-07-21 at 04.19 PM.PNG
    Screen Shot 12-07-21 at 04.19 PM.PNG
    250.7 KB · Views: 111
Since the VPN can only be bound to one WAN at a time, if you "cut" access to the WAN to which it's currently bound, I would expect the VPN to eventually detect it and reestablish itself on the other WAN. If that's the "constant switching" you're referring to, that seems normal. But if you literally mean the router is constantly attempting to switch from WAN to WAN while access to the primary WAN is disabled, and just because the VPN is active, it's NOT obvious to me that's what's happening in the syslog. You'll need to provide more information as to why you believe that's the case.

P.S. It's not easy to tie messages in the syslog to specific events that may be occurring on the router due to YOUR actions (e.g., (un)plugging a WAN cable).
 
Last edited:
Since the VPN can only be bound to one WAN at a time, if you "cut" access to the WAN to which it's currently bound, I would expect the VPN to eventually detect it and reestablish itself on the other WAN.

Well that just might be the issue. See, in order for my OpenVPN config to work on the primary WAN, it needs to have a specific DNS server defined for that WAN (10.8.8.1 as supplied by ProtonVPN, see screenshot). But when the primary WAN is out, the router switches to the secondary WAN (which is a basically just a 3G/G modem tethered to the router and as such I see no way to define a DNS for it). The connectivity on the secondary WAN briefly works but then it fails after the OpenVPN client tries to establish a connection on it, then works briefly again while the client is "rebooting" or whatever it is doing.

Does this sound plausible?

Edit: But yeah I'm not entirely sure it's switching between the 2 WANs - but it sure looked like it looking at the network map. I'll try to record a video of this later.
 

Attachments

  • Screen Shot 12-07-21 at 07.41 PM.PNG
    Screen Shot 12-07-21 at 07.41 PM.PNG
    322.3 KB · Views: 108
You don't normally define the VPN's DNS on the WAN. For one thing, that DNS server is only available once the VPN is connected. But what about *before* the VPN is connected? How can you, for example, resolve the domain name of the VPN server?

Seems to me you did it this way because that router is NOT the primary router, but daisy-chained behind some other router (I noticed the 192.168.11.x network on the WAN). But even so, normally the OpenVPN server will *push* one or more DNS servers to the OpenVPN client at the time the VPN is established, then the router will reconfigure DNSMasq w/ those DNS servers based on the Accept DNS Configuration option of the OpenVPN client.

IOW, you've turned the DNS configuration into a *static* process, when normally it should be *dynamic*.

The only time I've seen OpenVPN providers suggest you statically configured DNS w/ their servers is when those servers are in the *public* IP space, since at least then they are always accessible over the WAN. But for DNS servers in the *private* IP space (10.8.8.1), that makes no sense.
 
You don't normally define the VPN's DNS on the WAN. For one thing, that DNS server is only available once the VPN is connected. But what about *before* the VPN is connected? How can you, for example, resolve the domain name of the VPN server?

Seems to me you did it this way because that router is NOT the primary router, but daisy-chained behind some other router (I noticed the 192.168.11.x network on the WAN). But even so, normally the OpenVPN server will *push* one or more DNS servers to the OpenVPN client at the time the VPN is established, then the router will reconfigure DNSMasq w/ those DNS servers based on the Accept DNS Configuration option of the OpenVPN client.

IOW, you've turned the DNS configuration into a *static* process, when normally it should be *dynamic*.

The only time I've seen OpenVPN providers suggest you statically configured DNS w/ their servers is when those servers where in the *public* IP space, since at least then they are always accessible over the WAN. But for DNS servers in the *private* IP space (10.8.8.1), that makes no sense.
The router is not really daisy-chained - 192.168.11.1 is the provider's wireless antenna (so the WAN gateway) and I've manually assigned 192.168.11.17 to the Asus router, which is doing all the routing and DHCP.

Anyway, if I leave the WAN DNS undefined, the OpenVPN client won't connect. And defining 10.8.8.1 on the DHCP is not somethig I wanna do because I want to use my own preferred DNS servers on my DHCP'd network. So defining 10.8.8.1 on the WAN is basically a win-win for me.

Here is ProtonVPN recommending to set the DNS (and only THAT DNS): https://protonvpn.com/support/vpn-router-ddwrt/
Frankly, I am as baffled as you are as to why this is necessary, but as I said the config doesn't work without 10.8.8.1 DNS defined on the WAN.
 
Last edited:
Anyway, if I leave the WAN DNS undefined, the OpenVPN client won't connect. And defining 10.8.8.1 on the DHCP is not somethig I wanna do because I want to use my own preferred DNS servers on my DHCP'd network. So defining 10.8.8.1 on the WAN is basically a win-win for me.

But that's where the DNS server should be defined, on the DHCP server, NOT the WAN.

I assume ProtonVPN is doing it this way because they've chosen NOT to push that DNS server to the OpenVPN client (why that is escapes me). But you should still be able to use the normal DHCP server configuration on the LAN, and add 10.8.8.1 to the OpenVPN client config (in the custom config field).

Code:
dhcp-option DNS 10.8.8.1

Now configure Accept DNS Configuration w/ Exclusive on the OpenVPN client. When the OpenVPN client gets connected, DNS will switch to 10.8.8.1 for all those bound to the VPN. All others will continue to use the default DNS server(s).
 
Code:
dhcp-option DNS 10.8.8.1

Now configure Accept DNS Configuration w/ Exclusive on the OpenVPN client. When the OpenVPN client gets connected, DNS will switch to 10.8.8.1 for all those bound to the VPN. All others will continue to use the default DNS server(s).

I am running most of my LAN devices through the VPN, so that would mean they'd all be using this new DNS instead of another DNS I prefer to use (AdGuard DNS), no? Unless you want me to configure the Adguard DNS on each LAN device manually?
 
I am running most of my LAN devices through the VPN, so that would mean they'd all be using this new DNS instead of another DNS I prefer to use (AdGuard DNS), no? Unless you want me to configure the Adguard DNS on each LAN device manually?

Then why are you using 10.8.8.1 for DNS at all?! You can use whatever you want. Nothing says you *have* to use the DNS server(s) offered by the OpenVPN provider. Most ppl do this because they want to prevent DNS leaks (i.e., prevent DNS queries from being routed in the clear over the WAN). And by using 10.8.8.1, that forces DNS over the VPN since that network (10.8.8.x) will be established on the tunnel once the OpenVPN client gets connected. But you could just as well configure the WAN w/ AdGuard servers and leave the DHCP server w/ its default configuration (LAN clients will then access the AdGuard servers indirectly via the router's DNS proxy). And as long as you're using "Yes (all)" for policy routing, those servers will be accessed over the VPN. Or you could configure access to AdGuard w/ DoT on that same WAN. In that case, it wouldn't matter whether those DNS servers were accessed over the WAN or VPN since it would be encrypted.

I'm just getting the impression that you've developed the notion that you *have* to use 10.8.8.1 for some reason, just because the ProtonVPN instructions say so. You DON'T!
 
Then why are you using 10.8.8.1 for DNS at all?!

Because as I said, I am using 10.8.8.1 on the WAN because when I don't, the VPN client won't connect, for some reason. I'm going to test this once more (without specifying it on the WAN, and instead trying AdGuard w/ DoT as you suggested) and report back.

And as long as you're using "Yes (all)" for policy routing

I am using VPN Director which redirects MOST of my stuff through the VPN tunnel.
 
Because as I said, I am using 10.8.8.1 on the WAN because when I don't, the VPN client won't connect, for some reason. I'm going to test this once more (without specifying it on the WAN, and instead trying AdGuard w/ DoT as you suggested) and report back.

There's no way that could be true. 10.8.8.1 isn't even a public IP!! If the OpenVPN client is configured w/ a domain name for the Server Address, that can only be resolved via a public DNS server (e.g., Google DNS, 8.8.8.8, 8.8.4.4). Or else your ISP if offering a private DNS server (10.8.8.1) that coincidentally happens to match that of the VPN provider (which seems highly unlikely). IOW, if the DNS server 10.8.8.1 is being offered by the VPN provider, you can't use it for those purposes until you're connected! Yet, you're claiming you need it to get connected.

Where to find this specific setting?

On the OpenVPN client, Network Settings section, "Redirect internet traffic through tunnel" setting.
 
There's no way that could be true. 10.8.8.1 isn't even a public IP!! If the OpenVPN client is configured w/ a domain name for the Server Address, that can only be resolved via a public DNS server (e.g., Google DNS, 8.8.8.8, 8.8.4.4).
OK, we shall see. Does the attached settings look OK to you? 84.200.69.80 is another DNS server I'd prefer to use as backup. BTW the OVPN client is configured w/ an IP, not a domain name.

On the OpenVPN client, Network Settings section, "Redirect internet traffic through tunnel" setting.

I realized where it is and I am using VPN Director there, which redirects MOST of my stuff through the VPN tunnel.
 

Attachments

  • Screen Shot 12-07-21 at 09.35 PM.PNG
    Screen Shot 12-07-21 at 09.35 PM.PNG
    310 KB · Views: 91
To summarize …

Under normal circumstances, you rely on the DNS server(s) configured on the WAN from the ISP to resolve domain names, including the Server Address of the OpenVPN client. There's no need to be changing any of that information. No need for 10.8.8.1 or anything else.

Once the OpenVPN client is connected to the OpenVPN server, *now* you need to decide how DNS will be configured for your LAN clients, which is a completely separate issue. Normally you allow the OpenVPN client to reconfigure DNSMasq (which is normally acting as the local DNS proxy for LAN clients) w/ the DNS server(s) push'd by the OpenVPN server. Hence, those LAN clients have their DNS queries resolved over the VPN.

Alternatively, you can ignore the DNS servers push'd by the OpenVPN provider and configure DoT on the WAN. As I said, now it doesn't matter if LAN clients have their DNS routed over the VPN since all DNS is encrypted over the WAN.
 
Last edited:
Yeah I guess I understand that now and will try as you suggested (once the missus is in bed and doesn't complain of sudden intenet failures). In the meantime I just wanted to check if the settings in the screenshot I posted above look correct for your suggested config?
 
Yeah I guess I understand that now and will try as you suggested (once the missus is in bed and doesn't complain of sudden intenet failures). In the meantime I just wanted to check if the settings in the screenshot I posted above look correct for your suggested config?

If you're going to configure DoT on the WAN, there's no need to change the defaults for DNS manually. Just accept whatever the ISP is offering since you intend to override it w/ the DoT settings anyway.

As far as the DoT entries themselves, I recognize the 94.140.14.15 as AdGuard (family), but not the other (84.200.69.80). I would have assumed you'd have picked the other AdGuard (family) server (94.140.14.16).
 
Last edited:
Trying to apply those settings I get this message:
 

Attachments

  • Screen Shot 12-08-21 at 12.09 AM.PNG
    Screen Shot 12-08-21 at 12.09 AM.PNG
    252.2 KB · Views: 92
Trying to apply those settings I get this message:

I just realized that you've configured a static IP on the WAN, rather than used DHCP. If it was DHCP, you would have presumably been provided w/ default DNS servers by the upstream DHCP server. But since it's static, the GUI is requiring you to specify at least one DNS server. I suppose that could be 192.168.11.1 (assuming the gateway is acting as a DNS server too), or perhaps any available public DNS servers (Google, 8.8.8.8, 8.8.4.4), or even the AdGuard servers (94.140.14.15, 94.140.14.16).
 
Hey @eibgrad , so I managed to succesfully set up the DNS and VPN stuff as per your invaluable advise. The VPN connects just fine. Many thanks!

But this still doesn't solve the original issue. I've recorded a video where I first show around all the relevant router settings, then I go to my Ubiquity antenna interface to simulate an "internet outage". Next you will see the constant switching between the two WANs which I cannot explain. I am also attaching the system log. In the video I forgot to show my failover/failback settings but they are the same as in the OP.

I've sent you the video link in a PM. Will also send the system log.
 
Last edited:
It's still very difficult to understand what's going on w/ that dual WAN, even w/ the video.

In your OP, you implied that the problem was only happening when the VPN was active. Are you 100% sure the VPN works properly when the router is only configured for a *single* WAN? And for each WAN individually? IOW, let's put aside for the moment any interplay issues between the two WANs, and just verify the VPN works correctly w/ each WAN when configured w/ that WAN alone. Only then should you introduce dual WAN.

P.S. I don't use dual WAN myself, but I may have to configure a router in the lab w/ your setup and verify things are working normally.
 
In your OP, you implied that the problem was only happening when the VPN was active.
I haven't yet tested switching to USB WAN with the VPN inactive. Will try.

Are you 100% sure the VPN works properly when the router is only configured for a *single* WAN?
Well when both WANs are set up but there hasn't been a failover to USB WAN yet, the VPN works fine on the primary WAN. For now I'm keeping the USB WAN configured but "turned off" though - see screenshot. Reason being, if I leave it on, and a real primary WAN failure happens, I'm in trouble (as simulated in the video).
And for each WAN individually?
VPN works fine on the primary WAN. Not sure how I can try to test if it works when USB WAN is the only WAN available - haven't I done just that in the video?
 

Attachments

  • Screen Shot 12-09-21 at 03.13 AM.PNG
    Screen Shot 12-09-21 at 03.13 AM.PNG
    99.2 KB · Views: 89
@eibgrad So, I've done some extensive testing of various scenarios and I've determined the following:

The issue has nothing to do with the VPN tunnel. Both Primary and Secondary WAN can work individually just fine. They also can work with an active VPN tunnel on or off. The issue really comes down to having the Failback setting enabled - with it unticked, the failover itself works fine and WAN2 stays active. But when Failback is also enabled, the router switches between the two WANs constantly and I can see a specific error in the system log (see attached):

wsdd2[4514]: error: wsdd-mcast-v4: wsd_send_soap_msg: send

I've noticed the Failback option has the literal description When the Primary WAN is detected to have an active internet connection using a physical cable and here I think lies the issue. Unlike Failback, the failover detection does NOT try to detect a "physical cable" - rather, it relies on ping (as far as I understand). So when there's no ping it switches to WAN2. But then a cable is detected on WAN1 and the router tries to switch from WAN2 back to WAN1, but alas there's no connectivity on WAN1, so it switches back to WAN2. Rinse and repeat. At least that's my interpreatation. With that said, I really do need a Failback option because my mobile data plan is not unlimited and the outages at the provider do not last longer than 30 minutes or so, so I'd like to use WAN2 as little as possible.

Does this make sense and is this maybe a know isssue in the community? Many thanks!
 

Attachments

  • syslog.txt
    4.9 KB · Views: 78
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top