Issue with Setting up Policy Routing with VPN Client

hydraulics

Hi all,

I have an Asus RT-AC86u router and I'm on Asus Merlin firmware version 386.9 which I just updated 2 weeks ago. On the router I had installed various AMTM scripts such as Skynet, x3mRouting, Diversion, Wireguard Server, etc.

I want to have only a few devices using the VPN (like Apple TV) but not others like my cell phone. I wanted to use policy routing to do so. I'm using ProtonVPN as the OpenVPN client which is set up and working just fine.

However, when I try to set up policy routing by inputting the Source IP and adding it, when I click "Apply" then the settings don't save. I can't seem to save my settings. Can anyone please help me understand why that is? Is it the x3mRouting Script that is to blame?

I'd be grateful for you to review this problem.

The picture above shows what I put in, but once I try to "Apply" the settings then the settings disappear and the policy routing does not get applied. Can you please help me understand why??

Try a different browser.
 
Hi thanks @L&LD I did try a different browser and incognito as well and the same problem happens where it doesn't register my saved policy routing.

@rung Yes I would 'add' the entry first with the plus sign and then hit 'Apply'. I tried both ways, hitting Apply directly and clicking on the plus sign first and then hitting apply. Either way the settings don't save.

In my logs I get the following. Note that I have XXXX out sensitive info like IP addresses. From the logs it seems like the policy rules are being configured? But they are not being applied properly. My configuration doesn't actually save and I did check to see by testing with DNS check and the settings are not being applied.

Code:
Mar 11 06:57:46 rc_service: httpd 1841:notify_rc restart_vpnclient1
Mar 11 06:57:46 custom_script: Running /jffs/scripts/service-event (args: restart vpnclient1)
Mar 11 06:57:46 ovpn-client1[616589]: event_wait : Interrupted system call (code=4)
Mar 11 06:57:46 ovpn-client1[616589]: SIGTERM received, sending exit notification to peer
Mar 11 06:57:47 ovpn-client1[616589]: ovpn-route-pre-down tun11 1500 1584 XXXXXXXXXX init
Mar 11 06:57:47 (updown-dns.sh): 1481499 Starting script execution
Mar 11 06:57:47 (updown-dns.sh): 1481499 Ending script execution
Mar 11 06:57:47 (x3mvpnrouting.sh): 1481524 00 Deleting fwmark 0x1000/0x1000
Mar 11 06:57:47 (x3mvpnrouting.sh): 1481524 Created fwmark 0x1000/0x1000
Mar 11 06:57:47 x3mRouting: Configuring policy rules for client 1
Mar 11 06:57:47 (x3mvpnrouting.sh): 1481524 Completed routing policy configuration for client 1
Mar 11 06:57:47 openvpn-event[1481488]: No scripts found to run for openvpn-event: vpnclient1-route-pre-down
Mar 11 06:57:47 custom_script: Running openvpn-event
Mar 11 06:57:47 ovpn-client1[616589]: Closing TUN/TAP interface
Mar 11 06:57:47 ovpn-client1[616589]: /usr/sbin/ip addr del dev tun11 XXXXXXXXX
Mar 11 06:57:47 ovpn-client1[616589]: ovpn-down 1 client tun11 1500 1584 XXXXXXXXXXX init
Mar 11 06:57:47 openvpn-routing: Configured killswitch on VPN client 1
Mar 11 06:57:47 ovpn-client1[616589]: SIGTERM[soft,exit-with-notification] received, process exiting
Mar 11 06:57:47 openvpn-routing: Clearing routing table for VPN client 1
Mar 11 06:57:48 ovpn-client1[1481697]: OpenVPN 2.5.8 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan  6 2023
Mar 11 06:57:48 ovpn-client1[1481697]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.08
Mar 11 06:57:48 custom_script: Running /jffs/scripts/service-event-end (args: restart vpnclient1)
Mar 11 06:57:48 ovpn-client1[1481698]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 11 06:57:48 ovpn-client1[1481698]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 11 06:57:48 ovpn-client1[1481698]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 11 06:57:48 ovpn-client1[1481698]: TCP/UDP: Preserving recently used remote address: [AF_INET]XXXXXXXXX:51820
Mar 11 06:57:48 ovpn-client1[1481698]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Mar 11 06:57:48 ovpn-client1[1481698]: UDP link local: (not bound)
Mar 11 06:57:48 ovpn-client1[1481698]: UDP link remote: [AF_INET]XXXXXXXXX:51820
Mar 11 06:57:48 ovpn-client1[1481698]: TLS: Initial packet from [AF_INET]XXXXXXXXXX:51820, sid=bXXXXXXXXX
Mar 11 06:57:48 ovpn-client1[1481698]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 11 06:57:48 ovpn-client1[1481698]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Mar 11 06:57:48 ovpn-client1[1481698]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Mar 11 06:57:48 ovpn-client1[1481698]: VERIFY KU OK
Mar 11 06:57:48 ovpn-client1[1481698]: Validating certificate extended key usage
Mar 11 06:57:48 ovpn-client1[1481698]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 11 06:57:48 ovpn-client1[1481698]: VERIFY EKU OK
Mar 11 06:57:48 ovpn-client1[1481698]: VERIFY OK: depth=0, CN=node-nl-71.protonvpn.net
Mar 11 06:57:48 ovpn-client1[1481698]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Mar 11 06:57:48 ovpn-client1[1481698]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mar 11 06:57:48 ovpn-client1[1481698]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Mar 11 06:57:48 ovpn-client1[1481698]: [node-nl-71.protonvpn.net] Peer Connection Initiated with [AF_INET]XXXXXXXXX:51820
Mar 11 06:57:49 ovpn-client1[1481698]: SENT CONTROL [node-nl-71.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 11 06:57:49 ovpn-client1[1481698]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS XXXXXXXX,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,explicit-exit-notify,comp-lzo no,route-gateway XXXXXXX,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig XXXXXXXXX,peer-id 65542,cipher AES-256-GCM'
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: explicit notify parm(s) modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: compression parms modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mar 11 06:57:49 ovpn-client1[1481698]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: --socket-flags option modified
Mar 11 06:57:49 ovpn-client1[1481698]: NOTE: setsockopt TCP_NODELAY=1 failed
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: route options modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: route-related options modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: peer-id set
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: adjusting link_mtu to 1656
Mar 11 06:57:49 ovpn-client1[1481698]: OPTIONS IMPORT: data channel crypto options modified
Mar 11 06:57:49 ovpn-client1[1481698]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 11 06:57:49 ovpn-client1[1481698]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 06:57:49 ovpn-client1[1481698]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 11 06:57:49 ovpn-client1[1481698]: TUN/TAP device tun11 opened
Mar 11 06:57:49 ovpn-client1[1481698]: TUN/TAP TX queue length set to 1000
Mar 11 06:57:49 ovpn-client1[1481698]: /usr/sbin/ip link set dev tun11 up mtu 1500
Mar 11 06:57:49 ovpn-client1[1481698]: /usr/sbin/ip link set dev tun11 up
Mar 11 06:57:49 ovpn-client1[1481698]: /usr/sbin/ip addr add dev tun11 XXXXXXXX/16
Mar 11 06:57:49 ovpn-client1[1481698]: ovpn-up 1 client tun11 1500 1584 XXXXXXXX 255.255.0.0 init
Mar 11 06:57:50 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Mar 11 06:57:52 (updown-dns.sh): 1481815 Starting script execution
Mar 11 06:57:52 YazFi: VPN tunnel route just came up, running YazFi to fix RPDB routing
Mar 11 06:57:52 (updown-dns.sh): 1481815 Ending script execution
Mar 11 06:57:52 (x3mvpnrouting.sh): 1481854 00 Deleting fwmark 0x1000/0x1000
Mar 11 06:57:52 (x3mvpnrouting.sh): 1481854 Created fwmark 0x1000/0x1000
Mar 11 06:57:52 x3mRouting: Configuring policy rules for client 1
Mar 11 06:57:52 (x3mvpnrouting.sh): 1481854 Completed routing policy configuration for client 1
Mar 11 06:57:52 openvpn-event[1481803]: No scripts found to run for openvpn-event: vpnclient1-route-up
Mar 11 06:57:52 custom_script: Running openvpn-event
Mar 11 06:57:52 ovpn-client1[1481698]: Initialization Sequence Completed
Mar 11 06:57:57 YazFi: No YazFi guests are enabled in the configuration file!
Mar 11 06:58:05 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=XXXXXX SRC=XXXXXX DST=XXXXX LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=37940 PROTO=TCP SPT=52863 DPT=4455 SEQ=1385592256 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
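
One way to triage the syslog posted above, as an added example that is not part of the original posts: list every log tag that reports touching routing policy during the restart, and collect the OpenVPN WARNING/NOTE lines. The sample lines are excerpted from that log; the function names `sample_log`, `routing_writers` and `openvpn_warnings` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: lines excerpted from the syslog posted in the thread.
sample_log() {
cat <<'EOF'
Mar 11 06:57:46 rc_service: httpd 1841:notify_rc restart_vpnclient1
Mar 11 06:57:47 (x3mvpnrouting.sh): 1481524 Created fwmark 0x1000/0x1000
Mar 11 06:57:47 x3mRouting: Configuring policy rules for client 1
Mar 11 06:57:47 openvpn-routing: Clearing routing table for VPN client 1
Mar 11 06:57:48 ovpn-client1[1481698]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 11 06:57:48 ovpn-client1[1481698]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mar 11 06:57:50 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Mar 11 06:57:52 YazFi: VPN tunnel route just came up, running YazFi to fix RPDB routing
Mar 11 06:57:52 x3mRouting: Configuring policy rules for client 1
Mar 11 06:57:52 ovpn-client1[1481698]: Initialization Sequence Completed
EOF
}

# Print "<tag> <count>" for each syslog tag whose message mentions fwmarks,
# policy rules, routing tables or the RPDB, in order of first appearance.
routing_writers() {
  awk '
    {
      tag = $4                       # fields 1-3 are the timestamp
      sub(/\[[0-9]+\]/, "", tag)     # drop the PID
      sub(/:$/, "", tag)
      gsub(/[()]/, "", tag)
      if (tolower($0) ~ /fwmark|policy rules|routing table|rpdb/) {
        if (!(tag in n)) order[++k] = tag
        n[tag]++
      }
    }
    END { for (i = 1; i <= k; i++) printf "%s %d\n", order[i], n[order[i]] }
  '
}

# Print each distinct WARNING/NOTE message emitted by the OpenVPN client.
openvpn_warnings() {
  awk '$4 ~ /^ovpn-client/ && $5 ~ /^(WARNING|NOTE):$/ {
         msg = substr($0, index($0, "]: ") + 3)
         if (!seen[msg]++) print msg
       }'
}

sample_log | routing_writers
sample_log | openvpn_warnings
```

On a live router the same functions can read the system log file instead of `sample_log`.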
 
