Solved Issue with YazFi and VPN

Er0n

Occasional Visitor
First of all, YazFi is THE addon. Really, I am so excited I've found it, as it basically allows you to segregate wifi and add different VPNs to each.

But honestly I cannot make it work and I don't know why.

I'm on Merlin AC68, with the latest firmware, rules on the director, and I've made a wifi for the work computer and another for mobile. A third one, without VPN, for the smart TVs.

Well, while the one without VPN works perfectly, the other two don't. No matter what setting I try to change, on mobile clients I see the wifi icon for "connected without internet".
LAN is working properly, even with VPN.

I'd like to ask expert users how they suggest troubleshooting this issue, thanks.
 

eibgrad

Part of the Furniture
Just speculating, but you have to be very careful about the additional IP networks you create. I see you're using 10.10.x.x for those networks. But use of the 10.x.x.x range is very common among OpenVPN providers, and therefore it's possible you're creating a conflict between those networks and the IP networks of the tunnels (it's even possible to create conflicts between the tunnels themselves, esp. if you're using the same OpenVPN provider). Since you've provided no relevant information about the VPNs (e.g., a dump of the relevant routing tables), it's difficult to know if this is the problem.

Code:
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
 

CaptainSTX

Part of the Furniture
To get what you want working, try at least temporarily eliminating YazFi.

Merlin's firmware lets you create up to six Guest SSIDs plus two main SSIDs.

Assign your trusted devices to one of the main SSIDs and then categorize your less trusted devices and assign them to one of the six guest SSIDs. You may have to change the SSIDs and passwords to prevent devices from connecting to a guest network SSID that they previously connected to.

Then set up as many VPN clients as you think you need.

Finally, using the VPN Director, assign devices that you want routed using a specific VPN to whichever VPN client you want them to use. Policy routing needs to be implemented for each VPN client that you have active. Using the VPN Director with multiple VPN clients will also require, for at least the devices you want to route using a specific VPN, that you assign them a static IP.
 

Er0n

Occasional Visitor
Thanks for your reply @eibgrad but the IPs you see are just the 100th try. Usually I have common 192.168 stuff.
However, in the result of the ip route show, I tried to highlight the architecture and the route (basically I have the ISP router, with the Asus behind it).
@CaptainSTX thanks, is this mandatory (I mean, could it be the fact that I am using CIDR that blocks them?):
Using the VPN Director with multiple VPN clients will also require, for at least the devices you want to route using a specific VPN, that you assign them a static IP.
 

eibgrad

Part of the Furniture
It's one thing to hide your public IP. But there's no need to hide any *private* IPs. Those are NOT routable over the internet. It only makes it that much more difficult to diagnose the problem.

In spite of that, I can see tun11's network is using 10.10.0.0/16, which is overlapping all the other 10.10.x.x/24 networks. That's NOT good.
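A quick way to check for the kind of overlap eibgrad describes (the 10.x tunnel range swallowing the YazFi guest subnets, which is exactly what the tun11 10.10.0.0/16 route does here): an added example, not from the thread, that parses the output of the `ip route` / `ip route show table ovpncN` commands he lists and flags prefixes on different interfaces that overlap. The sample output is constructed, and the interface names wl0.1/wl1.x (YazFi guests), tun11/tun12 (OpenVPN clients) and br0 are assumptions about a typical Merlin layout.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample of `ip route` output on a Merlin router running YazFi:
# three guest networks in 10.10.x.0/24 and an OpenVPN client (tun11) whose
# provider hands out 10.10.0.0/16, the overlap eibgrad spotted.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun12 proto kernel scope link src 10.8.0.6
10.10.0.0/16 dev tun11 proto kernel scope link src 10.10.0.5
10.10.1.0/24 dev wl0.1 proto kernel scope link src 10.10.1.1
10.10.2.0/24 dev wl1.1 proto kernel scope link src 10.10.2.1
10.10.3.0/24 dev wl1.2 proto kernel scope link src 10.10.3.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.2
"""

# First token is the destination, "dev <name>" gives the interface.
ROUTE_RE = re.compile(r"^(\S+)\s.*\bdev\s+(\S+)")


def parse_routes(text):
    """Return (network, device) pairs. 'default' is skipped: 0.0.0.0/0 would
    overlap everything and is not the conflict we are looking for."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m or m.group(1) == "default":
            continue
        dest, dev = m.groups()
        if "/" not in dest:          # host route (e.g. a tunnel peer), treat as /32
            dest += "/32"
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def find_overlaps(routes):
    """Report every pair of routes on different interfaces whose prefixes
    overlap; a tunnel prefix containing a guest subnet is the case to catch."""
    hits = []
    for (n1, d1), (n2, d2) in combinations(routes, 2):
        if d1 != d2 and n1.overlaps(n2):
            hits.append((str(n1), d1, str(n2), d2))
    return hits


if __name__ == "__main__":
    for n1, d1, n2, d2 in find_overlaps(parse_routes(SAMPLE_IP_ROUTE)):
        print(f"OVERLAP: {n1} on {d1} <-> {n2} on {d2}")
```

On a real router, paste the combined output of the `ip route` commands from eibgrad's post into SAMPLE_IP_ROUTE (or read it from a file) and any tunnel/guest collision is listed.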
 

Jack Yaz

Part of the Furniture
It's one thing to hide your public IP. But there's no need to hide any *private* IPs. Those are NOT routable over the internet. It only makes it that much more difficult to diagnose the problem.

In spite of that, I can see tun11's network is using 10.10.0.0/16, which is overlapping all the other 10.10.x.x/24 networks. That's NOT good.
That'd probably do it - shifting the YazFi networks to a non-overlapping range would at least rule it out.
 

Er0n

Occasional Visitor
Thanks @eibgrad, I just thought it would be clearer if I labelled them.
I did everything you suggested, including deleting all the scripts and starting with YazFi only.
I also followed the path of @CaptainSTX, deleting the YazFi guests on the router and redoing everything from scratch: first the standard guests (worked), then manual IP assignment (worked), then VPN Director (both CIDR and single IP, worked) and finally YazFi (VPN stopped working).

As in the picture, I have different subnets now, but devices connected to the VPN on YazFi suddenly don't go to the internet anymore. I even tried to change the VPN DNS with 192.168.x.1 in DNS 1 and the VPN in DNS 2, still nothing.

Interesting: if on YazFi I turn on "Redirect all to VPN", I connect again to the internet without VPN, even with VPN Director rules.
Right before adding YazFi, VPN worked properly following the rules.

What else can I do? Could it be that I set the manual IP addresses while connected to the standard guest, with main network IPs (i.e. 192.168.X.Y), while now they all have different ones (i.e. 192.168.Z.Y)?
 

SomeWhereOverTheRainBow

Part of the Furniture
Thanks @eibgrad, I just thought it would be clearer if I labelled them.
I did everything you suggested, including deleting all the scripts and starting with YazFi only.
I also followed the path of @CaptainSTX, deleting the YazFi guests on the router and redoing everything from scratch: first the standard guests (worked), then manual IP assignment (worked), then VPN Director (both CIDR and single IP, worked) and finally YazFi (VPN stopped working).

As in the picture, I have different subnets now, but devices connected to the VPN on YazFi suddenly don't go to the internet anymore. I even tried to change the VPN DNS with 192.168.x.1 in DNS 1 and the VPN in DNS 2, still nothing.

Interesting: if on YazFi I turn on "Redirect all to VPN", I connect again to the internet without VPN, even with VPN Director rules.
Right before adding YazFi, VPN worked properly following the rules.

What else can I do? Could it be that I set the manual IP addresses while connected to the standard guest, with main network IPs (i.e. 192.168.X.Y), while now they all have different ones (i.e. 192.168.Z.Y)?
It is how you have your rules listed.
You need to try placing your Others rule last on the list and not first on the list.
Or try turning off your Others VPN rule.
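To see why the position of a broad "Others" rule matters, here is an added example (not from the thread and not VPN Director's own code) that assumes rules are evaluated top-down in the displayed order with the first match winning. It evaluates a client address against two constructed rule lists and also lints a list for rules that can never be reached because an earlier rule already covers their whole source range.

```python
import ipaddress

# Constructed rule lists: (description, source address or CIDR, target).
# Assumption for this example: rules are checked top-down in the displayed
# order and the first match decides where the client's traffic goes.
RULES_OTHERS_FIRST = [
    ("Others (catch-all)", "192.168.0.0/16",  "OVPN3"),
    ("Work laptop",        "192.168.10.20",   "OVPN1"),
    ("Mobile guest net",   "192.168.11.0/24", "OVPN2"),
]
# Same rules with the broad catch-all moved to the bottom.
RULES_OTHERS_LAST = RULES_OTHERS_FIRST[1:] + RULES_OTHERS_FIRST[:1]


def first_match(rules, client_ip):
    """Return (rule description, target) for the first rule covering
    client_ip, or (None, "WAN") when no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    for desc, src, target in rules:
        if ip in ipaddress.ip_network(src, strict=False):
            return desc, target
    return None, "WAN"


def find_shadowed(rules):
    """List (rule, shadowing rule) pairs where an earlier rule's source range
    already contains the later rule's whole range, so it is never reached."""
    shadowed = []
    for i, (desc, src, _) in enumerate(rules):
        net = ipaddress.ip_network(src, strict=False)
        for earlier_desc, earlier_src, _ in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier_src, strict=False)):
                shadowed.append((desc, earlier_desc))
                break
    return shadowed


if __name__ == "__main__":
    for name, rules in (("Others first", RULES_OTHERS_FIRST),
                        ("Others last", RULES_OTHERS_LAST)):
        print(name, "-> 192.168.10.20 goes to", first_match(rules, "192.168.10.20"))
        for desc, by in find_shadowed(rules):
            print(f"  rule '{desc}' is never reached, shadowed by '{by}'")
```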
 

Jack Yaz

Part of the Furniture
@SomeWhereOverTheRainBow thanks, I have deleted all the CIDR rules and added single, specific, one-by-one IP/device rules. And also, it lists them WAN first, then VPN alphabetically. Still, nothing changed.
Please can you run the Diagnostics option in the YazFi CLI and PM me the passphrase and a link to the tar archive? I can send a Dropbox link if needed.
 

Er0n

Occasional Visitor
I'd like to add this try to the story.
I've formatted the USB key. Even while it was unplugged, I still saw the YazFi tab on the router.
So I also deleted the script from amtm, and I've redone the whole process of installing on the USB.

Now only YazFi and Disk Check.
I've configured the guests again, leaving the original (Google) DNS. Guess...: non-VPN guests work, VPN doesn't.
Attached, the result of ip route.
 

Jack Yaz

Part of the Furniture
I'd like to add this try to the story.
I've formatted the USB key. Even while it was unplugged, I still saw the YazFi tab on the router.
So I also deleted the script from amtm, and I've redone the whole process of installing on the USB.

Now only YazFi and Disk Check.
I've configured the guests again, leaving the original (Google) DNS. Guess...: non-VPN guests work, VPN doesn't.
Attached, the result of ip route.
That default entry looks suspicious - can you share a screenshot of the VPN Director tab?
 

SomeWhereOverTheRainBow

Part of the Furniture
Any clues? Thank you for your help
In reality the new VPN Director routes based on priority, from my understanding. So the problem could simply be too many routes being defined per tunnel, forcing it to use only one of the routes. Maybe @RMerlin could elaborate on whether there is a problem in the way you have things configured.
 

Er0n

Occasional Visitor
I solved this issue in a totally unknown way.
I was bored and discouraged that nothing was working as intended, so I was just playing around, then I jumped to this post. I did the script suggested to change the MAC (no reason, just a boredom test) and suddenly, for some reason, the router password was not accepted anymore. I could not log in anymore.
So I had to hard reset the router, but since I had the .cfg file it was a matter of minutes to have it all back in place.
I just re-added the USB and reinstalled YazFi, and apparently now everything is working.

So I cannot say if it was related to the nvram/MAC operation, VPN Director or the hard reset.
Thanks to everyone who tried to help.

Next step > VLAN
 
