Merlin openvpn client: 1 OK, 4 no internet

[Tommy1234]

Hi gals and guys,
Suddenly only one vpn client of 5 that I have configured, is able to connect to the internet. the other four claim they are "connected" (in service state), but I can't reach the internet. Everything worked fine and for no apparent reason, things went wrong. I've tried everything, but to no avail.
If somebody has a suggestion, I would be very very very much obliged.
Asus 5300, Merlin 380.69.2. router (wan) 192.168.1.25 (router after router set up).

Tom

 

[Martineau]

Suddenly only one vpn client of 5 that I have configured, is able to connect to the internet. the other four claim they are "connected" (in service state), but I can't reach the internet. Everything worked fine and for no apparent reason, things went wrong. I've tried everything, but to no avail.

If you are familiar with script creation on the router you could try my crude VPN configuration debugging script from this post Multiple VPN clients active for different devices

 

[Tommy1234]

Thanks for your swift reply, Martineau. I am afraid that I don't know anything about script creation and I can't find any tutorials on the net. It is a bit of a hassle, but alternatively would a factory reset and/or power cycle do the trick?

 

[Martineau]

I am afraid that I don't know anything about script creation and I can't find any tutorials on the net. It is a bit of a hassle, but alternatively would a factory reset and/or power cycle do the trick?

Probably....but only for the first i.e. a single VPN Client connection!

Ultimately you will need to examine the RPDB rules and the VPN Client route tables

ip rule

ip route show table 254

and the active VPN Client tables where 'X' is the client instance (1-5)

ip route show table 11X

Usually the cause is in either of the above, but in some cases, DNS is the culprit.

 

[Tommy1234]

I used the commands above. Here are the results. I don't see anything specific, but then I am no expert, as experts can tell .


ip rule
0: from all lookup local
10101: from 192.168.2.0/24 lookup ovpnc1
10501: from 192.168.2.0/24 lookup ovpnc3
10901: from 192.168.2.0/24 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default

ip route show table 254
192.168.1.1 dev eth0 proto kernel scope link
XXX.254.255.XXX via 192.168.1.1 dev eth0
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.25
10.8.8.0/24 dev tun15 proto kernel scope link src 10.8.8.25
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0

ip route show table 115
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
10.8.8.0/24 dev tun15 proto kernel scope link src 10.8.8.25
0.0.0.0/1 via 10.8.8.1 dev tun15
128.0.0.0/1 via 10.8.8.1 dev tun15
default via 10.8.8.1 dev tun15

 

[Tommy1234]

Have been messing about for about six months now, running latest (beta)firmware, but I am still stuck. It looks (sometimes, sometimes not) like the vpn client is connecting to the internet (service state green, including yellow vpn ip address), but when I try I get a "cant reach this page-message". Also sometimes the WAN icon in the top right corner is activated and sometimes not. Using Edge I get either the message:

There was a temporary DNS error. Try refreshing the page.

Error Code: INET_E_RESOURCE_NOT_FOUND

or

DNS name does not exist.

Of course, refreshing the page doesn't help. Btw I am using two different VPN-providers: PIA for nr. 1 and NordVpn for the others, but when I try to use PIA for 2 -5 it also doesn't work, so the Vpn-provider doesn't seem the problem.

And I am using PIA and NordVpn on my iPhone without any issues, so my subscription has been paid

Nevertheless, it is slowly driving me crazy. Any guidance (please bear in mind I am a relative newby when it comes to working with Telnet/SSH etc) would be very much appreciated. It is really frustrating I cannot use one of the most useful, at least to me, features of the Merlin-firmware.
Thanks in advance.

 

[Tommy1234]

anybody has a hint?

 

[CaptainSTX]

anybody has a hint?

Normally on a router you can get only a single VPN client running using a particular port. For PIA you have the option to use several ports the standard being 1198 - UDP - AES-128-CBC SHA1. They have eight other ports that you can use but they have different protocols, encryption, auth hash root ca, crl. Some of the combinations I don't believe are supported by Merlin at least using the GUI.

I know that PIA tells you that you can have five VPNs running and you can but maybe not on the same router. I have had two running from PIA using the standard 1198 and the setup required for 1197. Neither Strong or Astrill offer any other port combinations you can use. Not familiar with how it works with other VPN providers.

 

[Tommy1234]

thanks for your answer Captain, but I am afraid I didn't explain the problem properly: I am not trying to run multiple VPN-clients simultaneously, but I want to be able to use them alternatively (when I need different geo locations). It used to work in the past quite nicely, but suddenly it stopped working and now I can only use the first VPN-client, though when I activate client 2 -5 (not at the same time), in the gui it looks like I get connected, but I am not able to reach the internet. So it seems something is blocking the connection, but as I indicated, I am not an expert, so if I got your answer totally wrong, my apologies.

 

[CaptainSTX]

If you have block routed clients if the tunnel goes down checked for a client un check it and apply before stopping a VPN client and switching to another. Then when you get that client running check block on the new client and apply and see if that helps.

Also if you are using policy routing I have found that a client can only be listed in one list. Should not be a problem if you are routing all.

I have had up to three clients running at the same time so it is possible to make multiple VPN clients work.