
Merlin v 384.7_2 Wildcard in OpenVPN client setting not working - bug?


Panjerossi

After updating to version 384.7_2 on my RT-AC86U, there seems to be an issue with the OpenVPN routing (redirect internet traffic) setting.

NOT working:

- setting 0.0.0.0 or leaving it empty as wildcard for local network (source) when using policy-based routing
- selecting ALL as property for the redirect internet traffic setting

Everything is just routed through WAN and nothing through VPN.

WORKING:

- setting 192.168.x.0/24 as wildcard for local network with 0.0.0.0 as destination.

So for destination, the 0.0.0.0 wildcard seems fine.

The workaround in using the /24 approach on local subnet is fine for me. But this might be a bug that needs solving.
 
Works for me. I just set a source as 0.0.0.0 and a destination as a subnet, and all traffic sent to that destination subnet is routed through the VPN, while the rest of the traffic isn't.
 
Thanks for checking.
I've tried again from scratch. Findings attached in PDF. Bottom line: it only seems not to work when 0.0.0.0 is in source AND destination, as specifying an address/subnet in destination OR in source seems fine.
 

Attachments

  • AC86_VPN.pdf
Setting both source and destination as 0.0.0.0 is not a typical case, and I can see it possibly not working. You need to explicitly define either the source or the destination.
 

Hmmm, the following appears to be valid syntax :confused:
Code:
ip rule add table xxx

ip rule add from 0/0 table xxx

ip rule add from 0.0.0.0 to 0.0.0.0 table xxx

so not sure if /usr/sbin/vpnrouting.sh is handling the request correctly....

NO....seemingly by design it doesn't by rejecting it :eek:
Code:
        if [ "$VPN_IP" != "0.0.0.0" ]
        then
            SRCC="from"
            SRCA="$VPN_IP"
        else
            SRCC=""
            SRCA=""
        fi
        DST_IP=$(echo $ENTRY | cut -d ">" -f 3)
        if [ "$DST_IP" != "0.0.0.0" ]
        then
            DSTC="to"
            DSTA="$DST_IP"
        else
            DSTC=""
            DSTA=""
        fi
        if [ "$SRCC" != "" -o "$DSTC" != "" ]        # <<=====  Explicitly prevents 'ip rule add table xxx priority nnnnn'  command !!!!
        then
            ip rule add $SRCC $SRCA $DSTC $DSTA table $TARGET_LOOKUP priority $RULE_PRIO
            my_logger "Adding route for $VPN_IP to $DST_IP through $TARGET_NAME"
        fi

so forces the user to explicitly specify the source LAN subnet in CIDR format if they want to selectively route 'Everything to Anywhere' via the VPN!
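
The guard quoted above, modelled as a dry-run audit (an added example, not part of the original post and not Merlin's script): it prints the `ip rule add` command each policy entry would produce and flags entries that produce none, which is the case where traffic silently stays on WAN. The `name>source>destination>iface` entry layout, the function names, and the table and priority values are assumptions; only the destination being field 3 comes from the excerpt.

```shell
#!/bin/sh
# Dry-run model of the guard in the excerpt above: prints the command that
# would run, never calls `ip`.
# Assumption: entry layout is "name>source>destination>iface"; only field 3
# (destination) is confirmed by the excerpt.

# Print the `ip rule add` command for one entry, or return 1 when the
# excerpt's guard would skip it (source and destination both 0.0.0.0).
rule_for_entry() {
    r_entry=$1; r_table=$2; r_prio=$3
    r_src=$(printf '%s\n' "$r_entry" | cut -d '>' -f 2)
    r_dst=$(printf '%s\n' "$r_entry" | cut -d '>' -f 3)
    set --                                   # selector words, built up below
    if [ "$r_src" != "0.0.0.0" ]; then set -- "$@" from "$r_src"; fi
    if [ "$r_dst" != "0.0.0.0" ]; then set -- "$@" to "$r_dst"; fi
    if [ $# -eq 0 ]; then return 1; fi       # same condition as the guard
    echo "ip rule add $* table $r_table priority $r_prio"
}

# Read entries on stdin, report each one, and return 1 if any entry would
# get no rule and so keep following the main table (WAN).
audit_policy() {
    a_table=$1; a_prio=$2; a_skipped=0
    while IFS= read -r a_line; do
        [ -n "$a_line" ] || continue
        if a_cmd=$(rule_for_entry "$a_line" "$a_table" "$a_prio"); then
            echo "OK       $a_cmd"
        else
            echo "NO RULE  ${a_line%%>*}: both selectors are 0.0.0.0"
            a_skipped=$((a_skipped + 1))
        fi
        a_prio=$((a_prio + 1))               # constructed numbering
    done
    [ "$a_skipped" -eq 0 ]
}

# Constructed sample policy, table and priority (not taken from the thread).
SAMPLE_POLICY='lan-subnet>192.168.1.0/24>0.0.0.0>VPN
to-remote>0.0.0.0>10.8.0.0/24>VPN
everything>0.0.0.0>0.0.0.0>VPN'

printf '%s\n' "$SAMPLE_POLICY" | audit_policy 111 10101 ||
    echo "WARNING: at least one policy entry installs no rule"
```

A non-zero status from `audit_policy` means at least one entry the user expected to go through the tunnel would have no policy rule at all.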
 
I can't remember the reason why, been too long since I've written the original script...
 
