Multiple VPN routing policy settings


stamzrat10

New Around Here
Hi friends, this is my first post, therefore, I would like to say that the Merlin firmware is awesome. I really appreciate all the work and development invested in it. Thanks to it I have gained enough knowledge to set up a very convenient setup at home.

I have an RT-AC86U, I use NordVPN and have about 3 concurrent OpenVPN clients working at the same time.

At the moment, I only manage to give very specific routing rules, e.g. have the printer connect to OpenVPN#1, the TV to OpenVPN#2, the phone to OpenVPN#3, etc. But if I try to have all connections tunneled by default through OpenVPN #1 unless they have rules in OpenVPN #2 or 3, it fails and the internet connection drops.

I use 192.168.1.0/24 0.0.0.0 VPN at OpenVPN#1 and add all the rules from the other OpenVPN clients as xx.xx.xx.xx 0.0.0.0 WAN.

With all clients I use: Accept DNS Configuration = Exclusive,
Force Internet traffic through tunnel = Policy Rules (strict),
No NAT or private IP,
and the subnets and ports are different and not overlapping.

In other words, how do I configure all connections to be tunneled by default through OpenVPN client #1 unless stated otherwise in OpenVPN client 2 or 3?
When I browsed through the forum I couldn't find the answer so maybe others will benefit from this thread as well.

John
 

Martineau

Part of the Furniture
The Selective Routing (RPDB) GUI rules are applied in the following order (but may be overridden by using the 'openvpn-event' trigger scripts):
Code:
     GUI:    Selective Routing Source/Destination (Client 1 WAN)    <-HIGHEST priority
     GUI:    Selective Routing Source/Destination (Client 1 VPN)
     etc.
     GUI:    Selective Routing Source/Destination (Client 5 WAN)
     GUI:    Selective Routing Source/Destination (Client 5 VPN)    <-LOWEST priority

e.g.
Code:
     VPN Client 1
     192.168.55.111/32  0.0.0.0 VPN    Selective routing for a single LAN device
 
     VPN Client 2
     192.168.55.222/31  0.0.0.0 VPN    Selective routing for two LAN devices
 
     VPN Client 3
     192.168.55.0/24    0.0.0.0 VPN    (default) Selective routing for ALL LAN devices
     192.168.55.99/32   0.0.0.0 WAN           except for this single LAN device which always uses the WAN

NOTE: If either VPN Client 1 and/or VPN Client 2 is DOWN, then you would need to judiciously specify the KILL-Switch, assuming the nominated explicit VPN Client 1/2 devices must not use VPN Client 3.
 

stamzrat10

New Around Here
Thanks for your reply, I tried it and it didn't work.
I now understand how the priority works, here is what I did.

In VPN client 1 I placed just one LAN device (but the client is off at the moment).

In VPN client 2 I placed 2 LAN devices.

In VPN client 3 I placed the 192.168.1.0/24 VPN rule
and the devices from clients 2 and 1 as WAN so that they won't be tunneled through client 3.

But then there is no connection, as I assume something overlaps or causes an error. I can live without it, but I just want newly connected devices to automatically use client 3.
 

Martineau

Part of the Furniture
You can use this one-line command to debug the RPDB/routing rules

Code:
echo -e "\n\tRPDB Rules";ip rule;for I in 1 2 3 4 5;do VPNSERVER="$(nvram get vpn_client${I}_addr)";VPNPORT="$(nvram get vpn_client${I}_port)"; VPNPROTO="$(nvram get vpn_client${I}_proto)"; [ -z "$VPNSERVER" ] && VPNSERVER="Not configured!"; echo -e "\n\tVPN Client $I (${VPNSERVER} ${VPNPORT}:${VPNPROTO}) ovpn$I routes";ip route show table 11$I;echo;done;echo -e "\tWAN";ip route | grep -E "^0\.|^128.|^default" | sed '/^default/ s/[^ ]*[^ ]/xxx.xxx.xxx.xxx/3'

EDIT: Updated the diagnostic to include the configured VPN server, port and protocol used.

The command should obfuscate your WAN IP, so you can safely post the output.
 

stamzrat10

New Around Here
Thanks Martineau, I appreciate it. I just think that this is a bit beyond my skills at the moment.
I do know how to use PuTTY and to edit things with nano, but I am not completely sure how to edit your script so that it will fit my needs. Haha, I was afraid that it would eventually get to a scripting level. In this case I will probably just map all the devices in my house to connect to the proper VPNs, and new devices will be added manually instead of 192.168.1.0/24, which probably conflicts with the other OpenVPN clients.
 

Martineau

Part of the Furniture
It's not technically a script - just a combination of multiple commands to be executed in a controlled order, and it doesn't need any editing to "fit your needs".

Simply triple-Left-click rapidly anywhere on the command - it will be completely highlighted - then Right-click and select copy, then simply paste into your PuTTY session command line and it should auto-execute; if not, hit Enter.
 

stamzrat10

New Around Here
OK, I will give it a try! So basically it will use VPN client 3 on anything other than the rules which I already set? And if I would like to disable it, I could just reboot the router?
 

Martineau

Part of the Furniture
The "command" is passive - i.e. it simply displays the current Selective Routing RPDB rules together with their associated VPN Client routing tables.

It is intended to be used to assist in debugging any VPN conflicts.
 

stamzrat10

New Around Here
Got it... *face palm*

Code:
     RPDB Rules
     0: from all lookup local
     10201: from 192.168.1.3 to yyy.yyy.yyy.yy [masked on purpose] lookup main
     10301: from 192.168.1.131 lookup ovpnc2
     10302: from 192.168.1.3 lookup ovpnc2
     10303: from 192.168.1.232 lookup ovpnc2
     10401: from 192.168.1.65 lookup main
     10402: from 192.168.1.129 lookup main
     10403: from 192.168.1.131 lookup main
     10404: from 192.168.1.232 lookup main
     10405: from 192.168.1.3 lookup main
     10501: from 192.168.1.0/24 lookup ovpnc3
     32766: from all lookup main
     32767: from all lookup default

     VPN Client ovpn1

     VPN Client ovpn2
     default via 10.7.0.1 dev tun12
     10.7.0.0/16 dev tun12 proto kernel scope link src 10.7.251.37
     192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3

     VPN Client ovpn3
     default via 10.8.3.1 dev tun13
     10.8.3.0/24 dev tun13 proto kernel scope link src 10.8.3.17
     192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.3

     VPN Client ovpn4

     VPN Client ovpn5

     WAN
     default via xxx.xxx.xxx.xxx dev eth0
 

stamzrat10

New Around Here
Big edit:
I will have to wait and see what happens. Everything worked, then the connection dropped all of a sudden. I had to turn off and turn on the WAN (from the main screen of the router), and turn off and on the VPNs.

Now it works again. I wonder if you could spot some error in the output above.

I suspect that I have one dedicated IP VPN, which allows only 2 clients to log in, and when I logged in with my phone app (on cellular data) it probably triggered a second of no connection on the VPN and the tunnel fell down.

My suspicion above makes the most sense to me. Without your help I couldn't have made it, so thanks again. I will be following this thread in case you spot some error or reply to it. God Bless
 

Martineau

Part of the Furniture
Hopefully the (enhanced/edited) diagnostic "command" gives you a useful global view of your GUI-defined Selective Routing RPDB rules?

i.e. if you stop VPN Client 2, rule "10302: from 192.168.1.3 lookup ovpnc2" will no longer exist, and 192.168.1.3 will now be explicitly routed via the WAN (if VPN Client 3 is UP) due to rule "10405: from 192.168.1.3 lookup main".
NOTE: The prefix of each RPDB rule determines its priority (PRIO), so for complex/advanced Selective Routing, dynamically changing the PRIO (using event scripting) can be useful.
Not sure why the VPN/WAN connection is apparently unstable - usually Syslog and/or increasing the VPN Client logging from its default Log verbosity=3 may assist in identifying the issue.

Usually, when running multiple VPN clients concurrently to the same VPN ISP server, changing the protocol and/or ensuring that different ports are used for each client together with Force Internet traffic through tunnel=Policy Rules (strict) is advised.

NOTE: Most VPN ISPs would regard the router as one physical client even when multiple router VPN clients are concurrently ACTIVE, but you may need to check your T&Cs etc.

Regards,
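To make the priority walk described in this thread concrete (the HIGHEST-to-LOWEST order of the GUI rules, the kill-switch caveat when a client is DOWN, and the "stop VPN Client 2 and 192.168.1.3 falls back to rule 10405" case above), here is an added example that is not part of the thread or of the firmware: a small shell script for the router's busybox ash (or any POSIX sh) that replays the posted `ip rule` list for one LAN source address. The only assumption is how a DOWN client is modelled: its routing table is treated as empty, so the kernel's lookup in that table fails and the next rule is tried, which is also what happens when Merlin removes the rule outright.

```shell
#!/bin/sh
# Added example (not from the thread): walk the RPDB rules from the 'ip rule'
# output above the way the kernel does. Rules are tried in ascending PRIO; a
# matching source selector sends the lookup to the rule's table, and when that
# table holds no route (a VPN client that is DOWN leaves its table empty) the
# lookup fails and evaluation simply continues with the next rule.

# Constructed from the thread's output as PRIO:source-selector:table tokens.
RULES="10301:192.168.1.131:ovpnc2 10302:192.168.1.3:ovpnc2 10303:192.168.1.232:ovpnc2
10401:192.168.1.65:main 10402:192.168.1.129:main 10403:192.168.1.131:main
10404:192.168.1.232:main 10405:192.168.1.3:main 10501:192.168.1.0/24:ovpnc3
32766:all:main"

ip2int() {                      # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

matches() {                     # matches SRC SELECTOR; SELECTOR is all | a.b.c.d[/len]
  local src=$1 sel=$2 len=32 mask
  [ "$sel" = all ] && return 0
  case $sel in */*) len=${sel#*/}; sel=${sel%/*} ;; esac
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$src") & mask )) -eq $(( $(ip2int "$sel") & mask )) ]
}

# rpdb_lookup SRC "TABLES WITH A DEFAULT ROUTE" -> prints the table that wins
rpdb_lookup() {
  local src=$1 up=" $2 " rule rest sel table
  for rule in $RULES; do                 # $RULES is already sorted by PRIO
    rest=${rule#*:}                      # drop the PRIO token
    sel=${rest%%:*}; table=${rest#*:}
    matches "$src" "$sel" || continue    # selector does not match: next rule
    case $up in *" $table "*) echo "$table"; return 0 ;; esac
    # table is empty (that VPN client is DOWN): fall through to the next rule
  done
  return 1
}

# The scenarios from the thread: VPN Client 2 running, then stopped.
rpdb_lookup 192.168.1.3  "main ovpnc2 ovpnc3"  # -> ovpnc2 (rule 10302)
rpdb_lookup 192.168.1.3  "main ovpnc3"         # -> main   (rule 10405: out via the WAN)
rpdb_lookup 192.168.1.50 "main ovpnc2 ovpnc3"  # -> ovpnc3 (rule 10501 catches new devices)
rpdb_lookup 192.168.1.50 "main"                # -> main   (client 3 DOWN: WAN unless a kill switch blocks it)
```

The last line is the case the kill-switch NOTE above warns about: with VPN Client 3 DOWN, the 192.168.1.0/24 catch-all rule finds no route and every unlisted device silently falls through to 32766 (the WAN).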
 
