Open vpn policy rules internet down


clvk07

Senior Member
I have set up an OpenVPN client with policy rules for only one device to block internet traffic if the tunnel is down.
If the tunnel is down it blocks internet for all devices, including the router itself, as it shows the internet as disconnected. I have the latest .17 firmware. It was also happening with .16.

Any ideas?
 

Martineau

Part of the Furniture
I have set up an OpenVPN client with policy rules for only one device to block internet traffic if the tunnel is down.
If the tunnel is down it blocks internet for all devices, including the router itself, as it shows the internet as disconnected. I have the latest .17 firmware. It was also happening with .16.

Any ideas?
You need to explicitly exclude the router if appropriate; see the Wiki Policy-based Selective Routing at the bottom of the page, and also KILL-switch Confused as to how to make the kill switch work

You can check the KILL-Switch configuration using
Code:
echo -e "\n\tRPDB Rules"; ip rule; echo
for I in 1 2 3 4 5; do
  if [ -n "$(nvram get vpn_client${I}_addr)" ]; then
    echo -e "\tClient ovpnc$I port $(nvram get vpn_client${I}_port) $(nvram get vpn_client${I}_proto)"
  else
    echo -e "\tClient ovpnc${I} NOT configured"
  fi
  # per-client route table 11X: default/half routes, prohibit (kill switch) and tun1x entries
  ip route show table 11$I | grep -E "^0\.|^128.|^default|^prohibit|tun1"
done
echo -e "\n\tTable main"; ip route show table 254 | grep -E "^0\.|^128.|^default"
However, if the WAN is truly DOWN, then the RPDB rules will be irrelevant.
 

clvk07

Senior Member
Strange. I had a policy rule to stop the tunnel only for one client, 192.168.1.99. After rebooting the router and turning off the VPN client service on the router, the client (.99) still could not access the internet but the rest of the devices could. I changed the IP address of the client to 192.168.1.98 and now it accesses the internet.

It seems it is still blocking that IP even when the VPN is off. Here is the result of the command with the VPN off.

RPDB Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Client ovpnc1 NOT configured
Client ovpnc2 port 80 tcp-client
Client ovpnc3 NOT configured
Client ovpnc4 NOT configured
Client ovpnc5 NOT configured
Table main
default via XXX.61.XX.1 dev eth0
 

Martineau

Part of the Furniture
Strange. I had a policy rule to stop the tunnel only for one client, 192.168.1.99. After rebooting the router and turning off the VPN client service on the router, the client (.99) still could not access the internet but the rest of the devices could. I changed the IP address of the client to 192.168.1.98 and now it accesses the internet.

It seems it is still blocking that IP even when the VPN is off. Here is the result of the command with the VPN off.

RPDB Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Client ovpnc1 NOT configured
Client ovpnc2 port 80 tcp-client
Client ovpnc3 NOT configured
Client ovpnc4 NOT configured
Client ovpnc5 NOT configured
Table main
default via XXX.61.XX.1 dev eth0
Perhaps there is an iptables blocking rule?

e.g.
Code:
iptables-save | grep 192.168.1.99
 

clvk07

Senior Member
Perhaps there is an iptables blocking rule?

e.g.
Code:
iptables-save | grep 192.168.1.99

[email protected]:/tmp/mnt# iptables-save | grep 192.168.1.99
[email protected]:/tmp/mnt#

No, it doesn't seem like it. I was using a different VPN provider a few months ago and didn't have these problems. Could it be the configuration of the OVPN file? I find it strange that the problem is still there if I turn off the VPN, and that if the tunnel goes down it blocks all clients rather than just the one I have in the policy rules...
 

Martineau

Part of the Furniture
[email protected]:/tmp/mnt# iptables-save | grep 192.168.1.99
[email protected]:/tmp/mnt#

No, it doesn't seem like it. I was using a different VPN provider a few months ago and didn't have these problems. Could it be the configuration of the OVPN file? I find it strange that the problem is still there if I turn off the VPN, and that if the tunnel goes down it blocks all clients rather than just the one I have in the policy rules...
If the VPN tunnel is DOWN, and everything is blocked, then you need to check the FORWARD chain for a possible interface blocking rule (br0 outbound via $(nvram get wan0_ifname) ?), or is it simply that DNS isn't working?
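An added offline diagnostic (not from this thread and not Asus-Merlin code) that applies the two checks given above, the RPDB rule/per-client route table check and the FORWARD chain check, to captured command output so it can be read and tested without the router. The three sample inputs, the client IP 192.168.1.99 and the WAN interface eth0 are constructed/assumed; on the router feed it the live output of `ip rule`, `ip route show table 11X` and `iptables-save`.

```shell
# Offline diagnostic for the symptoms in this thread (added example, not
# router code). It applies the checks described above to captured output:
# which table the RPDB sends a client to, whether that table holds a
# kill-switch 'prohibit' route or a usable route via tun1x, and whether the
# FORWARD chain drops the client or the whole br0 -> WAN path.
# All three SAMPLE_* inputs are CONSTRUCTED; on the router replace them with
# the output of `ip rule`, `ip route show table 11X` and `iptables-save`.
CLIENT_IP="192.168.1.99"   # policy-routed client from the thread
WAN_IF="eth0"              # $(nvram get wan0_ifname) on the router

SAMPLE_RULES='0: from all lookup local
10201: from 192.168.1.99 lookup ovpnc2
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE='prohibit default'   # tunnel down, "block routed clients" on
SAMPLE_IPT='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o eth0 -s 192.168.1.99/32 -j DROP
COMMIT'

# Print the table name the client's RPDB rule selects, or "none".
rpdb_table_for() {   # $1 = `ip rule` output, $2 = client IP
    printf '%s\n' "$1" |
      awk -v ip="$2" '$2=="from" && $3==ip {print $NF; f=1; exit} END{if(!f) print "none"}'
}

# "killswitch" if a prohibit route is present, "tunnel" if a default/half
# route goes via a tun1x interface, else "empty" (nothing routes the client).
table_state() {      # $1 = `ip route show table 11X` output
    if printf '%s\n' "$1" | grep -q '^prohibit'; then echo killswitch
    elif printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) .*tun1'; then echo tunnel
    else echo empty; fi
}

# Print FORWARD DROP/REJECT rules hitting the client IP or all of br0 -> WAN;
# exit status 1 when there are none (grep's own status).
forward_blocks() {   # $1 = `iptables-save` output, $2 = client IP, $3 = WAN if
    printf '%s\n' "$1" | grep -E '^-A FORWARD .*-j (DROP|REJECT)' |
      grep -F -e "-s $2/32" -e "-s $2 " -e "-i br0 -o $3 -j"
}
diagnose() {         # $1 rules, $2 table, $3 iptables-save, $4 client, $5 WAN
    tbl=$(rpdb_table_for "$1" "$4"); echo "RPDB: $4 -> $tbl"
    [ "$tbl" = none ] || echo "table $tbl: $(table_state "$2")"
    if blk=$(forward_blocks "$3" "$4" "$5"); then
        printf 'FORWARD chain blocks traffic:\n%s\n' "$blk"
    else echo "FORWARD chain clean for $4 and br0->$5; check DNS next"; fi
}

diagnose "$SAMPLE_RULES" "$SAMPLE_TABLE" "$SAMPLE_IPT" "$CLIENT_IP" "$WAN_IF"
```

With the constructed samples it reports the client routed to ovpnc2, that table in kill-switch state, and the FORWARD DROP rule; a clean run ends with the DNS hint, which is the remaining cause named above.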
 

clvk07

Senior Member
If the VPN tunnel is DOWN, and everything is blocked, then you need to check the FORWARD chain for a possible interface blocking rule (br0 outbound via $(nvram get wan0_ifname) ?), or is it simply that DNS isn't working?

The Asus page shows Internet disconnected, so I guess it is the full internet. Will do more tests and report. I changed the policy rule to strict and changed it not to block routed clients if the tunnel goes down.
 

clvk07

Senior Member
I switched back to the old VPN provider and the issue is gone. Must be some rules in the custom configuration that were causing the problem. Strange that it would bring the internet connection of the router down.
 

sirmclouis

Occasional Visitor
I believe I have a similar issue. My provider is NordVPN and I also have YazFi configured so a guest wifi is connected to the VPN. I also have two other clients connected to the VPN directly…

If the VPN goes down, the entire internet is blocked for all the other devices and not only the ones connected to the VPN. The WAN connection is still showing as connected in the router page.

If I turn the VPN client off manually, everything works, but of course the VPN clients aren't connected to the internet.

I believe that the relevant part of the log is this one: https://gist.github.com/luispuerto/5ca2d1833b5dfd0287be4b1b359bb1ad
 
