OpenVPN configuration IP leak.

Panhan

New Around Here
Hello

I'm far from an expert in this field and I need help with this issue.

I have a problem with my OpenVPN client configuration: my configuration leaks my IP sometimes (as if the tunnel did not work). Did I make a mistake somewhere?

Here is my setup:

I have an RT-AC68U with Asus Merlin software. 5 PCs are connected to my router, and I want two of them to connect ONLY via the OpenVPN client 1 configuration (VPN - TorGuard).

My router had default settings, and I made the following steps.

Step 1. in LAN > DHCP Server


Enable Manual Assignment > YES

And I manually assigned IPs for these 2 computers (I want them to connect through the VPN tunnel all the time).

Step 2. in VPN > VPN Client


I set up my VPN and then,

Redirect Internet traffic > Policy Rules
(I also tried strict too, same problem)

Block routed clients if tunnel goes down > YES

Then below in "Rules for routing client traffic through the tunnel"

I add the assigned IPs from step 1, leave the destination IP empty, and set Iface to VPN.


And everything works, but sometimes these 2 computers connect without the tunnel and leak my IP.
It looks like the VPN client Service state sometimes goes OFF, then my IP leaks.


How can I solve this?

Thank you for your time and help
 
Is there any option to force connection only via VPN for these 2 computers, OUTSIDE of the OpenVPN client configuration? Just to add another layer of protection from IP leaks?
 
First I would attempt to try and identify how/why the 'Block routed clients if tunnel goes down=YES' isn't working.

e.g. if using VPN Client #1
Code:
ip rule

ip route show table 111

or use my script ChkVPNConfig.sh

...but in the interim you can use the old-skool method to explicitly block say 192.168.1.xxx and 192.168.1.yyy from using the WAN

e.g. /jffs/scripts/firewall-start
Code:
iptables -D FORWARD -i br0  -s 192.168.1.xxx,192.168.1.yyy -o $(nvram get wan0_ifname) -j DROP

iptables -I FORWARD -i br0  -s 192.168.1.xxx,192.168.1.yyy -o $(nvram get wan0_ifname) -j DROP
 
I do not really know what's going on, and I have no ideas. I had an IP leak again today, and here is the log from this situation.

I had the firewall script from above, to block the IPs from using the WAN, but it DID NOT WORK this time. What to do now?

LOG

https://pastebin.com/tHjC9M56
 
Apart from the fact that Torguard have pushed Cloudflare DNS servers.....
Code:
May 26 09:33:20 ovpn-client2[16941]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1, <snip>
For the perceived "IP leak", are you sure that you have correctly set the firewall WAN blocking rule for 192.168.1.33 and 192.168.1.16?

You will need to provide the output of the following commands:
Code:
ip rule

ip route show table 111

iptables --line -nvL FORWARD

nvram get vpn_client1_clientlist
 
For the perceived "IP leak", are you sure that you have correctly set the firewall WAN blocking rule for 192.168.1.33 and 192.168.1.16?

I know the leak happened, because Gmail registered my true IP, "recent location" exactly at 9:33.

In /jffs/scripts/firewall-start I had exactly this:

Code:
#!/bin/sh

iptables -D FORWARD -i br0  -s 192.168.1.6,192.168.1.33,192.168.1.16 -o $(nvram get wan0_ifname) -j DROP

iptables -I FORWARD -i br0  -s 192.168.1.6,192.168.1.33,192.168.1.16 -o $(nvram get wan0_ifname) -j DROP

You will need to provide the output of the following commands:

Where to enter these commands, could you explain it to me?
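
The two checks requested in this thread, as an added example that is not part of any post: it reads the output of `iptables --line -nvL FORWARD` and `ip rule` and lists which client IPs have no WAN DROP rule or no policy rule to the VPN table. The sample outputs, the WAN interface name `eth0` and the table name `ovpnc1` are constructed assumptions; on the router the live commands would be piped in from its shell.

```shell
#!/bin/sh
# Added example, not from the thread. All sample output below is constructed.
# On the router, pipe the live commands in instead, e.g.:
#   iptables --line -nvL FORWARD | missing_wan_drop "$CLIENTS" "$(nvram get wan0_ifname)"
#   ip rule | missing_policy_rule "$CLIENTS" 111

# List the IPs in $1 that have no "DROP, in br0, out $2" row in the
# `iptables --line -nvL FORWARD` listing on stdin. iptables expands
# "-s a,b,c" into one rule per address, so each client needs its own row.
missing_wan_drop() {
    awk -v ips="$1" -v wan="$2" '
        $4 == "DROP" && $7 == "br0" && $8 == wan { seen[$9] = 1 }
        END { n = split(ips, ip, " ")
              for (i = 1; i <= n; i++)
                  if (!(ip[i] in seen)) { printf "%s%s", sep, ip[i]; sep = " " } }'
}

# List the IPs in $1 that have no `ip rule` entry (stdin) sending them to the
# VPN table $2 (111 for client 1). The rule may show the table by name; the
# default name ovpnc1 is an assumption, override it with $3.
missing_policy_rule() {
    awk -v ips="$1" -v tbl="$2" -v name="${3:-ovpnc1}" '
        $2 == "from" && $4 == "lookup" && ($5 == tbl || $5 == name) { seen[$3] = 1 }
        END { n = split(ips, ip, " ")
              for (i = 1; i <= n; i++)
                  if (!(ip[i] in seen)) { printf "%s%s", sep, ip[i]; sep = " " } }'
}

CLIENTS="192.168.1.33 192.168.1.16"

# Constructed listing: the DROP rule for 192.168.1.16 is absent.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  br0    eth0    192.168.1.6          0.0.0.0/0
2       12   720 DROP       all  --  br0    eth0    192.168.1.33         0.0.0.0/0
3     5120  410K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Constructed listing: the policy rule for 192.168.1.33 is absent.
SAMPLE_RULES='0:      from all lookup local
10102:  from 192.168.1.16 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

echo "no WAN DROP rule: $(printf '%s\n' "$SAMPLE_FORWARD" | missing_wan_drop "$CLIENTS" eth0)"
echo "no policy rule:   $(printf '%s\n' "$SAMPLE_RULES" | missing_policy_rule "$CLIENTS" 111)"
```

An empty result from both functions means every listed client has both its DROP rule and its policy rule; any IP that is printed is one that can reach the WAN directly or is not being routed into the VPN table.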
 
