
openvpn multiple client default behavior?

Discussion in 'Asuswrt-Merlin' started by dasus, Jul 16, 2019.

  1. dasus

    dasus Occasional Visitor

    Joined:
    Jul 16, 2019
    Messages:
    12
    When I have client 1-5 all connected to 5 different VPN servers with the default settings on a fresh install, what exactly is the behavior? For me it appears to randomly direct all my devices to one of the VPN servers at random.
     
  2. ASadani

    ASadani Regular Contributor

    Joined:
    Apr 27, 2017
    Messages:
    170
    I didn't know you could run more than two, but as you mention, I may be wrong. If you route the VPN to a device then it should stick to that device. VPNs run on CPU and I believe one VPN will take up one CPU. If you have 5 VPNs then that may be the issue.
     
  3. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,272
    Location:
    UK
    If ALL 5 VPN clients have Selective Routing enabled ('Redirect Internet traffic=Policy Rules*') and there are overlapping source IP ranges defined for Selective Routing, then for routing decisions VPN Client 1 will have the highest priority and VPN Client 5 the lowest priority.

    If however, 'Redirect Internet traffic=ALL', then the selective routing will depend on which VPN Client connection is enabled/ACTIVE last and may be the cause of the seemingly random selective routing you have described.

    NOTE: CPU affinity has no bearing on the routing rules, but can affect VPN tunnel throughput performance.

    Unless you're also running a Dual-WAN environment, the Policy routing rules are always static and are processed in descending order of priority.

    I suggest you verify/check the Routing Policy rules and routes:
    Code:
    ip rule
    
    for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done
    EDIT: Corrected typo in command 'ip rules'
     
    Last edited: Jul 16, 2019
  4. dasus

    dasus Occasional Visitor

    Joined:
    Jul 16, 2019
    Messages:
    12
    I have all VPNs connected but Redirect Internet traffic set to "No" on all of them. I just disconnected and reconnected them all, and all traffic goes straight out the WAN until I hit apply on one of the VPN configs, so it seems like the behavior follows the last VPN config you hit apply on?
    Does this mean I can use Policy Rules or Policy Rules strict and turn the kill switch only on VPN config 5 to have backups leading to a final failure?
    I am getting an error on the command "ip rules" or was this just the title of the next command? The output I get is:
    Code:
    Table 254
    0.0.0.0/1 via 10.8.2.1 dev tun14
    default via **my ISP** dev eth0
    128.0.0.0/1 via 10.8.2.1 dev tun14
    Table 111
    Table 112
    Table 113
    Table 114
    Table 115
    
    Thanks for your assistance.
     
  5. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,272
    Location:
    UK
    Correct - 'Redirect Internet Traffic=No' doesn't do what you would expect....it is the same as 'Redirect Internet Traffic=ALL'

    and is clearly shown in your output

    i.e. everything is routed via VPN Client 4

    Code:
    Table 254
    0.0.0.0/1 via 10.8.2.1 dev tun14
    default via **my ISP** dev eth0
    128.0.0.0/1 via 10.8.2.1 dev tun14
    Table 111
    Table 112
    Table 113
    Table 114
    Table 115
    
    Yes
    Abject apologies, I have corrected the silly typo in the command.
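The two posts above first give the check commands (`ip rule` plus `ip route show table <ID>` for the main table 254 and the VPN client tables 111-115) and then read the output: the `0.0.0.0/1` and `128.0.0.0/1` pair via `tun14` covers the whole address space and, being more specific than the `/0` default via `eth0`, wins, so everything leaves through VPN Client 4. The script below is an added example, not code from the thread or from Asuswrt-Merlin, that automates exactly that reading. It works on a constructed copy of the output shown in the thread (the ISP address is a documentation placeholder, `203.0.113.1`) and reports, per table, which device is the effective Internet gateway; the `tun1N` to "VPN Client N" mapping is assumed from the thread's `tun14` = VPN Client 4 and the table IDs 111-115.

```shell
#!/bin/sh
# Constructed sample of the thread's `ip route show table <ID>` output.
# Table 254 is the main table; 111-115 are the five VPN client tables.
SAMPLE_ROUTES='Table 254
0.0.0.0/1 via 10.8.2.1 dev tun14
default via 203.0.113.1 dev eth0
128.0.0.0/1 via 10.8.2.1 dev tun14
Table 111
Table 112
Table 113
Table 114
Table 115'

# effective_gateway TABLE OUTPUT
# Prints the device that really carries all Internet traffic for TABLE:
# if both halves of the OpenVPN redirect-gateway pair (0.0.0.0/1 and
# 128.0.0.0/1) point at one device, that device beats the /0 default on
# prefix length; otherwise the plain default route wins; "none" if neither.
effective_gateway() {
    table="$1"
    printf '%s\n' "$2" | awk -v want="Table $table" '
        /^Table / { cur = $0; next }
        cur == want && ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 1; i <= NF; i++) if ($i == "dev") half[$(i + 1)]++
        }
        cur == want && $1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") def = $(i + 1)
        }
        END {
            for (d in half) if (half[d] == 2) { print d; exit }
            if (def != "") { print def; exit }
            print "none"
        }'
}

# vpn_client_of DEVICE
# Assumed mapping: tun11..tun15 are VPN Clients 1..5 (tun14 = VPN Client 4,
# as in the thread); anything else is the WAN or an unrelated interface.
vpn_client_of() {
    case "$1" in
        tun1[1-5]) echo "VPN Client ${1#tun1}" ;;
        *)         echo "WAN/other ($1)" ;;
    esac
}

# Walk the same tables the thread's one-liner inspects.
for ID in 254 111 112 113 114 115; do
    dev=$(effective_gateway "$ID" "$SAMPLE_ROUTES")
    echo "table $ID -> $dev ($(vpn_client_of "$dev"))"
done
```

On the router itself, replace the constructed `SAMPLE_ROUTES` with the live output, for example `SAMPLE_ROUTES=$(for ID in 254 111 112 113 114 115; do echo "Table $ID"; ip route show table $ID; done)`; if table 254 resolves to a `tun` device while every client is set to 'Redirect Internet traffic=No', that is the "server told us to redirect" behaviour described further down the thread, not a policy rule you configured.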
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,825
    Location:
    Canada
    To be more accurate, it's the same as "Redirect Internet Traffic = whatever your remote server tells us to do". If they redirect traffic (like a typical VPN tunnel provider does), it will get redirected.

    This might be more obvious if you read this setting as "Force Internet traffic redirection" perhaps. I should perhaps reword it that way.
     
  7. dasus

    dasus Occasional Visitor

    Joined:
    Jul 16, 2019
    Messages:
    12
    I think adding the word Force makes a lot of sense. Makes me wonder, theoretically could a VPN provider selectively not encrypt certain traffic?

    New Question #1
    Online somewhere they recommended routing the default gateway/router IP to WAN for better performance... but I don't really understand what that means. Was that site mistaken? What exactly is the pro/con of encrypting the default gateway? By default it will encrypt the router/default gateway the way I currently have it set up?

    New Question #2
    I can't quite understand this. Is there a simple example to show the difference between strict mode and regular policy mode? What is an example of a rule "not specifically" targeting a tunnel interface?
     
    Last edited: Jul 16, 2019
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,825
    Location:
    Canada
    Not a provider. However the original, REAL use for a VPN is to connect to a remote office, in which case you typically do not want traffic to be redirected through the tunnel.

    Can't say, not knowing what they exactly wrote, and in what context.
     
  9. dasus

    dasus Occasional Visitor

    Joined:
    Jul 16, 2019
    Messages:
    12
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
    What is the effect of making an exception for the router? I thought everything would be going through the VPN anyway even with making such an exception?