openvpn multiple client default behavior?

dasus

Occasional Visitor
When I have client 1-5 all connected to 5 different VPN servers with the default settings on a fresh install, what exactly is the behavior? For me it appears to randomly direct all my devices to one of the VPN servers at random.
 
I didn't know you could run more than two, but as you mention, I may be wrong. If you route the VPN to a device then it should stick to that device. VPNs run on CPU and I believe one VPN will take up one CPU. If you have 5 VPNs then that may be the issue.
 
When I have client 1-5 all connected to 5 different VPN servers with the default settings on a fresh install, what exactly is the behavior?

For me it appears to randomly direct all my devices to one of the VPN servers at random.

If ALL 5 VPN clients have Selective Routing enabled ('Redirect Internet traffic=Policy Rules*') and there are overlapping source IP ranges defined for Selective Routing, then for routing decisions VPN Client 1 will have the highest priority and VPN Client 5 the lowest priority.

If however, 'Redirect Internet traffic=ALL', then the selective routing will depend on which VPN Client connection is enabled/ACTIVE last and may be the cause of the seemingly random selective routing you have described.

NOTE: CPU affinity has no bearing on the routing rules, but can affect VPN tunnel throughput performance.

Unless you're also running a Dual-WAN environment, the Policy routing rules are always static and are processed in descending order of priority.

I suggest you verify/check the Routing Policy rules and routes:
Code:
ip rule

for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done

EDIT: Corrected typo in command 'ip rules'
 
If however, 'Redirect Internet traffic=ALL', then the selective routing will depend on which VPN Client connection is enabled/ACTIVE last and may be the cause of the seemingly random selective routing you have described.
I have all VPNs connected but Redirect Internet traffic to "No" on all of them. I just disconnected and reconnected them all and all traffic goes straight out the WAN until I hit apply on one of the VPN configs so it seems like the behavior is the last VPN config you hit apply on?
If ALL 5 VPN clients have Selective Routing enabled ('Redirect Internet traffic=Policy Rules*') and there are overlapping source IP ranges defined for Selective Routing, then for routing decisions VPN Client 1 will have the highest priority and VPN Client 5 the lowest priority.
Does this mean I can use Policy Rules or Policy Rules strict and turn the kill switch only on VPN config 5 to have backups leading to a final failure?
NOTE: CPU affinity has no bearing on the routing rules, but can affect VPN tunnel throughput performance.
Unless you're also running a Dual-WAN environment, the Policy routing rules are always static and are processed in descending order of priority.
I suggest you verify/check the Routing Policy rules and routes:
Code:
ip rules
for ID in 254 111 112 113 114 115;do echo "Table "$ID;ip route show table $ID | grep -E "default|^128|^0";done
I am getting an error on the command "ip rules" or was this just the title of the next command? The output I get is:
Code:
Table 254
0.0.0.0/1 via 10.8.2.1 dev tun14
default via **my ISP** dev eth0
128.0.0.0/1 via 10.8.2.1 dev tun14
Table 111
Table 112
Table 113
Table 114
Table 115
Thanks for your assistance.
 
I have all VPNs connected but Redirect Internet traffic to "No" on all of them. I just disconnected and reconnected them all and all traffic goes straight out the WAN until I hit apply on one of the VPN configs so it seems like the behavior is the last VPN config you hit apply on?

Correct - 'Redirect Internet Traffic=No' doesn't do what you would expect... it is the same as 'Redirect Internet Traffic=ALL' :rolleyes:

and is clearly shown in your output

i.e. everything is routed via VPN Client 4

Table 254
0.0.0.0/1 via 10.8.2.1 dev tun14
default via **my ISP** dev eth0
128.0.0.0/1 via 10.8.2.1 dev tun14
Table 111
Table 112
Table 113
Table 114
Table 115
Does this mean I can use Policy Rules or Policy Rules strict and turn the kill switch only on VPN config 5 to have backups leading to a final failure?
Yes
I am getting an error on the command "ip rules"
Abject apologies, I have corrected the silly typo in the command :oops:
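The two points made above, rule priority (Client 1 beats Client 5 for an overlapping source) and reading the 0.0.0.0/1 + 128.0.0.0/1 pair in table 254 as "everything goes via VPN Client 4", worked through as an added example that is not from the thread or from the firmware. The `ip rule` and `ip route` output it replays is constructed, and the rule priority numbers are assumptions.

```shell
# Added example, not from the thread: replay captured `ip rule` and `ip route
# show table N` output to see which table a LAN host lands in and whether it
# sends Internet traffic into a tunnel. Sample output is constructed; rule
# priorities are assumptions. Lower priority number wins: client 1's rule for
# 192.168.1.10 is consulted before client 5's rule for the same host.
RULES='0:      from all lookup local
10101:  from 192.168.1.10 lookup 111
10301:  from 192.168.1.40 lookup 113
10501:  from 192.168.1.10 lookup 115
10502:  from 192.168.1.20 lookup 115
32766:  from all lookup main
32767:  from all lookup default'
# Table 254 (main) holds the 0.0.0.0/1 + 128.0.0.0/1 pair an OpenVPN client
# installs when the server pushes redirect-gateway def1; 113 is empty.
route_table() {
  case "$1" in
    254|main) printf '%s\n' '0.0.0.0/1 via 10.8.2.1 dev tun14' \
                          'default via 203.0.113.1 dev eth0' \
                          '128.0.0.0/1 via 10.8.2.1 dev tun14' ;;
    111) printf '%s\n' 'default via 10.8.1.1 dev tun11' ;;
    115) printf '%s\n' 'default via 10.8.5.1 dev tun15' ;;
    *) : ;;
  esac
}
# Every table whose rule matches the source IP, in priority order.
tables_for_src() {
  printf '%s\n' "$RULES" | awk -v ip="$1" '
    $2 == "from" && ($3 == ip || $3 == "all") && $5 != "local" { print $5 }'
}
# Device carrying Internet-bound traffic in one table: the two /1 routes
# beat a plain default route because /1 is more specific than /0.
egress_dev_in_table() {
  route_table "$1" | awk '
    /^0\.0\.0\.0\/1 /   { for (i=1;i<=NF;i++) if ($i=="dev") lo=$(i+1) }
    /^128\.0\.0\.0\/1 / { for (i=1;i<=NF;i++) if ($i=="dev") hi=$(i+1) }
    /^default /         { for (i=1;i<=NF;i++) if ($i=="dev") def=$(i+1) }
    END { if (lo != "" && lo == hi) print lo; else if (def != "") print def }'
}
# Walk the rules as the kernel does: a table with no route for the
# destination is skipped. Merlin names OpenVPN client N's interface tun1N.
egress_for_src() {
  for t in $(tables_for_src "$1"); do
    d=$(egress_dev_in_table "$t")
    [ -z "$d" ] && continue
    case "$d" in tun1[1-5]) echo "vpn${d#tun1}" ;; *) echo WAN ;; esac
    return 0
  done
  echo WAN
}
```

Run `egress_for_src 192.168.1.30` on the router with the two functions pointed at the live `ip rule` / `ip route show table` output instead of the constructed strings to check a real host; a host whose own table is empty falls through to the main table, which is why every device ends up in tun14 here.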
 
Correct - 'Redirect Internet Traffic=No' doesn't do what you would expect... it is the same as 'Redirect Internet Traffic=ALL' :rolleyes:

To be more accurate, it's the same as "Redirect Internet Traffic = whatever your remote server tells us to do". If they redirect traffic (like a typical VPN tunnel provider does), it will get redirected.

This might be more obvious if you read this setting as "Force Internet traffic redirection" perhaps. I should perhaps reword it that way.
 
This might be more obvious if you read this setting as "Force Internet traffic redirection" perhaps. I should perhaps reword it that way.

I think adding the word Force makes a lot of sense. Makes me wonder, theoretically could a VPN provider selectively not encrypt certain traffic?

New Question #1
Online somewhere they recommended routing the default gateway/router IP to WAN for better performance... but I don't really understand what that means? Was that site mistaken? What exactly is the pro/con of encrypting the default gateway, by default it will encrypt the router/default gateway the way I currently have it set up?

New Question #2
in strict mode, only rules that specifically target the tunnel's interface will be used. This ensures that you don't leak traffic
I can't quite understand this, is there a simple example to show the difference between strict mode and regular policy mode, what is an example of a rule "not specifically" targeting a tunnel interface?
 
I think adding the word Force makes a lot of sense. Makes me wonder, theoretically could a VPN provider selectively not encrypt certain traffic?

Not a provider. However the original, REAL use for a VPN is to connect to a remote office, in which case you typically do not want traffic to be redirected through the tunnel.

Online somewhere they recommended routing the default gateway/router IP to WAN for better performance... but I don't really understand what that means?

Can't say, not knowing what they exactly wrote, and in what context.
 