POLICY RULES IN VPN NOT WORKING

Ali

New Around Here
I have an ASUS RT 88u. I have been on merlin wrt for 1 year now with no complaints. Recently I upgraded the firmware to 380.58. I have noticed that internet has been slow. I have one VOIP ATA connected to my network through VPN, because VOIP is blocked by my ISP. I have used policy rules to route only the VOIP traffic through VPN. This was mainly why I flashed merlin on my router. After further investigation, I have found out that occasionally the router routes all traffic through VPN, and not only the ones in policy rules. This behavior can be repeated any time if you create 2 OpenVPN clients, both with policy rules. You can then check your ip address by searching what is my ip in google from a computer that is not supposed to go through the VPN.
Has anyone seen this behavior?
 
I have an ASUS RT 88u. I have been on merlin wrt for 1 year now with no complaints. Recently I upgraded the firmware to 380.58.

Why did you upgrade to a 10 months old firmware?
 
....occasionally the router routes all traffic through VPN, and not only the ones in policy rules. This behavior can be repeated any time if you create 2 open vpn clients, both with policy rules

Check the RPDB rules when Selective routing is working, and again when the Selective routing fails:
Code:
ip rule

and VPN Client routing tables e.g. VPN Client 1 and 2
Code:
ip route show table 111
ip route show table 112

NOTE: If Selective PORT routing is used, then check
Code:
iptables -nvL PREROUTING -t mangle --line
 
Sorry for the necrobump, but I'm having the exact same problem as the OP and a Google search brought me here.

This has been frying my head for the past week. Running two VPN clients simultaneously with Policy Rules and for some unknown reason, some IP addresses not selected in the Rules are randomly pushed through one or the other VPN client.

The last resort is me now asking for help!
 
Sorry for the necrobump, but I'm having the exact same problem as the OP and a Google search brought me here.

This has been frying my head for the past week. Running two VPN clients simultaneously with Policy Rules and for some unknown reason, some IP addresses not selected in the Rules are randomly pushed through one or the other VPN client.

You have not stated if the issue is with LAN (device) IPs or destination IPs (or both) but the diagnostic commands shown in Post #4 should be able to identify if there is a mismatch between the RPDB rules and the kernel routing tables.
 
I'm trying with LAN IPs.

I have a UK VPN (Client 1) running and I want my Homeserver going through that. I also want my FireTV sticks to go via my US VPN (Client 2).

It's configured as in the pics below. Randomly, I have my Study PC (the one I'm currently typing on) going through the UK VPN too, whereas I want it to use my default ISP.

Edit: I've booted up the laptop (connected via LAN) and that is also routed via the UK VPN... :(

(Attached screenshots: 2017-11-30_15-16-02.png and 2017-11-30_15-16-27.png)
 
Bought an AC86U.

Same settings, same problem.

Seems like this issue is common in the forums. I've seen loads of posts regarding it but no real solution.

@yorgi seems to be the most knowledgeable regarding this error so I've sent him a PM.

Has ANYONE successfully used policy rules on 2 "ACTIVE" clients?
 
Has ANYONE successfully used policy rules on 2 "ACTIVE" clients?

You have to understand that the rules are all in the same table, therefore you must take care of ensuring there is no overlap in your rules. That includes the default route. If you have both tunnels rely on their default routes, then only the first one will ever be used.

Multiple tunnels were never intended for that kind of usage. Primary use was for tunnelling, not for intercepting and redirecting Internet connections. To get that working, you will need to have some fairly good understanding of Linux routing.
 
Thanks for the firmware RMerlin.

Just to clarify, if I have 3 computers - Computer A, Computer B and Computer C.

Are you saying it is not possible to have Computer A go through Client 1 (UK VPN), Computer B go through Client 2 (US VPN) and have Computer C just use my normal ISP and go through neither client?

Will Computer C always go through Client 1?
 
Bought an AC86U.

Same settings, same problem.

Seems like this issue is common in the forums. I've seen loads of posts regarding it but no real solution.

@yorgi seems to be the most knowledgeable regarding this error so I've sent him a PM.

Has ANYONE successfully used policy rules on 2 "ACTIVE" clients?

I have three VPN clients running with certain static IPs routed to each client plus other connected devices routed using local ISP.

For testing purposes I have three different VPN providers and I allow connections even if the tunnel is down.
 
I don't want two different VPN providers though.
Then you are going to have to set up two different ports. One for each server you want to use. With some VPN providers that is easier than others. Using Port 443 may not be a good option if that is what is suggested.
 
OK, I'll try that. I'm with NordVPN and they definitely allow 1194 and 443. Thanks for the suggestion...
 
I have 3 computers - Computer A, Computer B and Computer C.

Are you saying it is not possible to have Computer A go through Client 1 (UK VPN), Computer B go through Client 2 (US VPN) and have Computer C just use my normal ISP and go through neither client?

Will Computer C always go through Client 1?

RMerlin is not saying that your required routing will NOT work.

Many users have successfully implemented Selective Routing; simply using the GUI to define which LAN devices should use a specific VPN connection.

connect 2 vpn at the same time?

However, RMerlin has alluded to the fact that in some cases, the 'default route' inserted into the ovpncX tables may in fact incorrectly redirect everything to the first VPN Client connection that is established.

To debug you will need to again provide the output of the diagnostic commands (preferably as text rather than a GIF) to identify if ovpnc2 clients are (incorrectly) actually using the ovpnc1 route.
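Post #4 says to compare the `ip rule` output with the VPN client tables, and RMerlin's point above is that a pushed default route only has to land in the wrong table once for every host without a policy rule to follow the first tunnel. The script below is an added example, not code from the thread or from the firmware: it replays that comparison over constructed sample output (the addresses, rule priorities and the tun11/tun12 device names are assumptions) and reports which interface each LAN host actually exits on.

```shell
# Constructed sample of `ip rule` and `ip route show table <n>` output on a router running
# two policy-routed OpenVPN clients; addresses, rule priorities and the tun11/tun12 device
# names are assumptions for this example, not output captured from the thread.
RULES='0:      from all lookup local
10001:  from 192.168.1.10 lookup 111
10002:  from 192.168.1.20 lookup 112
32766:  from all lookup main
32767:  from all lookup default'
TABLE_111='default via 10.8.0.5 dev tun11'
TABLE_112='default via 10.9.0.5 dev tun12'
# Healthy main table: the ISP default route is intact.
TABLE_MAIN_OK='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
# Broken main table: the first tunnel's pushed default route has replaced it, so every
# LAN host without a policy rule silently exits through VPN Client 1.
TABLE_MAIN_BAD='default via 10.8.0.5 dev tun11
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
TABLE_MAIN=$TABLE_MAIN_OK

route_table() {  # print the routing table named by $1; tables we have no sample for print nothing
  case "$1" in
    main) printf '%s\n' "$TABLE_MAIN" ;;
    111)  printf '%s\n' "$TABLE_111" ;;
    112)  printf '%s\n' "$TABLE_112" ;;
  esac
}

# exit_dev LAN_IP: walk the RPDB rules in priority order as the kernel does and print the
# interface Internet-bound traffic from LAN_IP leaves on. A table with no default route
# (tunnel down, or the "local" table) is skipped and the next matching rule applies.
exit_dev() {
  printf '%s\n' "$RULES" |
    awk -v ip="$1" '$2 == "from" && ($3 == ip || $3 == "all") && $4 == "lookup" { print $5 }' |
    while read -r tbl; do
      dev=$(route_table "$tbl" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1); exit }')
      if [ -n "$dev" ]; then printf '%s\n' "$dev"; break; fi
    done
}

# check_host LAN_IP EXPECTED_DEV: succeed only when the host exits where the policy rules say.
check_host() {
  actual=$(exit_dev "$1")
  [ "$actual" = "$2" ] && return 0
  printf 'MISMATCH: %s exits via %s, expected %s\n' "$1" "$actual" "$2" >&2
  return 1
}
for host in 192.168.1.10:tun11 192.168.1.20:tun12 192.168.1.30:eth0; do
  check_host "${host%%:*}" "${host##*:}" && echo "ok: ${host%%:*} -> ${host##*:}"
done
```

Paste real `ip rule` and `ip route show table ...` output into the variables to run the same check against a live router; clearing a tunnel's table (as when that client is down) shows the host falling through to the main table, which is the leak the "allow connections even if the tunnel is down" setting permits.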
 