Kid3t3rnity

Occasional Visitor
Hi

I'm rather new to merlin and will try my best to explain my issue.

Asus RT-AC68U running legacy 380.70 Merlin version.

I have set up 3 VPN clients, of which I only ever have 1 service state running at a time, but I like to switch servers, so I turn off the existing one and then turn on the desired client.

On each of my clients I have enabled the same policy rules for 3 devices to use the VPN and all other devices to connect to the normal ISP.
I have set Accept DNS Configuration to Exclusive and also to block routed clients if the tunnel goes down.



The policy works great on the 1st client it's set up on.

The issue is when I turn off one client and connect another client, the devices in my policy rules now fail to get any connection from VPN or ISP, even though they have the same rule as the working client.

Example:
Client 1 on: the VPN is routed to only the 3 devices in the policy list, all other devices get ISP.
Turn off client 1 and enable client 2: NO connections at all for the devices in the policy list, from VPN or ISP.
Turn off client 2 and enable client 1: all is working as it should.

Hope I explained well and someone can reproduce and/or help.

Regards

Sent from my ONEPLUS A5000 using Tapatalk
 
Without immediately resorting to openvpn-event scripting, have you tried the following GUI config?

e.g. the device(s) that must only use any of the available VPN Client connections are duplicated in the VPN Client configs:

VPN Client 1
Code:
Accept DNS Configuration=EXCLUSIVE
Block routed clients if tunnel goes DOWN=NO
UseVPN12or3ONLY xxx.xxx.xxx.xxx 0.0.0.0 VPN

VPN Client 2
Code:
Accept DNS Configuration=EXCLUSIVE
Block routed clients if tunnel goes DOWN=NO
UseVPN12or3ONLY xxx.xxx.xxx.xxx 0.0.0.0 VPN

VPN Client 3
Code:
Accept DNS Configuration=EXCLUSIVE
Block routed clients if tunnel goes DOWN=YES
UseVPN12or3ONLY xxx.xxx.xxx.xxx 0.0.0.0 VPN
 
I'm sorry, I do not understand!
I'm relatively new to router settings and have no experience with scripts as such.
Are you suggesting that I enter those lines of text somewhere?
No

The options are ALL on the GUI screen for the VPN Client.

 
Ah ok, I see what you mean now, but I don't see the UseVPN12or3 option.

Do I manually enter this into the description field?

No.

It is just an example of a free-form description, to make it clear that you should have identical device entries in this part of the GUI.

Have you managed to confirm the other two settings in each of the three VPN Client GUI panels?
 
3 clients with the same policies.

<sigh>

OK one last time...

You have not followed my instruction to only have

Block routed clients if tunnel goes DOWN=YES set for VPN Client 3

With ALL three VPN clients DOWN, issue

Code:
ip rule

ip route show table ovpnc1

ip route show table ovpnc2

ip route show table ovpnc3

and post the output.

At this point none of the devices (192.168.1.109, 192.168.1.122, 192.168.1.219) should have any Internet access until you start one of the VPN Clients (it doesn't matter which one).
 
I have now removed client 3, so I'm just on 2 clients, so I will set client 1 to No and client 2 to Yes on Block routed... etc.

Is this what you mean ?

Yes.
 
I love you man.

It's working and I've just had the lightbulb turn on in my train of thought lol, it makes sense now mate.
Thank you very much for your perseverance and patience.

Big respect and as always regards.

Sent from my ONEPLUS A5000 using Tapatalk
 
If I now add the 3rd or 4th client, I set the trailing client to No and the newest client to Yes.

Sent from my ONEPLUS A5000 using Tapatalk
 
VPN Selective Routing rules are evaluated in strict order with VPN Client 1 rules being the highest priority and VPN client 5 rules the lowest.

Remember "computers only do what you tell them to do, not what you want/expect them to do"!

So when you specify VPN Client 1 to block its client devices if the VPN is DOWN, then that is what the router does, even if there is a perfectly valid Selective Routing rule for those now-blocked devices to use the available VPN Client 2 connection.
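The priority-order behaviour explained in this reply, as an added simulation that is not part of the thread or of Asuswrt-Merlin's own code. It is a simplified model that assumes exactly the semantics stated above (slot 1 is consulted first; an up tunnel routes, a down tunnel with the kill switch blocks, a down tunnel without it is skipped) and compares the original all-YES configuration with the suggested kill-switch-on-the-last-slot-only configuration for the device IPs quoted in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class VpnClient:
    number: int            # GUI slot 1..5; lower number = higher priority
    up: bool               # tunnel currently connected
    block_on_down: bool    # "Block routed clients if tunnel goes DOWN" = YES
    routed_ips: set = field(default_factory=set)  # devices with a "VPN" rule

def resolve(clients, src_ip):
    """Walk the clients in slot order; return 'VPN<n>', 'BLOCKED' or 'WAN'.

    Simplified model of the order described in the thread (an assumption,
    not Merlin's real routing tables): the first slot whose rules name src_ip
    decides. Tunnel up -> routed there; down with kill switch -> blocked even
    if a lower slot is up; down without kill switch -> rule inactive, go on.
    """
    for client in sorted(clients, key=lambda c: c.number):
        if src_ip not in client.routed_ips:
            continue
        if client.up:
            return f"VPN{client.number}"
        if client.block_on_down:
            return "BLOCKED"
    return "WAN"  # no active rule matched: normal ISP path

# Device IPs from the thread; all three GUI slots carry identical rules.
ROUTED = {"192.168.1.109", "192.168.1.122", "192.168.1.219"}

def build(active_slot, block_flags):
    """Three clients, at most one tunnel up, kill-switch flags per slot."""
    return [VpnClient(n, up=(n == active_slot), block_on_down=block_flags[n - 1],
                      routed_ips=set(ROUTED)) for n in (1, 2, 3)]

def original_setup(active_slot):
    """OP's configuration: kill switch YES on every client."""
    return build(active_slot, [True, True, True])

def recommended_setup(active_slot):
    """Suggested fix: kill switch only on the lowest-priority slot."""
    return build(active_slot, [False, False, True])

if __name__ == "__main__":
    for name, setup in (("original", original_setup), ("fixed", recommended_setup)):
        for slot in (1, 2, 3, None):
            print(name, "active slot:", slot, "->", resolve(setup(slot), "192.168.1.109"))
```

With the original configuration the device is only ever routed while slot 1 is up; with the recommended one it follows whichever slot is up and is blocked only when all three are down.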
 