Problem adding third VPN client (tunnel) with VPN Director

[Namrustler]

I'm having problems adding a third VPN client (tunnel) and then using the VPN Director to force a client to use the new tunnel.

I previously had VPN client 1 using Private Internet Access and VPN client 2 using StrongVPN. Within each of these two clients I have:

• Automatic start at boot time: Yes
• Accept DNS Configuration: Exclusive
• Redirect Internet traffic through tunnel: VPN Director (policy rules)
• Killswitch - Block routed clients if tunnel goes down: Yes

I added a second VPN Client for StrongVPN with a different location than VPN client 2 and used the same settings as for the the first two clients, with the obvious exception of the server name.

On the VPN Status tab I can see all three clients are connected and their respective public IP addresses, which are all different as expected.

On the VPN Director tab I have three disabled rules and a single enabled rule. The single enabled rule specifies the IP address of a Windows 10 VM and the interface is one of the three VPN clients.

When I edit this rule and change the interface to OVPN3 and click Apply, the Windows 10 VM is still stuck on OVPN2, even though the log says its IP address is going through OVPN3.

I've been able to reproduce this behavior on my RT-AC86U and RT-AC3100, each running firmware 386.3.

I've occasionally been able to get the Windows 10 VM using OVPN3 by stopping the other VPN clients, but its unpredictable and I haven't determined a pattern. Sometimes, traffic isn't going through any VPN client, which is bad news.

Any ideas on could be happening? I must be doing something wrong, or not understanding a key concept about the VPN Director. I thought it would provide an easy way to flip a device from one VPN client to another. And I have clicked the Apply button every time I make a change on the VPN Director tab.

 

[eibgrad]

Anytime you have more than one concurrent OpenVPN client, you have to make 100% sure that each is using a unique IP network on its respective tunnel! Esp. when more than one is using the same OpenVPN provider. It's very easy to end up w/ more than one using the same IP network, thus creating a routing ambiguity in the configuration.

I'm not saying this is definitely the problem. But I have seen many users overlook this small detail when configuring multiple, concurrent OpenVPN clients for the first time. So let's first eliminate that possibility before going any further.

 

[Namrustler]

Anytime you have more than one concurrent OpenVPN client, you have to make 100% sure that each is using a unique IP network on its respective tunnel! Esp. when more than one is using the same OpenVPN provider. It's very easy to end up w/ more than one using the same IP network, thus creating a routing ambiguity in the configuration.

I'm not saying this is definitely the problem. But I have seen many users overlook this small detail when configuring multiple, concurrent OpenVPN clients for the first time. So let's first eliminate that possibility before going any further.

Thanks for your reply, @eibgrad.

Just to clarify, are you saying that when I want to change the Windows 10 VM from one VPN client to another, that I have to also change the IP address of the VM's network adapter?

I previously had my VM configured with three network adapters, each with a unique IP, and each IP was assigned to one and only one VPN client. To change the VPN client, I simply enabled the correct network adapter and disabled the adapter I'd been using. So with three adapters, there was never more than one enabled adapter at a time, and this worked without issue as far as I could tell. I would also verify the external IP.

I was hoping to get away with the complexity of multiple adapters in my VM.

Is it really the IP address or is it a combination of the IP and MAC addresses?

In the meantime I will add a couple of additional adapters to this particular VM, make sure they each get their own unique IP, configure this in the VPN Director, and test.

 

[eibgrad]

This has *nothing* to do w/ the Windows 10 VM, or any client trying to leverage one of the tunnels via PBR. What I'm talking about is how the tunnels associated w/ each OpenVPN client are configured on the router.

When you configure any OpenVPN client, the router, in conjunction w/ the OpenVPN server, establishes a tunnel w/ its own IP network (e.g., 10.8.0.0/24). If you dump ifconfig or the routing table(s) on the router while the OpenVPN clients are active, you'll see the networks assigned to these tunnels (tun11, tun12, etc.). All these tunnels *must* have unique, non-overlapping IP networks so you don't end up w/ a routing ambiguity. You can't just blindy assume that you can connect to multiple OpenVPN clients and not have this happen, esp. when using the *same* OpenVPN provider!

ifconfig
ip route

 

[Namrustler]

This has *nothing* to do w/ the Windows 10 VM, or any client trying to leverage one of the tunnels via PBR. What I'm talking about is how the tunnels associated w/ each OpenVPN client are configured on the router.

When you configure any OpenVPN client, the router, in conjunction w/ the OpenVPN server, establishes a tunnel w/ its own IP network (e.g., 10.8.0.0/24). If you dump ifconfig or the routing table(s) on the router while the OpenVPN clients are active, you'll see the networks assigned to these tunnels (tun11, tun12, etc.). All these tunnels *must* have unique, non-overlapping IP networks so you don't end up w/ a routing ambiguity. You can't just blindy assume that you can connect to multiple OpenVPN clients and not have this happen, esp. when using the *same* OpenVPN provider!

ifconfig
ip route

I ran ifconfig and found the IP addresses for the tunnels. There were only four tunnels configured and the IP addresses were unique. I then loaded another config for StrongVPN so I had three StrongVPN tunnels (different locations) and two PIA tunnels.

Guess what? The third StrongVPN tunnel shared the same IP with one of the other StrongVPN tunnels. These IP addresses are also displayed on the VPN Status tab as the local IP, but I was only focusing on the public IP.

I guess that was the problem. I didn't look at the local IP because I didn't understand its significance.

This might also explain when I had only two tunnels, one for PIA and the other for StrongVPN. Their local IP addresses are quite different, beginning with the first octet. The subnet mas is also different

Thanks for the solution. It would be easier if I just flipped between the Windows apps for my two VPN providers on this VM, but I still need to use a VPN client (tunnel) on the router because I have a collection of devices that I want to send through the router because it counts as a single connection.

Thanks a lot.