

RT-AC5300. Dual WAN leaks my real IP despite the strict mode of OpenVPN Firewall.

Discussion in 'Asuswrt-Merlin' started by scareferatis, Feb 19, 2019.

  1. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6
    Hello. So, the title says it all. I have 2 ISP GPON terminals I want to merge into one net with my ASUS router. When I had only one such box, I decided to protect my connection with OpenVPN. By utilizing Strict Policy mode inside the built-in OpenVPN firewall, I created a killswitch and forbade any of my devices to use the internet if my VPN connection is down. However, since I started using Dual WAN with Load Balancer mode, it leaks my second GPON box's IP address despite the rule I set up. My firmware version is 384_5b1 (update is impossible for me, because it deprecates OpenVPN Firewall and refers to some "postconf scripts" which I have zero clue of.) System Log's openvpn part doesn't have any info about my secondary WAN connection, as if it is nonexistent.

    What's the reason for this problem? How can I fix it and continue to use OpenVPN Firewall like before?
     
    Last edited: Feb 19, 2019
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    7,457
    I am not sure of your logic in running old, beta firmware and also being concerned about security/privacy issues?

    I would suggest upgrading to the latest firmware, 384.9, perform a full reset to factory defaults and then manually configure your router(s) again as needed. You may need to learn or relearn a few things about the updated (everything) from your old config, but I think it will be time well spent.

    Others will be better able to help out then, imo.
     
  3. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6

    Thanks for your answer. The thing is, there's NO GUI OpenVPN Firewall at the latest version, it needs to be configured via some postconf scripts, which is a big hit for privacy, IMO.
     
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    7,457
    I won't pretend to understand this fully, but I can't believe that something as seemingly important as this feature would be dropped for no reason?

    How is configuring postconf scripts yourself a hit on privacy?
     
  5. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6
    Not everyone has the knowledge to do its setup. I guess the coder knows this. I tried googling these scripts, but there's only a tad bit of info, with high risk of bricking the router.
     
  6. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    7,457
    You are right. I certainly do not know.

    But, you're in the right place to ask nicely how to do this and more. In the end, you'll have a much more secure network and have learned a little too. :)
     
  7. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6

    Thanks for your advice, my friend. But, like some wise people say, "if it ain't broke, don't fix it".
     
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    7,457
    You're welcome! Just trying to help out.

    From my end though, it seems like it is already broken. By the simple fact that your firmware is almost a year old, let alone the specific issue you need to have fixed. ;)
     
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    29,276
    Location:
    Canada
    The firewall rules are the same as under older versions; the only difference is I no longer offer an option to disable it. Postconf scripts are only intended for people needing to customize these, and should not be needed by normal users. For instance, people who need to disable the firewall for some reason.

    The biggest source of leaks is if you have clients using IPv6, which will completely bypass the VPN tunnel.
     
  10. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6

    Thanks for your answer, but I don't have any IPv6 client in my net. The problem is that the second connection doesn't route via the OpenVPN tunnel at all. The only thing I see in the log is "bound 172.0.0.x via 172.0.0.1", which is a standard DHCP lease. And that's it. It doesn't connect to my VPN account.
     
  11. roguetr

    roguetr Regular Contributor

    Joined:
    May 6, 2018
    Messages:
    152
    Just for my own curiosity, where is the tunnel established? Are you connecting in, or is this a tunnel going out?

    I've read your post a few times and I can't figure out how you've implemented OpenVPN and its intended use.

    Sorry I know this doesn't help but curiosity got the better of me :)

     
  12. scareferatis

    scareferatis New Around Here

    Joined:
    Feb 19, 2019
    Messages:
    6

    No problem. I have a subscription to a certain VPN provider, whose OVPN config is used in my RT-AC5300 to protect my traffic 24/7. Up until 3 days ago, I had 1 ISP with a proprietary GPON terminal. Gateway IP was 192.168.1.1. It was connected to my Asus and my traffic was tunneled by VPN with leak protection via Policy Rules (Strict) mode. Now I have 2 ISPs. I want to combine them via Dual WAN with VPN working. But for some reason that rule doesn't work for my NEW SECOND connection. If I disable VPN, Internet still works on the second one. If it's enabled, I can see both the VPN IP from my first connection and the REAL ONE OF THE SECOND. Which is a big no-no. And I don't see any tunnel assignments in the system log for the second ISP, except for the DHCP lease.
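An added diagnostic for the situation described in this post and in RMerlin's note that the killswitch is just firewall rules: it reads a FORWARD-chain dump in `iptables -S FORWARD` format and reports every WAN uplink that LAN clients can still reach outside the tunnel, honouring rule order (a DROP appended after an ACCEPT for the same uplink never fires). This is example code written here, not part of the thread or of Asuswrt-Merlin; the rule dumps are constructed, and the interface names (br0, tun11, eth0, eth4) are assumptions.

```shell
# Constructed FORWARD-chain dumps. Assumed names: br0 = LAN bridge,
# tun11 = VPN client tunnel, eth0 = primary WAN, eth4 = second Dual WAN uplink.
# LEAKY: eth4 is ACCEPTed before its DROP, so the later DROP never fires.
LEAKY_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o eth4 -j ACCEPT
-A FORWARD -i br0 -o eth4 -j DROP'
# FIXED: every physical uplink is blocked for LAN traffic; only tun11 is allowed.
FIXED_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o eth4 -j DROP'
# first_verdict LAN WAN  (rules on stdin): prints the target of the first
# LAN->WAN rule with a terminating verdict, since iptables stops at the first match.
first_verdict() {
    awk -v lan="$1" -v wan="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            i = o = j = ""
            for (k = 3; k <= NF; k++) {
                if ($k == "-i") i = $(k+1)
                else if ($k == "-o") o = $(k+1)
                else if ($k == "-j") j = $(k+1)
            }
            if (i == lan && o == wan && (j == "ACCEPT" || j == "DROP" || j == "REJECT")) { print j; exit }
        }'
}
# uncovered_wans LAN "WAN1 WAN2 ..."  (rules on stdin): prints each WAN interface
# that LAN clients can reach outside the tunnel (no rule counts as uncovered).
uncovered_wans() {
    lan="$1"; wans="$2"; rules="$(cat)"
    for w in $wans; do
        v="$(printf '%s\n' "$rules" | first_verdict "$lan" "$w")"
        case "$v" in DROP|REJECT) ;; *) printf '%s\n' "$w" ;; esac
    done
}
# check_killswitch LAN "WANS" RULES -> 0 when every uplink is blocked, 1 otherwise
check_killswitch() {
    missing="$(printf '%s\n' "$3" | uncovered_wans "$1" "$2" | tr '\n' ' ')"
    if [ -n "$missing" ]; then
        echo "LEAK RISK: LAN -> ${missing}bypasses the tunnel"; return 1
    fi
    echo "OK: all uplinks blocked outside the tunnel"
}
check_killswitch br0 "eth0 eth4" "$LEAKY_RULES" || true   # reports eth4
check_killswitch br0 "eth0 eth4" "$FIXED_RULES"           # reports OK
```

On a live router the same check runs against the real chain with `iptables -S FORWARD | uncovered_wans br0 "<wan1> <wan2>"`, substituting the actual LAN and WAN interface names.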