VPN Client Feature Issue - Broke Network Connectivity

zahroc

I was experimenting with using the OpenVPN Client feature set of the router to connect to my VPN.
I set it up and it worked as expected.
I had set the setting of "Block routed client if tunnel goes down" to Yes.
I decided to try a different configuration and when I set all the settings back to default so I could add a complete new one and reset the OpenVPN client settings, it seems to have locked the connection out on that particular machine.
None of the OpenVPN clients, 1-5, have any settings nor are they configured but I am no longer able to access the internet on the machine I was testing with.

Any ideas on how to reset it back so that the machine has connectivity again?

TIA!
 
zahroc: Yep, it's happening here. This is too strange to be a coincidence. I've been testing various openvpn configs on our AT-AC3200 for about a month, and though the GUI has been stalling/crashing (different thread), after I upgraded to the newest build, 380.68 -4, what you report is brand new as of last night. The routes stopped routing as you wrote, yet the long-running tunnel/config I've kept on the first client still works fine. As of today, whenever I try to load a different openvpn config on the second openvpn client and save it, no matter the sequence I use, it either works partially, or not at all, for any or all of the machines/boxes on the LAN. When the router loads the new config, it always shows that it's on/connected and supposedly running. It should work, but doesn't; nothing else I load works. The saved backup, settings and configs match the new tunnels I try to load, and they're good configs. After about 6 hours with this silliness, I figured I should start searching for answers; I ran into your post on the first try. It seems others are having openvpn issues, and it's not just beginners. As for suggestions...I've tried everything in my experience covering Asus routers. I've written down and retraced my steps. I saved every change, every step of the way, logged out, rebooted the router, shut down the power to the router/modem/computer, waited, then powered up in sequence, etc. I've applied the best troubleshooting I know how, when things get wacky like this. I hope when it's all powered back on tomorrow, it just works; wouldn't that be nice. Speculation, unless several perfectly functional routers decided to get singularly wonky at the same time, for different people, openvpn might have a new problem or there's something going on that hasn't yet been widely reported. I discount that there are faulty configs at the heart of this. The VPNs test them before putting them up.
Just in case, I contacted our VPN provider this afternoon and asked him what he thought about this; he gave me a fresh openvpn config after he checked it in-house. I looked it over before installing it and it was a match for what I used yesterday; it worked last night, but refuses to let anything out of the router tonight. Yesterday, as soon as I loaded and connected, it jumped up and ran like a rabbit, as it usually does. It's the same with the other configs I tried today. I've always set the connection to strict and to drop if the tunnel fails. I've never had a config fail to work before, nor any leakage, but leakage isn't the problem at hand. I'll start researching it fresh tomorrow and if it's still acting like this, I'll roll back to RMerlin's prior FW build. If that doesn't improve matters, the backup router is going back up into service for testing. The primary tunnel still works, I hope that sticks. Perhaps others will report if they're having similar issues; maybe RMerlin or other senior members have an idea we could try. Good luck to us and Crossed fingers X:)
 
I got an RT-AC68U running merlin latest firmware (380.68_4). I did a full reset (factory default), held wps button whilst powering on and cleared nvram via telnet back last week. manually reconfigured everything. Running Ab-Solution, Skynet - Asus Firewall Addition and dnscrypt installer for asuswrt.

Never had problems with VPN client but i think i have similar problems to you two, have noticed even when 'Accept DNS Configuration' is set to 'Strict' & 'Redirect Internet traffic' set to 'Policy Rules (strict)' & 'Block routed clients if tunnel goes down' set to 'yes' when i test on my laptop (macbook pro) it gives me my vpn ip address via ipleak.net but my isp ip via dnsleaktest and leaks dns. When testing via android phone it leaks isp dns when it should be using vpn dns but shows vpn ip. Not sure what's wrong but never had issues before and now it seems to leak real ip and dns, strange behaviour and was all fine before.
 
Netbug, Appreciate your posting. I went another 8 hours with mine today, with little to show for afterwards. I'd hoped the gremlins would be gone today, but no. I like to stay with the stock settings the vpn provider builds in his configs, but learned from past research here, that sometimes you can get results experimenting with 'relaxed' setting on a config as opposed to strict. Making everything stop, is as good a killswitch we can get in these boxes instead of taking the fall to WAN/ISP. I like to use https.www.doileak.com, which gives decent test results, and there are other leak sites. If you shut down all the ads, cookies, etc coming in/going out of your computer, tablets, phones etc, you've done what you can. My 34 year old never saw a screen not filled with ads, but won't make time to learn basic routing and firewall skills, yet. This strange client tunnel behavior is worse than anything I've dealt with for a while. Failing GUI and faltering openvpn configs is deeper than I care to get into the arcane art, since there's no explanation for any of it. I found similar issues listed on an Asus site; hopefully they're noticing/investigating. I don't get how the GUI and faltering tunnels are connected, but it seems connected on my unit. I don't usually set DNS in WAN to anything (not a purist in case anyone yelps). You don't have to set anything since the router usually takes care of it, but depends on how your tablets, phones are set up or will behave. It's hard to test how much leakage is going to the ISP but it's difficult to obscure much from them while testing. My gear is all in-house and never goes elsewhere, but it's why we try to secure these things. I've never had ill effects, errors or leakage by pointing to the VPN provider's network at 10.10.10 etc, and their 'smart' DNS handles everything in the tunnel, usually, when the GUI and configs aren't stalling about. The IPs in ours are all set in LAN DHCP, the DNS/WINS server fields point directly to 10.10. etc, in the provider configs, with a secondary of 8.8.8.8, to get lost in everyone's google's noise if a tunnel fails. I've had surprisingly poor luck lately with Opennic DNS. Many secure sites won't allow sign ins, clock times from other sites don't always sync as well as they could. Forget netflix on a laptop, tablet or box, unless your VPN provider makes quiet arrangements; only a few are left that can do so. If your device or router leaks, you and the VPN provider are picked up and blacklisted by netflix and buds. Just an example, an Opennic DNS we used for a long time, showed we were making DNS queries from Antarctica, Oceania or Nigeria; that won't do, so google DNS was the least of our worries. A couple of our in-house units won't work without setting google's DNS internally. I tried an older android tablet today, it leaked and was a bit too slow, given the GUI/tunnel issues. The older android units aren't supposed to leak as much as the new ones, but I get to play with new ones only when the grandkids call to say their phones aren't working very well. The AC3200 did fairly well for the first 3 hours today, then murphy's law kicked it back to yesterday. The openvpn configs wouldn't load or save, then they wouldn't turn on. Both client1/client2 buttons took many clicks before changing, then the GUI locked up. The config 'ON' button exhibited the same balky behavior. I reset the configs to default, saved, rebooted, then loaded the configs, keys and certs from scratch, several times. It's a broken record and not a good sign. Last I removed the power, waited 15 minutes then did all again, but no change. The router has a fan sitting near it that keeps it at a steady 50C, so it's not overheating. It's like the innards are stuck in mud. If there are no IP or range conflicts/collisions, since one can't easily run two openvpn configs in one normal Asus router, it's the end of my tests for a while.
I'm rolling back to 380.68, then the backup router is going into service. If this is a result of someone's hacking attempts directed at openvpn or Asus, it's new, nasty, and I hope they're caught soon. (Didn't mean to go on). Good luck to all of us.
 
Please separate text into paragraphs, this is very difficult for others to read and follow.
 
I had this happen on a RT-68U Merlin version 380.68_4 when I cleared the VPN to test a new provider and I could not access the net from any client, but pings from the router Network Tools page worked and Skynet was still busily blocking inbound attempts.

I went to the Network Map page, clicked on the Globe in the Internet Status section, then turned off the WAN on the right hand side. Waited 2 minutes and turned WAN back on and all connections to clients were back.

Seems that after VPN client has been set to block clients when tunnel goes down that setting persists even when the VPN provider data is deleted, which seems to be a good thing and likely intentional. Turning the WAN off for a couple minutes and back on resets it.
 
Jack Yaz, I try to respond to folks who seem to have genuine issues to assist them when they can't seem to garner any replies; many here are too busy with coding, or jobs. I regret reading my paragraph causes you concerns, but as for the 'others' I haven't seen others complain. If you'd rather not read my paragraph, please feel free to skip what I write in the future; that won't offend anyone. Far be it from me to appear to criticize you for criticizing how I have to accomplish what I do. I say this for clarity and understanding, and don't want pity nor sympathy. I've one usable hand to work with, among other disabilities. I have to use voice-recognition, then copy/paste my posts into a very small window on the web. Needless to say, it's quite time-consuming and I don't do it often. I'm unable to spend an hour re-editing a post on the web. Your critique of my editorial skills is the only such dislike until now. College lit was decades ago, and was the last time a prof graded me; I've done nothing wrong. At one time, before becoming disabled, I typed at 70 wpm, and wrote professionally. Now, dictating into an array is the best I can do once or twice a day. If you like my post, but find the formatting not to your liking, please copy my post into your word processor, and reshape, reedit to your taste, to make reading easier for you. I'm not being snippy; if the content in my post is wrong, I'll be happy to look at it. I'm not planning to garner hundreds of posts as you've done in a very short period, and have followed this forum for years before I made a single post. I won't address this issue again. An admin or moderator will contact a member if they've committed a violation. I hope you understand, thanks.
 
