VPN Client policy based routing not working

Tagilso

Occasional Visitor
System: ASUSWRT-Merlin RT-AC68U 380.68-4
Gateway IP: 192.168.10.1
Asus Router subnet: 192.168.20.0/24
VPN subnet: 192.168.30.0/24 (the Asus is connected as a client)

Using VPN Client and Redirect Internet Traffic option, I'm trying to redirect the host 192.168.20.251/32 over the VPN 192.168.30.0/24.

What I expect: the traffic coming from .251 is forwarded over the VPN.
What I see: the traffic is forwarded through my gateway and leaks my ISP IP.

Options on the router:
https://imgur.com/a/QaVxt

Routing tables on the ASUS
https://pastebin.com/csvsPxGy
(192.168.40.0 is another VPN subnet, for which the Asus is the server).
 
Try setting Accept DNS Configuration to Exclusive.

How come you are not specifying cipher encryption?
 
Hi, thanks for the reply!
I tried the DNS setting, no luck, but I think it should not matter here.
I am not using any cipher over this VPN because I don't need any security for this application.
 
Anyway, look at my routes on the ASUS regarding the redirected host:

  admin@RT-AC68U-1678:/tmp/home/root# ip route ls table ovpnc1
  192.168.10.1 dev vlan2 proto kernel scope link
  192.168.20.0/24 dev br0 proto kernel scope link src 192.168.20.1
  192.168.30.0/24 dev tun11 proto kernel scope link src 192.168.30.3
  192.168.10.0/24 dev vlan2 proto kernel scope link src 192.168.10.2
  192.168.40.0/24 dev tun22 proto kernel scope link src 192.168.40.1
  127.0.0.0/8 dev lo scope link
  default via 192.168.10.1 dev vlan2

They are defaulting via 192.168.10.1 (my ISP gateway); how could this work? Maybe there's some other mangling happening in iptables?
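
The check a practitioner would run on the router at this point is to pair `ip rule show` (which rule sends the host to which table) with `ip route show table ovpnc1` (where that table's default route actually goes). The script below is an added example, not code from the thread or from ASUSWRT-Merlin: it applies that check to constructed dumps. The ovpnc1 table is copied from the post above; the rule list (a `from 192.168.20.251 lookup ovpnc1` rule at priority 10010) and the "fixed" table with 192.168.30.1 as the tunnel's remote endpoint are assumptions, since neither was posted. With the table as posted, a host whose rule selects ovpnc1 still leaves via `vlan2`, which matches the leak described.

```shell
#!/bin/sh
# Added example (not from the thread): decide from routing-state dumps whether
# a LAN host's internet traffic leaves via the OpenVPN client tunnel or the WAN.
# On the router the two inputs would be:
#   ip rule show
#   ip route show table ovpnc1
# Here both are constructed strings so the script runs offline.

HOST=192.168.20.251   # LAN host the OP wants inside the tunnel
TUNDEV=tun11          # OpenVPN client interface seen in the posted table

# Constructed `ip rule show` output. The policy rule for the host is an
# assumption; the OP did not post `ip rule`.
SAMPLE_RULES='0:      from all lookup local
10010:  from 192.168.20.251 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Table ovpnc1 as posted: its default route points at the WAN gateway.
SAMPLE_TABLE_POSTED='192.168.10.1 dev vlan2 proto kernel scope link
192.168.20.0/24 dev br0 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev tun11 proto kernel scope link src 192.168.30.3
192.168.10.0/24 dev vlan2 proto kernel scope link src 192.168.10.2
192.168.40.0/24 dev tun22 proto kernel scope link src 192.168.40.1
127.0.0.0/8 dev lo scope link
default via 192.168.10.1 dev vlan2'

# What a working ovpnc1 table needs: a default route through the tunnel.
# (192.168.30.1 as the remote tunnel endpoint is an assumption.)
SAMPLE_TABLE_FIXED='192.168.20.0/24 dev br0 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev tun11 proto kernel scope link src 192.168.30.3
default via 192.168.30.1 dev tun11'

# rule_table HOST RULES: table selected by the first "from HOST lookup X" rule;
# "main" when no rule matches (the kernel then consults the main table).
rule_table() {
    printf '%s\n' "$2" | awk -v h="$1" '
        $2 == "from" && ($3 == h || $3 == (h "/32")) && $4 == "lookup" {
            print $5; found = 1; exit
        }
        END { if (!found) print "main" }'
}

# default_dev TABLEDUMP: interface of the table's default route, empty if none.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# classify HOST RULES TABLEDUMP TUNDEV: one-word verdict
#   leak:no-rule      no policy rule for the host, it follows the main table
#   leak:no-default   selected table has no default, lookup falls through to main
#   leak:wan-default  selected table's default leaves via a non-tunnel device
#   ok:tunnel         selected table's default leaves via the tunnel device
classify() {
    tbl=$(rule_table "$1" "$2")
    if [ "$tbl" = "main" ]; then
        echo "leak:no-rule"
        return 0
    fi
    dev=$(default_dev "$3")
    if [ -z "$dev" ]; then
        echo "leak:no-default"
    elif [ "$dev" = "$4" ]; then
        echo "ok:tunnel"
    else
        echo "leak:wan-default"
    fi
}

echo "table as posted: $(classify "$HOST" "$SAMPLE_RULES" "$SAMPLE_TABLE_POSTED" "$TUNDEV")"
echo "fixed table:     $(classify "$HOST" "$SAMPLE_RULES" "$SAMPLE_TABLE_FIXED" "$TUNDEV")"
```

Two of the verdicts are worth distinguishing in practice: `leak:no-rule` means the GUI never installed a policy rule for the host (so DHCP handing out a different address than the one configured would produce exactly that), while `leak:wan-default` means the rule is there but the per-client table itself still defaults to the WAN, which is what the posted `ip route ls table ovpnc1` shows.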
 
I have used no encryption over the tunnel in the past when I had lower speeds from my ISP. I looked at one of my old screen prints and see that I did specify SHA1 for Auth Digest even though I was not using encryption. I also use userid and password authentication in addition to specifying a CA certificate. This setting differs by provider. I use the site whatismyipaddress.com to verify whether my traffic is showing the ISP or the VPN IP address. What happens when you specify Redirect Internet Traffic = All Traffic? Do all clients then go through the tunnel or the ISP?

Is the IP address of the OpenVPN Tunnel displayed on the OpenVPN Status page?
 
Yes, the VPN client is up and running. It is shown on the recap page with its addresses.
When I choose to redirect all the traffic, it works as expected.
 
Good that all traffic works. Something is not right with the policy routing.

Do you assign a static IP address to the client you are trying to route through the tunnel? Or do you use dynamic DHCP?
 
What is the OS of the client device you want to route through the VPN tunnel? Did you try with another device?

Over in the Selective Routing thread, I recently posted examples of using ipset for selective routing. That is the method I use now.
 
Android 8.0, getting IP address from DHCP.
The same setup done by me, using a RaspberryPi as a VPN gateway and custom iptables/routes, works without issues using my Android device.
 
I ran into a situation where a user changed a setting on their Windows 10 laptop that caused the MAC address to be random. It messed up my static IP address assignment for this user. Yesterday, I ran into a counterfeit phone that had a different MAC address from what was reported by the phone.
 