
VPN Client Routing Rules stopped working


jappish84

Regular Contributor
For one of my devices I have been using client VPN routing rules without issues for quite some time now, but all of a sudden the routing rules stopped working, and now all traffic seems to go through the VPN client, and I can't figure out what happened :-/

I have double-checked that the IPs have not changed/updated the IPs, so that's not the issue.

I've attached my routing table




I'm running Merlin 384.6 on a RT-AC3200 router
 
In the OpenVPN Client Web Gui, did you set Redirect Internet Traffic to All Traffic?

I use Policy Rules (Strict). One method I use to confirm my Policy Rules is to log on to an SSH session and use the commands below:
Code:
ip rule
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5

This TorGuard OpenVPN 2.4 Client Setup for Asuswrt-Merlin Firmware may be of some help.

VPN Selective Routing rules are evaluated in strict order, with VPN Client 1 being the highest priority and VPN Client 5 the lowest.
 
Thanks for the reply,

I'm using "policy rules (strict)", although since the issues started I have tried using "Policy Rules" as well. Doesn't make a difference though.

The routing looks to be configured correctly when checking the tables via SSH, and also, like I mentioned earlier, everything was working well up until a few weeks back, not sure what changed.

I did find a few differences on the link you provided compared to my setup so I've changed "Accept DNS Configuration" to Strict instead of "Exclusive"

I also tried adding the router's IP to be routed through WAN

Unfortunately, this made no difference


I'm using PIA as a VPN provider if that makes a difference (Although, it did work before)
 
Can you post the output of ip rule, or do you see the LAN client IP address in the output?

Do you have a static DHCP IP address assigned to the LAN client?

Maybe check the iptables settings?

iptables --line -t nat -nvL DNSVPNx (x = vpn client number)

iptables -nvL PREROUTING -t mangle --line

Code:
Chain PREROUTING (policy ACCEPT 195K packets, 84M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    37204   31M MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        1    60 MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        1    60 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5        1    60 MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
6        1    60 MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
iptables -nvL PREROUTING -t nat --line

Check the system log file for clues too!
 
Other thoughts...confirm traffic routing rule Redirect Internet Traffic:

X=VPN Client #
Code:
nvram show | grep vpn_clientX_rgw

0 = No
1 = All
2 = Policy Rules
3 = Policy Rules (Strict)
Do you have a policy rule entry to route for all IPv4 addresses on your network e.g. 192.168.1.0/24?
 
Ok, so hopefully I'm still following :)

Here's the output of "ip rule" - destination IPs masked

Code:
/tmp/home/root# ip rule
0:    from all lookup local
10001:    from 192.168.1.121 to 123.123.123.123 lookup main
10002:    from 192.168.1.121 to 121.121.121.121 lookup main
10003:    from 192.168.1.121 to 231.231.231.231. lookup main
10004:    from 192.168.1.121 to 222.222.222.222 lookup main
10005:    from 192.168.1.121 111.111.111.111.111 lookup main
10006:    from 192.168.1.121 to 233.233.233.233 lookup main
10007:    from 192.168.1.121 to 112.112.112.112 lookup main
10101:    from 192.168.1.121 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default



Output of "iptables --line -t nat -nvL DNSVPN1"
Code:
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Feels like something is missing here ^^ ?



Output of "iptables -nvL PREROUTING -t mangle --line"

Code:
Chain PREROUTING (policy ACCEPT 493K packets, 64M bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1     1836 1637K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    20029 1973K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7


Output of "iptables -nvL PREROUTING -t nat --line"

Code:
Chain PREROUTING (policy ACCEPT 23637 packets, 3359K bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1     118K 4939K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
2     168K 9718K VSERVER    all  --  *      *       0.0.0.0/0            MY.WAN.IP.NR  
3        0     0 PCREDIRECT  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC MACADDRESSOFWANBLOCKEDDEVICE
4        0     0 PCREDIRECT  all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC MACADDRESSOFWANBLOCKEDDEVICE


Do you have a static DHCP IP address assigned to the LAN client?
Yes, the device is assigned a static address in the network


Output "nvram show | grep vpn_clientX_rgw"
Code:
size: 73056 bytes (58016 left)
vpn_client1_rgw=3


I changed router log level to "debug" and tried accessing the IPs that should be routed through WAN but the log didn't show any new line.

It's still accessing the IPs using the VPN-tunnel


Do you have a policy rule entry to route for all IPv4 addresses on your network e.g. 192.168.1.0/24

Not in the VPN section, only under NFS
 
Everything looks okay from what you posted. I set up a test config on OVPNC1 to route whatismyip.com traffic from my laptop to the WAN and all other traffic to the VPN



Code:
<snip>
10001:  from 192.168.22.152 to 104.27.193.92 lookup main
10002:  from 192.168.22.152 to 104.27.192.92 lookup main
10101:  from 192.168.22.152 lookup ovpnc1
<snip>
I recommend that you try placing the router's IP address as the first rule in the OVPNC1 client

See post below as the system is preventing me from pasting the pic when editing the post o_O

Any clues when you run the command ip route show table ovpnc1?

Are there any settings in the Custom Config Section that may be causing the behavior? Try testing with another VPN Server to see if you experience the same behavior.

Not in the VPN section, only under NFS
What is NFS?
 
 
Output of "iptables --line -t nat -nvL DNSVPN1"
Code:
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Feels like something is missing here ^^ ?

The table is only populated if 'Accept DNS Configuration=EXCLUSIVE' and the Selective routing table (Policy Rules) contains at least one entry with the 'VPN' target.

I changed router log level to "debug" and tried accessing the IPs that should be routed through WAN but the log didn't show any new line.

It's still accessing the IPs using the VPN-tunnel
Have you checked the routing tables?
Code:
ip route show table main
ip route show table ovpnc1

or you could try VPN checker script
 
The other thing I just noticed is the tun21 entry. Are the OpenVPN Server and Client using the same port number? If so, change the port assignment for either the Server or the Client.
 
Ok, so I've tried editing the list according to your instructions earlier, made no difference, everything is still routed through VPN:



You can see my custom config here as well


I have made sure my VPN server is running on port 1194 while the VPN Client 1 is running on port 1198. I also made a disturbing discovery that someone is trying to connect to my VPN server? See screenshot, I noticed multiple attempts to connect, but as far as I can see, no data is being sent/received so I guess the connections are denied? I have temporarily disabled the VPN server.




@Martineau
Have you checked the routing tables?

What exactly am I looking for here? Not sure how to read it

Here's the output:
Code:
ip route show table ovpnc1
10.34.11.1 via 10.34.11.5 dev tun11
10.34.11.5 dev tun11  proto kernel  scope link  src 10.34.11.6
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
0.0.0.0/1 via 10.34.11.5 dev tun11
128.0.0.0/1 via 10.34.11.5 dev tun11
default via 10.34.11.5 dev tun11

This doesn't add up with my local ip:



@Xentrk

NFS = Network file sharing (not related to VPN at all)
 

You need to provide the output of both tables - ovpnc1 and main
Code:
ip route show table main
 
Sorry for the delay, here are the outputs:

Code:
ip route show table main
MY.VPN.PROVIDER.IP via 83.209.162.129 dev eth0
83.209.162.129 dev eth0  proto kernel  scope link
10.34.11.5 dev tun11  proto kernel  scope link  src 10.34.11.6
83.209.162.128/25 dev eth0  proto kernel  scope link  src MY.WAN.IP.NR
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
127.0.0.0/8 dev lo  scope link
default via 83.209.162.129 dev eth0


Code:
ip route show table ovpnc1
10.34.11.1 via 10.34.11.5 dev tun11
10.34.11.5 dev tun11  proto kernel  scope link  src 10.34.11.6
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
0.0.0.0/1 via 10.34.11.5 dev tun11
128.0.0.0/1 via 10.34.11.5 dev tun11
default via 10.34.11.5 dev tun11
 

If the OpenVPN server pushes the following directive:
Code:
redirect-gateway def1
then two routes 0.0.0.0/1 and 128.0.0.0/1 are (temporarily) added to routing table 'main' (254).
As per the OpenVPN man page: 'This has the benefit of overriding but not wiping out the original default gateway.'

So you can see that the two rules are present (yet technically redundant) in table 'ovpnc1' (111) since its 'default' rule is identical, but in some cases they incorrectly remain in table 'main' (254) which is usually the cause when ALL traffic is unexpectedly routed via the Selective VPN Client.

So given your listed RPDB rules, Raspberry Pi (192.168.1.121) should have ALL traffic routed excluding those 7 target IPs.
I assume those 7 target IPs are still valid and the RPDB rules (not shown in post #11) that you changed (as per @Xentrk's advice) since your post #6 are actually valid.

I can only suggest that you remove ALL Selective routing rules from the GUI, and restart VPN Client #1.

With an empty Selective routing table, ALL LAN traffic should be routed via the WAN - if it isn't then try a reboot.
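A small diagnostic, added here and not taken from this thread or from Asuswrt-Merlin, that mechanises the two checks discussed in this post and in the earlier ip rule / nvram posts: whether the def1 half-routes have leaked into table main, and whether a LAN host's per-destination exceptions sit ahead of its catch-all ovpnc rule. The sample tables are constructed from the outputs posted in this thread; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic (not from this thread or from Asuswrt-Merlin). Function names are mine.
# Usage on the router:  ip route show table main | sh -c '. ./vpncheck.sh; def1_leak_check'
#                       ip rule | sh -c '. ./vpncheck.sh; rpdb_host_check 192.168.1.121'

# Reads `ip route show table <N>` text on stdin. Returns 0 if clean, 1 if the
# redirect-gateway def1 half-routes (0.0.0.0/1, 128.0.0.0/1) are present, which in
# table main means every LAN host is tunnelled regardless of the policy rules.
def1_leak_check() {
    leaked=$(awk '$1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { print }')
    if [ -n "$leaked" ]; then
        printf 'def1 half-routes present (all traffic via VPN):\n%s\n' "$leaked"
        return 1
    fi
    echo "clean: no 0.0.0.0/1 or 128.0.0.0/1 routes"
    return 0
}

# Reads `ip rule` text on stdin. Returns 0 only if <lan-ip> has a catch-all rule to an
# ovpncN table AND at least one "to <dst> lookup main" exception with a lower (earlier)
# priority number; rules are evaluated in priority order, so a later exception is ignored.
rpdb_host_check() {
    awk -v h="$1" '
        $2 == "from" && $3 == h && $4 == "to" && $NF == "main" && !catchall { exceptions++ }
        $2 == "from" && $3 == h && $4 == "lookup" && $5 ~ /^ovpnc[1-5]$/ { catchall = 1 }
        END { exit (catchall && exceptions > 0) ? 0 : 1 }'
}

# Constructed samples, modelled on the outputs posted in this thread (masked IPs kept).
MAIN_CLEAN='default via 83.209.162.129 dev eth0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1'
MAIN_LEAKED="$MAIN_CLEAN
0.0.0.0/1 via 10.34.11.5 dev tun11
128.0.0.0/1 via 10.34.11.5 dev tun11"
RULES='0:      from all lookup local
10001:  from 192.168.1.121 to 123.123.123.123 lookup main
10101:  from 192.168.1.121 lookup ovpnc1
32766:  from all lookup main'

# Demo run on the samples (a real run pipes the live command output in instead).
printf '%s\n' "$MAIN_CLEAN"  | def1_leak_check
printf '%s\n' "$MAIN_LEAKED" | def1_leak_check || echo "-> restart the VPN client or reboot"
printf '%s\n' "$RULES" | rpdb_host_check 192.168.1.121 && echo "RPDB for 192.168.1.121 looks right"
```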
 
Thanks @Martineau

I had to read it a few times to follow =)

Routing to WAN does work if I choose to route all ips through WAN, but not if I select a few.

Since you think everything looks fine, I'll try deleting and reconfiguring the VPN client and see if that helps.

I'll report back

Thanks

Sent from my LG-H815 via Tapatalk
 
Ok, I've done some more testing and there seems to be no problems with how the routing is handled, instead it seems that the servers I'm contacting (in the WAN list) somehow seem to sense the VPN? I'm not sure. Could it be a redirecting issue?

Like I mentioned before, my setup has been working for quite some time, but suddenly stopped working.

Is there any way I can try to log detailed traffic info when I connect to the server with VPN disabled/enabled?
 
