Beta VPN Director testing
I am uploading refreshed builds, they should appear on Onedrive over the next couple of minutes.

Code:
fdb13d8f24 webui: improve field validation on VPNDirector rule entry
063eec2e60 libovpn: remove vpn_client?_clientlist handling from OpenVPN reset to default function
f00d702d3d libovpn: update DNS exclusive handling to use VPN Director instead of the previous clientlist rules
0ec46963c8 rc: fix typo in format.c preventing compiling
40295d0ea3 libovpn: fix OVPN routes not being configured if DNS mode was set to "Ignore"
300bbf3a73 libovpn: don't specify a /32 subnet to route_net_gateway as it may be provided as a hostname instead of an IP

One thing to note: if you make changes to Director Rules and you are using Exclusive DNS mode, the firewall doesn't get updated to match the new rules. You need to restart the client to refresh firewall rules related to Exclusive DNS mode. This will be fixed later.
 
Are you using a VPN provider, if so which one? It was working for me when using NordVPN.
I'm using VPNUnlimited - and have done at "App" level for many years on Apple, Android and Windows devices.
In testing on the AX86U I tried to set it up on the basis that everything would go through VPN Client1 via VPNUnlimited by simply selecting "Yes" to Redirect thru tunnel. After a delay, next to Service State it claimed "Connected (Local: 0.0.0.0-Public: Unknown)" and didn't work.

About a year or so ago I did set up VPNUnlimited on my then AC86U by doing precisely the above - and it worked correctly.
All traffic was redirected via tunnel to internet.

With the new firmware on the AX86U - it worked as soon as I created a Policy Rule to redirect all internet traffic through the tunnel and linked that rule to VPN Client1 while changing "Yes" to "Policy Rules". Adding more rules and editing them - all works perfectly, so MANY thanks for enabling a FAR easier VPN Client routing methodology that us non-coders can enjoy.

PLEASE don't worry - I'm sure your code is 100% spot on and it was just some aberration on my side. It is easy to replicate - right now if I go back to advanced settings and change Redirect to "Yes" from Policy Rules - Apply - wait - I get a slightly improved response saying "Connected (Local: 10.200.0.6 - Public: unknown)" and the tunnel does not work. Revert to "Policy Rules" and I'm back in the tunnel ;).
 
If I have two VPN clients running, OVPN1 and OVPN5, and I want all devices on the LAN to connect through OVPN1 except one device that should use OVPN5.

[attachment: vpn director1.PNG]

Now I have one device, let's say 192.168.1.24, that should be routed through OVPN5. The only way I can achieve that seems to be to add each device separately. That quickly becomes cumbersome.

[attachment: vpn director2.PNG]
[attachment: vpn director3.PNG]


It would be sweet if the rule logic allowed for something like this:

[attachment: vpn director4.PNG]
[attachment: vpn director5.PNG]


All devices on the LAN routed through OVPN1 except 192.168.1.24. The rule for a specific device would need to have higher priority than a rule redirecting the whole LAN.
 
If I have two VPN clients running, OVPN1 and OVPN5, and I want all devices on the LAN to connect through OVPN1 except one device that should use OVPN5.
can you swap 1 with 5, so the single device takes priority as it is higher in the list?
 
can you swap 1 with 5, so the single device takes priority as it is higher in the list?
Yes, that's what I actually did - and it works since OVPN1 rules have higher priority than OVPN5 rules.

Edit 1:
No, it actually didn't work since "OpenVPN clients set to redirect all traffic have the highest priority."

So my rule 192.168.1.24 - OVPN1
is over-ridden by
192.168.1.0/24 - OVPN5

Edit 2:
It's a bit confusing now when the rules I add to the VPN Director are not added to the firewall right away. I need to restart both clients to refresh the firewall rules - yes, I'm using exclusive DNS mode.

And there's something that still doesn't work.

[attachment: vpn director6.PNG]

Here M900Tiny will be routed through OVPN5 (that would be consistent with "OpenVPN clients set to redirect all traffic have the highest priority.")
Note that LAN rule for OVPN1 is disabled here.

But if I add another device to OVPN1 like this:

[attachment: vpn director7.PNG]

then both M900Tiny and Huawei will be routed through OVPN1.

Furthermore, with this ruleset, when I use another device in my LAN (e.g. 192.168.1.26), it's also routed through OVPN1 and not OVPN5! Shouldn't be possible.

So there's something with the rule logic that isn't right?
 
If I have two VPN clients running, OVPN1 and OVPN5, and I want all devices on the LAN to connect through OVPN1 except one device that should use OVPN5.
Swap their order. Use the most specific VPN client first, and the broadest client last.

It's a bit confusing now when the rules I add to the VPN Director are not added to the firewall right away. I need to restart both clients to refresh the firewall rules - yes, I'm using exclusive DNS mode.
Known issue, I haven't had time to work on it yet.
 
Issue with spdMerlin possibly related to VPN Director.

I have an AC86 with settings for five VPN clients. Only clients 1 & 3 start when router is booted.

If I use either the VPN Director or go into VPN client 2 and start it, the client starts just fine.

However if I go into the addons and try to do a manual speedtest for just VPN client 2 it will not let me select the radio button for client 2. Clients 1 & 3 can be selected.

If however I tell spdMerlin to test all, it runs speedtest for the WAN plus the three running VPN clients including VPN client 2.

I don't remember seeing this behavior before the VPN director was installed.
 
I am uploading refreshed builds, they should appear on Onedrive over the next couple of minutes.

One thing to note: if you make changes to Director Rules and you are using Exclusive DNS mode, the firewall doesn't get updated to match the new rules. You need to restart the client to refresh firewall rules related to Exclusive DNS mode. This will be fixed later.
Just loaded new build and I have VPN-IP and no DNS-leak.
Anyway, openvpn-event seems not to be working.
Are the VPN environment variables working?
My vpn-script is not working; there is no trigger from openvpn-event.

I got this error, but it seems to work anyway.
Error: any valid prefix is expected rather than "pool-1.prd.se.sthlm.ovpn.com".
Error: any valid prefix is expected rather than "pool-2.prd.se.sthlm.ovpn.com".

Code:
Chain DNSVPN1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
  220 15545 DNAT       all  --  *      *       192.168.12.0/24      0.0.0.0/0            to:46.227.67.134
I have reverted back to 386_2_6
 
So I tried the new alpha (RT-AC5300_386.3_alpha2-gfdb13d8f24) just now. It broke the Nord VPN when run from the router. Here are the router logs:

Code:
Jun 17 12:29:44 ovpn-client1[3019]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jun 17 12:29:44 ovpn-client1[3020]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 17 12:29:44 ovpn-client1[3020]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1618', remote='link-mtu 1634'
Jun 17 12:29:44 ovpn-client1[3020]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Jun 17 12:29:48 ovpn-client1[3020]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Ideas?

Went back to RT-AC5300_386.2_6, restored config and jffs, rebooted everything, and now all is well again, with Nord router vpn functioning as usual...
And, here is some more weirdness. After the restore, went to the logs and found:

Code:
Jun 17 13:24:46 ovpn-client1[7207]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jun 17 13:24:46 ovpn-client1[7208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 17 13:24:46 ovpn-client1[7208]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1618', remote='link-mtu 1634'
Jun 17 13:24:46 ovpn-client1[7208]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Jun 17 13:24:50 ovpn-client1[7208]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Essentially the same entries?? Here are the standard Nord VPN Custom Config entries:

Code:
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log

NO IDEAS HERE, for sure!?!
 
It seems very interesting to me but I have two questions:

1) I am currently on version 386.2_04 and use the excellent VPN_failover script to manage a possible VPN drop. With this new VPN management, will it still be useful, or will you handle a possible drop directly with a restart of OpenVPN itself???

2) If you were to use Unbound, would there still be DNS leak problems or not?
 
Scenario 1.

[attachment: VPN Director.JPG]

With this my laptop receives VPN IP + DNS IP from OVPN 1, but should be from OVPN 5 to my understanding?
  • Settings on OVPN 1 page: DNS exclusive and policy rules. 192.168.1.0/24
  • Settings on OVPN 5 page: DNS disabled and through tunnel: policy rules

Scenario 2. Swap 5 to 1

With this my laptop receives VPN IP from OVPN 1 + DNS IP from OVPN 5, but should be DoT DNS to my understanding?
  • Settings on OVPN 5 page: DNS exclusive and policy rules. 192.168.1.0/24
  • Settings on OVPN 1 page: DNS disabled and through tunnel: policy rules

Now brain freeze.o_O

Going back to 386.2_6 for now, need to do calls tomorrow.

Thanks!
 
If I'm not mistaken, doesn't VPN 1 have higher priority than VPN 2-5, so that any device with a rule in more than one VPN group is going to use the higher-priority one while that tunnel is active?
If correct, and your device is in active VPN groups 1 & 5, it should always use 1, until 1 is inactive.
 
I did a dirty update on my AX88U from 386_2_6 and all seems good.

Had 1 device using policy based routing on VPN (OVPN Client 1 using Nord UDP config) and it appears to have imported just fine.

I had block (killswitch) enabled previously and when I stopped the service from VPN Director Tab the block worked fine and starting again it was unblocked.

All worked as expected.
 
With this my laptop receives VPN IP + DNS IP from OVPN 1, but should be from OVPN 5 to my understanding?
As people have suggested already: don't put a wide ranging rule on OVPN1 and a more specific rule on OVPN5. This will not work, the first rule will be applied first.
With this my laptop recieves VPN IP from OVPN 1 + DNS IP from OVPN 5, but should by DOT dns to my understanding?
Don't use conflicting rules either. If two rules can affect a client, and the two rules have different DNS behaviour, then the end result as to which DNS gets used is unpredictable, as the DNS redirections are not prioritized. I might try to see if it could be prioritized, but no guarantee that it will be doable.
 
All of these are normal and aren't problems. They come from the hardcoded settings not being in sync with what is being negotiated at connect time, which is what will ultimately be used.

I do all of my tests with NordVPN. You might want to erase your setting and update an up-to-date config file from them.
 
I got this error, but it seems to work anyway.
Something seems really broken with that provider or your setup. They push a hostname instead of an IP as the gateway. Hostnames cannot be combined with a prefix (since they aren't IPs), and your connection flat out fails to connect with the prefix, while it generates that error message if there's no prefix.
However if I go into the addons and try to do a manual speedtest for just VPN client 2 it will not let me select the radio button for client 2. Clients 1 & 3 can be selected.
That will have to be sorted out by the addon dev, and I doubt he'll look at it before I have finalized changes on my own end.
 
The only way I can achieve that seems to be to add each device separately.
You need to use subnetting, and then create rules using CIDRs.
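The two pieces of advice in this thread (the first matching rule wins, with OVPN1's rules ahead of OVPN5's, and "use subnetting and CIDRs" instead of one broad rule) as an added worked example. This is illustrative code written for this page, not VPN Director's or Asuswrt-Merlin's own implementation: the first-match, lower-client-first precedence is a simplified model assumed here (it ignores the "redirect all traffic" special case mentioned earlier), the function names `route_for` and `carve_out` are hypothetical, and the addresses (192.168.1.0/24 with the excepted host 192.168.1.24) are the constructed values from the discussion. `carve_out` goes beyond the single-host case in the thread and handles any number of excepted hosts.

```python
# Added example for this page, not VPN Director's own code.  Models the
# "first matching rule wins, lower-numbered client first" behaviour the
# thread describes and computes the CIDR carve-out Merlin suggests.  The
# precedence model is an assumption made here for illustration only.
from ipaddress import ip_address, ip_network


def route_for(src, rules):
    """Return 'OVPN<n>' for the first rule whose CIDR contains src, else 'WAN'.

    rules: list of (client_number, cidr).  Rules are evaluated client 1 first,
    then client 2, ... (the ordering reported in the thread); within one client,
    in the order given.  Assumed model, not the firmware's implementation.
    """
    addr = ip_address(src)
    for client, cidr in sorted(rules, key=lambda rule: rule[0]):
        if addr in ip_network(cidr, strict=False):
            return f"OVPN{client}"
    return "WAN"


def carve_out(lan, *excepted_hosts):
    """Return the CIDRs that cover `lan` except the given hosts, as strings.

    Replaces one broad rule with the smallest set of prefixes that skip the
    excepted hosts, so a lower-priority client's /32 rule can still pick them
    up.  Hosts outside `lan` are ignored.
    """
    remaining = [ip_network(lan)]
    for host in excepted_hosts:
        target = ip_network(host)          # a bare address becomes a /32 (or /128)
        carved = []
        for net in remaining:
            if target.subnet_of(net):
                # address_exclude splits net into the prefixes around target
                carved.extend(net.address_exclude(target))
            else:
                carved.append(net)
        remaining = carved
    return [str(net) for net in sorted(remaining)]


if __name__ == "__main__":
    lan, special = "192.168.1.0/24", "192.168.1.24"   # constructed values
    # Broad rule on OVPN1, specific rule on OVPN5: the /32 never gets a chance.
    print(route_for(special, [(1, lan), (5, f"{special}/32")]))             # OVPN1
    # Specific rule on the higher-priority client, broad rule on OVPN5.
    swapped = [(5, lan), (1, f"{special}/32")]
    print(route_for(special, swapped), route_for("192.168.1.26", swapped))  # OVPN1 OVPN5
    # Keep OVPN1 for the LAN but carve .24 out of it, so an OVPN5 rule can claim it.
    for cidr in carve_out(lan, special):
        print("OVPN1", cidr)   # eight prefixes, from 192.168.1.0/28 to 192.168.1.128/25
```

The carve-out is what you would paste into the OVPN1 rule list, one line per prefix, with the single 192.168.1.24/32 rule left on OVPN5; the cost is eight rules instead of one, which is why reordering the clients is the simpler fix when it is available.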
 
Is vpn environment variables working?
My vpn-script not working no trigger from openvpn-event.
Can you add a "logger" call to see if the script gets called at all?

Which environment variable are you trying to access?

I got this error, but it seems to work anyway.
Are you using a third party script? That string does not exist anywhere within the firmware code.

Code:
merlin@ubuntu-dev:~/amng/release/src/router$ grep "valid prefix is expected rather than" * -rs
merlin@ubuntu-dev:~/amng/release/src/router$
 
Refreshing DNS exclusive iptables redirections has been updated. Making rule changes will now properly add/remove DNS redirections accordingly.
 