VPN Server (384.7_2) no longer routing traffic through VPN client

kingskib

Hello,

I had some out of the blue router issues last week and I decided to update my AC68U from 384.5 to 384.7_2.

After restoring my configuration and testing my VPN client everything appeared fine until trying to connect to the VPN server on my mobile while out one day. I have the Asus DDNS service configured and connected to the Web portal and downloaded the server OpenVPN config file and made my connection but my internet access was gone. I have tried multiple settings, all with the same result. The only time the server client gets internet access is when they are removed from the "Rule for routing client traffic through the tunnel"

Below is the syslog from a recent connection, can anyone help me get this working again?

Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 TLS: Initial packet from [AF_INET6]::ffff:209.58.135.72:14610, sid=291dbcf7 23a34fa6
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_GUI_VER=OC30Android
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_VER=3.2
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_PLAT=android
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_NCP=2
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_TCPNL=1
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_PROTO=2
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 peer info: IV_LZO=1
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 TLS: Username/Password authentication succeeded for username 'vpnuser' [CN SET]
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Nov 5 19:38:14 ovpn-server1[4857]: 209.58.135.72 [vpnuser] Peer Connection Initiated with [AF_INET6]::ffff:209.58.135.72:14610
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 MULTI: Learn: 10.8.0.2 -> vpnuser/209.58.135.72
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 MULTI: primary virtual IP for vpnuser/209.58.135.72: 10.8.0.2
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 PUSH: Received control message: 'PUSH_REQUEST'
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 SENT CONTROL [vpnuser]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.5.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.248,peer-id 0,cipher AES-128-GCM' (status=1)
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 Data Channel: using negotiated cipher 'AES-128-GCM'
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Nov 5 19:38:14 ovpn-server1[4857]: vpnuser/209.58.135.72 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Nov 5 19:40:14 ovpn-server1[4857]: vpnuser/209.58.135.72 [vpnuser] Inactivity timeout (--ping-restart), restarting
Nov 5 19:40:14 ovpn-server1[4857]: vpnuser/209.58.135.72 SIGUSR1[soft,ping-restart] received, client-instance restarting


Thanks.
 
The only time the server client gets internet access is when they are removed from the "Rule for routing client traffic through the tunnel"
Connecting inbound OpenVPN Server client LAN/Internet access is controlled by the iptables OVPN chain:
Code:
iptables  --line -t filter -nvL OVPN
but if you need inbound OpenVPN Server Client 'pass thru' i.e. outbound via OpenVPN Client, then you need the appropriate MASQUERADE rule:
Code:
iptables  --line -t nat -nvL POSTROUTING
 
Thank you for the response. I have entered the code listed above, but still have the same issue. I am sorry I don't know the syntax or usage to determine if what I am doing is correct. Here is the output:

Code:
sshuser@RT-AC68U-23E0:/tmp/home/root# iptables  --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 22856 packets, 1816K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2117  201K MASQUERADE  all  --  *      tun11   192.168.5.0/24       0.0.0.0/0
2    52949 2751K MASQUERADE  all  --  *      tun13   192.168.5.0/24       0.0.0.0/0
3    19426 3676K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
4     9925 3034K MASQUERADE  all  --  *      eth0   !69.59.127.18         0.0.0.0/0
5     9117 2884K MASQUERADE  all  --  *      br0     192.168.5.0/24       192.168.5.0/24
sshuser@RT-AC68U-23E0:/tmp/home/root#

I have 2 vpn clients, which I assume are tun11 and tun13. I don't know what I am supposed to configure to route from the vpn server out through tun11
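
An added example, not part of the original posts: a shell check that reads the POSTROUTING listing above and reports whether any MASQUERADE rule on a given tunnel interface has a source that covers the VPN server client address 10.8.0.2 from the syslog. The helper name `masq_rule_for` is hypothetical, and the embedded listing is the one posted in this thread.

```shell
#!/bin/sh
# Sample input: the POSTROUTING listing posted in the thread (embedded so this runs offline).
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 22856 packets, 1816K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2117  201K MASQUERADE  all  --  *      tun11   192.168.5.0/24       0.0.0.0/0
2    52949 2751K MASQUERADE  all  --  *      tun13   192.168.5.0/24       0.0.0.0/0
3    19426 3676K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
4     9925 3034K MASQUERADE  all  --  *      eth0   !69.59.127.18         0.0.0.0/0
5     9117 2884K MASQUERADE  all  --  *      br0     192.168.5.0/24       192.168.5.0/24'

# masq_rule_for IP IFACE (hypothetical helper): reads an
# `iptables --line -t nat -nvL POSTROUTING` listing on stdin and prints the
# number of the first MASQUERADE rule on IFACE whose source covers IP.
# Exit status is 1 when no such rule exists.
masq_rule_for() {
    awk -v ip="$1" -v ifc="$2" '
    function ip2int(a,   o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # covers(): true when addr falls inside src (CIDR, bare host, or "!" negated).
    function covers(src, addr,   neg, p, len, div, hit) {
        neg = (substr(src, 1, 1) == "!")
        if (neg) src = substr(src, 2)
        split(src, p, "/")
        len = (p[2] == "") ? 32 : p[2]
        div = 2 ^ (32 - len)
        hit = (int(ip2int(p[1]) / div) == int(ip2int(addr) / div))
        return neg ? !hit : hit
    }
    # Columns: num pkts bytes target prot opt in out source destination
    $4 == "MASQUERADE" && $8 == ifc && covers($9, ip) { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }
    '
}

# Check the VPN server client address from the syslog against both tunnels.
for ifc in tun11 tun13; do
    if n=$(printf '%s\n' "$SAMPLE_POSTROUTING" | masq_rule_for 10.8.0.2 "$ifc"); then
        echo "$ifc: 10.8.0.2 is covered by POSTROUTING rule $n"
    else
        echo "$ifc: no MASQUERADE rule covers 10.8.0.2"
    fi
done
```

On the router itself, pipe the live listing in instead of the sample: `iptables --line -t nat -nvL POSTROUTING | masq_rule_for 10.8.0.2 tun11`.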
 
I have 2 vpn clients, which I assume are tun11 and tun13. I don't know what I am supposed to configure to route from the vpn server out through tun11

So from which Selective Routing GUI Client did you have to remove the IPs, and what were they...individual IPs or CIDR subnets?
 
Here are the screenshots from the VPN server and client GUI. All of the listed LAN clients are exiting VPN client as intended. It is when I add 10.8.0.2 to the list of clients in the VPN client list that I have an issue.
 

Attachments

  • VPNServerConfig1.JPG
  • VPNServerConfig.JPG
  • VPNClientConfig.JPG
