OpenVPN: 2 questions...

DD-WRT Forum Index -> Advanced Networking
kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Wed May 16, 2018 22:07    Post subject: OpenVPN: 2 questions...
Hi all,

Just configured the OpenVPN client on my AP/gateway. All is fine. DD-WRT is r35927, currently the latest. Previously OpenVPN was established by the PC.

Just 2 issues, which I can't explain and I'd love to hear answers.

1.
While the OpenVPN-connection is established to my VPN-provider, I can see that I do have the right external public IP (I'm on v4 only), e.g. with https://my-ip-is.com/. Also the bandwidth is normal, much lower than without VPN.

Now, I run a traceroute to that external public IP from a PC via the AP. I would expect that I only see internal IPs of the tunnel (TUN is selected as device, protocol UDP).

Problem: I do see IPs of my local internet-provider while traceroute crawls. First IP is the AP, last is the VPN-server, my public IP. What is the reason? Is it a layer thing?

2.
The OpenVPN-connection is only shown as 'established' in Status/VPN when I use button 'Apply Settings' in Services/VPN. It is never established just after rebooting the AP. It does not matter whether 'Start type' is set to 'WAN up' or 'System' in Services/OpenVPN or how long I wait, I HAVE to click 'Apply Settings'.
Was it always like that? Is there a start-script to fix this?

Many thanks in advance. Apologies if these questions have been answered already... I did have a quick search on both topics.

_________________
3xBuffalo WLI-H4-D1300
1xBuffalo WZR-D1800H
1xBuffalo WHR-HP-G300N
1xBuffalo WHR-1166D (stock f/w)
1xASUS RT-AC87U
1xTP710
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7384

PostPosted: Wed May 16, 2018 23:48    Post subject:
So just to confirm, that dd-wrt router is configured as a router (NOT a WAP), where its WAN is patched to a LAN port on the ISP's modem (or modem+router)?
kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Thu May 17, 2018 5:02    Post subject:
eibgrad wrote:
So just to confirm, that dd-wrt router is configured as a router (NOT a WAP), where its WAN is patched to a LAN port on the ISP's modem (or modem+router)?


Wireless mode is AP; Setup/Advanced is set to Gateway; it is the DHCP server for my network and it is patched to my ISP's modem (DSL) with LAN on the WAN-port.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7384

PostPosted: Fri May 18, 2018 17:47    Post subject:
Normally when using the VPN and doing a trace from a PC I wouldn't expect to see your local ISP's ip(s). But I don't normally trace my public IP over that VPN either. When I tried it, the only hop that returned anything was the first, my router. All others timed out, suggesting the VPN provider is preventing it.

Anyway, very difficult to describe what you're seeing based solely on your current description. Without seeing the trace, knowing your ISP and VPN public IPs, etc., I just don't know how to interpret what you're seeing.

As far as the startup problem, I've seen this before. It seems to happen randomly on certain builds. I have no idea why. But to get around the problem, I threw together a small script a few weeks ago for someone else having the same problem, to force it to start.

https://pastebin.com/mqmmCpnc

Note, this script isn't particularly sophisticated. Just a quick and dirty solution. For example, it doesn't discriminate between an OpenVPN process that's running as an OpenVPN server vs. an OpenVPN client. So if you happen to also be running an OpenVPN server while running the OpenVPN client, the killall command will kill *both* processes!
kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Sun May 20, 2018 8:07    Post subject:
Woahh!

Thank you lots, eibgrad!
- For confirming that something is wrong when I see IPs of my ISP while doing a traceroute to my public IP.

- For confirming that starting OpenVPN was an issue also in the past, and for your script to force-start OpenVPN. I'm only using the client.

I may be able to test your script tomorrow, will try traceroute again and supply a screenshot.

Thanks again!
Have a nice day...

kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Mon Jun 04, 2018 21:08    Post subject:
Hey eibgrad,

Sorry, I still could not find time to verify the traceroute issue (showing IPs of my ISP).

Question: Is your trac ticket https://svn.dd-wrt.com/ticket/6320 related to this?

This is a serious issue, putting users at unexpected risk...
I can't understand why kong's and bs' builds are that different.

BTW1: PBR was not on in my config.
BTW2: I did not check which DNS have been active, because I did not think about that.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7384

PostPosted: Mon Jun 04, 2018 22:21    Post subject:
Frankly, the whole issue of dealing w/ DNS leaks on dd-wrt is a mess. Besides the fact that BS and Kong are not even handling it the same (if at all in the case of BS), you have other complications as well (e.g., PBR).

When PBR is enabled, that takes the router itself off the VPN, and then it depends on the pushed DNS server(s) from the OpenVPN server whether there is or isn't a DNS leak. If the OpenVPN server pushes a *public IP* (e.g., Google DNS, 8.8.8.8), that gets routed over the WAN. But if it pushes a private IP on its own network, intended for only its own users, it gets routed over the VPN since that's the only route to that DNS server.

Even if you wanted to bind a public DNS server like 8.8.8.8 to the VPN to get around this problem, you can't. The fact the router uses route-noexec when implementing PBR means you can't add routes to Additional Config. They just get ignored!

https://svn.dd-wrt.com/ticket/6247

I even found in Kong's working DNSMasq code a temporary DNS leak. By default, DNSMasq periodically "polls" for changes in the name servers by monitoring (in the case of dd-wrt) the file /tmp/resolv.dnsmasq. And Kong's script dutifully updates that file. But those changes only take effect once the next polling interval comes around, which in my own experimentation sometimes took up to TWO MINUTES! That's why I call it a temporary DNS leak. But this could easily have been avoided by NOT using polling (by specifying the no-poll directive) and instead sending a SIGHUP signal to DNSMasq to make it reread /tmp/resolv.dnsmasq immediately.

Combine all these issues, and all the variables at play, and it's next to impossible to predict if you will or won't have a DNS leak. One thing's for sure. You had better use a kill switch over the WAN if you're in a situation where you can't afford any DNS leaks.

As I said, the whole thing is a mess. And I don't have a perfect workaround short of just completely circumventing the GUI and handling it all on the command line, nuts to bolts. If you must use the GUI, the best thing to do is monitor connection tracking to see where port 53 traffic is being routed, then work backwards to figure out how your particular configuration could be affecting that decision.

Code:
# sorted by age, newest to oldest
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"


Or for those builds that don't support the watch command...

Code:
#!/bin/sh
while :; do
    clear
    # sorted by age, newest to oldest
    cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3
    sleep 5
done


I'm even considering putting a script together to monitor for DNS leaks and report them to the user.
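An added example, not eibgrad's script and not DD-WRT's own code, that automates the conntrack check above: it parses each port-53 entry from the ip_conntrack format quoted in the thread and flags any lookup whose destination is not one of the resolvers pushed by the VPN. The sample conntrack lines and the resolver addresses are constructed.

```shell
#!/bin/sh
# Added example, not eibgrad's script and not DD-WRT's own code: classify each
# port-53 conntrack entry as "ok" (destination is a resolver the VPN pushed)
# or "LEAK" (destination is anything else, e.g. the ISP's resolver via the WAN).
# Assumes the /proc/net/ip_conntrack line format quoted in the thread.

# Constructed sample dump (not captured from a real router): two lookups to
# VPN-pushed resolvers, one lookup to an outside resolver, one HTTPS flow.
SAMPLE_CONNTRACK='udp      17 29 src=192.168.1.20 dst=10.8.0.1 sport=51234 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=192.168.1.20 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=2
udp      17 25 src=192.168.1.21 dst=10.8.0.2 sport=40011 dport=53 packets=1 bytes=60 src=10.8.0.2 dst=192.168.1.21 sport=53 dport=40011 packets=1 bytes=120 mark=0 use=2
udp      17 12 src=192.168.1.22 dst=203.0.113.53 sport=33001 dport=53 packets=1 bytes=60 src=203.0.113.53 dst=192.168.1.22 sport=53 dport=33001 packets=1 bytes=120 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=44310 dport=443 packets=10 bytes=1500 src=198.51.100.7 dst=192.168.1.20 sport=443 dport=44310 packets=8 bytes=9000 mark=0 use=2'

# Resolvers the VPN pushed (assumed values; on a real router take them from
# the pushed DNS options, i.e. what ends up in /tmp/resolv.dnsmasq).
VPN_DNS="10.8.0.1 10.8.0.2"

# $1 = conntrack text, $2 = space-separated allowed resolver IPs.
# Prints one line per port-53 entry: "ok <dst>" or "LEAK <dst>".
classify_dns_entries() {
    printf '%s\n' "$1" | grep ' dport=53 ' | while read -r line; do
        dst=
        # The first dst= field is the original direction (client -> resolver);
        # the second dst= is the reply direction and must be ignored.
        for field in $line; do
            case $field in dst=*) dst=${field#dst=}; break ;; esac
        done
        verdict=LEAK
        for allowed in $2; do
            [ "$dst" = "$allowed" ] && verdict=ok
        done
        echo "$verdict $dst"
    done
}

# Prints the number of leaking entries (0 means every lookup went to the VPN).
count_dns_leaks() {
    classify_dns_entries "$1" "$2" | grep -c '^LEAK ' || true
}

# Stand-alone run on the constructed sample; on the router replace
# "$SAMPLE_CONNTRACK" with "$(cat /proc/net/ip_conntrack)".
classify_dns_entries "$SAMPLE_CONNTRACK" "$VPN_DNS"
echo "leaks: $(count_dns_leaks "$SAMPLE_CONNTRACK" "$VPN_DNS")"
```

Wrapping the two calls in the thread's `while :; do ... sleep 5; done` loop turns this into the periodic monitor eibgrad describes.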
kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Wed Jun 06, 2018 22:11    Post subject:
eibgrad wrote:
...

I'm even considering putting a script together to monitor for DNS leaks and report them to the user.


Yes, PLEASE!

This would really be of help, since it is never easy to detect DNS leaks, considering the zillions of OpenVPN options.
Do you think it is NOT a dd-wrt issue? (Your comment2 on trac #6247 seems to point to OpenVPN).

Apart from that, working scripts MUST be in sync between kong and bs.

kooper2013
DD-WRT Novice


Joined: 10 Jan 2013
Posts: 48
Location: DE

PostPosted: Sun Aug 12, 2018 11:06    Post subject:
Hi eibgrad,

traceroute to my public IP via the VPN tunnel does NOT show IPs of my DSL provider with r36527 (bs) any more. Reason: the local IP of my DSL router was set as DNS on my DD-WRT router. So, somehow traceroute used both DNS servers, the DNS of my ISP and that of my VPN.

Your DNS-leak script reveals that only the 2 correct DNS IPs (pushed by the VPN) are used for DNS requests on port 53. (This is also valid if the local IP of my DSL router is set as DNS in my DD-WRT router.)

Code:
watch -tn5 "cat /proc/net/ip_conntrack | grep ' dport=53 ' | sort -nrk3"


Thanks a lot!

All times are GMT