Posted: Thu Oct 18, 2018 19:27 Post subject: Openvpn, policy based routing problem connection
Hi, I have a problem with my VPN, I hope you can help me. I have a plan with NordVPN and I set it all up and it works fine (NordVPN requires specific DNS servers; I mention it because this is the problem). Now I wanted 4 devices to browse through the VPN and the rest not. I assigned a specific IP to each device, set the rule in policy based routing, and those devices are actually under the VPN. The problem is that everyone who is not under the VPN cannot browse. Reading around I found a solution that said to set Google's DNS as DNS 1. Now the devices outside the VPN do browse. The problem is that now the devices under the VPN do not browse ....
To recap:
dns 1: 8.8.8.8
dns 2: nordvpn dns
dns 3: 0.0.0.0
The problem should be the DNS ... how do I point the devices under the VPN to the VPN's DNS and the devices outside the VPN to Google's DNS? I should say that I installed DD-WRT 3 days ago so I do not know anything ... if you know how to solve it, please try to explain step by step what to do ... thanks
The logic of selecting the DNS is that if DNS1 is not found (or takes too long), DNS2 is used, and so on. By setting DNS1 to Google and DNS2 to NordVPN, you have defeated the purpose of using a VPN.
2. Under Policy based routing on the Services>>VPN page, enter the IP addresses that should use the VPN. All IP addresses entered here will be under the VPN and the others will not use the VPN.
* If you have a long list to be used under the VPN, you may want to use the CIDR notation as explained here: https://www.ipaddressguide.com/cidr
* If you have dynamic DHCP (i.e. if the IP address of a client device is decided by the router), bind the IP address to the client's MAC address in Services>>Services under the static lease section. Yes, this means that you need to find out the MAC address of each client device that needs the VPN and link it to a certain IP address.
3. Reboot - and that is all there is to it.
4. Go to the site http://ipleak.net to verify whether you are on VPN or not.
You did not mention your router or the DD-WRT build. I use a Netgear R6400v2 and (thanks to this forum) have configured OpenDNS on the 2.4 GHz channel and LAN connectors 3 and 4. OpenVPN is on the 5 GHz channel with LAN connectors 1 and 2. You could read this thread and the links there for more information.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316655
Unfortunately, this forum is not a helpline for DD-WRT. So you will need to read, understand and try out stuff. But it is interesting if you have the patience. All the best. Fortunately, people help each other, as I am sure you will be doing after a couple of months. _________________ PROFESSIONAL STUDENT my.Mistakes ∝ my.Learning ... provided I have the patience & persistence to learn
Thanks for the reply, but I did everything you wrote ;)
Now something strange happened: I put a single device in the routing to try it, restarted the router, and the device was not under the VPN. I do not understand what is happening. I deleted the rule and it came back under the VPN ... a question: can you explain what the Shortcut Forwarding Engine option is? First it was activated, then I read that the problem could depend on it and I deactivated it ...
Maybe I'm changing too many things at once; it's better to start all over again, even if the things I had done at the beginning were the ones you wrote to me and I still had problems ...
If PBR is blank, all IP addresses are by default under VPN.
You are right - SFE needs to be disabled. I never needed to use it and always kept it disabled.
Check under the Services>>VPN tab in the additional config. There should be a line "route-nopull". If it is not there, please add it (it is needed for PBR).
Good thing that you are reading and trying to understand. You may find the following link useful.
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-3/
Good evening, I'm sorry but I still have not solved the problem ... I restarted from the basic NordVPN configuration and added the IPs that I wanted under the VPN using CIDR notation. I added the route-nopull line. The IPs that are not in the routing browse outside the VPN perfectly. The IPs that are under the VPN do not browse ... I do not know where to bang my head ;) I noticed that if I delete them from the routing without removing the route-nopull line, all IPs browse, but without being under the VPN .... Is this behavior normal? Any other idea to help me?? Thank you so much
If I get your comment right, all IP addresses were getting internet except those that you put under PBR (please confirm I understood this correctly).
1. Did you reboot after setting PBR or just click "Apply Settings"? A reboot is a must for PBR to work.
2. Does your main page (Setup>>Basic Setup) have the NordVPN DNS? (Only the NordVPN entries 103.86.96.100 and 103.86.99.100 need to be there. The third DNS can be left blank.)
If problems still persist:
3. NordVPN has different certificates and tls-auth.key files for each server. Please check that you are using the correct ones (avoid the defaults given, as NordVPN may have changed some server details but not updated the tutorial). You can get the server details and name from https://nordvpn.com/servers/
Thanks for the reply.
So if I start the VPN and leave the PBR empty, all the devices go under the VPN and everything works perfectly. If I enter an IP under the PBR (to be clearer, 192.168.0.100 for example), the device with IP 192.168.0.110 browses without being under the VPN, while the device with IP 192.168.0.100 has no internet access.
My DNS configuration is as you say: DNS1 and DNS2 taken from NordVPN, DNS3 blank.
The certificates for the server I connect to are correct; I was careful about that step. Every time I edit the PBR I save, apply and reboot the router.
I do not know if I've ever written it, but I have a Linksys WRT3200ACM and the firmware version is v3.0-37304 std (10/10/2018)
1. Can you telnet to the router and check whether policy_ips shows the PBR clients? You could run the following from telnet:
nvram show | grep "" /tmp/openvpncl/policy_ips
(Your PBR entries should show up here)
2. Your Administration>>Commands page should have the following line in the firewall script (if it is not there, first click "Edit" under Firewall, enter this line in the command window at the end of the other lines, and then click "Save Firewall"):
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
(in your case it could be tun0 instead of tun1. You can check this first: type ifconfig in the command window on Administration>>Commands, click "Run Commands", and check the output displayed)
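The checks in the post above (the policy_ips list, the MASQUERADE rule on the tun interface) together with the route-nopull line and the CIDR entries recommended earlier in the thread can be scripted. What follows is an added example written for this thread, not code from DD-WRT or from any poster: a POSIX sh script (it also runs in the router's busybox shell) that performs those checks over text captured from the router, so it can be tried offline. The sample policy_ips contents, the sample output of `iptables -t nat -S POSTROUTING` and the sample client config are constructed; the function names are ours; the path /tmp/openvpncl/policy_ips comes from the thread, while /tmp/openvpncl/openvpn.conf for the generated client config is an assumption.

```shell
#!/bin/sh
# Added example for this thread (not DD-WRT code): offline checks for what a
# DD-WRT OpenVPN client needs before policy based routing (PBR) can send a
# single LAN client through the tunnel. Plain POSIX/busybox sh.
#
# Inputs are passed as text so the checks can be tried offline. On the router
# the three samples would be replaced by the output of:
#   cat /tmp/openvpncl/policy_ips        (PBR list, path from the thread)
#   iptables -t nat -S POSTROUTING       (NAT rules as iptables prints them)
#   cat /tmp/openvpncl/openvpn.conf      (generated client config; assumed path)

# Constructed sample PBR list: one host entry plus one CIDR block (.200-.207)
SAMPLE_POLICY_IPS='192.168.0.100
192.168.0.200/29'

# Constructed sample of "iptables -t nat -S POSTROUTING" on a build that
# adds the tunnel MASQUERADE rule by itself
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE'

# Constructed sample of the generated OpenVPN client config
SAMPLE_OVPN_CONF='client
dev tun1
proto udp
remote vpn.example.net 1194
route-nopull
persist-key
persist-tun'

# ip4_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP ENTRY -> true when ENTRY (a.b.c.d or a.b.c.d/n) covers IP
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32            # bare host entry, no "/n"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# client_in_pbr IP POLICY_LIST -> true when any entry of the PBR list covers IP
client_in_pbr() {
    for entry in $2; do
        ip_in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# vpn_dev CONF -> prints the interface named on the "dev" line (e.g. tun1)
vpn_dev() {
    echo "$1" | while read -r key val rest; do
        [ "$key" = dev ] && { echo "$val"; break; }
    done
}

# has_route_nopull CONF -> true when route-nopull is present as its own line
has_route_nopull() {
    echo "$1" | grep -qx 'route-nopull'
}

# masquerade_on IFACE NAT_RULES -> true when nat POSTROUTING masquerades out of IFACE
masquerade_on() {
    echo "$2" | grep -q -- "^-A POSTROUTING -o $1 -j MASQUERADE$"
}

# pbr_diagnose IP POLICY_LIST NAT_RULES CONF
# One line per check for a client that is supposed to use the VPN;
# returns 0 only when every check passed.
pbr_diagnose() {
    rc=0
    if client_in_pbr "$1" "$2"; then
        echo "ok:   $1 is covered by policy_ips"
    else
        echo "FAIL: $1 is not in policy_ips (it will use the WAN)"; rc=1
    fi
    if has_route_nopull "$4"; then
        echo "ok:   route-nopull is in the client config"
    else
        echo "FAIL: route-nopull is missing (without it all clients get the VPN route)"; rc=1
    fi
    dev=$(vpn_dev "$4")
    if masquerade_on "$dev" "$3"; then
        echo "ok:   nat POSTROUTING masquerades out of $dev"
    else
        echo "FAIL: no MASQUERADE for $dev; fix: iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE"; rc=1
    fi
    return $rc
}

# Demo against the constructed samples: .100 is the PBR client from the
# thread, .110 the client that is meant to stay on the WAN
echo "== 192.168.0.100 (should be on the VPN)"
pbr_diagnose 192.168.0.100 "$SAMPLE_POLICY_IPS" "$SAMPLE_NAT_RULES" "$SAMPLE_OVPN_CONF" || true
if client_in_pbr 192.168.0.110 "$SAMPLE_POLICY_IPS"; then
    echo "== 192.168.0.110 is in policy_ips"
else
    echo "== 192.168.0.110 is not in policy_ips, so it uses the WAN as intended"
fi
```

On the router, feed the functions the real output of `cat /tmp/openvpncl/policy_ips`, `iptables -t nat -S POSTROUTING` and the generated client config. Note that `nvram show | grep "" /tmp/openvpncl/policy_ips` simply prints that file, because grep ignores its standard input once it is given a file operand, so `cat /tmp/openvpncl/policy_ips` does the same job; a "No such file or directory" answer means the PBR list has not been written to /tmp/openvpncl at all, which points back at the PBR field or at the client not having been started after the change rather than at the firewall.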
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sat Oct 20, 2018 8:48 Post subject:
@m0eb@ wrote:
1. Can you telnet to the router and check whether policy_ips shows the PBR clients? You could run the following from telnet:
nvram show | grep "" /tmp/openvpncl/policy_ips
(Your PBR entries should show up here)
2. Your Administration>>Commands page should have the following line in the firewall script (if it is not there, first click "Edit" under Firewall, enter this line in the command window at the end of the other lines, and then click "Save Firewall"):
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
(in your case it could be tun0 instead of tun1. You can check this first: type ifconfig in the command window on Administration>>Commands, click "Run Commands", and check the output displayed)
DD-WRT takes care of the POSTROUTING rule (in modern builds, i.e. builds from 2017 onwards).
You can always check by telnetting to your router and doing:
DDWRT takes care of the POSTROUTING rule (in modern builds, i.e. builds from 2017 onwards).
Thanks. Coming back after a gap of 3 years, a lot seems to have changed. You pointed out such changes in several threads, and I had also asked whether someone could help with where to find these changes. I did not get the responses I needed. I follow the wiki, which is probably being updated slowly.
About this thread:
The first issue was the wrongly set DNS. That is corrected. Now only PBR clients fail to get internet access.
* NordVPN settings are correct (as the user says)
* Check policy_ips to ensure that the PBR clients are properly entered and are being considered at runtime.
* You have already asked to check the DNS
* The next step would be the firewall (probably some line there blocking the internet, or some missing line that does not allow the VPN to reach the internet)
That was my chain of thought.
Maybe also check whether route-up.sh is showing the right stuff. Finally, switch over to a more 'stable' DD-WRT version, start from scratch and see. The user has the latest beta version, which may have issues, and/or maybe the right firmware is not being used.
If that too failed, I would check all the files in openvpncl (except user.conf and credentials) for anomalies. That would be time-consuming for me, but it is the surest way to find the reason.
1. Can you telnet to the router and check whether policy_ips shows the PBR clients? You could run the following from telnet:
nvram show | grep "" /tmp/openvpncl/policy_ips
(Your PBR entries should show up here)
2. Your Administration>>Commands page should have the following line in the firewall script (if it is not there, first click "Edit" under Firewall, enter this line in the command window at the end of the other lines, and then click "Save Firewall"):
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
(in your case it could be tun0 instead of tun1. You can check this first: type ifconfig in the command window on Administration>>Commands, click "Run Commands", and check the output displayed)
If I run the command you suggested, it tells me that the file does not exist: no such file or directory.
Now I'll try to check the firewall and, if needed, add the line.