VPN kill switch not working and selectively bypassing VPN

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3002
Location: Netherlands

PostPosted: Fri Mar 23, 2018 11:48    Post subject: Reply with quote
Is this your secondary router? If so, give us your network setup.
_________________
Router Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR routing script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Patched SFE module to work with PBR: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318895
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Fri Mar 23, 2018 12:44    Post subject: Reply with quote
Yes .. secondary .. the first for WAN uses 192.168.178.0/24 and the secondary is running on 192.168.178.6. Not sure how much information I should provide.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3002
Location: Netherlands

PostPosted: Fri Mar 23, 2018 13:33    Post subject: Reply with quote
The first line in your firewall rules gives that away: it is to prevent "local access" to your primary network.

When you say that the guest wifi (probably ath0.1 on 192.168.2.x) is not getting internet access when the kill switch is enabled, that could be caused by the fact that it is not routed through the VPN tunnel.

When you say you do not have local access when the kill switch is enabled do you mean you can not reach your primary network? (when on PBR you can not reach local clients on your own subnet by default, due to a bug)

daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Fri Mar 23, 2018 13:40    Post subject: Reply with quote
without the killswitch lines ...

ath0.1 routes via VPN (checked by IP location) and cannot access my LAN (primary network)

ath0 routes via VPN (checked by IP location) and can access my LAN (primary network)

A range of ath0 is in the PBR section. No entry for ath0.1 in PBR sections (breaks things).

This behaviour is exactly what I need. I spent so much time trying to get two subnets working in PBR .. which - in the end - wasn't necessary.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7444

PostPosted: Fri Mar 23, 2018 18:04    Post subject: Reply with quote
daniello wrote:
I'm a bit lost:

Being on v3.0-r35452 I noticed the following behaviour which seems to be a bit different than discussed.

I use this partial subnet in PBR:

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/25

This corresponds to a dhcp range I provide by WAP.
I expect all other IPs outside of that range within /24 to route to WAN directly (not tested).

I have a VAP 192.168.2.0/24 which also routes via VPN as desired (without entering anything in PBR .. which would break things).

I have a Firewall entry that prohibits VAP from accessing LAN.

Now for the killswitch:

would it suffice to enter this in "run commands"?

route 192.168.2.0/24 vpn_gateway
route 192.168.1.100/30 vpn_gateway
route 192.168.1.104/29 vpn_gateway
route 192.168.1.112/28 vpn_gateway
route 192.168.1.128/25 vpn_gateway

Would eg. 192.168.1.50 as a static IP still be routed to WAN?
How do I find the proper name of vpn_gateway or is this a real IF name?


Could we back up for just a second?

The first thing that struck me was your indicating this is a WAP. IOW, this is NOT something you're configuring on the primary router.

So is it correct to say you have a primary router w/ DHCP, and now you've configured a WAP (connected LAN to LAN wrt the primary router), w/ DHCP enabled, and a VPN? If so, that's going to be a problem since the WAP is not the default gateway for the rest of the network.

This is why egc has asked for the specifics on this network config. Once you add a WAP and start messing w/ DHCP and/or a VPN on that WAP, that changes everything. Most of the discussion in this thread assumes a router configured *as* a router (WAN to LAN), not a WAP (LAN to LAN), supporting DHCP and the VPN. It's *vital* to know exactly how you have things configured, or else everyone will be making assumptions that are probably not correct.

And as an aside, egc is right about OpenVPN route directives not working when PBR is active. But in addition, afaik, you can't use CIDR notation w/ OpenVPN either. It has to be of the kind x.x.x.x 255.255.0.0, y.y.y.y 255.255.255.128, etc. Also, vpn_gateway is an OpenVPN reserved word. It will automatically substitute the actual VPN gateway IP for that word when the routes are added.
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Fri Mar 23, 2018 18:18    Post subject: Reply with quote
Admittedly I didn't understand everything. But attached is the pdf I had provided a couple of weeks ago with one update to PBC (egc had already checked my settings and if I recall well everything was ok). The change I did to PBC was to remove that second /24 network and that seems to work just the way I wanted it .. as a secondary router.

My primary is a cable fritz!box that is configured pretty much as default router. So in this case I assigned a static IP to my secondary and I can access it via my primary network.
I test what I'm doing by connecting my cell phone to my secondary. I use IPlocation to check VPN and I try to connect to my local resources via both WAP or VAP .. the latter shouldn't work.

Hope this sheds some light and helps you help me
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7444

PostPosted: Fri Mar 23, 2018 19:04    Post subject: Reply with quote
daniello wrote:
Admittedly I didn't understand everything. But attached is the pdf I had provided a couple of weeks ago with one update to PBC (egc had already checked my settings and if I recall well everything was ok). The change I did to PBC was to remove that second /24 network and that seems to work just the way I wanted it .. as a secondary router.

My primary is a cable fritz!box that is configured pretty much as default router. So in this case I assigned a static IP to my secondary and I can access it via my primary network.
I test what I'm doing by connecting my cell phone to my secondary. I use IPlocation to check VPN and I try to connect to my local resources via both WAP or VAP .. the latter shouldn't work.

Hope this sheds some light and helps you help me


Ok, so this *is* a router configuration, NOT a WAP. The secondary router is connected to the primary router WAN to LAN respectively. That's good to know.

I noticed, however, the firewall rule has a syntax error (the one trying to block access to the primary router's local IP network from ath0.1).

It says "iptables -I FORWARD - ath0.1 ...", when it needs to be "iptables -I FORWARD -i ath0.1 ..."

This is why it's important to always dump iptables after adding firewall rules to make sure they "took" and not assume they did.

Code:
iptables -vnL FORWARD
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Sat Mar 24, 2018 5:43    Post subject: Reply with quote
Oh .. I messed up since this wasn't the latest version .. egc had pointed out my typo (missing -i) formerly:

Code:
iptables -I FORWARD -i ath0.1 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT


So this was already fixed but I didn't remember to update the screenshot.

Please explain this .. I don't know what it's for:

Code:

iptables -vnL FORWARD


BTW good that it is a proper router config .. I thought having two wireless access points makes the first AP a WAP and the second one a VAP .. that's why I used that wording
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7444

PostPosted: Sun Mar 25, 2018 0:59    Post subject: Reply with quote
The following ...

iptables -vnL FORWARD

... was only my attempt to show you how to dump iptables after adding a firewall rule, so you could verify it actually was added to the table. That's all moot at the moment since I now understand that's an old issue.

Let's get back to your initial post. Some of my remarks will be redundant since egc has already discussed them.

daniello wrote:
I'm a bit lost:

Being on v3.0-r35452 I noticed the following behaviour which seems to be a bit different than discussed.

I use this partial subnet in PBR:

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/25

This corresponds to a dhcp range I provide by WAP.
I expect all other IPs outside of that range within /24 to route to WAN directly (not tested).


Once you add anything to the PBR field, that stops the OpenVPN client from changing the default gateway from the WAN/ISP to the VPN. At that point, the *only* thing that will go over the VPN is those IPs you specify in PBR, *or*, any static routes directed over the VPN (iow, destination IPs).

However, because of the way dd-wrt implements PBR, it prevents any route directives in the OpenVPN Additional Config field from working. They just get ignored. So for all intents and purposes, once you're using PBR, nothing will use the VPN unless it's specified in PBR.

Quote:
I have a VAP 192.168.2.0/24 which also routes via VPN as desired (without entering anything in PBR .. which would break things).


This doesn't make sense given what I stated above. The only way 192.168.2.0/24 is going to use the VPN is if that network is specified in the PBR field.

Quote:
I have a Firewall entry that prohibits VAP from accessing LAN.


It might have been helpful to see that rule.

Quote:
Now for the killswitch:

would it suffice to enter this in "run commands"?

route 192.168.2.0/24 vpn_gateway
route 192.168.1.100/30 vpn_gateway
route 192.168.1.104/29 vpn_gateway
route 192.168.1.112/28 vpn_gateway
route 192.168.1.128/25 vpn_gateway

Would eg. 192.168.1.50 as a static IP still be routed to WAN?
How do I find the proper name of vpn_gateway or is this a real IF name?


Again, route directives are ineffective while PBR is enabled. In fact, even if it worked, this makes no sense for two reasons. First, iirc, OpenVPN doesn't accept CIDR notation xx.xx.xx.xx/yy. Second, route commands are for *destination* IPs, not source IPs!

daniello wrote:
without the killswitch lines ...

ath0.1 routes via VPN (checked by IP location) and cannot access my LAN (primary network)

ath0 routes via VPN (checked by IP location) and can access my LAN (primary network)

A range of ath0 is in the PBR section. No entry for ath0.1 in PBR sections (breaks things).

This behaviour is exactly what I need. I spent so much time trying to get two subnets working in PBR .. which - in the end - wasn't necessary.


Again, I don't see how this could be: how the VAP could be routed through the VPN without being in PBR. Once PBR is activated, the default gateway on that secondary router is pointing to the WAN/ISP. That's why anything not specified in PBR defaults to the WAN/ISP. So something is amiss here. But it's hard to know exactly what. There may be other issues as well, but until we figure out how it's possible the VAP could be using the VPN when it's not specified in PBR, there's not much point in going any further.
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Sun Mar 25, 2018 7:21    Post subject: Reply with quote
>>This doesn't make sense given what I stated above.

I ran my test again and this time it failed as you expected. I can connect but I don't get internet access. No idea why it worked the days before most probably I made a mistake.

Next I added 192.168.2.0/24 to the PBR field and did my test over.

[+] Cell connects to both networks and shows location of VPN Server (Finland).
[+] The second PBR network is not allowed to access LAN (iptables) and this works.
[-] The first PBR network 192.168.1.100/30, 192.168.1.104/29, 192.168.1.112/28, 192.168.1.128/25 should be allowed to access LAN resources on the primary network but that doesn't work. There is a difference in behaviour though: .2 gives an immediate error message while .1 somewhat tries to connect to the NAS share but is not successful. My test resource is immediately accessible via primary router.

>> It might have been helpful to see that rule.

I meant the one that you corrected:
Code:
iptables -I FORWARD -i ath0.1 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT


This is the only iptables entry I have.

>> Again, route directives are ineffective while PBR is enabled.

Understood.

First thing that I would like to facilitate is that .1 PBR range has unlimited access to my primary network 192.168.178.0/24. Kill switch would be next.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7444

PostPosted: Sun Mar 25, 2018 18:29    Post subject: Reply with quote
Check out the following known bug in PBR. The included fix might address some of your current problems.

http://svn.dd-wrt.com/ticket/5690
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 48

PostPosted: Wed Mar 28, 2018 10:04    Post subject: Reply with quote
Thanks .. I also found this one

http://svn.dd-wrt.com/ticket/6247

To be honest I'm not tech savvy enough to benefit. What I understand is that fixes are required related to PBR that may remedy my issues. Which is good .. if the fixes are made

What I also notice in 35452 is that the VPN connection closes by itself. If I recall correctly in former builds it stayed connected.
pigbait
DD-WRT Novice


Joined: 08 Nov 2014
Posts: 14

PostPosted: Mon Jan 07, 2019 4:30    Post subject: Reply with quote
Well clearly I'm too stupid to copy and paste a script.. I'm on the pastebin site.. what part of the code do I want to install in the firewall command?? I use PBR so would only like those IPs on the killswitch..

Right now I have everything selected from line 1 to line 60.

But it's not working...

If anyone could elaborate on what the actual code is that I need it would be greatly appreciated..

Thanks a lot, pigbait
portsup
DD-WRT Novice


Joined: 20 Oct 2018
Posts: 25

PostPosted: Fri Jan 11, 2019 12:21    Post subject: Reply with quote
You can write over the existing route up and route down scripts so you can use them to execute various things. I use the up option to run a script to do this. You could for instance disable a kill switch in route up and then enable it in the route down. Best solution as I think has been mentioned is to use pbr and then limit that routing to only go out on the VPN.

If you look inside the route up script you will see what creates the pbr.

for IP in `cat /tmp/openvpncl/policy_ips` ; do
ip rule add from $IP table 10
done
ip route add default via $route_vpn_gateway table 10
ip route flush cache

This pulls the pbr address/es from policy_ips which stores what you enter from the webui. Limits them to only go out on table 10 which is limited to the vpn. This is effectively the start of a killswitch.

The problem if you look at the route down script is.

iptables -D INPUT -i tun1 -j ACCEPT
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route flush table 10

It may be all of it or just the last bit that destroys table 10, effectively allowing your pbr addresses to go wherever they want. I would think deleting that or all of it would effectively throw the pbr into limbo.

Other option would be to use addresses for the pbr that have no routing setup without the vpn putting them into table 10. So if table 10 is deleted they have nowhere to go.

I am not an expert on this so may be wrong. But I have a killswitch setup for just transmission which is working well.

eibgrad wrote:
Second, route commands are for *destination* IPs, not source IPs!


"ip rule add from ..." routes from source IP(s). Which is how pbr is set up.
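An added example, not code from the thread or from DD-WRT, that turns portsup's idea and pigbait's question into a kill switch for the PBR sources only, plus the "did the rules take?" check against `iptables -vnL FORWARD` that eibgrad recommends. It assumes the PBR entries live in /tmp/openvpncl/policy_ips (the file the route-up excerpt reads) and that the client interface is tun1; the policy file and the iptables dump it works on here are constructed so it runs off the router.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: generate a kill switch for
# the PBR sources only and check a saved `iptables -vnL FORWARD` dump for them.
# Assumptions: PBR sources come from /tmp/openvpncl/policy_ips (the file the
# route-up excerpt above reads) and the OpenVPN client interface is tun1.

# Print the PBR entries from a policy file one per line, ignoring comments and
# blank lines (entries may be space- or newline-separated).
pbr_sources() {
    sed 's/#.*//' "$1" | tr -s ' \t' '\n\n' | grep -v '^[[:space:]]*$'
}

# Emit one iptables command per PBR source: reject any forwarded packet from
# that source that is NOT leaving through the VPN interface. Hosts outside PBR
# are untouched, so they keep using the WAN as before.
#   $1 = policy file   $2 = VPN interface
killswitch_rules() {
    pbr_sources "$1" | while read -r src; do
        printf 'iptables -I FORWARD -s %s ! -o %s -j REJECT\n' "$src" "$2"
    done
}

# Given a saved `iptables -vnL FORWARD` dump, print the PBR sources that have no
# matching REJECT rule (column 7 is "out", column 8 is "source").
#   $1 = policy file   $2 = dump file   $3 = VPN interface
missing_rules() {
    pbr_sources "$1" | while read -r src; do
        awk -v s="$src" -v o="!$3" \
            '$3=="REJECT" && $7==o && $8==s {f=1} END {exit !f}' "$2" || echo "$src"
    done
}

# Constructed sample input: the PBR ranges from this thread plus the VAP subnet.
POL=$(mktemp); DUMP=$(mktemp); trap 'rm -f "$POL" "$DUMP"' EXIT
printf '%s\n' 192.168.1.100/30 192.168.1.104/29 192.168.1.112/28 \
    192.168.1.128/25 192.168.2.0/24 > "$POL"
# Constructed dump in which the rule for 192.168.2.0/24 was never added.
cat > "$DUMP" <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      !tun1   192.168.1.100/30     0.0.0.0/0
    0     0 REJECT     all  --  *      !tun1   192.168.1.104/29     0.0.0.0/0
    0     0 REJECT     all  --  *      !tun1   192.168.1.112/28     0.0.0.0/0
    0     0 REJECT     all  --  *      !tun1   192.168.1.128/25     0.0.0.0/0
EOF

echo "# rules to add (pipe into sh on the router to apply):"
killswitch_rules "$POL" tun1
echo "# PBR sources with no kill-switch rule in the dump:"
missing_rules "$POL" "$DUMP" tun1
```

On the router, run `iptables -vnL FORWARD > /tmp/fwd.txt` after applying the rules and feed that file to missing_rules instead of the constructed dump.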