VPN Client with PBR - suddenly not working

DD-WRT Novice

Joined: 18 Nov 2017
Posts: 16

PostPosted: Thu Aug 05, 2021 12:40    Post subject: VPN Client with PBR - suddenly not working
Hi everyone,

I have moved from my previous apartment to a new one - and of course now have a new networking setup with issues:


* Nighthawk R7000P as DD-WRT router behind ISP modem
* R7000P setup as local DNS server (in parallel to ISP modem as DNS Server - both with the same static routes defined) //disabling DNS server in my DD-WRT always breaks the network (?)
* DD-WRT setup as VPN Server and VPN Client
* VPN Client (NordVPN) defined for few devices with policy based routing (ip based)


(a) I had many DNS leak problems, primarily resulting in Netflix blocking my streaming.
(b) I have/had regular connection drops in meetings while PBR still worked (see below), i.e. video call dropped for 5-10 seconds every couple of minutes (and then it was okay again for some time)

Based on Issues (a) + (b) I initiated some troubleshooting and tried to fix it (see these guides in top post by egc): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

(c) With the applied fixes my PBR routed devices now use the VPN's DNS (VPN client is connected), but the devices still go via regular WAN suddenly. I have no idea why and how to fix this
(d) Also, my VPN server is not reachable anymore (I portforwarded in the ISP modem of course)
(e) Also, looking at the syslog I now regularly see warnings of possible rebind attacks (previously rather seldom) and ERROR that the time server is not reachable (network down)

Could you please help me?

I'd like to share logs/settings but Admin > Commands > Run (see commands below) do not return any output.

"ip route show
ip route show table 10
ip rule show"

Happy to supply logs if you tell me how (via GUI?).

Key issue for me is currently (c)

Thank you!

Firmware: DD-WRT v3.0-r47117 std (08/01/21)
Time: 14:38:47 up 29 min, load average: 0.02, 0.03, 0.00
WAN: Disabled

Joined: 18 Sep 2010
Posts: 9357

PostPosted: Thu Aug 05, 2021 18:15    Post subject:
TIP: Avoid using the Administration->Commands input field to run arbitrary commands. I have no idea how that's implemented, but it's notorious for being VERY finicky about syntax and formatting. Instead, use telnet or ssh. You'll have a lot fewer problems.

In the case of (c), since I don't know specifically what you did, it's hard to critique it and explain the behavior. The fact you say the PBR devices now use the VPN'd DNS, but are routed over the WAN, is particularly confusing. How did you verify this? It's not always that easy to know for sure. Not unless you use a traceroute, or perhaps dump connection tracking on the router (cat /proc/net/nf_conntrack).

ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
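eibgrad's question ("How did you verify this?") is the right one: with policy based routing, a LAN host only leaves through the tunnel if a rule steers its source address into a separate table AND that table's default route points at the tun interface. The script below is an added example (not from this thread, not DD-WRT's own code) that reads the output of `ip rule show` and `ip route show table <N>` and reports which path a given host would take. All sample output is constructed in the layout the router prints; the addresses are made up.

```shell
#!/bin/sh
# Added example: decide from "ip rule show" and "ip route show table N" output
# whether a LAN host is policy-routed through the VPN. Both sample inputs are
# constructed; they are not the OP's real output.

# Which table does a "from <src> lookup <table>" rule select for this source?
pbr_table_for_src() {
    # $1 = source IP, $2 = "ip rule show" output; prints the table, or nothing
    printf '%s\n' "$2" | awk -v s="$1" \
        '$2 == "from" && ($3 == s || $3 == (s "/32")) && $4 == "lookup" { print $5; exit }'
}

# Which device does the default route of a routing table use?
default_dev_in_table() {
    # $1 = "ip route show table N" output; prints the device, or nothing
    printf '%s\n' "$1" | awk \
        '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

pbr_check() {
    # $1 = source IP, $2 = rule output, $3 = route output for the PBR table.
    # Returns 0 only when the source is steered into a table whose default
    # route is a tun interface; everything else ends up on the WAN.
    table=$(pbr_table_for_src "$1" "$2")
    if [ -z "$table" ]; then
        echo "$1: no policy rule; traffic falls through to the main table (WAN)"
        return 1
    fi
    dev=$(default_dev_in_table "$3")
    case $dev in
        tun*) echo "$1: table $table, default via $dev (VPN)"; return 0 ;;
        *)    echo "$1: table $table, default via ${dev:-<none>} (NOT the VPN)"; return 1 ;;
    esac
}

# Constructed sample: two hosts pinned to table 10, the shape of the OP's "ip rule show".
SAMPLE_RULES='0:      from all lookup local
32764:  from 192.168.1.50 lookup 10
32765:  from 192.168.1.51 lookup 10
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample: table 10 while the VPN client is up (tunnel is the default gateway).
SAMPLE_TABLE10='default via 10.8.0.1 dev tun1
10.8.0.0/24 dev tun1 scope link src 10.8.0.2
192.168.1.0/24 dev br0 scope link src 192.168.1.1'

# Constructed sample: the same table after the client has dropped (no default route left).
SAMPLE_TABLE10_DOWN='192.168.1.0/24 dev br0 scope link src 192.168.1.1'

pbr_check 192.168.1.50 "$SAMPLE_RULES" "$SAMPLE_TABLE10" || true
pbr_check 192.168.1.99 "$SAMPLE_RULES" "$SAMPLE_TABLE10" || true
pbr_check 192.168.1.51 "$SAMPLE_RULES" "$SAMPLE_TABLE10_DOWN" || true
```

The third call is the case the OP describes in (c): the rule is still there, so the host looks "policy routed", but the table it is sent to has no tun default route any more, so the kernel falls through to the main table and the traffic leaves via the WAN. On a router with a full iproute2 `ip` binary the same question can be asked of the kernel directly with `ip route get <dst> from <src> iif br0`, which resolves the policy rules the same way a forwarded packet would.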
DD-WRT Novice

Joined: 18 Nov 2017
Posts: 16

PostPosted: Thu Aug 05, 2021 21:32    Post subject:
Thanks eibgrad - good point regarding commands.

So I did some testing.

I realized the VPN Client was not connected successfully at all (?!).

To fix issues (a) and (b) as described above I (among others) added the following two codes to the VPN client additional config field (as described in the troubleshooting guides linked in the original post).

Code 1

#below code is for ensuring non-vpn routed devices to not try to use DNS servers that are provided by NordVPN (and only reachable via VPN)
route vpn_gateway
route vpn_gateway

Only adding code 1 still keeps the VPN client running

Code 2

#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server= net_gateway
server= net_gateway

Adding this breaks the VPN Client - I have no idea why.
As I understand, code 2 should be added to ensure non-PBR devices use the default WAN DNS (so I do not end up in the situation with only Code 1 and 5 DNS).

Also, I am getting constant disconnect messages in VPN Client log (see below)?


20210805 23:15:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20210805 23:15:01 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20210805 23:15:01 I OpenVPN 2.5.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 1 2021
20210805 23:15:01 I library versions: OpenSSL 1.1.1k 25 Mar 2021 LZO 2.09
20210805 23:15:01 MANAGEMENT: TCP Socket listening on [AF_INET]
20210805 23:15:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210805 23:15:01 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 I TCP/UDP: Preserving recently used remote address: [AF_INET]
20210805 23:15:01 Socket Buffers: R=[262144->262144] S=[262144->262144]
20210805 23:15:01 W --mtu-disc is not supported on this OS
20210805 23:15:01 I UDP link local: (not bound)
20210805 23:15:01 I UDP link remote: [AF_INET]
20210805 23:15:01 TLS: Initial packet from [AF_INET] sid=fc672aaf c2779d63
20210805 23:15:01 VERIFY OK: depth=2 C=PA O=NordVPN CN=NordVPN Root CA
20210805 23:15:01 VERIFY OK: depth=1 C=PA O=NordVPN CN=NordVPN CA6
20210805 23:15:01 NOTE: --mute triggered...
20210805 23:15:01 5 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:02 D MANAGEMENT: CMD 'status 2'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:02 D MANAGEMENT: CMD 'log 500'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1566' remote='link-mtu 1634'
20210805 23:15:02 W WARNING: 'auth' is used inconsistently local='auth [null-digest]' remote='auth SHA512'
20210805 23:15:02 W WARNING: 'comp-lzo' is present in remote config but missing in local config remote='comp-lzo'
20210805 23:15:02 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA512
20210805 23:15:02 I [de801.nordvpn.com] Peer Connection Initiated with [AF_INET]
20210805 23:15:03 SENT CONTROL [de801.nordvpn.com]: 'PUSH_REQUEST' (status=1)
20210805 23:15:03 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS dhcp-option DNS sndbuf 524288 rcvbuf 524288 explicit-exit-notify comp-lzo no route-gateway topology subnet ping 60 ping-restart 180 ifconfig peer-id 5 cipher AES-256-GCM'
20210805 23:15:03 Pushed option removed by filter: 'redirect-gateway def1'
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 4 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Socket Buffers: R=[262144->524288] S=[262144->524288]
20210805 23:15:03 OPTIONS IMPORT: --ifconfig/up options modified
20210805 23:15:03 OPTIONS IMPORT: route-related options modified
20210805 23:15:03 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 3 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Data Channel: using negotiated cipher 'AES-256-GCM'
20210805 23:15:03 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 net_route_v4_best_gw query: dst
20210805 23:15:03 net_route_v4_best_gw result: via dev br0
20210805 23:15:03 I TUN/TAP device tun1 opened
20210805 23:15:03 I net_iface_mtu_set: mtu 1500 for tun1
20210805 23:15:03 I net_iface_up: set tun1 up
20210805 23:15:03 I net_addr_v4_add: dev tun1
20210805 23:15:03 net_route_v4_add: via dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: via dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: via dev [NULL] table 0 metric -1
20210805 23:15:03 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20210805 23:15:03 I Initialization Sequence Completed
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:13 D MANAGEMENT: CMD 'status 2'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]
20210805 23:15:13 D MANAGEMENT: CMD 'log 500'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]
20210805 23:19:53 D MANAGEMENT: CMD 'status 2'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]
20210805 23:19:53 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00

Other screenshots of my config:

Return values regarding PBR config:


command: ip route show dev tun1 scope link  src via dev tun1 via dev tun1 dev lo scope link dev tun2 scope link  src dev br0 scope link  src via dev br0

command: ip route show table 10 via dev tun1 dev tun1 scope link  src via dev tun1 via dev tun1 dev lo scope link via dev tun1 dev tun2 scope link  src dev br0 scope link  src via dev br0

command: ip rule show

0:      from all lookup local
32764:  from lookup 10
32765:  from lookup 10
32766:  from all lookup main
32767:  from all lookup default


Joined: 18 Sep 2010
Posts: 9357

PostPosted: Thu Aug 05, 2021 23:55    Post subject:
#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server= net_gateway
server= net_gateway

The above is NOT valid OpenVPN syntax. It looks like a mix between a server directive used w/ DNSMasq, and a route command used w/ OpenVPN. If you want to bind and to the WAN via OpenVPN, you need the following in the Additional Config field.

route net_gateway
route net_gateway

As far as the connect/disconnects, those lines in the log are nothing to worry about.

OpenVPN provides a management UI (typically running on localhost, port 16) that you can call when it's running. The router is calling it to get updated statistics from OpenVPN, then updating the OpenVPN status page. Every time you visit that page or refresh it, you'll see these messages as it connects, issues the state command, and disconnects.

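The mix-up eibgrad points out is easy to make because egc's guide touches two different config files: `server=` lines belong in the DNSMasq additional options, while the OpenVPN "Additional Config" field only understands OpenVPN directives such as `route <network> [netmask] [gateway]`, where the gateway is an IPv4 address or one of the keywords `vpn_gateway`, `net_gateway` or `remote_host`. The script below is an added example (not from this thread and not part of DD-WRT) that lints a snippet destined for that field and rejects exactly the lines that broke the OP's client. The two sample configs are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example: sanity-check the text pasted into the OpenVPN client
# "Additional Config" field. It flags dnsmasq "server=" lines (wrong file) and
# malformed "route" lines; every other directive is passed through untouched.
# The sample configs are constructed, not the OP's real settings.

lint_ovpn_config() {
    # $1: config text, one directive per line. Prints one finding per bad line.
    # Returns 0 when nothing was flagged, 1 otherwise.
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        # blank lines and comments ("#" or ";") are fine
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        # "server=" is dnsmasq syntax; OpenVPN has no such directive
        /^[ \t]*server[ \t]*=/ {
            printf "line %d: %s is dnsmasq syntax, not an OpenVPN directive\n", NR, $1
            bad = 1; next
        }
        $1 == "route" {
            # OpenVPN: route <network> [netmask] [gateway] [metric]
            if (NF < 2 || $2 ~ /_gateway$/ || $2 == "remote_host") {
                printf "line %d: route is missing its destination address\n", NR
                bad = 1; next
            }
            if (NF >= 3 && $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                printf "line %d: netmask \"%s\" is not an IPv4 mask\n", NR, $3
                bad = 1; next
            }
            if (NF >= 4 && $4 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
                $4 != "vpn_gateway" && $4 != "net_gateway" && $4 != "remote_host") {
                printf "line %d: gateway \"%s\" is not an address or an OpenVPN gateway keyword\n", NR, $4
                bad = 1; next
            }
        }
        END { exit bad }
    '
}

# Constructed sample: two resolvers pinned to the WAN the way OpenVPN expects it.
GOOD_CFG='# keep these two DNS servers reachable via the WAN, not the tunnel
route 203.0.113.53 255.255.255.255 net_gateway
route 203.0.113.54 255.255.255.255 net_gateway'

# Constructed sample: the thread'"'"'s mistake, dnsmasq lines in the OpenVPN field.
BAD_CFG='server=203.0.113.53
server=203.0.113.54
route 198.51.100.10 255.255.255.255 vpn_gateway'

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if lint_ovpn_config "$cfg"; then echo "config OK"; else echo "config rejected"; fi
done
```

Running this before saving the field would have caught both `server=` lines with a message naming them as dnsmasq syntax, and it also rejects a line like `route vpn_gateway` that has lost its destination address. It is deliberately narrow: it does not validate every OpenVPN directive, only the two that were confused here.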
DD-WRT Novice

Joined: 18 Nov 2017
Posts: 16

PostPosted: Fri Aug 06, 2021 7:11    Post subject:
Ah - this is really embarrassing. I must have mixed up the syntax myself.

I'll adapt and get back to you with feedback.

In any case: many thanks eibgrad!