Posted: Thu Aug 05, 2021 12:40 Post subject: VPN Client with PBR - suddenly not working
Hi everyone,
I have moved from my previous apartment to a new one - and of course now have a new networking setup with issues:
Setup:
* Nighthawk R7000P as DD-WRT router behind ISP modem
* R7000P set up as local DNS server (in parallel to the ISP modem as DNS server - both with the same static routes defined) // disabling the DNS server in my DD-WRT always breaks the network (?)
* DD-WRT set up as VPN server and VPN client
* VPN client (NordVPN) defined for a few devices with policy-based routing (IP based)
Issues:
(a) I had many DNS leak problems, primarily resulting in Netflix blocking my streaming.
(b) I have/had regular connection drops in meetings while PBR still worked (see below), i.e. the video call dropped for 5-10 seconds every couple of minutes (and then it was okay again for some time).
(c) With the applied fixes my PBR-routed devices now use the VPN's DNS (the VPN client is connected), but the devices still suddenly go via the regular WAN. I have no idea why or how to fix this.
(d) Also, my VPN server is not reachable anymore (I port-forwarded in the ISP modem, of course).
(e) Also, looking at the syslog I now regularly see warnings of possible rebind attacks (previously rather seldom) and an ERROR that the time server is not reachable (network down).
Could you please help me?
I'd like to share logs/settings, but Admin > Commands > Run (see the commands below) does not return any output.
"ip route show
ip route show table 10
ip rule show"
Happy to supply logs if you tell me how (via GUI?).
TIP: Avoid using the Administration->Commands input field to run arbitrary commands. I have no idea how that's implemented, but it's notorious for being VERY finicky about syntax and formatting. Instead, use telnet or ssh. You'll have a lot fewer problems.
I realized the VPN Client was not connected successfully at all (?!).
To fix issues (a) and (b) as described above I (among other things) added the following two codes to the VPN client's additional config field (as described in the troubleshooting guides linked in the original post).
Code 1
Code:
#below code is for ensuring non-vpn routed devices to not try to use DNS servers that are provided by NordVPN (and only reachable via VPN)
route 103.86.96.100 255.255.255.255 vpn_gateway
route 103.86.99.100 255.255.255.255 vpn_gateway
Only adding Code 1 still keeps the VPN client running.
Code 2
Code:
#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server=9.9.9.9 255.255.255.255 net_gateway
server=176.103.130.130 255.255.255.255 net_gateway
Adding this breaks the VPN client - I have no idea why.
As I understand it, Code 2 should be added to ensure non-PBR devices use the default WAN DNS (so I do not end up in the situation with only Code 1 and 5 DNS).
Also, I am getting constant disconnect messages in the VPN client log (see below).
Code:
Clientlog:
20210805 23:15:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20210805 23:15:01 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20210805 23:15:01 I OpenVPN 2.5.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 1 2021
20210805 23:15:01 I library versions: OpenSSL 1.1.1k 25 Mar 2021 LZO 2.09
20210805 23:15:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20210805 23:15:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210805 23:15:01 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 I TCP/UDP: Preserving recently used remote address: [AF_INET]195.181.170.199:1194
20210805 23:15:01 Socket Buffers: R=[262144->262144] S=[262144->262144]
20210805 23:15:01 W --mtu-disc is not supported on this OS
20210805 23:15:01 I UDP link local: (not bound)
20210805 23:15:01 I UDP link remote: [AF_INET]195.181.170.199:1194
20210805 23:15:01 TLS: Initial packet from [AF_INET]195.181.170.199:1194 sid=fc672aaf c2779d63
20210805 23:15:01 VERIFY OK: depth=2 C=PA O=NordVPN CN=NordVPN Root CA
20210805 23:15:01 VERIFY OK: depth=1 C=PA O=NordVPN CN=NordVPN CA6
20210805 23:15:01 NOTE: --mute triggered...
20210805 23:15:01 5 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:02 D MANAGEMENT: CMD 'status 2'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:02 D MANAGEMENT: CMD 'log 500'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1566' remote='link-mtu 1634'
20210805 23:15:02 W WARNING: 'auth' is used inconsistently local='auth [null-digest]' remote='auth SHA512'
20210805 23:15:02 W WARNING: 'comp-lzo' is present in remote config but missing in local config remote='comp-lzo'
20210805 23:15:02 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA512
20210805 23:15:02 I [de801.nordvpn.com] Peer Connection Initiated with [AF_INET]195.181.170.199:1194
20210805 23:15:03 SENT CONTROL [de801.nordvpn.com]: 'PUSH_REQUEST' (status=1)
20210805 23:15:03 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 103.86.96.100 dhcp-option DNS 103.86.99.100 sndbuf 524288 rcvbuf 524288 explicit-exit-notify comp-lzo no route-gateway 10.8.1.1 topology subnet ping 60 ping-restart 180 ifconfig 10.8.1.5 255.255.255.0 peer-id 5 cipher AES-256-GCM'
20210805 23:15:03 Pushed option removed by filter: 'redirect-gateway def1'
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 4 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Socket Buffers: R=[262144->524288] S=[262144->524288]
20210805 23:15:03 OPTIONS IMPORT: --ifconfig/up options modified
20210805 23:15:03 OPTIONS IMPORT: route-related options modified
20210805 23:15:03 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 3 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Data Channel: using negotiated cipher 'AES-256-GCM'
20210805 23:15:03 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 net_route_v4_best_gw query: dst 0.0.0.0
20210805 23:15:03 net_route_v4_best_gw result: via 192.168.178.1 dev br0
20210805 23:15:03 I TUN/TAP device tun1 opened
20210805 23:15:03 I net_iface_mtu_set: mtu 1500 for tun1
20210805 23:15:03 I net_iface_up: set tun1 up
20210805 23:15:03 I net_addr_v4_add: 10.8.1.5/24 dev tun1
20210805 23:15:03 net_route_v4_add: 195.181.170.199/32 via 192.168.178.1 dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: 103.86.96.100/32 via 10.8.1.1 dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: 103.86.99.100/32 via 10.8.1.1 dev [NULL] table 0 metric -1
20210805 23:15:03 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20210805 23:15:03 I Initialization Sequence Completed
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'status 2'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'log 500'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'status 2'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
Other screenshots of my config:
Return values regarding PBR config:
Code:
command: ip route show
10.8.1.0/24 dev tun1 scope link src 10.8.1.5
103.86.96.100 via 10.8.1.1 dev tun1
103.86.99.100 via 10.8.1.1 dev tun1
127.0.0.0/8 dev lo scope link
192.168.10.0/24 dev tun2 scope link src 192.168.10.1
192.168.178.0/24 dev br0 scope link src 192.168.178.30
195.181.170.199 via 192.168.178.1 dev br0
command: ip route show table 10
0.0.0.0/1 via 10.8.1.1 dev tun1
10.8.1.0/24 dev tun1 scope link src 10.8.1.5
103.86.96.100 via 10.8.1.1 dev tun1
103.86.99.100 via 10.8.1.1 dev tun1
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.8.1.1 dev tun1
192.168.10.0/24 dev tun2 scope link src 192.168.10.1
192.168.178.0/24 dev br0 scope link src 192.168.178.30
195.181.170.199 via 192.168.178.1 dev br0
command: ip rule show
0: from all lookup local
32764: from 192.168.178.46 lookup 10
32765: from 192.168.178.45 lookup 10
32766: from all lookup main
32767: from all lookup default
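Added example (my own, not code from the thread or from DD-WRT): a small Python linter for lines pasted into the OpenVPN client's Additional Config field. It accepts OpenVPN `route ... vpn_gateway|net_gateway` directives (the shape of Code 1), flags dnsmasq `server=` lines (the shape of Code 2) as belonging in the DNSMasq options box instead, and rewrites the mixed form into the OpenVPN `route` syntax. The sample input is constructed from the two snippets above; the verdict labels and function names are my own.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# OpenVPN: route <network> [netmask] [gateway] [metric]; the gateway may be an
# address or the keywords vpn_gateway / net_gateway (the form Code 1 uses).
ROUTE_RE = re.compile(
    rf"^route\s+({IPV4})(?:\s+({IPV4}))?(?:\s+({IPV4}|vpn_gateway|net_gateway))?(?:\s+\d+)?$"
)
# "server=<ip> <mask> <gw>": dnsmasq's upstream-server keyword glued to OpenVPN route arguments.
MIXED_RE = re.compile(rf"^server=({IPV4})\s+({IPV4})\s+(vpn_gateway|net_gateway)$")

# Constructed sample: Code 1 and Code 2 from the thread plus one unrelated option.
SAMPLE = """\
# Code 1: NordVPN DNS servers are reachable only through the tunnel
route 103.86.96.100 255.255.255.255 vpn_gateway
route 103.86.99.100 255.255.255.255 vpn_gateway
# Code 2: dnsmasq keyword with OpenVPN route arguments
server=9.9.9.9 255.255.255.255 net_gateway
server=176.103.130.130 255.255.255.255 net_gateway
auth-nocache
"""


def lint_additional_config(text):
    """Return (line_no, verdict, line) for every non-comment line.
    Verdicts: 'ok' (valid route directive), 'dnsmasq-not-openvpn'
    (server= line, which OpenVPN will reject), 'not-checked' (some other option)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("server="):
            findings.append((no, "dnsmasq-not-openvpn", line))
        elif ROUTE_RE.match(line):
            findings.append((no, "ok", line))
        else:
            findings.append((no, "not-checked", line))
    return findings


def to_openvpn_route(line):
    """Rewrite the mixed 'server=<ip> <mask> <gw>' form into an OpenVPN route
    directive; a plain dnsmasq 'server=<ip>' line is not rewritten (returns None)."""
    m = MIXED_RE.match(line.strip())
    return f"route {m.group(1)} {m.group(2)} {m.group(3)}" if m else None


if __name__ == "__main__":
    for no, verdict, line in lint_additional_config(SAMPLE):
        fix = to_openvpn_route(line) if verdict == "dnsmasq-not-openvpn" else None
        print(f"line {no}: {verdict:22s} {line}" + (f"  -> {fix}" if fix else ""))
```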
#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server=9.9.9.9 255.255.255.255 net_gateway
server=176.103.130.130 255.255.255.255 net_gateway
The above is NOT valid OpenVPN syntax. It looks like a mix between a server directive used w/ DNSMasq, and a route command used w/ OpenVPN. If you want to bind 9.9.9.9 and 176.103.130.130 to the WAN via OpenVPN, you need the following in the Additional Config field.