VPN Client with PBR - suddenly not working

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
Riscol
DD-WRT Novice


Joined: 18 Nov 2017
Posts: 16

PostPosted: Thu Aug 05, 2021 12:40    Post subject: VPN Client with PBR - suddenly not working Reply with quote
Hi everyone,

I have moved from my previous appartment to a new one - and of course now have a new networking setup with issues:

Setup:

* Nighthawk R7000P as DD-WRT router behind ISP modem
* R7000P setup as local DNS server (in parallel to ISP modem as DNS Server - both with the same static routes defined) //disabling DNS server in my DD-WRT always breaks the network (?)
* DD-WRT setup as VPN Server and VPN Client
* VPN Client (NordVPN) defined for few devices with policy based routing (ip based)

Issues:

(a) I had many DNS leak problems, primanrily resulting in Netflix blocking my streaming.
(b) I have/had regular connection drops in meetings while PBR still worked (see below), i.e. video call dropped for 5-10 seconds every couple of minutes (and then it was okay again for some time)

Based on Issues (a) + (b) I initiated some trouble shooting and tried to fix it (see these guides in top post by egc): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

(c) With the applied fixes my PBR routed devices now use the VPN's DNS (VPN client is connected), but the devices still go via regular WAN suddenly. I have no idea why and how to fix this
(d) Also, my VPN server is not reachable anymore (I portforwarded in the ISP modem of course)
(e) Also, looking at the syslog I now regularly see warnings of possible rebind attacks (previously rather seldom) and ERROR that the time server is not reachable (network down)

Could you please help me?

I'd like to share logs/settings but Admin > Commands > Run (see commands below) do not return any output.

"ip route show
ip route show table 10
ip rule show"

Happy to supply logs if you tell me how (via GUI?).

Key issue for me is currently (c)

Thank you!


Firmware: DD-WRT v3.0-r47117 std (08/01/21)
Time: 14:38:47 up 29 min, load average: 0.02, 0.03, 0.00
WAN: Disabled
Sponsor
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

PostPosted: Thu Aug 05, 2021 18:15    Post subject: Reply with quote
TIP: Avoid using the Administration->Commands input field to run arbitrary commands. I have no idea how that's implemented, but it's notorious for being VERY finicky about syntax and formatting. Instead, use telnet or ssh. You'll have a lot less problems.

In the case of (c), since I don't know specifically what you did, it's hard to critique it and explain the behavior. The fact you say the PBR devices now use the VPN'd DNS, but are routed over the WAN, is particularly confusing. How did you verify this? It's not always that easy to know for sure. Not unless you use a traceroute, or perhaps dump connection tracking on the router (cat /proc/net/nf_conntrack).

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
Riscol
DD-WRT Novice


Joined: 18 Nov 2017
Posts: 16

PostPosted: Thu Aug 05, 2021 21:32    Post subject: Reply with quote
Thanks eibgrad - good point regarding commands.

So I did some testing.

I realized the VPN Client was not connected successfully at all (?!).

To fix issues (a) and (b) as described above I (among others) added the following two codes to the VPN client additional config field (as described in trouble shooting guides linked in original post).

Code 1
Code:

#below code is for ensuring non-vpn routed devices to not try to use DNS servers that are provided by NordVPN (and only reachable via VPN)
route 103.86.96.100 255.255.255.255 vpn_gateway
route 103.86.99.100 255.255.255.255 vpn_gateway


Only adding code 1 still keeps the VPN client running

Code 2
Code:

#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server=9.9.9.9 255.255.255.255 net_gateway
server=176.103.130.130 255.255.255.255 net_gateway


Addding this breaks the VPN Client - I have not idea why?
As I understand, code 2 should be added to ensure non-PBR devices use the default WAN DNS (so I do not end up in the situation with only Code 1 and 5 DNS).

Also, I am getting constant disconnect messages in VPN Client log (see below)?


Code:

Clientlog:
20210805 23:15:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20210805 23:15:01 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20210805 23:15:01 I OpenVPN 2.5.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 1 2021
20210805 23:15:01 I library versions: OpenSSL 1.1.1k 25 Mar 2021 LZO 2.09
20210805 23:15:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20210805 23:15:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210805 23:15:01 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20210805 23:15:01 I TCP/UDP: Preserving recently used remote address: [AF_INET]195.181.170.199:1194
20210805 23:15:01 Socket Buffers: R=[262144->262144] S=[262144->262144]
20210805 23:15:01 W --mtu-disc is not supported on this OS
20210805 23:15:01 I UDP link local: (not bound)
20210805 23:15:01 I UDP link remote: [AF_INET]195.181.170.199:1194
20210805 23:15:01 TLS: Initial packet from [AF_INET]195.181.170.199:1194 sid=fc672aaf c2779d63
20210805 23:15:01 VERIFY OK: depth=2 C=PA O=NordVPN CN=NordVPN Root CA
20210805 23:15:01 VERIFY OK: depth=1 C=PA O=NordVPN CN=NordVPN CA6
20210805 23:15:01 NOTE: --mute triggered...
20210805 23:15:01 5 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:01 D MANAGEMENT: CMD 'state'
20210805 23:15:01 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:02 D MANAGEMENT: CMD 'status 2'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:02 D MANAGEMENT: CMD 'log 500'
20210805 23:15:02 MANAGEMENT: Client disconnected
20210805 23:15:02 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1566' remote='link-mtu 1634'
20210805 23:15:02 W WARNING: 'auth' is used inconsistently local='auth [null-digest]' remote='auth SHA512'
20210805 23:15:02 W WARNING: 'comp-lzo' is present in remote config but missing in local config remote='comp-lzo'
20210805 23:15:02 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA512
20210805 23:15:02 I [de801.nordvpn.com] Peer Connection Initiated with [AF_INET]195.181.170.199:1194
20210805 23:15:03 SENT CONTROL [de801.nordvpn.com]: 'PUSH_REQUEST' (status=1)
20210805 23:15:03 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 103.86.96.100 dhcp-option DNS 103.86.99.100 sndbuf 524288 rcvbuf 524288 explicit-exit-notify comp-lzo no route-gateway 10.8.1.1 topology subnet ping 60 ping-restart 180 ifconfig 10.8.1.5 255.255.255.0 peer-id 5 cipher AES-256-GCM'
20210805 23:15:03 Pushed option removed by filter: 'redirect-gateway def1'
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 4 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Socket Buffers: R=[262144->524288] S=[262144->524288]
20210805 23:15:03 OPTIONS IMPORT: --ifconfig/up options modified
20210805 23:15:03 OPTIONS IMPORT: route-related options modified
20210805 23:15:03 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
20210805 23:15:03 NOTE: --mute triggered...
20210805 23:15:03 3 variation(s) on previous 3 message(s) suppressed by --mute
20210805 23:15:03 Data Channel: using negotiated cipher 'AES-256-GCM'
20210805 23:15:03 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210805 23:15:03 net_route_v4_best_gw query: dst 0.0.0.0
20210805 23:15:03 net_route_v4_best_gw result: via 192.168.178.1 dev br0
20210805 23:15:03 I TUN/TAP device tun1 opened
20210805 23:15:03 I net_iface_mtu_set: mtu 1500 for tun1
20210805 23:15:03 I net_iface_up: set tun1 up
20210805 23:15:03 I net_addr_v4_add: 10.8.1.5/24 dev tun1
20210805 23:15:03 net_route_v4_add: 195.181.170.199/32 via 192.168.178.1 dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: 103.86.96.100/32 via 10.8.1.1 dev [NULL] table 0 metric -1
20210805 23:15:03 net_route_v4_add: 103.86.99.100/32 via 10.8.1.1 dev [NULL] table 0 metric -1
20210805 23:15:03 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20210805 23:15:03 I Initialization Sequence Completed
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'state'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'status 2'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:15:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:15:13 D MANAGEMENT: CMD 'log 500'
20210805 23:15:13 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'state'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'status 2'
20210805 23:19:53 MANAGEMENT: Client disconnected
20210805 23:19:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210805 23:19:53 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00



Other screenshots of my config:









Return values regarding PBR config:

Code:

command: ip route show
10.8.1.0/24 dev tun1 scope link  src 10.8.1.5
103.86.96.100 via 10.8.1.1 dev tun1
103.86.99.100 via 10.8.1.1 dev tun1
127.0.0.0/8 dev lo scope link
192.168.10.0/24 dev tun2 scope link  src 192.168.10.1
192.168.178.0/24 dev br0 scope link  src 192.168.178.30
195.181.170.199 via 192.168.178.1 dev br0


command: ip route show table 10
0.0.0.0/1 via 10.8.1.1 dev tun1
10.8.1.0/24 dev tun1 scope link  src 10.8.1.5
103.86.96.100 via 10.8.1.1 dev tun1
103.86.99.100 via 10.8.1.1 dev tun1
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.8.1.1 dev tun1
192.168.10.0/24 dev tun2 scope link  src 192.168.10.1
192.168.178.0/24 dev br0 scope link  src 192.168.178.30
195.181.170.199 via 192.168.178.1 dev br0


command: ip rule show

0:      from all lookup local
32764:  from 192.168.178.46 lookup 10
32765:  from 192.168.178.45 lookup 10
32766:  from all lookup main
32767:  from all lookup default

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9354

PostPosted: Thu Aug 05, 2021 23:55    Post subject: Reply with quote
Code:
#see for explanation page 2 of "DDWRT DNS Problems with Policy Based Routing v1.13.pdf"
server=9.9.9.9 255.255.255.255 net_gateway
server=176.103.130.130 255.255.255.255 net_gateway


The above is NOT valid OpenVPN syntax. It looks like a mix between a server directive used w/ DNSMasq, and a route command used w/ OpenVPN. If you want to bind 9.9.9.9 and 176.103.130.130 to the WAN via OpenVPN, you need the following in the Additional Config field.

Code:
route 9.9.9.9 255.255.255.255 net_gateway
route 176.103.130.130 255.255.255.255 net_gateway


As far as the connect/disconnects, those lines in the log are nothing to worry about.

OpenVPN provides a management UI (typically running as localhost (127.0.0.1), port 16) that you can call when it's running. The router is calling it to get updated statistics from OpenVPN, then updating the OpenVPN status page. Every time you visit that page or refresh it, you'll see these messages as it connects, issues the state command, and disconnects.

_________________
ddwrt-bind-static-routes-to-wan.sh (UPDATED! 11/12/24) * ddwrt-blacklist-domains.sh * ddwrt-dns-monitor.sh * ddwrt-ovpn-client-backup.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-server-watchdog.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-split-basic.sh * ddwrt-mount-usb-drives.sh * ddwrt-wol-port-forward.sh
Riscol
DD-WRT Novice


Joined: 18 Nov 2017
Posts: 16

PostPosted: Fri Aug 06, 2021 7:11    Post subject: Reply with quote
Ah - this is really embarrassing. I must have mixed up the syntax myself.

I'll adapt and get back to you with feedback.

In any case: many thanks eibgrad! Very Happy
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum