Posted: Thu Jul 28, 2022 20:33 Post subject: [SOLVED]Policy based routing is routing everything
I was suggested to post here by egc. I've been trying to route just my TV through the VPN using PBR, but for some reason it keeps routing everything. I have the TV set as a static lease using its MAC address as 192.168.1.50. I've attached screencaps of my VPN settings and ip route show as suggested.
There's definitely something wrong w/ the main routing table. It has a direct change of the default gateway to the VPN, when table 10 is the only one that should override the WAN default gateway to the VPN. But I can't reproduce it.
Just tried disabling CVE mitigation and rebooting to factory resets. Still does the same thing. I don't really know what else would be causing it. It's only running a month old firmware so it's unlikely to be fixed by updating.
Could it have anything to do with it being double NAT? I've had to end up using a DMZ IP passthrough from the ISP-provided modem/router because bridge mode doesn't work/the Netgear wasn't able to establish a PPPoE connection. DHCP auto reservation is turned off though, so it should still be fully controlled by the Netgear?
I tested it w/ a slightly older firmware (DD-WRT v3.0-r48432 std (03/01/22)) on my ASUS RT-AC68U, which is in my lab and double NAT'd wrt the primary router, and it works fine. So I doubt that has anything to do w/ it.
There has to be something deliberately adding that default route to the VPN in the main table. That's NOT normal for your configuration, and why everything is being routed over VPN. But I don't have a clue what that could be.
What you might do is post the syslog w/ the openvpn messages to see if there's something being push'd by the server that's causing it.
Code:
grep openvpn /var/log/messages
Might as well dump the OpenVPN client config file while you're at it too.
Don't know the best way to do this, so here is the syslog just copy-pasted.
WRT:~# grep openvpn /var/log/messages
Dec 31 16:00:19 DD-WRT user.info : [openvpn] : OpenVPN daemon (Client) starting/restarting...
Dec 31 16:00:19 DD-WRT user.info : [openvpn] : PBR via tunnel now using setroute_pbr(): 192.168.1.50/32
Dec 31 16:00:19 DD-WRT user.info : [openvpn] : PBR is active but NO killwitch: 192.168.1.50/32
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1038]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1038]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1038]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1038]: OpenVPN 2.5.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 29 2022
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1038]: library versions: OpenSSL 1.1.1p 21 Jun 2022, LZO 2.10
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1126]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1126]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1126]: WARNING: Your certificate is not yet valid!
Dec 31 16:00:21 DD-WRT daemon.warn openvpn[1126]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: TCP/UDP: Preserving recently used remote address: [AF_INET]24.20.191.153:1194
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: Socket Buffers: R=[262144->262144] S=[262144->262144]
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: UDPv4 link local: (not bound)
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: UDPv4 link remote: [AF_INET]24.20.191.153:1194
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: Network unreachable, restarting
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: SIGUSR1[soft,network-unreachable] received, process restarting
Dec 31 16:00:21 DD-WRT daemon.notice openvpn[1126]: Restart pause, 5 second(s)
Dec 31 16:00:26 DD-WRT daemon.warn openvpn[1126]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 31 16:00:26 DD-WRT daemon.warn openvpn[1126]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:26 DD-WRT daemon.warn openvpn[1126]: WARNING: Your certificate is not yet valid!
Dec 31 16:00:26 DD-WRT daemon.warn openvpn[1126]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: TCP/UDP: Preserving recently used remote address: [AF_INET]24.20.191.153:1194
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: Socket Buffers: R=[262144->262144] S=[262144->262144]
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: UDPv4 link local: (not bound)
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: UDPv4 link remote: [AF_INET]24.20.191.153:1194
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: Network unreachable, restarting
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: SIGUSR1[soft,network-unreachable] received, process restarting
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: Restart pause, 5 second(s)
Dec 31 16:00:26 DD-WRT user.info : [openvpn] : OpenVPN daemon (Client) successfully stopped
Dec 31 16:00:26 DD-WRT daemon.notice openvpn[1126]: SIGTERM[hard,init_instance] received, process exiting
Dec 31 16:00:27 DD-WRT user.info root: openvpn watchdog control /usr/bin/controlovpnwdog.sh started
Dec 31 16:00:27 DD-WRT user.info : [openvpn] : OpenVPN daemon (Client) starting/restarting...
Dec 31 16:00:27 DD-WRT user.info : [openvpn] : PBR via tunnel now using setroute_pbr(): 192.168.1.50/32
Dec 31 16:00:27 DD-WRT user.info : [openvpn] : PBR is active but NO killwitch: 192.168.1.50/32
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1427]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1427]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1427]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1427]: OpenVPN 2.5.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 29 2022
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1427]: library versions: OpenSSL 1.1.1p 21 Jun 2022, LZO 2.10
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1429]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1429]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1429]: WARNING: Your certificate is not yet valid!
Dec 31 16:00:27 DD-WRT daemon.warn openvpn[1429]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: TCP/UDP: Preserving recently used remote address: [AF_INET]24.20.191.153:1194
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: Socket Buffers: R=[262144->262144] S=[262144->262144]
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: UDPv4 link local: (not bound)
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: UDPv4 link remote: [AF_INET]24.20.191.153:1194
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: TLS: Initial packet from [AF_INET]24.20.191.153:1194, sid=4890a073 e5514b58
Dec 31 16:00:27 DD-WRT daemon.err openvpn[1429]: VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CN, ST=GD, L=ShenZhen, O=TP-Link, OU=SOHO-I18N, CN=ChangeMe, emailAddress=xxxx@xxxx, serial=9398477206775936058
Dec 31 16:00:27 DD-WRT daemon.err openvpn[1429]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
Dec 31 16:00:27 DD-WRT daemon.err openvpn[1429]: TLS_ERROR: BIO read tls_read_plaintext error
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: NOTE: --mute triggered...
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: 2 variation(s) on previous 3 message(s) suppressed by --mute
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: SIGUSR1[soft,tls-error] received, process restarting
Dec 31 16:00:27 DD-WRT daemon.notice openvpn[1429]: Restart pause, 5 second(s)
Jul 28 19:47:55 DD-WRT daemon.warn openvpn[1429]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 28 19:47:55 DD-WRT daemon.warn openvpn[1429]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 28 19:47:55 DD-WRT daemon.warn openvpn[1429]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: TCP/UDP: Preserving recently used remote address: [AF_INET]24.20.191.153:1194
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: Socket Buffers: R=[262144->262144] S=[262144->262144]
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: UDPv4 link local: (not bound)
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: UDPv4 link remote: [AF_INET]24.20.191.153:1194
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: TLS: Initial packet from [AF_INET]24.20.191.153:1194, sid=93e6e008 97bc6110
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: VERIFY OK: depth=1, C=CN, ST=GD, L=ShenZhen, O=TP-Link, OU=SOHO-I18N, CN=ChangeMe, emailAddress=xxxx@xxxx
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: VERIFY OK: depth=0, C=CN, ST=GD, L=ShenZhen, O=TP-Link, OU=SOHO-I18N, CN=server, emailAddress=xxxx@xxxx
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: NOTE: --mute triggered...
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Jul 28 19:47:55 DD-WRT daemon.notice openvpn[1429]: [server] Peer Connection Initiated with [AF_INET]24.20.191.153:1194
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,redirect-gateway def1,route 192.168.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Pushed option removed by filter: 'redirect-gateway def1'
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: NOTE: --mute triggered...
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: 4 variation(s) on previous 3 message(s) suppressed by --mute
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: NOTE: --mute triggered...
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_best_gw query: dst 0.0.0.0
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_best_gw result: via 50.38.80.253 dev vlan2
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: TUN/TAP device tun1 opened
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_iface_mtu_set: mtu 1400 for tun1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_iface_up: set tun1 up
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_addr_ptp_v4_add: 10.8.0.6 peer 10.8.0.5 dev tun1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 24.20.191.153/32 via 50.38.80.253 dev [NULL] table 0 metric -1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 0.0.0.0/0 via 10.8.0.5 dev [NULL] table 0 metric -1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 192.168.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 10.8.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 10.8.0.0/24 via 10.8.0.5 dev [NULL] table 0 metric -1
Jul 28 19:47:56 DD-WRT daemon.warn openvpn[1429]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Initialization Sequence Completed
The server is pushing a default route in a NON traditional manner.
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,redirect-gateway def1,route 192.168.0.0 255.255.255.0,route 10.8.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,dhcp-option DNS 8.8.8.8,route 10.8.0.0 255.255
Notice the route 0.0.0.0 0.0.0.0. Normally the router looks for a directive called redirect-gateway def1 (which is also there), which tells it to change the VPN to the default gateway. But in this case, we don't want that to happen. So the router specifies the following in the OpenVPN client config file.
Code:
pull-filter ignore "redirect-gateway"
But again, the VPN provider for some odd reason doubles down and adds the 0.0.0.0/0 route too.
Try adding the following to the Additional Config field to ignore it.
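As an added example (not DD-WRT's or the posters' own code), the following Python check applies OpenVPN's pull-filter prefix-matching rule to a pushed PUSH_REPLY and scans the log for a 0.0.0.0/0 route installed into the main table. The log lines are constructed from the ones quoted in this thread, and the second filter prefix is an assumption about what would be needed to drop the explicit route; it is not a directive from the post above.

```python
"""Check an OpenVPN client syslog for a pushed default route that the
client's pull-filter does not remove.  Added example, not DD-WRT's code.

Per the OpenVPN manual, a pull-filter matches a pushed option when the
option text *starts with* the filter text, so
    pull-filter ignore "redirect-gateway"
drops 'redirect-gateway def1' but leaves 'route 0.0.0.0 0.0.0.0' alone.
"""
import re

# Constructed sample lines modelled on the syslog in the thread.
SAMPLE_LOG = """\
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: PUSH: Received control message: 'PUSH_REPLY,route 0.0.0.0 0.0.0.0,redirect-gateway def1,route 192.168.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1'
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: Pushed option removed by filter: 'redirect-gateway def1'
Jul 28 19:47:56 DD-WRT daemon.notice openvpn[1429]: net_route_v4_add: 0.0.0.0/0 via 10.8.0.5 dev [NULL] table 0 metric -1
"""

# Filter the router already applies, plus an assumed extra prefix that
# would also catch the explicit route pushed by this server.
ROUTER_FILTERS = ["redirect-gateway"]
ASSUMED_FILTERS = ["redirect-gateway", "route 0.0.0.0 0.0.0.0"]


def pushed_options(log):
    """Return the comma-separated options of the first PUSH_REPLY as a list."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    return m.group(1).split(",") if m else []


def apply_pull_filters(options, ignore_prefixes):
    """Keep only options that no 'pull-filter ignore <prefix>' matches."""
    return [o for o in options
            if not any(o.startswith(p) for p in ignore_prefixes)]


def default_route_survives(options):
    """True if a surviving option would still install 0.0.0.0/0.

    Covers both the usual 'redirect-gateway ...' form and the explicit
    'route 0.0.0.0 0.0.0.0 [vpn_gateway]' form seen in this thread.
    """
    return any(o.startswith("redirect-gateway")
               or o.startswith("route 0.0.0.0 0.0.0.0") for o in options)


def main_table_default_routes(log):
    """Gateways of net_route_v4_add lines that put 0.0.0.0/0 in table 0.

    OpenVPN logs 'table 0' when no specific table was requested, i.e. the
    kernel's main table; a hit here means the VPN became the default route
    for everything, which is exactly the symptom the poster reported.
    """
    pat = re.compile(r"net_route_v4_add: 0\.0\.0\.0/0 via (\S+) .* table 0")
    return pat.findall(log)


if __name__ == "__main__":
    opts = pushed_options(SAMPLE_LOG)
    print("survives router filter :", default_route_survives(apply_pull_filters(opts, ROUTER_FILTERS)))
    print("survives assumed filter:", default_route_survives(apply_pull_filters(opts, ASSUMED_FILTERS)))
    print("0.0.0.0/0 in main via  :", main_table_default_routes(SAMPLE_LOG))
```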
I'm using the built-in OpenVPN server on my TP-Link AX11000. There are no settings for me to configure, so I have had no idea what it's been doing, but it never gave my phone or iPad issues in the past simply using the OpenVPN app, so I haven't ever felt the need to try and flash it with new firmware. I never imagined it would give me so many problems.
I wonder if there's some other weird override server setting that's been forcing the router to use compression? All my mobile devices have run fine with compression disabled, but the Netgear will connect but will only allow a minuscule amount of bits through, so it's effectively unusable.
It's just I've been wracking my head trying to find out why it wasn't working and scoured tons of other threads on this forum thinking the PBR was a fault of the client and it turns out it was my server. Now I have to wonder if the other issues I've had like compression needing to be on are server oddities or not.
Joined: 18 Mar 2014 Posts: 12910 Location: Netherlands
Posted: Fri Jul 29, 2022 6:13 Post subject:
Just awake and started reading
I told you to post your details here as I was sure the DD-WRT gurus would crack this (and @eibgrad is the best).
After your first post I thought that the server was pushing "redirect-gateway" without "def1" which could explain the default route in your main table and that there was some strange bug in DDWRT where "pull-filter ignore redirect gateway" was not set or not working.
But the log showed the pushing by the server of "route 0.0.0.0 0.0.0.0 vpn_gateway"
I cannot believe that is standard TPLink practice, it surely must be a misconfiguration of some sort.
About compression, compression must be the same on client and server side, however compression should be disabled (on Client and Server) as it is a safety concern and will be deprecated in future OpenVPN versions.
To the first part I would hope so, but having interacted with their customer support I'm not as confident.
So I get similar poor results using both "no" and "disabled", while "adaptive" seems to work; that makes sense. The confusing part is that this implies I should need to have compression configured for any client devices, but all of my Android and iOS devices are fine with it being set as "no" in the app settings for them to connect to the server. Does that mean the app is just automatically determining it needs compression and using it, or is something else going on?
Oh trust me, I'm not expecting anything amazing. It's currently hooked up to DSL for starters, so it's not like it needs to be anything other than average, but it seems to struggle to manage 6-10 Mbps on the tunnel. Occasionally it'll hit peaks in the high 20s/low 30s Mbps, which is much closer to the 40 Mbps up I average from home. I haven't been able to figure out what the bottleneck is yet; maybe it's just dying.