Can't Access Cable Modem Configuration While VPN is Active

DD-WRT Forum -> Marvell MVEBU based Hardware (WRT1900AC etc.)
pcbored
DD-WRT Novice


Joined: 01 Jan 2019
Posts: 4

Posted: Fri Jun 28, 2019 20:05
I don't know if this has been an issue with anyone else or what I may be doing wrong, but ...

I have configured my Linksys WRT3200ACM with DD-WRT Firmware: DD-WRT v3.0-r39654 std (04/25/19). I have enjoyed internet access to any site ever since. I have been able to access my cable modem configuration page with no trouble.

Then I subscribed to a VPN provider. I can still access ALMOST any site with no issues. I can NO LONGER access my cable modem configuration page while the VPN service is active. There are also some web sites for which I get a connection time out error message when the VPN service is active. If I disable the VPN service, then once again everything is fine.

I get the following ping response to the cable modem from my internal network when the VPN service is inactive:

C:\>ping 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

That is the expected response. As I said, everything works correctly while the VPN service is disabled.

I get the following ping response to the cable modem from my internal network when the VPN service is active:

C:\>ping 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Reply from 10.8.1.1: Destination port unreachable.
Reply from 10.8.1.1: Destination port unreachable.
Reply from 10.8.1.1: Destination port unreachable.
Reply from 10.8.1.1: Destination port unreachable.

Ping statistics for 192.168.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

I have no idea where the 10.8.1.1 address comes from. That address is not in any configurations on my DD-WRT router. My internal network is on the 192.168.3.x network.

Where is this address coming from while the VPN is active? How can I re-establish connection to my cable modem web interface at 192.168.100.1 while the VPN is active?

Let me know if you need any additional information.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Fri Jun 28, 2019 20:20
Once connected to the OpenVPN client, by default, all unknown networks are routed over the VPN, which includes your modem's network (192.168.100.0/24).

Try adding the following static route under Setup->Advanced Routing.

Code:
Route Name: modem
Metric: 0
Masquerade Route (NAT): (unchecked)
Destination LAN NET: 192.168.100.0
Subnet Mask: 255.255.255.0
Gateway: 0.0.0.0
Interface: WAN

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
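The routing decision described in the reply above, as an added example that is not part of the original thread: a longest-prefix-match lookup in POSIX sh over a constructed routing table, showing why the modem address leaves via the tunnel until a more specific 192.168.100.0/24 route exists. The interface names (wan, tun1, br0) and the pair of /1 routes standing in for the VPN's catch-all routing are assumptions.

```shell
#!/bin/sh
# Added example: which interface does a destination leave by?
# Table format (constructed): one "NETWORK/PREFIXLEN INTERFACE" per line.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# egress_iface DEST TABLE: print the interface of the most specific match.
egress_iface() {
    dest=$(ip2int "$1")
    best_len=-1
    best_if=none
    while read -r net iface; do
        [ -n "$net" ] || continue
        len=${net#*/}
        base=$(ip2int "${net%/*}")
        # Netmask for this prefix length, e.g. /24 -> 0xFFFFFF00.
        mask=$(( 4294967295 ^ ((1 << (32 - len)) - 1) ))
        if [ $(( dest & mask )) -eq $(( base & mask )) ] &&
           [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_if=$iface
        fi
    done <<EOF
$2
EOF
    echo "$best_if"
}

# Constructed table with the VPN up: the two /1 routes (assumed) are more
# specific than the original default route, so they capture everything
# that is not a directly connected network.
VPN_ROUTES='0.0.0.0/0 wan
0.0.0.0/1 tun1
128.0.0.0/1 tun1
192.168.3.0/24 br0'

# Same table plus the static route from the post above.
FIXED_ROUTES="$VPN_ROUTES
192.168.100.0/24 wan"

echo "VPN only:          $(egress_iface 192.168.100.1 "$VPN_ROUTES")"
echo "with static route: $(egress_iface 192.168.100.1 "$FIXED_ROUTES")"
```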
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Fri Jun 28, 2019 20:37
The more I think about it, the more I realize you might need the following as well (depends on the modem), but first try it w/ just the static route.

Add the following to the startup script.

Code:
ifconfig $(get_wanface):1 192.168.100.2 netmask 255.255.255.0 broadcast 192.168.100.255


Add the following to the firewall script.

Code:
iptables -t nat -I POSTROUTING -o $(get_wanface) -d 192.168.100.0/24 -j SNAT --to 192.168.100.2

d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 758

Posted: Fri Jun 28, 2019 21:45
I solved this issue by adding an additional IP to my WAN interface. The following will do that for you if inserted into the firewall script box. Adjust IPs where appropriate. The IP in the ifconfig line should be an IP on the same subnet as the modem's admin page. I went one IP above the modem. The CIDR after the -s should match your LAN's CIDR, and the IP after the -d should be the IP of your modem's admin page. After this is set up you will see that you have an additional eth0:0 interface if you run an ifconfig at the shell.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT
pcbored
DD-WRT Novice


Joined: 01 Jan 2019
Posts: 4

Posted: Sun Jun 30, 2019 0:07
Thank you both for your help. The first suggestion worked well. I can now access the configuration page of my modem without disabling the VPN service. Still, though, there are some web sites I can not access without disabling the VPN.

On another note: where is the firewall script? I've seen it referred to frequently, and I have looked for it in the file system. But, I do not know what I am looking for. What is the name and path of the script? Is it accessible from the router configuration pages?

Also, what is the specific shell used in this embedded Linux? I am familiar with sh, bash, ksh, etc. What is the specific name of the command shell on this platform? (I know "echo $SHELL" returns "/bin/sh". Is it the Bourne shell?) Is it ash? I want to research it to familiarize myself with what it can do and its limitations.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun Jun 30, 2019 1:01
pcbored wrote:
On another note: where is the firewall script? I've seen it referred to frequently, and I have looked for it in the file system. But, I do not know what I am looking for. What is the name and path of the script? Is it accessible from the router configuration pages?


Both the startup and firewall scripts are accessible via the GUI, Administration->Commands.

Quote:
Also, what is the specific shell used in this embedded Linux? I am familiar with sh, bash, ksh, etc. What is the specific name of the command shell on this platform? (I know "echo $SHELL" returns "/bin/sh". Is it the Bourne shell?) Is it ash? I want to research it to familiarize myself with what it can do and its limitations.


ash

Note, due to the limited flash of these small routers, don't expect the full capabilities of bash or any other shells you may be used to on larger platforms. Most utilities are linked to BusyBox, which are stripped down versions. A *lot* of things you may have come to expect as commonplace features simply aren't there. That makes it particularly challenging to work w/ the shell, both interactively and via scripting. If you want the full breadth of shell features, consider installing Entware and the bash package.

pcbored
DD-WRT Novice


Joined: 01 Jan 2019
Posts: 4

Posted: Sun Jun 30, 2019 22:54
Once again, thank you for your help. OK, now I know how to add things to the firewall and startup scripts. But does anyone know the full paths to the scripts? I guess I'm just very curious.

I apologize for asking such novice questions. I was a *nix admin for 20+ yrs. so I know it takes a lot of research to learn a new system. Current documentation for DD-WRT is difficult to locate. I keep trying to extrapolate from the old documentation but not always successfully.

Anyway, thank you so much for your assistance.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Mon Jul 01, 2019 0:51
pcbored wrote:
But does anyone know the full paths to the scripts? I guess I'm just very curious


The router is a strange beast. You have to put aside some of your common notions of using *nix and understand a few basic principles when it comes to dd-wrt (and most other third party firmware).

In order to minimize the chance of corruption by the end user, most of the system is read-only. Upon bootup, the router loads the system into memory, specifically a ram drive called /tmp. It also maintains settings in nvram (non-volatile ram). On some routers, there's also jffs2, which is a filesystem mapped onto whatever unused flash remains after the firmware install. So the only thing that is actually persistent across a reboot is nvram and (if you have it) jffs2 (/jffs).

The basic idea is to make it possible to recover from either the firmware or the end-user corrupting the system. A simple reboot usually just puts things back to normal. As anyone who uses a full *nix desktop or server knows, *all* changes are persistent, and as a result, the following in the hands of root can mean a very bad day.

Code:
rm -rf /*


So let's consider the startup script. That's actually stored in nvram, and retrievable w/ the following command.

Code:
nvram get rc_startup


When you save or edit the startup script in the GUI, that's where it's stored. When the router boots, it uses that data to create a file called .rc_startup (it's a hidden file, use "ls -a" to see it) in the /tmp folder. If you were to make changes to /tmp/.rc_startup , they would be *lost* on a reboot, because as I said, the router always rebuilds the file from whatever is in the nvram variable rc_startup.

If you wanted to make a change, and didn't want to use the GUI, you could instead update the nvram variable, then commit the change.

Code:
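# rc_startup is the nvram variable that holds the startup script;
# setting it replaces whatever script is currently stored there
nvram set rc_startup='echo $(date) > /tmp/current_date'
nvram commit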


Upon the next reboot, the startup script in the GUI would contain that information, and the code would be executed.

Of course, most ppl would not do it this way. They'd use the GUI, it's just simpler. I'm only trying to give an explanation of how things work, the relationship between stored settings and what you see in the GUI, etc.

The firewall script is the same, only it's called rc_firewall and is created as /tmp/.rc_firewall.

This is what makes dealing w/ the router so difficult for newbs. Invariably they can't figure out how to make a file persistent. They keep creating files somewhere in /tmp (since it's the only writable location), then wonder why it disappears upon reboot. You either have to use jffs2 (/jffs) to store it, or perhaps a mounted USB drive, or worst case, rebuild the file on each bootup using the startup script.

pcbored
DD-WRT Novice


Joined: 01 Jan 2019
Posts: 4

Posted: Mon Jul 01, 2019 1:10
Thank you, eibgrad. This paradigm makes perfect sense. I feel enlightened.

This way, if one wants to make a change, it may be best to modify the /tmp/.rc* file(s) then run them to see the results before committing them to nvram. If there is a problem, just reboot.

Thanks again. :)
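The workflow discussed in the two posts above (try a line on the live system, then store it in nvram so it survives a reboot), as an added example that is not part of the original thread. The function names are hypothetical; the only router commands used are the `nvram get`, `nvram set` and `nvram commit` calls shown earlier, and the code sticks to what BusyBox ash provides.

```shell
#!/bin/sh
# Added example: persist a script line to nvram only once, and only
# after it has run cleanly. Function names are hypothetical.

# nvram_append_line VAR LINE
# Append LINE to the script held in nvram variable VAR (rc_startup or
# rc_firewall) unless an identical line is already stored.
# Returns 0 if nvram was changed, 1 if the line was already present.
nvram_append_line() {
    var=$1
    line=$2
    current=$(nvram get "$var")
    # -F fixed string, -x whole-line match, -q quiet: an exact line
    # match keeps repeated runs from stacking duplicate rules.
    if printf '%s\n' "$current" | grep -Fxq -- "$line"; then
        return 1
    fi
    if [ -n "$current" ]; then
        new="$current
$line"
    else
        new=$line
    fi
    nvram set "$var=$new"
    nvram commit
    return 0
}

# try_then_persist VAR LINE
# Run LINE once on the live system, where a reboot undoes it, and store
# it in nvram only if it exited 0. Returns 2 if LINE failed.
try_then_persist() {
    sh -c "$2" || return 2
    nvram_append_line "$1" "$2"
}

# Usage on the router, with the rule from earlier in the thread:
#   try_then_persist rc_firewall \
#     'iptables -t nat -I POSTROUTING -o $(get_wanface) -d 192.168.100.0/24 -j SNAT --to 192.168.100.2'
```

Because the GUI and these functions write to the same nvram variables, the stored line shows up under Administration->Commands after the commit.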
Morphlingg
DD-WRT Novice


Joined: 17 Jul 2019
Posts: 4

Posted: Wed Jul 17, 2019 17:33
I have got the same thing. When I changed VPN client the problem was gone, because a bad VPN does not provide you access through many of the blocks. Check Veepn.com if you are interested. From my experience I can tell you that you won't see error pages)