[SOLVED]Policy Based Routing (PBR) blocks WAN traffic

boredwild
DD-WRT Novice


Joined: 21 Jun 2010
Posts: 8

Posted: Sun Feb 21, 2021 19:12    Post subject: [SOLVED] Policy Based Routing (PBR) blocks WAN traffic
Running Cyberghost VPN client on Netgear R7000P. Cannot seem to get PBR to work as I expect it should on a late version of dd-wrt (r45XXX). The IPs in the PBR field (in CIDR notation) pass to the VPN, but non-VPN traffic is blocked from the WAN.

Shortcut Forwarding Engine (SFE) has been disabled.

The following is what the VPN provider suggests as a firewall rule:

# Allow forwarding between the LAN bridge (br0) and the VPN tunnel (tun1) in both directions
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
# Reject connections arriving from the tunnel that are addressed to the router itself
iptables -I INPUT -i tun1 -j REJECT
# Source-NAT LAN traffic leaving through the tunnel
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE


Currently running r39960 kongAC, and it works with nothing more than the VPN-specific IPs in the PBR field; all other traffic goes to the WAN (as expected). It would be my preference, however, to run a current version of dd-wrt.

I expect I have missed something simple in the configuration. Suggestions, anyone?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sun Feb 21, 2021 20:05
You don't need the firewall rules, as modern dd-wrt releases take care of all that, at least if you enable "Inbound firewall on TUN" and "CVE-2019-14899 Mitigation" on the OpenVPN client setup page. If you still have issues, try removing all Additional Config and see how that goes. Most vpn providers post instructions that are old and are now obsolete, as dd-wrt has greatly improved and has solid defaults. If even that doesn't do it, post your vpn settings here (no more than 768 pixels wide if you use images) and see if one of the guys with more expertise than I have can jump in and advise.

Make sure your vpn is functioning first, but eventually you may want to research kill switches, which will use firewall rules different from what you are showing here. Many threads in the forum on it. Nothing special about mine really, but I do discuss some in the big first post, near the end, in the AirVPN how-to linked in my sig below.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Feb 21, 2021 21:18
As @SurprisedItWorks says, you don't need any of those firewall rules. However, it's not obvious how their presence could lead to the problem of non-VPN clients being denied access to the WAN. Makes me wonder if those same clients don't have access to the WAN even if the VPN is disabled, perhaps due to an inappropriate kill switch, one that's blocking *all* access to the WAN rather than being limited to only those enumerated in PBR.

FWIW, I have a rather old (but presumably still functioning) script that does just that.

https://pastebin.com/332rk3we

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Feb 22, 2021 7:04    Post subject: Re: Policy Based Routing (PBR) blocks WAN traffic
boredwild wrote:
Running Cyberghost VPN client on Netgear R7000P. Cannot seem to get PBR to work as I expect it should on a late version of dd-wrt (r45XXX). The IPs in the PBR field (in CIDR notation) pass to the VPN, but non-VPN traffic is blocked from the WAN.


Are you saying the IP's not in the PBR field have no internet or are they still using the VPN?
If the former, I would expect that you are using a kill switch, as @eibgrad already remarked; if it is the latter, it could be the crappy setup instructions of Cyberghost.

I took a quick peek at the Cyberghost setup instructions and it just made me weep.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
boredwild
DD-WRT Novice


Joined: 21 Jun 2010
Posts: 8

Posted: Mon Feb 22, 2021 15:54    Post subject: Correction to my observations.
Applied r45767 with no firewall or startup scripts. With blank PBR field, all traffic goes through the VPN (expected). Enter one IP (ex 192.168.1.98/32) in the PBR field, apply settings and reboot router. Still all traffic goes through the VPN.

Firewall on TUN is enabled.

Have tried with SPI Firewall enabled and disabled; seems no difference.

Do I need to clear NVRAM? I have never done this.

Below is the "additional configuration" from Cyberghost VPN that I have always had applied to the configuration.

Thanks everyone for your suggestions so far.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Feb 22, 2021 16:12
Ok, so all traffic keeps going through the VPN although you entered one IP address in the PBR box, right?

Now have a look at what that crappy VPN provider advises you to put in the additional config (see picture below).

If you are not shocked, you should be.

Remove it all, and I mean *everything*.

Save/Apply and I think it should work now.



Last edited by egc on Mon Feb 22, 2021 16:19; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Feb 22, 2021 16:16
@eibgrad's second law:
Do not put anything in the additional config.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Mon Feb 22, 2021 16:23
If I had to guess, I bet the "redirect-gateway def1" directive in Additional Config is the problem.

The router *used* to use the route-noexec directive (under the covers) to prevent the default gateway from changing to the VPN, so that PBR would work. And when that directive is specified, it doesn't matter if either the server or client happens to specify the "redirect-gateway def1" directive, it gets ignored. But more recently, the router no longer uses route-noexec, but a "pull" filter to prevent the server (and only the server) from pushing the "redirect-gateway def1" directive, and therefore if the *client* happens to specify it, now everything gets routed over the VPN! IOW, it breaks PBR.

That's why we tell ppl over and over, do NOT add anything to the Additional Config field unless it ultimately proves necessary.

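Added here as an illustration, not code from the thread or from DD-WRT: a small POSIX sh checker for text destined for the OpenVPN client Additional Config field. It flags the client-side redirect-gateway that, as explained above, survives the router's server-only pull filter and breaks PBR, plus the ping-exit directive a later reply mentions. The sample config and the list of flagged directives are constructed for the example, not taken from any provider.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: check Additional Config text
# for directives that defeat PBR. Current builds pull-filter only the *server-pushed*
# redirect-gateway, so a client-side copy still installs a VPN default route.
# Which directives to flag is an assumption made for illustration.

# Constructed sample (NOT the provider's real text): a commented-out directive
# must be ignored, and leading whitespace must not hide a live one.
SAMPLE_CONFIG='remote-cert-tls server
# redirect-gateway def1   <- commented out, must not be flagged
  redirect-gateway def1
ping 5
ping-exit 60            ; exits when no ping arrives for 60 s
cipher AES-256-CBC'

CLEAN_CONFIG='remote-cert-tls server
cipher AES-256-CBC'

# Print one finding per offending directive; print nothing when clean.
check_additional_config() {
    # Drop # and ; comments, trim surrounding whitespace, then test the first word.
    printf '%s\n' "$1" |
    sed 's/[#;].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "${line%% *}" in
            redirect-gateway|redirect-private)
                echo "BREAKS PBR: '$line' (router filters only the server-pushed copy)" ;;
            ping-exit)
                echo "DROPS TUNNEL: '$line' (OpenVPN exits after that many ping-less seconds)" ;;
        esac
    done
}

# Number of findings; grep -c prints a bare 0 on empty input (wc -l may pad).
count_findings() {
    check_additional_config "$1" | grep -c '' || true
}

check_additional_config "$SAMPLE_CONFIG"
```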
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Mon Feb 22, 2021 16:39
YES, I knew you would know it (of course I learned most of it from you).

I had a post waiting with that exact explanation but was a bit cautious that I could have it wrong, so I waited for confirmation.

Edit: this is not the only user struggling with Cyberghost's out-of-date instructions, but he is on the German forum, so perhaps not easy to follow for non-Germans (or Dutchies like me).

boredwild
DD-WRT Novice


Joined: 21 Jun 2010
Posts: 8

Posted: Mon Feb 22, 2021 18:30    Post subject: Removing "additional configuration" makes it work!
In my last post I made reference to the "additional configuration" recommended by Cyberghost VPN, but I neglected to post it; egc found it and posted it - thanks.

Remove all that and PBR functions correctly.

FYI, VPN Watchdog startup script is running, SPI Firewall enabled, CVE mitigation enabled, and all is well.

Thanks so much to a generous, dedicated community!
tsht
DD-WRT Novice


Joined: 25 Dec 2010
Posts: 3

Posted: Sat Jan 15, 2022 21:26
Just to let you know, I switched from KongAC to the latest stock firmware on my R7000. I had Cyberghost with all their additional params and the firewall rules.

Things worked, then suddenly stopped working.
I removed all the crap as suggested here, both in firewall commands and in additional parameters, checked the firewall on TUN rule, and now it works perfectly.

I also had this message in the logs:

Quote:
WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results


so I guess eibgrad is correct.

(I already had to remove the ping exit 60 rule before as it disconnected my vpn after 60 seconds...)