[Solved]Not all traffic goes through VPN Client on DD-WRT AP

j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

Posted: Wed Sep 14, 2022 21:47    Post subject: [Solved]Not all traffic goes through VPN Client on DD-WRT AP
Hello,

I hope you're doing well,

So I will explain my problem, I have the following configuration attached.

EDIT : I reset Router C, and followed the "DDWRT OpenVPN Client Setup guide by egc" which actually says not to use Router mode but Gateway mode. But that doesn't solve my problem.

When I simply connect a device to any of these routers, everything works fine.

When I want to use the VPN, I connect the device I want by assigning it an IP myself (which I first reserve via the MAC address on Router A), I set the gateway to point to router C (192.168.0.11), and I set the DNS to 10.0.254.2 and 198.245.51.147 as in the tutorial. All traffic over IPv4 correctly passes through the VPN tunnel (tun1). For the traffic over IPv6, this is random.

I've attached captures from the IVPN app when everything goes through the tunnel, and when it doesn't.

For those who can help me, you should know that:
- I can't switch router A to bridge mode
- it is not possible to disable IPv6 on Router A

I found that Router A's IPv6 address started with fe80, and the various prefixes in the prefix delegation settings all started with 2a01 and a few other common characters. (Capture of attached IPv6 configuration). And I found at the same time, that when all the traffic goes through the VPN tunnel, it was granted only an IPv6 address with fe80 to the connected device, whereas when the traffic does not partly go through the VPN tunnel, the device is granted two IPv6 addresses simultaneously, one in fe80, one in 2a01.

I hope I have given enough information, do not hesitate to ask me for captures or additional details if necessary.

Sorry for my English, if I don't have any trouble reading it, I don't know how to write it and I have to use Google Translate.

Thanks in advance

Kind regards

Solved : I set router/modem A to bridge mode, router B to gateway mode (IPv6 disabled), and router C as an Access Point (IPv6 disabled) with the OpenVPN client, now everything goes through the VPN (provided I choose an IP manually and define router C as a gateway on the clients of course).


Last edited by j.about on Sun Sep 18, 2022 2:21; edited 2 times in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Sep 15, 2022 17:52    Post subject:
I had to reread this post several times to be sure I understood the fundamental problem here. And even so, I'm still not so sure I do.

First, when it comes to Gateway vs. Router mode w/ DD-WRT, this only affects the router if in fact the router has an *active* WAN. Router mode disables NAT over the WAN. But if the WAN is disabled, as it is w/ routers B and C, this issue is utterly irrelevant.

Secondly, I don't understand why IPv6 is enabled on routers B and C. I didn't get the impression you're assigning IPv6 addresses to your clients. And I assume even if the primary router has enabled IPv6 on its WAN (maybe that's all the ISP offers), it shouldn't necessarily require IPv6 on the LAN side. I would assume you could still use IPv4 on the LAN, exclusively.

All that said, I therefore don't understand why there is some issue here wrt IPv6 and the VPN. AFAIK, the DD-WRT doesn't even support IPv6 from a selective routing perspective (I don't use IPv6, so I can't say that definitively, but that's my current understanding). And so any local device bound to IPv6 would seem to me to be unroutable over the VPN, at least using PBR (policy based routing).

Anyway, it would help if you were more precise as to how your network is actually configured. Whether in fact you have devices using IPv6, and NOT just the WAN of the primary router. And whether it's your intent to route IPv6 over the VPN at all. There are just some missing details that make it difficult to know if IPv6 is an essential part of the config, or simply incidental, and perhaps we're just talking about an IPv6 leak over the WAN that's making it difficult to mask the fact you're using a VPN w/ your streaming content provider (a common problem for those who only intend to support IPv4, but their ISP requires IPv6, and so clients that are bound to the VPN w/ IPv4 will leak their IPv6 connection over the WAN).

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12795
Location: Netherlands

Posted: Fri Sep 16, 2022 6:55    Post subject:
I concur, it could be an IPv6 leak.

Turn off IPv6 on your PC so that it only connects via IPv4 and is forced through the VPN

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
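
An added example, not part of the original thread: a check a LAN client can run to tell the two states described in the first post apart (link-local `fe80` address only, versus an additional globally routable address that bypasses an IPv4-only VPN gateway). The sample `ip -6 addr show` output is constructed, and the documentation prefix `2001:db8::/32` stands in for the ISP's `2a01` prefix.

```python
import ipaddress
import re

# Global unicast space; fe80::/10 (link-local) and fc00::/7 (ULA) fall outside it.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed `ip -6 addr show` output for the same client in both states.
LINK_LOCAL_ONLY = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""
WITH_GLOBAL = LINK_LOCAL_ONLY + """\
    inet6 2001:db8:1234:5678:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
"""

def ipv6_by_interface(ip_output):
    """Map interface name -> list of IPv6Address parsed from `ip -6 addr show` text."""
    result, iface = {}, None
    for line in ip_output.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if head:
            iface = head.group(1)
            result[iface] = []
            continue
        m = re.match(r"^\s+inet6\s+([0-9a-fA-F:.]+)/\d+", line)
        if m and iface:
            result[iface].append(ipaddress.IPv6Address(m.group(1)))
    return result

def leak_candidates(ip_output):
    """Return {iface: [global unicast addresses]}; an empty dict means no routable IPv6."""
    out = {}
    for iface, addrs in ipv6_by_interface(ip_output).items():
        routable = [a for a in addrs if a in GLOBAL_UNICAST]
        if routable:
            out[iface] = routable
    return out

if __name__ == "__main__":
    for label, text in (("link-local only", LINK_LOCAL_ONLY), ("with global", WITH_GLOBAL)):
        print(label, "->", leak_candidates(text) or "no routable IPv6 address")
```

Any interface it reports has an IPv6 path to the main router that a manually set IPv4 gateway does not redirect into the tunnel.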
j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

Posted: Fri Sep 16, 2022 15:51    Post subject:
First of all thank you for your answers.

eibgrad wrote:
Secondly, I don't understand why IPv6 is enabled on routers B and C. I didn't get the impression you're assigning IPv6 addresses to your clients. And I assume even if the primary router has enabled IPv6 on its WAN (maybe that's all the ISP offers), it shouldn't necessarily require IPv6 on the LAN side. I would assume you could still use IPv4 on the LAN, exclusively.


I thought it was better to enable IPv6 on routers B and C as it is mandatory on router A.

eibgrad wrote:
Anyway, it would help if you were more precise as to how your network is actually configured. Whether in fact you have devices using IPv6, and NOT just the WAN of the primary router. And whether it's your intent to route IPv6 over the VPN at all. There are just some missing details that make it difficult to know if IPv6 is an essential part of the config, or simply incidental, and perhaps we're just talking about an IPv6 leak over the WAN that's making it difficult to mask the fact you're using a VPN w/ your streaming content provider (a common problem for those who only intend to support IPv4, but their ISP requires IPv6, and so clients that are bound to the VPN w/ IPv4 will leak their IPv6 connection over the WAN).


I don't see how to be more specific about my configuration, which router configuration page would be useful to you that I can post here?

egc wrote:
I concur, it could be an IPv6 leak.

Turn off IPv6 on your PC so that it only connects via IPv4 and is forced through the VPN


Indeed, it seems to be what is called an IPv6 leak. I disabled IPv6 on my computer, or my NAS, the problem is that IPv6 is impossible to disable on some devices.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12795
Location: Netherlands

Posted: Fri Sep 16, 2022 17:26    Post subject:
You can consider setting up the VPN router as gateway so with its WAN attached to the main router and on its own subnet with IPv6 disabled.

On that router you can make a VAP, e.g. a wireless guest network; that network you then route via the VPN.

So by switching to the guest network you switch to VPN; using the normal wifi you connect the regular way.

j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

Posted: Fri Sep 16, 2022 19:32    Post subject:
Previously, I had this router set up as a gateway with its own subnet, with the VPN always on for all devices connected (by Ethernet or Wi-Fi) to it, so I had no issues with leak.

The problem with this configuration is that I did not have access to the devices connected to routers A and B from router C. In the other direction the same, except by opening the port of the services concerned (SMB for example).

I've seen topics about Static routing, but from what I understand, it would take a setting to be done on router C and one on router A, but the latter does not have this type of settings.

Also, it seems that services like Bonjour, UPnP/DLNA, or others don't work.

For example, I have an LG TV connected to router B, and my smartphone connected to router C, currently I can control it, depending on your configuration, I won't be able to anymore.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12795
Location: Netherlands

Posted: Sat Sep 17, 2022 6:54    Post subject:
If you cannot set a static route on your main router A then indeed that is difficult.
(For services like Bonjour DDWRT has Avahi/mDNS, but DLNA does not work across subnets)

Other things you can consider are disabling IPv6 on the main router A, setting main router A in bridge mode and letting the DDWRT routers do all the work, or if that is not possible setting one of the DDWRT routers in the DMZ of the main router A as gateway and connecting all your clients and router C to this router, so also taking router A out of the loop.

On the client side you can try to set not only the default gateway for IPv4 but also for IPv6 to the VPN router.
IPv6 on the DDWRT routers should be disabled which effectively should result in IPv6 being blocked.

I do not have IPv6 so have no experience with it

j.about
DD-WRT Novice


Joined: 14 Sep 2022
Posts: 10

Posted: Sat Sep 17, 2022 11:48    Post subject:
At first, I didn't want to put router A in bridge mode, but I think that's what I'm going to have to do, in order to put router B as a gateway and disable IPv6 on the entire network.

Thanks anyway, and have a nice day!
All times are GMT