SmallNetBuilder Forums
#1
12-23-2012, 07:25 AM - ilium007
OpenVPN client set up - split tunnel does not function; wrong default route

Hi - I have set up the OpenVPN client on the RT-N66U running 3.0.0.4.264.22. I have selected:

Redirect Internet traffic = No

I thought this would mean that no default route would be created for this client config, i.e. I could bring up a tunnel but still have the default route go out my PPPoE connection on ppp0.

When I bring up the config and do a show route I see this:

tun11 is the VPN tunnel interface



And a traceroute with the VPN client running:

Straight to a 209.x.x.x address - my OpenVPN provider in the USA

Quote:
macbookair:~ ilium007$ traceroute suncorp.com.au
traceroute to suncorp.com.au (203.0.222.10), 64 hops max, 52 byte packets
1 www.asusnetwork.net (192.168.10.1) 0.501 ms 0.324 ms 0.258 ms
2 * * *
3 bukbukimachicken.me (209.159.150.233) 271.299 ms 271.139 ms 271.226 ms
4 core-04-teb2.us.as19318.net (66.45.224.177) 270.821 ms 269.985 ms 271.813 ms
5 64.20.47.17 (64.20.47.17) 272.187 ms 271.781 ms 271.406 ms
6 209.197.17.197 (209.197.17.197) 272.036 ms 272.582 ms 271.756 ms
7 e2-4.r1.ch.hwng.net (209.197.0.33) 298.210 ms 302.850 ms 298.562 ms
8 * * *
9 209.234.240.250 (209.234.240.250) 343.281 ms 344.287 ms 348.065 ms
10 gi5-2.sjc-core01.net.telstraglobal.net (206.223.116.11) 347.926 ms 347.557 ms 348.087 ms
11 i-0-1-2-0.eqnx-core01.bi.telstraglobal.net (202.84.251.97) 348.306 ms
i-0-4-4-0.eqnx-core01.bi.telstraglobal.net (202.84.251.41) 347.618 ms 347.778 ms
12 i-0-6-0-1.sydo-core02.bx.telstraglobal.net (202.84.140.134) 492.584 ms 497.166 ms 492.293 ms
13 tengige0-2-0-5.oxf-gw1.sydney.telstra.net (203.50.13.13) 496.637 ms 496.485 ms 651.195 ms
14 bundle-ether1.ken-core4.sydney.telstra.net (203.50.6.5) 502.042 ms 498.418 ms 504.646 ms
15 bundle-ether5.cha-core4.brisbane.telstra.net (203.50.11.73) 522.165 ms 523.227 ms 524.742 ms
16 tengigabitethernet2-1.woo6.brisbane.telstra.net (203.50.50.144) 514.824 ms 507.352 ms 507.311 ms
17 suncor10.lnk.telstra.net (139.130.185.70) 515.273 ms 510.304 ms 513.485 ms
18 suncor10.lnk.telstra.net (139.130.185.70) 510.303 ms !X 510.789 ms !X 508.383 ms !X
When I shut down the OpenVPN Client1 connection I see this route table change:



And a traceroute to the same host shows:

Straight out the PPPoE interface to my ISP

Quote:
macbookair:~ ilium007$ traceroute suncorp.com.au
traceroute to suncorp.com.au (203.0.222.10), 64 hops max, 52 byte packets
1 www.asusnetwork.net (192.168.10.1) 0.800 ms 0.342 ms 0.328 ms
2 * * *
3 bri-sot-wic-csw2-gi-1-3.tpgi.com.au (202.7.173.137) 21.480 ms 20.656 ms 20.964 ms
4 bri-sot-wic-crt1-gi-2-0-0.tpgi.com.au (203.29.135.1) 21.392 ms 21.447 ms 21.710 ms
5 gigabitethernet3-3.woo7.brisbane.telstra.net (120.151.255.225) 36.399 ms 220.033 ms 174.475 ms
6 tengigabitethernet1-1.woo6.brisbane.telstra.net (203.50.51.144) 34.776 ms 34.793 ms 35.437 ms
7 suncor10.lnk.telstra.net (139.130.185.70) 38.098 ms 37.936 ms 37.191 ms
8 * suncor10.lnk.telstra.net (139.130.185.70) 38.280 ms !X *
9 * *^C
This is the nvram with the "Redirect Internet traffic" option set to NO:

Quote:
admin@(none):/# nvram show | grep client1
vpn_client1_poll=0
vpn_crt_client1_static=
vpn_client1_nm=255.255.255.0
vpn_client1_cipher=DES-CBC
vpn_client1_addr=us3.vpnsecure.me
vpn_client1_reneg=-1
vpn_client1_username=
vpn_client1_comp=yes
vpn_client1_retry=30
vpn_client1_gw=
vpn_client1_adns=0
vpn_client1_tlsremote=0
vpn_client1_if=tun
vpn_crt_client1_crt=-----BEGIN CERTIFICATE-----
vpn_client1_custom=comp-lzo
vpn_client1_rgw=0
vpn_client1_remote=10.8.0.1
vpn_client1_rg=0
vpn_client1_crypt=tls
vpn_client1_useronly=0
vpn_client1_bridge=1
vpn_crt_client1_ca=-----BEGIN CERTIFICATE-----
size: 46592 bytes (18944 left)
vpn_client1_firewall=auto
vpn_client1_proto=udp
vpn_client1_port=1191
vpn_client1_password=
vpn_client1_hmac=-1
vpn_client1_userauth=0
vpn_client1_nat=1
vpn_crt_client1_key=-----BEGIN RSA PRIVATE KEY-----
vpn_client1_local=10.8.0.2
admin@(none):/#

This is the nvram with the "Redirect Internet traffic" option set to YES:

Quote:
admin@(none):/# nvram show | grep client1
vpn_client1_poll=0
vpn_crt_client1_static=
vpn_client1_nm=255.255.255.0
vpn_client1_cipher=DES-CBC
vpn_client1_addr=us3.vpnsecure.me
vpn_client1_reneg=-1
vpn_client1_username=
vpn_client1_comp=yes
vpn_client1_retry=30
vpn_client1_gw=
vpn_client1_adns=0
vpn_client1_tlsremote=0
vpn_client1_if=tun
vpn_crt_client1_crt=-----BEGIN CERTIFICATE-----
vpn_client1_custom=comp-lzo
vpn_client1_rgw=1
vpn_client1_remote=10.8.0.1
vpn_client1_rg=0
vpn_client1_crypt=tls
vpn_client1_useronly=0
vpn_client1_bridge=1
vpn_crt_client1_ca=-----BEGIN CERTIFICATE-----
vpn_client1_proto=udp
vpn_client1_firewall=auto
vpn_client1_port=1191
vpn_client1_password=
vpn_client1_hmac=-1
vpn_client1_userauth=0
vpn_client1_nat=1
vpn_crt_client1_key=-----BEGIN RSA PRIVATE KEY-----
size: 46592 bytes (18944 left)
vpn_client1_local=10.8.0.2
admin@(none):/#
The difference is in the line:

vpn_client1_rgw=1

This says to me that with the OpenVPN client running and the "Redirect Internet traffic" option set to NO I still get a default route out the VPN interface.

Am I looking at this wrong?

#2
12-23-2012, 08:03 AM - ilium007

I have also just confirmed that it is specific to the router: when I set up the exact same client on my Mac using an OpenVPN client and then look at the local routing table, it is fine - the default route is not being changed.

This confirms that the OpenVPN server is not pushing anything to the client that will force the default route.

I basically want to be able to split tunnel on the RT-N66U whilst I have a VPN Client set up.
#3
12-23-2012, 08:55 AM - ilium007

If anyone else wants to test this I have a trial OpenVPN account and I can give you my certs and keys for you to test on your RT-N66U. My account is valid for another 1.5 days.

I did some more low tech testing using this site:

http://fmbip.com/

With the "Redirect Internet traffic" turned Off I still get the US-based IP come up on that site. When I disconnect the client OpenVPN tunnel I get my usual ISP IP.



I am trying to get Hulu working in Australia but I can't do it with all my internet traffic routing out over the VPN tunnel. I want to set up specific routes for the Hulu traffic only - not ALL my network traffic.
#4
12-23-2012, 03:26 PM - RMerlin

I can't reproduce that behaviour here. I just configured a tunnel, and my default route is only the regular one on eth0:


admin@RT-N66U:/tmp/home/root# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.108.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
192.168.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun11
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.108.0.0 10.108.0.2 255.255.255.0 UG 0 0 0 tun21
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0


I suspect it could be your VPN provider pushing the route to you (servers can push routes to the clients). Check Syslog for the details of what settings get pushed to you.

You can reject routes being pushed to you through a config option:

http://www.jbmurphy.com/2010/08/11/i...penvpn-client/
__________________
Asuswrt-Merlin: Customized firmware for Asus routers
Github: github.com/RMerl - Twitter: RMerlinDev
See the sticky post for more info.

#5
12-23-2012, 04:13 PM - ilium007

I had also lodged a question with the VPN vendor asking if they pushed a route and just got a reply to say they did. I will need to use a script specified in the client config to remove the routes when the tunnel comes up.
#6
12-23-2012, 05:07 PM - ilium007

Is there anything special I need to do in the script I call after the tunnel comes up? I was going to simply put something in the /jffs/scripts folder. Do I only need to remove the one default route out through tun11?
#7
12-23-2012, 05:08 PM - RMerlin

Quote:
Originally Posted by ilium007
I had also lodged a question with the VPN vendor asking if they pushed a route and just got a reply to say they did. I will need to use a script specified in the client config to remove the routes when the tunnel comes up.
Just add the config option from the URL I linked, it should prevent your client from accepting the route pushed to it.
#8
12-23-2012, 05:09 PM - ilium007

Cool - I hadn't gotten as far as the link yet! Cheers.
#9
12-23-2012, 05:11 PM - ilium007

Quote:
Add “route-nopull” to your client’s config and you will no longer be a slave to the server’s “redirect-gateway”
I will add this in tonight and see how it goes. Thanks again.
#10
12-24-2012, 08:23 AM - ilium007

So that option worked fine. I am now having a small issue whereby I add a route option to the client config, for example, I want to route traffic to a certain host address across the tunnel:

Quote:
route 87.106.130.14 255.255.255.255 vpn_gateway
All good - my route table looks like:

Quote:
admin@(none):/tmp/home/root# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
87.106.130.14 10.8.0.157 255.255.255.255 UGH 0 0 0 tun11
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
10.8.0.157 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
202.7.179.98 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 202.7.179.98 0.0.0.0 UG 0 0 0 ppp0
admin@(none):/tmp/home/root#

But if I do a traceroute to 87.106.130.14 I get no responses:

Quote:
traceroute to 87.106.130.14 (87.106.130.14), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4
Do I need to manually set up NAT rules?

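As an added example (not code from this thread, from Asuswrt-Merlin, or from the VPN provider), the following POSIX sh script does by script what posts #1, #4 and #10 do by eye: it reads `route -n` or `netstat -nr` output on stdin, reports which interface carries the default route, flags the two 128.0.0.0 half-routes that a server-pushed `redirect-gateway def1` installs (which leave the 0.0.0.0/0 line untouched and so are easy to miss), and lists the /32 host routes that go via the tunnel. The interface names `ppp0`/`tun11`, the script path and the sample tables are assumptions; the WAN and tunnel interface names are passed as arguments.

```shell
#!/bin/sh
# Added example: sanity-check a Linux routing table after an OpenVPN client
# tunnel comes up. Reads `route -n` / `netstat -nr` output on stdin.
# Assumed usage on the router (not a real Asuswrt-Merlin script):
#   route -n | sh /jffs/scripts/check_vpn_routes.sh ppp0 tun11
# Exit status is 1 when egress is not on the expected WAN interface.
# Both table formats put Genmask in column 3 and Iface in the last column.

# default_iface TABLE -> prints the interface of the 0.0.0.0/0 route (or nothing)
default_iface() {
    printf '%s\n' "$1" | awk '$1=="0.0.0.0" && $3=="0.0.0.0" {print $NF; exit}'
}

# def1_iface TABLE -> prints the interface holding BOTH /1 half-routes
# (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0), i.e. a redirect-gateway def1 hijack
def1_iface() {
    printf '%s\n' "$1" | awk '
        $3=="128.0.0.0" && $1=="0.0.0.0"   {lo[$NF]=1}
        $3=="128.0.0.0" && $1=="128.0.0.0" {hi[$NF]=1}
        END {for (i in lo) if (i in hi) {print i; exit}}'
}

# host_routes_via TABLE IFACE -> prints /32 destinations routed through IFACE
# via a gateway (the tunnel peer's own UH entry has gateway 0.0.0.0 and is skipped)
host_routes_via() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$3=="255.255.255.255" && $NF==ifc && $2!="0.0.0.0" {print $1}'
}

# check_vpn_routes WAN_IFACE TUN_IFACE (table on stdin)
# -> returns 0 only if the default route is on WAN_IFACE and no def1 hijack exists
check_vpn_routes() {
    wan="$1"; tun="$2"; table=$(cat)
    dflt=$(default_iface "$table"); hij=$(def1_iface "$table")
    echo "default route via: ${dflt:-none}"
    [ -n "$hij" ] && echo "WARNING: redirect-gateway def1 half-routes via $hij"
    for h in $(host_routes_via "$table" "$tun"); do
        echo "host route via $tun: $h"
    done
    [ "$dflt" = "$wan" ] && [ -z "$hij" ]
}
```

When the check fails after the tunnel comes up, the pushed routes are the thing to look at in syslog, which is what `route-nopull` in the client config then suppresses.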