Posted: Fri May 18, 2018 23:26 Post subject: Startup script stopped working after FW Upgrade
Hi experts, I cannot for the life of me figure this out. I have a simple setup at home. Basically, I have 2 different VPNs and I want to have both of them up at the same time in the router. All devices go over VPN1 while one Amazon firestick goes over VPN2. There is a single default WiFi access point and I don't want any traffic to go over the ISP.
I'm a networking noob but I scratched around and used instructions from this blog post to get my setup running.
However, I was taking around a 10-15 Mbps throughput hit compared to using the VPN application on the PC. I figured that the FW was old (around 2016) so upgraded to v3.0-r35916. However, the startup script that was previously working is not working anymore. Here's the routing part from the script:
# Create fwmark to table bindings
ip rule add fwmark 2 table 2 # Tunnel 0
ip rule add fwmark 3 table 3 # Tunnel 1
# Create table to tunnel bindings
ip route add default dev tun0 table 2 #Send out VPN1
ip route add default dev tun1 table 3 #Send out VPN2
ip route flush cache
#VPN1 tunnel rules for all other devices
iptables -A PREROUTING -t mangle -s 192.168.1.0/24 -j MARK --set-mark 2
#VPN2 Tunnel rules for firestick
iptables -A PREROUTING -t mangle -s 192.168.1.111 -j MARK --set-mark 3
From SSH, I can see that the TUNs are coming up. The only way I can get one VPN up is by removing the second VPN completely and removing the --route-nopull option, so basically the routing commands are not working.
Strangely, tracert is showing the ping going through the right interface but then times out.
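As an added example (not the original poster's script), here is the same fwmark/table setup wrapped in a DD-WRT startup-style shell script that polls for tun0 and tun1 instead of sleeping a fixed time before applying the rules. The interface names, table numbers, marks, LAN subnet and firestick address are taken from the post above; `SYS_NET` and `RUN` are assumed helper variables for testing and dry-running.

```shell
#!/bin/sh
# Added example for the thread's two-tunnel policy routing; not the OP's script.
LAN_NET="192.168.1.0/24"        # everything on the LAN -> VPN1 (tun0, table 2)
FIRESTICK="192.168.1.111"       # the one host -> VPN2 (tun1, table 3)
SYS_NET="${SYS_NET:-/sys/class/net}"   # assumed: where interfaces are looked up
RUN="${RUN:-}"                  # assumed: set RUN=echo to dry-run the commands

# Poll until $1 exists as an interface; give up (return 1) after $2 seconds.
# Replaces the fixed sleep: the rules are useless if applied before the tun is up.
wait_for_iface() {
    iface="$1"; timeout="${2:-60}"; waited=0
    while [ ! -d "$SYS_NET/$iface" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# fwmark -> table -> tunnel bindings, then the mangle marks.
# Order matters: the /24 rule goes first and the single-host rule second,
# because MARK --set-mark is non-terminating and the last match wins, so the
# firestick ends up with mark 3 while the rest of the LAN keeps mark 2.
# Note: ip rule add is not idempotent; rerunning this appends duplicate rules.
apply_pbr() {
    $RUN ip rule add fwmark 2 table 2 && \
    $RUN ip rule add fwmark 3 table 3 && \
    $RUN ip route add default dev tun0 table 2 && \
    $RUN ip route add default dev tun1 table 3 && \
    $RUN ip route flush cache && \
    $RUN iptables -t mangle -A PREROUTING -s "$LAN_NET" -j MARK --set-mark 2 && \
    $RUN iptables -t mangle -A PREROUTING -s "$FIRESTICK" -j MARK --set-mark 3
}

# Wait for both tunnels (the OpenVPN instances use --route-nopull so the
# kernel default route is untouched), then install the policy routing.
# As the thread found, the Shortcut Forwarding Engine must be disabled or
# marked traffic is dropped regardless of these rules.
main() {
    wait_for_iface tun0 120 || { echo "tun0 never came up" >&2; return 1; }
    wait_for_iface tun1 120 || { echo "tun1 never came up" >&2; return 1; }
    apply_pbr
}
```

When installed as the router's startup script, append a final `main` line; it is omitted here so the functions can be sourced and dry-run with `RUN=echo`.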
Posted: Sat May 19, 2018 11:13 Post subject:
You probably have a new version of OpenVPN. Current is 2.4. It has several changes to the configuration file. Proto UDP is now Proto UDP4. It may fail to start with old configuration files.
Thanks a lot for the detailed response eibgrad and guys and sorry about omitting some important details about my OpenVPN config. In response to the concerns raised by eibgrad:
1. Yes, the tuns were named tun0 and tun1 in the OpenVPN config.
2. I'm basically using the dumb method of sleeping enough so both VPNs would be up before doing the routing.
Please refer to this paste for my config. I've removed the certs.
After FW upgrade, I had to make some changes like --down-pre to --route-pre-down since OpenVPN was not accepting --down-pre any more.
Again since I can see both TUNs coming up and manually running the openvpn command is also not throwing any errors, I am inclined to believe that the routing part is the culprit.
I tried eibgrad's script ddwrt-ovpn-split-basic.sh by commenting out all other rules and just using 'add_rule from 192.168.1.111' but it's basically just blocking device 192.168.1.111 from accessing both the WAN and the VPN while all other devices on the network are going over VPN. Perhaps I am reading the script wrong and it's supposed to do something else? If you know the FW version with which this was tested, I can downgrade and test again.
Thanks for suggesting GUI + Commandline openvpn for this and I will try it out. However, my final goal is to do destination-based routing to Germany, UK and US VPNs which I think will require a script based approach. I would appreciate any suggestions to achieve that.
Thanks again for your suggestions. The root of the problem was the Shortcut Forwarding Engine. After disabling that, my script is working fine. For me, the Shortcut Forwarding Engine was completely breaking PBR. Everything was getting blocked on any PBRed IPs.
Regarding your script, I also tried with a single VPN configured from GUI and not 2 VPNs. It was throwing an error with a single startup based OpenVPN instance. To make it work there, I had to do this, which I think should work with both GUI and startup OpenVPN.
Although I haven't tested again, I think failure cause again was the Shortcut Forwarding Engine here. There is a patch to fix that but I don't really know how to apply it. Any suggestions would be appreciated.
Regarding destination-based routing, I spent a few hours on it last night to try and get B.B.C I.Player working but it was a big ask to collect all the IPs from Wireshark. I was wondering if maybe it would be possible to do destination-based routing by rerouting DNS requests, something like:
route <domain_regex> 255.255.255.255 VPN_GW
Would something like this work? Or collecting all IPs is the only solution?