Brume 2 vpn policy is unreliable, even in the supported configuration. Have to restart VPN and toggle policy to allow IP's to connect

BerryPact · 2023-01-03T20:50:44.394Z

Lets pause for now, its improved greatly

Original issue: after some hours, excluded ips wouldnt connect until reboot
Current status: working for days in a row without reboot. Im still seeing connectivity loss every few hours, but i cant yet determine if its a brume issue or cellular network.

Ill update if i can confirm the issue is not cellular related and we can troubleshoot via team viewer. I have zabbix monitoring connections to all my networks, so i just need to see if vpn internet is more consistent than excluded ips connections

BerryPact · 2023-01-08T05:36:38.766Z

Hello, Unfortunately this is still not working on a minimally configuration. I’m not too keen on using a remote session like team viewer, but I would be more open to using a chat like discord, matrix.im or similar? I’ve installed/reinstalled easy tether about 50 times, so I can explain well.

from a factory reset I complete the following steps

install easytether ipk
add network uci interface for easytether-tap as DHCP
add mwan3 config
add glinet openvpn configuration
configure vpn policy
set timezone and hostname
optional: add my easytether hotplug script, just restarts easytether if it crashes
reboot
confirm mwan3 brings route up and vpn works. Also test vpn policy (traceroute to tunnel ip, traceroute to excluded ip)

Android setup

enable developer options
enable usb debugging
ensure USB mode is set for Android Auto/etc…
connect USB and accept debug authorization, set to remember device
launch easy tether, and ensure usb is turned on. Should indicate “device connected”
confirm that easytether-tap device is up in glinet brume: ip link

BerryPact · 2023-01-08T10:24:27.236Z

I think the version of httping in this old version of openwrt may be buggy, because I discovered that when the issue occurs, there is a hung httping process that can only be stopped with kill -9 signal.

When I killed this hung process, the addresses I’ve been having trouble with started responding. I’m trying to confirm this by running a scheduled task to kill httping periodically and will report back

BerryPact · 2023-01-08T16:58:19.673Z

Here is the fix/workaround

Add this line inside mwan.user within the existing disconnect action script

killall -9 httping

BerryPact · 2023-01-09T06:49:07.230Z

Actually, the real issue is that on a cellular connection latency can be over 10seconds, so even though the VPN was able to remain connected over the default policy gateway, MWAN was frequently marking the interface down with even a 3 second timeout

I changed my mwan config to check every 30 seconds with a 10 second timeout. This has resolved the issue without any scripts needed.

BerryPact · 2023-01-13T06:45:46.461Z

I need to re-open this, unfortunately. I’ve continued to have the issue even after changing the cellular mwan3 check to use localhost ping checks (no longer using httping)

I discovered that there is infact a packet routing issue while troubleshooting a connection to a new wireguard connection via my upstream router (on a linksys openwrt, not brume2)

after about 8 to 12 hours from the last reset the following occurs for all IP’s/domains in the exclusion:

Set far end router IP as VPN policy exclusion
packets are sent from my network, thru brume 2 which I captured in tcpdump
packets are seen in the Brume2 leaving towards the internet
The packets are seen on the other end, and reply packets are seen sent back to my local network in tcpdump
The reply packets are seen on the brume2 WAN interface via tcpdump (easytether)
the reply packets are not seen on the brume2 LAN interface

Once I restart the openvpn client on Brume2 AND toggle VPN policy to Global and then to exclude IPs, the connection is restored for ALL excluded IP’s in the VPN Policy No reboot is necessary, but both have to be restarted/toggled, the order doesn’t seem to matter.

Some additional observations: This does not effect IPs that have a persistent connection, it only effects new connections that hadn’t been made until after the 8-12 hours it works.

hansome · 2023-01-14T04:05:32.982Z

Could we start anydesk sesssion, please PM me.

fuzzygel · 2023-02-08T07:04:15.516Z

another dump and newbie question from me

How do I set vpn policies ? I don’t even see that on the gui , do I need to do it in cli and where to start cli screen? so I need to install any plugins first?

CleanShot 2023-02-08 at 18.03.47@2x2568×944 209 KB

Sorry again for such dumb questions

alzhao · 2023-02-08T08:45:12.654Z

Pls go to VPN dashboard, find it at the vpn client section.

conrad.siegfried · 2023-03-11T21:26:22.512Z

I’m having the same problem, MAC clients excluded via VPN Policy from using the VPN are dropped after few hours and the only solution is to reboot. This is an extremely annoying issue!! I made the switch from PfSense for similar problems I had where the only solution was to reboot it. Seems I’m cursed. Do fix this asap, please!
PS: added this functionality to the Android app too, I was pissed off that I cannot manage my exclusion list from my phone.
Thanks.

hansome · 2023-03-13T03:08:33.415Z

conrad.siegfried:

MAC clients excluded via VPN Policy from using the VPN are dropped after few hours

Hi What do you mean by dropped?

conrad.siegfried:

I was pissed off that I cannot manage my exclusion list from my phone.

This bug has been fix in beta version firmware.

conrad.siegfried · 2023-03-14T18:55:57.916Z

Not true, I’m using the 4.2.0 release3 and I’m having this problem.

conrad.siegfried · 2023-03-21T21:05:59.922Z

Ver. 4.2.0 release4, same issue

alzhao · 2023-03-22T10:40:54.897Z

Don’t understand what you mean “droped”. Pls explain.

conrad.siegfried · 2023-03-26T10:05:12.925Z

I mean that it works for a while, then the connections are dropped. Example, I can watch 2 episodes of Netflix using the “VPN Policy Base On The Client Device” or policy “defined by IP address or domain name”, the when on the 3rd I lose connection to Netflix altogether.

On ver 4.2.1 rel2 beta now, and still same sh*t.

antifascista · 2023-03-26T11:01:52.027Z

VPN Policy and Android (TV) and Netflix Technical Support for Routers

FYI actualized List with Disney+ too. manual-list.conf.zip (1.6 KB)

Netflix&Co. has various public IPs…

conrad.siegfried · 2023-03-28T10:39:20.920Z

conrad.siegfried:

“defined by IP address or domain name”

So? “defined by IP address or domain name”

antifascista · 2023-03-28T20:20:56.823Z

Few domains but a lot of IP’s. The file on the post that I’ve linked is a good starter point.

conrad.siegfried · 2023-04-30T20:24:06.543Z

So, do you plan to solve this problem or you don’t give a bleep?

conrad.siegfried · 2023-05-10T21:56:33.915Z

Issue still unresolved.