VPN policies problems with AX1800

Hello,

When I use Mullvad with NextDNS enabled (I also checked the "override DNS" checkbox) and rebind protection off, then go to VPN Policies, enable "VPN Policy" and "Use VPN for all processes on the router", select "Do not use VPN for the items in the list" in the dropdown and type a website in it, do ipconfig /flushdns, and clear the browser's DNS cache in Brave via brave://net-internals/#dns, for some reason the website always times out for me.

what could be wrong here?

thank you.

I’m using firmware: 3.212

Just tried the same. But I used Azirevpn Wireguard.

I have no problem when checking using Brave.

Also, my IP address check is showing the correct IP.

I’m thinking maybe I broke something myself; recently I added some rules to sysctl.conf against ARP poisoning. Could it be related to this?


kernel.panic=3
net.ipv4.conf.default.arp_ignore=1 # edited
net.ipv4.conf.all.arp_ignore=1 # edited
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1 # edited
net.ipv4.icmp_ignore_bogus_error_responses=1 # edited
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=65535 #16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

kernel.sysrq=0

vm.min_free_kbytes=16384

I also changed the conntrack limit to a high number, but that doesn’t fix it; it seems the bypass works but then it goes into a firewall dropped state.

-EDIT-

I think I might have found the problem. I believe it does work: I entered example.com inside the filter and this one comes through (but it failed after I opened an anonymous window when checking further). But when I put in watismijnip.nl it gives me a dropped connection and says "connection reset", and when I do the same with google.com it says "connection ended". The strangest thing is that when I use nslookup I do resolve an IP, and at rare times I also get dns_probe_possible even after I flush in Brave and in Windows.

Sorry but I cannot really understand the root reason.

I did a reset and now it works to a certain degree; for LAN it works as expected.

But when I use a routed AP by this guide on my wireless network:

And also VLANs seem not to get registered inside the VPN policy table.

-edit-

I totally forgot to mention I want a domain to bypass the VPN.


I encountered a similar issue with version 4 (beta). The VPN domain bypass is not working when you have VLANs in the mix. The policy works on the bridge (br-lan) device, but when you add bridge VLAN filtering and change the interface device setting to br-lan.(vlan id), the VPN policy bypass doesn’t work at all. It appears that the VLAN segmentation doesn’t work well with the VPN bypass policy table.

It would be nice to have this capability. I hope GL-iNet addresses this issue in the 4.0 stable release.

Hmm, I wonder which version of beta 4 you are using?

I only encountered one issue with the VPN policies so far, and that was that it doesn’t register new routes/interfaces.

But when I restarted the WireGuard service, the bypass worked.

I am using release 2. The issue is that the domain bypass doesn’t apply to any bridges you create other than the default bridge (br-lan) itself.

Ex: let’s say I create a new interface named “iot” and a bridge device (br-iot) associated with it.


You are 100% right. I just checked the script; it’s only doing things for br-lan and the guest interface as far as I can see. I manually added these via iptables rules, but I hope it can be added in the future 🙂 (I had a lot of trouble with cloudfront.net and Mullvad on a certain site).

iptables -t mangle -I ROUTE_POLICY -i wlan0 -m set --match-set bypass_vpn_domain dst -j MARK --set-mark 0x80000/0x80000
iptables -t mangle -I ROUTE_POLICY -i wlan0 -p tcp --dport 53 -j MARK --set-mark 0x100000/0x100000
iptables -t mangle -I ROUTE_POLICY -i wlan0 -p udp --dport 53 -j MARK --set-mark 0x100000/0x100000

Edited: this one is for MAC:
iptables -t nat -A ROUTE_POLICY -i wlan0 -m set --match-set bypass_vpn_mac src -p tcp --dport 53 -j DNAT --to 192.168.1.1  # (your wan ip)

I’m not 100% sure if it works, but it seems it does. You can replace wlan0 with other interfaces, but I need to check longer whether it really works, since I’m dealing with a CloudFront domain which keeps changing its DNS entries.

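Since the thread's conclusion is that the firmware script only marks traffic from br-lan and the guest interface, here is an added example (not from the thread and not GL-iNet's own script) that applies the same mangle marks to any list of interfaces, such as br-lan, br-iot and wlan0, and checks with iptables -C before inserting, so running it again after a WireGuard restart does not stack duplicate rules. It assumes the ROUTE_POLICY chain and the bypass_vpn_domain ipset from the rules above already exist, reuses the thread's mark values (0x80000 for ipset matches, 0x100000 for DNS), and takes the iptables binary from the IPT variable so it can be dry-run with IPT=echo.

```shell
#!/bin/sh
# Added example: apply the thread's VPN-bypass marks to several interfaces idempotently.
# Assumes the ROUTE_POLICY chain (mangle table) and the bypass_vpn_domain ipset exist.
IPT="${IPT:-iptables}"                       # set IPT=echo for a dry run
BYPASS_SET="${BYPASS_SET:-bypass_vpn_domain}"
BYPASS_MARK="0x80000/0x80000"                # mark used in the thread for bypass traffic
DNS_MARK="0x100000/0x100000"                 # mark used in the thread for DNS traffic

# Print the three rule bodies (everything after "-I ROUTE_POLICY") for one interface,
# one per line, exactly as in the thread's wlan0 rules.
bypass_rules_for() {
    iface="$1"
    printf '%s\n' \
        "-i $iface -m set --match-set $BYPASS_SET dst -j MARK --set-mark $BYPASS_MARK" \
        "-i $iface -p tcp --dport 53 -j MARK --set-mark $DNS_MARK" \
        "-i $iface -p udp --dport 53 -j MARK --set-mark $DNS_MARK"
}

# Insert a rule into mangle/ROUTE_POLICY only if it is not already there.
# "iptables -C" returns 0 when an identical rule exists, non-zero otherwise.
# $1 is a rule body as one string; it is word-split on purpose (bodies contain no quotes).
ensure_rule() {
    if $IPT -t mangle -C ROUTE_POLICY $1 2>/dev/null; then
        return 0                             # already present, nothing to do
    fi
    $IPT -t mangle -I ROUTE_POLICY $1
}

# Apply the bypass marks for every interface given as an argument.
apply_bypass() {
    for iface in "$@"; do
        bypass_rules_for "$iface" | while IFS= read -r body; do
            ensure_rule "$body"
        done
    done
}

# Usage: ./vpn_bypass.sh apply br-lan br-iot wlan0
# (dry run: IPT=echo ./vpn_bypass.sh apply br-lan br-iot wlan0)
if [ "${1:-}" = "apply" ]; then
    shift
    apply_bypass "$@"
fi
```

For bridges with VLAN filtering, pass the VLAN sub-interface name the policy is bound to (for example br-lan.10) as the interface argument; the match is on the incoming interface, so whichever device the clients' packets enter on is the one that needs the rule. Hooking the script into the WireGuard start (or a hotplug script) re-applies the marks if the firmware flushes ROUTE_POLICY on restart.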