Vpn policy excluded addresses not working on brume 2

BerryPact · 2022-12-05T19:45:19.577Z

the problem with vpn policy on the new brume 2 is that when the vpn fails to connect, excluded ips and hosts do not bypass this like on previous devices from glinet

unfortunately the static route workaround doesnt work for tcp connections due to some firewall change i have yet to discover. even if tracert shows its working for icmp, the tcp packets arent getting routed back to the client or something so the connection just hangs

BerryPact · 2022-12-06T06:19:51.262Z

I but the bullet and backed up my custom config and factory reset.

I can confirm the vpn policy exclusions dont work. I thought that the feature to enforce vpn was just broken at first, but its clear that the excluded ips arent actually excluded from the tunnel or enforce vp n features

Looks like glinet needs to fix this on the new product

alzhao · 2022-12-06T10:26:41.692Z

Can you just post a screenshot of your setting? It is much eaiser to understand.

Brume 2 is no different to other routers in this part.

K3rn3l_Ku5h · 2022-12-06T16:47:27.279Z

Do you have the wireshark log still? Can you share?
What is the VPN provider?

BerryPact · 2022-12-07T10:22:32.300Z

Heres a screenshot of my vpn config attached

Heres traceroute
First is an example of where it should go, note there is another router upstream at 192.168.8.1. The brume has

Screenshot_20221207_012212_Brave1276×1544 118 KB

no ip conflct with this device

Second is a traceroute of an ip that is not excluded from vpn which hits the von gateway as the first hop

Third is an ip that should route outside of the vpn tunnel but as you can see its first hop is the same as
Note this is an easy tether device, but shouldnt be an issue with the ping routing outside vpn

root@npancwangw01:~# traceroute -n -q 1 xx.xx.xx.xx
traceroute to 167.88.49.14 (167.88.49.14), 30 hops max, 46 byte packets
1 192.168.8.1 0.804 ms
2 *
3 *
4 *
5^C
root@npancwangw01:~# traceroute -n 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 46 byte packets
1 10.8.0.1 90.569 ms 85.569 ms 72.215 ms
2 193.29.61.3 66.380 ms 71.915 ms 93.420 ms
3 72.29.198.69 78.291 ms 83.323 ms 73.736 ms
4 208.116.131.82 72.996 ms 68.543 ms 65.687 ms
5 172.71.144.3 90.254 ms 172.71.148.3 68.787 ms 108.162.243.11 118.057 ms
6 1.1.1.1 73.409 ms 67.000 ms 80.629 ms
root@npancwangw01:~# traceroute -n 192.168.117.1
traceroute to 192.168.117.1 (192.168.117.1), 30 hops max, 46 byte packets
1 10.8.0.1 69.062 ms 64.088 ms 70.522 ms
2 * * *

alzhao · 2022-12-07T10:37:52.812Z

Are you doing traceroute on the router?

Can you do on the client that is connected to the router?

Also can you give some info about the vpn? e.g. wireguard or ovpn? Basic config info?

BerryPact · 2022-12-07T14:49:22.334Z

The vpn is just a default nordvpn open configuration.

The tests need to be from the router because the most important configuration is another luci configured wireguard vpn that routes a unique subnet. This can’t be routed over the nord vpn tunnel.

But here is a trace route to an excluded vpn on a client

Screenshot_20221207_054523_Network Analyzer840×1089 128 KB

BerryPact · 2022-12-08T02:55:09.171Z

No more input? I’m kind of frustrated because i bought the brume 2 on the success of the mango i had before

K3rn3l_Ku5h · 2022-12-08T14:56:49.193Z

I think your VPN Provider might have a kill swich bult into the config file. I don’t think you can use the GUI VPN policy need to do it in openwrt:

OpenWrt Forum – 15 Jun 19

Exclude some IPs from the OpenVPN

Hello. Cisco SPA112 Phone Adapter is connected to Asus RT-AC56U with OpenWRT. How can I exclude Cisco SPA112 Phone Adapter or other devices from OpenVPN? Do I need a vpn-policy-routing package? I had no success with the package. How do I configure...

Reading time: 1 mins 🕑 Likes: 1 ❤

wcs2228 · 2022-12-08T18:59:34.588Z

BerryPact:

I can confirm the vpn policy exclusions dont work. I thought that the feature to enforce vpn was just broken at first, but its clear that the excluded ips arent actually excluded from the tunnel or enforce vp n features

In my tests on Brume 2 running Firmware 4.1.1-1105, VPN policy exclusions are working. Domain names/IP addresses that are on the exclusion list go directly out to my ISP, while other names/IP addresses go through the NordVPN tunnel. I used tracert on a WIndows 10 client PC. The GL.iNet “Kill Switch” has not been enabled.

BerryPact:

The tests need to be from the router because the most important configuration is another luci configured wireguard vpn that routes a unique subnet. This can’t be routed over the nord vpn tunnel.

Maybe the LuCI-configured VPN interferes with the Admin Panel-configured VPN. Can you test with no LuCI-configured VPN?

I do not work for and I do not have formal association with GL.iNet

wcs2228 · 2022-12-08T23:54:05.347Z

I tested again using traceroute in SSH on the Brume 2. VPN policy exclusions are not working, with all domain names/IP addresses going through the NordVPN tunnel.

It looks like VPN policy works on traffic from a client device connected to the router, but not on traffic from within the router itself.

BerryPact · 2022-12-09T07:45:50.436Z

Hmm, is this only from the default lan network? I have disabled it and setup my network on vlans, which could be related to your discovery.

This is pretty disappointing that the policy is configured like this.

BerryPact · 2022-12-11T01:26:31.259Z

I looked at the glinet scripts that handle the vpn policy and they only take a network on LAN and Guest network into account. So ive moved all of my config to luci for nordvpn

It seems the reason i didnt have any issues before is because i had an upstream router before, and now that ive consolidated my vlan routing and wan connectivity into the brume two, im discovering the limitations of the glinet customizations.

The brume2 is great hardware limited by the hard coded glinet software. Hopefully a “clean” build of openwrt will become available for the brume 2 so i can run this without ripping out the custom scripts.

As of now, this is working configured with luci and the vpn policy addon. Im also workjng on a script that will change the gateway for vpn policy exclusions and the static route for mwan failover between ethernet and easytether.

jdub · 2022-12-11T01:48:49.617Z

BerryPact:

The brume2 is great hardware limited by the hard coded glinet software. Hopefully a “clean” build of openwrt will become available for the brume 2 so i can run this without ripping out the custom scripts

gl-infra-builder to the rescue! I’ve got a clean build running right now. It includes the proprietary driver stack, but other than that you can pretty much do anything you’d normally do with a stock build. I can share what I’ve got if you’re interested, or you certainly seem competent enough to build your own.

https://github.com/gl-inet/gl-infra-builder

alzhao · 2022-12-12T03:49:05.934Z

@BerryPact @jdub

Thanks for your sharing!

The vpn policy on GL.iNet router is designed for the client devices, not the router itself.

But I am glad that you can do it either manually in luci or compile a firmware by yourself.

hob · 2023-02-07T22:59:50.577Z

Thank you for your reply!

I actually bought the Brume 2 for this exact purpose: VPN client router besides my main router, with domain exclusions. Trying the Drop-in gateway mode as well does not achieve my purpose.

Is there an easy way to achieve this at the moment ? Knowing that I use the Brume 2 as a secondary router (the primary being my 3-in-1 ISP router)

alzhao · 2023-02-08T08:34:46.755Z

Here is my test, 4.2.0 firmware MT3000

Not using vpn for Google and Youtube.

image752×421 15.5 KB

When vpn is disconnected

image1402×671 42.8 KB

I can still access Google and Youtube but not other domains.

So it appears that this works just right. Can you pls check if this is what you are doing?

hob · 2023-02-08T22:21:21.034Z

Thank you for the quick reply. I appreciate it!

alzhao:

I can still access Google and Youtube but not other domains.

Yes, it works ONLY if you are on the LAN network for the router.

What I wasn’t aware of before buying the Brume 2 is that VPN policy exclusions do NOT work for WAN interface (which is my case). I use the Brume 2 as a second router besides my modem router to provide VPN capabilities and much more to my network. If only this was written somewhere…

I installed the beta firmware yesterday (4.2.0 beta2). I am glad I found that exact note written when configuring the Drop-in Gateway feature.

offtopic: speaking of beta firmwares, all my devices today keep connecting/disconnecting to the wifi network (on my ISP router) while using the Drop-in Gateway feature. It seems there are some stability problems. How can I help ?

alzhao · 2023-02-09T04:04:39.103Z

vpn and vpn policy only works for LAN of course.

If you want it work with WAN, drop-in mode is needed.

In 4.2, drop-in mode use DHCP. So can you turn off dhcp in your ISP router? It should work OK if your ISP still have DHCP on, but it is possible two router is racing for DHCP requests.

hob · 2023-02-15T09:45:23.372Z

Sorry for the late reply. No, VPN policies do not work when drop-in gateway mode is enabled

image1213×654 55.9 KB

Here is the note I wished it was written somewhere. Here are the configurations for both routers:

ISP

LAN

Asssign Brume 2 to 192.168.1.102
DHCP
Gateway: 192.168.1.102
Start: 192.168.1.100
End: 192.168.1.199
DNS: 0.0.0.0

WAN
ISP settings

Brume 2

LAN

image1086×726 24.5 KB

DHCP

image1067×500 21.1 KB

The WAN on Brume 2 is connected to a LAN port on the ISP router. VPN client is enabled without a kill switch. If you think anything is missing, I can open a new topic. Sorry again for the delay