VPN Policy Issues (GL-MT1300)

djmode · 2021-04-18T18:26:53.430Z

Hi, I did a quick search around the forums for anything that went over this type of issue and found many similar ones, but none exactly like this one. Please forgive me if this is the wrong place for this or if you have any links that I may have missed!!

I use Wireguard and currently have VPN policies configured to keep only ONE device (my AppleTV) behind the VPN. No other devices should use VPN. This was working to the best of my recollection up until I upgraded my Beryl (MT1300) firmware to version 3.201. I cannot say exactly whether it worked or not for about 48 hours before/after I upgraded, though. The issue is that even with the limited-access policies enabled, it puts every device on my LAN behind the VPN. All devices still have internet but they are all persistently behind the VPN unless I disable the VPN completely. I’ve toggled all of the policy options, reloaded VPN configurations and rebooted the router to death to see if it was a hiccup, but it seems to be persistent. Verified this by checking a “whatismyip” website which outputs the VPN location rather than my actual on every device connected, as well as my ping responses out to the internet before/after VPN is enabled on the devices that should not be behind the VPN. I’ve confirmed that the same result happens with both Wireguard and OVPN.

Quick edit: I attempted to implement the policy in “reverse” and set all devices except for the AppleTV to “Do not use VPN”, and it still puts everything behind the VPN, so no dice there.

Anyone have any ideas? Thank you so much in advance!

alzhao · 2021-04-19T08:48:53.312Z

Seems it is strange.

firmware 3.201 fixed the policy specifically. I just check and it worked.

I have two client and I tried Mac address based policy. I also choose rules to “do not use” or “only use”. All behave correctly.

Maybe you can reset the router and start over?

image957×660 30.2 KB

SenseOfScience · 2021-09-19T20:31:32.674Z

I’m also using MT1300 and having this problem fairly frequently but intermittently.

Meaning that it will work for a while and then the chosen VPN policy will randomly stop working. This happens with both “Do not use VPN for the following” and “Only allow the following use VPN”. Same with “Mac Address” and “Domain/IP”. So something definitely seems to be broken with “VPN Policies” and when it breaks all devices will be routed behind the VPN regardless of chosen policy.

I’m using WireGuard, Mullvad, and 3.203 firmware.

I found this post describing a similar issue with the MT300N-V2:

Problem with mt300n v2, openvpn and vpn policy Technical Support for Routers

OK, based on my unscientific try. if the openvpn disconnect, then if i want to have my openvpn-vpnpolicy working again then i have to do this step : Disconnect the openvpn turn off vpn policy connect openvpn turn on vpn policy then it is working again. it’s a hassle, but for now i have to live with it because i don’t know any other router than can have vpn policy/split tunneling based on domain AND ip like gl-inet. hopefully it can be patched in the next firmware. ps : i have try 3.102 stab…

If I follow those steps it works again, until it randomly decides to quit working again.

alzhao · 2021-09-20T06:51:10.912Z

Did you reboot before vpn polices does not work?

We found a bug that the policies are broken because reboot.

SenseOfScience · 2021-09-20T14:43:37.350Z

Now that you mention it, I have noticed it doesn’t work after reboot. However, I only reboot when I’m trying to fix something, so whatever is breaking VPN policies is happening before the reboot.

I haven’t noticed a discernible pattern. Maybe if the connection drops the same bug occurs? I don’t know.

Can the bug be fixed? Thanks

alzhao · 2021-09-21T01:54:17.544Z

Yes vpn policy will be fixed asap

Mikey · 2021-09-26T13:58:34.450Z

Today i tested a little bit again with wireguard and vpn policy.
If you fix the policy thing please take care of the following:

I found a difference between openvpn and wireguard tunnel. If i use Wireguard with vpn policy enabled and try to reach my server which has the same ip as the Wireguard Endpoint it is not possible to reach it. Traceroute stopps at 192.168.8.1. All other is working. With openvpn and policy enabled its working without problems. Actually i need to change back to openvpn so that my IOT devices can reach my server.

alzhao · 2021-09-27T06:44:43.195Z

Mikey:

With openvpn and policy enabled its working without problems

I tested my. I have openvpn and wireguard server running on one of my router. Then I use another router to connect to it.

I enabled vpn policies on my vpn client router.

But I have a different result.

When using openvpn, I cannot ping my endpoint weather vpn policies are enabled or not.

When using wireguard, I can ping my endpoint if no vpn policy. But when vpn policy is enabled, I cannot ping the end point.

But I can ping the LAN IP of my server router anytime. Why don’t you use the internal IP address of your vpn server?