still struggling with 2nd VPN fallback - strange routing effect
So I have the following setup, which works perfectly with a single VPN.
- WAN allows a few exceptions to pass, i.e. China GeoIPs, work laptop VPN
- default route is set to the VPN Gateway Group with Member Down, VPN1 Tier 1, VPN2 Tier 2
- static route for the pfSense packages over the WAN (so the package manager works with the VPN up or down)
- VPN directs all WAN traffic to the VPN Gateway Group (with the exception of the above, which goes through WAN)
- 2 x DNS are configured for each of the WAN, VPN1 and VPN2 interfaces
- DNS is redirected to the pfSense box, DNS Resolver used
- Google SafeSearch is force-redirected
With only VPN1 enabled, everything works as it should, i.e.
- no browser traffic passes if VPN1 is down, but everything works if the VPN is up
- the work laptop can still reach its own VPN if VPN1 is down, but can't browse etc. if its own VPN is down
Here is where the problem begins:
- If I bring VPN2 up, even though it is Tier 2 (Member Down) in the gateway group, strange routing issues occur,
i.e. the Linux Mint client cannot do its own package refresh anymore.
VPN client config:
- Topology = subnet (one IP)
- Don't Pull Routes = unchecked
- Don't Add/Remove Routes = unchecked
- Compression = LZO
- UDP Fast IO = checked
- Send/Receive Buffer = 512Kb
- Custom Options: remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;
Below is the apt-get update output with only VPN1 enabled:
Ign:1 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
Hit:2 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa Release
Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
Hit:4 http://archive.canonical.com/ubuntu bionic InRelease
Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
Hit:6 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
Hit:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease
Hit:8 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease
Hit:10 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
Hit:11 https://repo.skype.com/deb stable InRelease
Hit:12 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
Hit:14 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
Hit:15 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
Hit:16 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
Hit:17 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
Hit:18 https://updates.signal.org/desktop/apt xenial InRelease
Reading package lists... Done
Below is the apt-get update output with both VPN1 and VPN2 enabled.
I don't understand why the routing is being affected, as the path is not even supposed to be available unless VPN1 is down.
I should also mention that it doesn't matter which VPN is up or down; so long as only one is up, it works correctly.
Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
Hit:4 https://repo.skype.com/deb stable InRelease
Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
Get:6 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease [88.7 kB]
Get:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease [74.6 kB]
Hit:8 https://updates.signal.org/desktop/apt xenial InRelease
Get:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main amd64 Packages [682 kB]
Get:10 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main i386 Packages [559 kB]
Get:11 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main Translation-en [251 kB]
Get:12 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe amd64 Packages [970 kB]
Get:13 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe i386 Packages [954 kB]
Get:14 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe Translation-en [293 kB]
Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Err:18 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Err:19 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Err:20 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Err:21 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Err:22 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Fetched 3,960 kB in 31s (127 kB/s)
Reading package lists... Done
W: Failed to fetch http://ppa.launchpad.net/jtaylor/keepass/ubuntu/dists/xenial/InRelease  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
W: Failed to fetch http://ppa.launchpad.net/libreoffice/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Failed to fetch http://ppa.launchpad.net/obsproject/obs-studio/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Failed to fetch http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages/dists/tessa/InRelease  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
W: Failed to fetch http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Failed to fetch http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Failed to fetch http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Failed to fetch http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
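As an added example (not part of the original post), a small Python helper that parses two apt-get update runs like the ones quoted above and lists the mirror hosts that succeeded with VPN1 only but failed with both VPNs up, along with the addresses apt tried and the error reasons it printed; the two sample outputs are constructed, abbreviated excerpts of the post's runs. Because apt printed resolved addresses for the failing hosts, the comparison isolates which destinations stopped being reachable rather than which names stopped resolving, which is the first thing to line up against the gateway group's routing table.

```python
import re
from urllib.parse import urlparse

# Constructed, abbreviated excerpts of the two apt-get update runs quoted in the post.
APT_VPN1_ONLY = """\
Ign:1 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
Hit:2 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa Release
Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
Hit:4 http://archive.canonical.com/ubuntu bionic InRelease
Reading package lists... Done
"""

APT_BOTH_VPNS = """\
Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Reading package lists... Done
"""

STATUS_RE = re.compile(r"^(Ign|Hit|Get|Err):\d+\s+(\S+)")
# IPv4 dotted quad, or an IPv6 literal with at least two colon-separated groups.
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|\b(?:[0-9a-f]{1,4}:){2,7}[0-9a-f]{1,4}\b", re.I)
REASONS = ("Network is unreachable", "connection timed out", "Unable to connect")

def parse_apt(text):
    """Map each mirror host to its ok/err counts, the IPs apt tried and the error reasons seen."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, url = m.groups()
            current = urlparse(url).hostname
            rec = hosts.setdefault(current, {"ok": 0, "err": 0, "ips": set(), "reasons": set()})
            rec["err" if status == "Err" else "ok"] += 1
        elif current and line.startswith(" "):  # indented detail line belonging to the last Err entry
            hosts[current]["ips"].update(IP_RE.findall(line))
            hosts[current]["reasons"].update(r for r in REASONS if r in line)
    return hosts

def regressed_hosts(before_text, after_text):
    """Hosts with no errors in the first run but at least one in the second, sorted by name."""
    before, after = parse_apt(before_text), parse_apt(after_text)
    return sorted(h for h in before if before[h]["err"] == 0 and after.get(h, {}).get("err", 0) > 0)

if __name__ == "__main__":
    after = parse_apt(APT_BOTH_VPNS)
    for host in regressed_hosts(APT_VPN1_ONLY, APT_BOTH_VPNS):
        print(host, sorted(after[host]["ips"]), sorted(after[host]["reasons"]))
```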