still struggling with 2nd VPN fallback - strange routing effect



  • So I have the following setup, which works perfectly with a single VPN.

    • WAN allows a few exceptions to pass, i.e. China GeoIPs, work laptop VPN
    • default route is set to VPN Gateway Group with Member Down, VPN1 Tier 1, VPN2 Tier 2
    • static route for the pfSense packages over the WAN (so the package manager works with VPN up or down)
    • VPN directs all WAN traffic to the VPN Gateway Group (with the exception of the above, which goes through WAN)
    • 2 x DNS servers are configured for each of the WAN, VPN1, VPN2 interfaces
    • DNS is redirected to the pfSense box, DNS Resolver used
    • Google Safe Search is forced by redirect

    With only VPN1 enabled, everything works as it should, i.e.

    • no browser traffic passes if VPN1 is down, but all works if VPN is up
    • work laptop can still reach its own VPN if VPN1 is down, but can't browse etc. if its own VPN is down

    Here is where the problem begins:

    • if I bring VPN2 up, even though it is Tier 2 / Member Down in the gateway group, strange routing issues occur,
      i.e. the Linux Mint client cannot do its own package refresh anymore.

    VPN client config

    Topology = subnet One IP
    Don't Pull Routes = unchecked
    Don't Add/Remove Routes = unchecked
    Compression LZO
    UDP Fast IO = checked
    Send/Receive Buffer 512Kb
    
    Custom Options
    remote-random;
    pull;
    verify-x509-name Server name-prefix;
    remote-cert-tls server;
    key-direction 1;
    route-method exe;
    route-delay 2;
    tun-mtu 1500;
    fragment 1300;
    mssfix 1450;
    auth-nocache;
    

    Below is the apt-get update with only VPN1 enabled:

    Ign:1 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
    Hit:2 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa Release
    Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
    Hit:4 http://archive.canonical.com/ubuntu bionic InRelease
    Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
    Hit:6 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
    Hit:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease
    Hit:8 http://security.ubuntu.com/ubuntu bionic-security InRelease
    Hit:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease
    Hit:10 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
    Hit:11 https://repo.skype.com/deb stable InRelease
    Hit:12 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
    Hit:14 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
    Hit:15 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
    Hit:16 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
    Hit:17 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
    Hit:18 https://updates.signal.org/desktop/apt xenial InRelease
    Reading package lists... Done
    

    Below is the apt-get update with both VPN1 and VPN2 enabled.

    I don't understand why the routing is being affected, as the path is not even supposed to be available unless VPN1 is down.

    I should also mention that it doesn't matter which VPN is up or down; so long as only one is up, it works correctly.

    Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
    Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
    Hit:3 http://ppa.launchpad.net/heyarje/makemkv-beta/ubuntu xenial InRelease
    Hit:4 https://repo.skype.com/deb stable InRelease
    Hit:5 http://ubuntu.mirror.tudos.de/ubuntu bionic InRelease
    Get:6 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates InRelease [88.7 kB]
    Get:7 http://ubuntu.mirror.tudos.de/ubuntu bionic-backports InRelease [74.6 kB]
    Hit:8 https://updates.signal.org/desktop/apt xenial InRelease
    Get:9 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main amd64 Packages [682 kB]
    Get:10 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main i386 Packages [559 kB]
    Get:11 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/main Translation-en [251 kB]
    Get:12 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe amd64 Packages [970 kB]
    Get:13 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe i386 Packages [954 kB]
    Get:14 http://ubuntu.mirror.tudos.de/ubuntu bionic-updates/universe Translation-en [293 kB]
    Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
      Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
    Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
      Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
    Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Err:18 http://ppa.launchpad.net/obsproject/obs-studio/ubuntu xenial InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Err:19 http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu xenial InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Err:20 http://ppa.launchpad.net/team-xbmc/ppa/ubuntu bionic InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Err:21 http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu xenial InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Err:22 http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu xenial InRelease
      Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    Fetched 3,960 kB in 31s (127 kB/s)
    Reading package lists... Done
    W: Failed to fetch http://ppa.launchpad.net/jtaylor/keepass/ubuntu/dists/xenial/InRelease  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
    W: Failed to fetch http://ppa.launchpad.net/libreoffice/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Failed to fetch http://ppa.launchpad.net/obsproject/obs-studio/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Failed to fetch http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages/dists/tessa/InRelease  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
    W: Failed to fetch http://ppa.launchpad.net/stebbins/handbrake-releases/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Failed to fetch http://ppa.launchpad.net/team-xbmc/ppa/ubuntu/dists/bionic/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Failed to fetch http://ppa.launchpad.net/thomas.tsai/ubuntu-tuxboot/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Failed to fetch http://ppa.launchpad.net/webupd8team/tor-browser/ubuntu/dists/xenial/InRelease  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
    W: Some index files failed to download. They have been ignored, or old ones used instead.
    
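The apt output quoted in the post mixes two different failure modes on one line: an IPv6 attempt that fails with errno 101 (Network is unreachable, i.e. the client has no route at all) and an IPv4 attempt that times out (a route exists, packets leave, but nothing comes back). That second symptom is what a gateway-group or policy-routing mismatch on the firewall looks like from the client. The script below is an added diagnostic example, not code from the post or from pfSense; it parses the Err: detail lines apt prints and groups failures per host and address family so the two cases can be told apart. The sample input is constructed from the lines quoted above, and the verdict heuristic is an interpretation, not something apt itself reports.

```python
"""Summarise host reachability from `apt-get update` output.

Added example (not from the forum post or pfSense): it parses the Err:
detail lines apt prints and groups failures by host and address family,
so that "no route" (errno 101, ENETUNREACH) can be told apart from
"route exists but nothing comes back" (timeouts), which is the symptom
that points at a policy-routing / gateway-group problem rather than a
missing route.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Status lines: "Hit:1 URL ...", "Get:2 URL ...", "Err:15 URL ..."
HEADER_RE = re.compile(r"^(?P<status>Hit|Get|Ign|Err):\d+ (?P<url>\S+)")
# "Cannot initiate the connection to host:80 (addr). - connect (101: Network is unreachable)"
UNREACH_RE = re.compile(
    r"connection to (?P<host>[^:\s]+):(?P<port>\d+) \((?P<ip>[^)]+)\)\. - "
    r"connect \((?P<errno>\d+): (?P<msg>[^)]+)\)"
)
# "Could not connect to host:80 (addr), connection timed out"
TIMEOUT_RE = re.compile(
    r"Could not connect to (?P<host>[^:\s]+):(?P<port>\d+) \((?P<ip>[^)]+)\), connection timed out"
)
# "Unable to connect to host:http: [IP: addr 80]"
UNABLE_RE = re.compile(
    r"Unable to connect to (?P<host>[^:\s]+):\S+ \[IP: (?P<ip>\S+) (?P<port>\d+)\]"
)

# Constructed sample, cut down from the output quoted in the post above.
SAMPLE_OUTPUT = """\
Hit:1 http://archive.canonical.com/ubuntu bionic InRelease
Get:2 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Err:15 http://ftp.nluug.nl/os/Linux/distr/linuxmint/packages tessa InRelease
  Cannot initiate the connection to ftp.nluug.nl:80 (2001:67c:6ec:221:145:220:21:40). - connect (101: Network is unreachable) Could not connect to ftp.nluug.nl:80 (145.220.21.40), connection timed out
Err:16 http://ppa.launchpad.net/jtaylor/keepass/ubuntu xenial InRelease
  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
Err:17 http://ppa.launchpad.net/libreoffice/ppa/ubuntu bionic InRelease
  Unable to connect to ppa.launchpad.net:http: [IP: 91.189.95.83 80]
Fetched 3,960 kB in 31s (127 kB/s)
Reading package lists... Done
W: Failed to fetch http://ppa.launchpad.net/jtaylor/keepass/ubuntu/dists/xenial/InRelease  Could not connect to ppa.launchpad.net:80 (91.189.95.83), connection timed out [IP: 91.189.95.83 80]
"""


@dataclass
class Failure:
    host: str
    ip: str
    port: int
    reason: str  # "no route" | "timed out" | "unable to connect" | other errno text

    @property
    def family(self) -> str:
        return "IPv6" if ipaddress.ip_address(self.ip).version == 6 else "IPv4"


@dataclass
class Report:
    ok: list = field(default_factory=list)        # repository URLs that Hit/Get succeeded
    failures: list = field(default_factory=list)  # one Failure per attempted address


def parse_apt_update(text: str) -> Report:
    report = Report()
    for line in text.splitlines():
        # apt repeats every failure as a trailing "W: Failed to fetch" line; skip to avoid double counting
        if line.startswith("W:"):
            continue
        header = HEADER_RE.match(line)
        if header:
            if header["status"] in ("Hit", "Get"):
                report.ok.append(header["url"])
            continue
        # Indented continuation lines carry the per-address failure detail; one line may hold several
        for m in UNREACH_RE.finditer(line):
            reason = "no route" if m["errno"] == "101" else m["msg"].lower()
            report.failures.append(Failure(m["host"], m["ip"], int(m["port"]), reason))
        for m in TIMEOUT_RE.finditer(line):
            report.failures.append(Failure(m["host"], m["ip"], int(m["port"]), "timed out"))
        for m in UNABLE_RE.finditer(line):
            report.failures.append(Failure(m["host"], m["ip"], int(m["port"]), "unable to connect"))
    return report


def summarise(report: Report) -> dict:
    """Group failure reasons as {host: {"IPv4" | "IPv6": [reason, ...]}}."""
    out = defaultdict(lambda: defaultdict(list))
    for f in report.failures:
        out[f.host][f.family].append(f.reason)
    return {host: dict(fams) for host, fams in out.items()}


def verdict(summary: dict) -> dict:
    """Heuristic reading of the IPv4 failure mix per host (an interpretation, not apt output)."""
    verdicts = {}
    for host, fams in summary.items():
        v4 = set(fams.get("IPv4", []))
        if v4 and v4 <= {"timed out", "unable to connect"}:
            verdicts[host] = "IPv4 route exists but no reply: check policy routing / gateway group"
        elif v4 == {"no route"}:
            verdicts[host] = "no IPv4 route on the client"
        else:
            verdicts[host] = "mixed: " + ", ".join(sorted(v4)) if v4 else "IPv4 not attempted"
    return verdicts


if __name__ == "__main__":
    rep = parse_apt_update(SAMPLE_OUTPUT)
    print("reachable:", rep.ok)
    for host, fams in summarise(rep).items():
        print(host, fams)
    for host, text in verdict(summarise(rep)).items():
        print(f"{host}: {text}")
```

Run it on a saved `apt-get update 2>&1 | tee apt.log` by feeding the file contents to `parse_apt_update` instead of `SAMPLE_OUTPUT`. A host that shows only "timed out" / "unable to connect" over IPv4 is the one to trace on the firewall: with both VPNs up, check which gateway the client's states are being assigned to and whether reply traffic is leaving via the same interface it arrived on.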
