Exclude Single Computer from VPN

Thunderclap

Occasional Visitor
I want to configure my router so all traffic on my network goes through my VPN (PIA). However, I would like a single machine to be excluded from the VPN, my Plex server, so it can be accessed remotely. Is there a way to set up the VPN to exclude a specific machine?
 
Yes, very easy with Policy Based Routing. Description and examples here.
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Here is how mine looks (with one IP redacted).
Code:
Router        192.168.1.1     0.0.0.0  WAN
LAN           192.168.1.0/24  0.0.0.0  VPN
Vizio         192.168.1.xx    0.0.0.0  WAN
 
Well I must be doing something wrong since when I enable that setting and configure it the VPN says it’s working but everything still goes through my ISP. I’ll have to play with it some more to figure out what I’m doing wrong. Thanks for the link though. It’s helpful!
 
Do you have this setting, "Redirect Internet traffic" set to Policy Rules (strict)?

That is near the bottom under the Advanced Features heading.
 
It is working properly as described above.
I have 7 devices excluded from VPN using Policy Rules (Strict).

- make sure each device has Manually Assigned IP in DHCP list
- route all traffic through VPN first - 192.168.1.0/24 - 0.0.0.0 - VPN -> Add
- exclude router for remote access - 192.168.1.1 - 0.0.0.0 - WAN -> Add
- exclude devices you need on WAN - 192.168.1.x - 0.0.0.0 - WAN -> Add
- click Apply at the bottom of the page to save/activate rules

No need to reboot the router. Only the VPN will reconnect after you click Apply.
 
Not meaning to correct you, just to reiterate that order does not matter: WAN rules are processed before VPN rules. See the last sentence of the first paragraph, in parentheses.
The "Iface" field (short for Interface) lets you determine if matching traffic should be sent through the VPN tunnel or through your regular Internet access (WAN). This allows you to define exceptions (WAN rules being processed before the VPN rules).

By default, all traffic goes through the WAN. What you define there with a VPN iface will be routed through the VPN. Use the WAN iface to configure exceptions to configured VPN rules (for instance, if you configure a /24 to be routed through the VPN, but want one IP within that /24 to be routed through the WAN instead).
 
Correct. The sequence above is in case he wants to test after every step. All devices through VPN first, then exceptions. It’s just easier to diagnose where the error is.
 
Okay, so I first tried to configure my router manually using the instructions here, however there are a few inconsistencies in the instructions. It says to turn Create NAT on Tunnel to YES but I have no option to do that. It also says that Extra HMAC Authorization should be DISABLED which is also missing. Negotiable ciphers breaks the two strings with a comma when it should be a colon, and it says Compression should be set to ADAPTIVE but that isn't an option, however the only thing is LZO Adaptive.

I've also tried downloading the OVPN file from here. It configures the settings but it still doesn't work. Here is what my settings look like:
(three screenshots of the OpenVPN client settings page, not reproduced)


I thought my Pi-Hole DNS was causing the problem so I defaulted to just having the DNS empty but that didn't help, so I switched it to Google's and still nothing. I am seeing the following error under DNS Privacy Protocol: Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers.

I'm not sure what else to try. It appears as if it's connected but for some reason when I check my IP on PIA's site it still shows my carriers assigned IP.

Thoughts?
 
I am seeing the following error under DNS Privacy Protocol: Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers.
This means you have DNS servers defined on your LAN DHCP Server page, which would bypass the router for DNS. I’m not a VPN user, so not sure how that may be influencing your problem. But generally you want LAN DHCP DNS blank.
 
Thoughts?

You didn't tell your clients what to do with this VPN tunnel.

- Policy Rules (Strict)
- Block routed clients if the tunnel goes down -> Yes
- Rules for routing client traffic -> All Devices - 192.168.1.0/24 - 0.0.0.0 - VPN

Now you have all devices going through VPN with Kill Switch.

Next you can exclude a specific device by IP address -> Xbox One - 192.168.1.20 - 0.0.0.0 - WAN (for example)
If you need remote access to the router -> Router - 192.168.1.1 - 0.0.0.0 - WAN (DDNS access, for example)

Don't forget Manually Assigned IP in LAN -> DHCP Server for devices you need to exclude.
 
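To make the two points above concrete (the wiki's "WAN rules are processed before the VPN rules" and the step-by-step rule table in the last reply), here is an added example that models how that rule table decides where a LAN host's traffic leaves the router. It is not code from the thread, the wiki or the Asuswrt-Merlin firmware; the rule names, host addresses and router states are constructed, and the semantics it assumes are only those stated in the thread: WAN rules win regardless of the order they were entered, unmatched traffic uses the WAN, "Redirect Internet traffic" set to No steers nothing into the tunnel, and "Block routed clients if the tunnel goes down" drops rather than leaks VPN-routed hosts. The difference between "Policy Rules" and "Policy Rules (strict)" is not modelled.

```python
# Added illustration (not Asuswrt-Merlin's own code): a model of how the
# "Rules for routing client traffic" table decides a LAN host's egress.
# Assumed semantics, taken from the thread and the wiki text it quotes:
# WAN rules are evaluated before VPN rules whatever their position in the
# table; traffic matching no rule uses the WAN; with the kill switch on, a
# VPN-routed host is blocked, not leaked, while the tunnel is down.
import ipaddress
from dataclasses import dataclass

WAN, VPN, BLOCKED = "WAN", "VPN", "BLOCKED"


@dataclass(frozen=True)
class Rule:
    description: str   # free text, as in the GUI's Description column
    source: str        # LAN IP or CIDR; "0.0.0.0" is the GUI wildcard
    destination: str   # remote IP or CIDR; "0.0.0.0" is the GUI wildcard
    iface: str         # WAN or VPN


def _network(spec: str) -> ipaddress.IPv4Network:
    """Translate a GUI address field into a network object."""
    if spec in ("", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def _matches(rule: Rule, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in _network(rule.source)
            and ipaddress.ip_address(dst) in _network(rule.destination))


def egress(rules, src, dst, *, redirect="Policy Rules (strict)",
           tunnel_up=True, kill_switch=True):
    """Return WAN, VPN or BLOCKED for a packet from src to dst.

    redirect mirrors the "Redirect Internet traffic" setting: "No",
    "All traffic", "Policy Rules" or "Policy Rules (strict)".  The two
    policy modes are treated identically in this model (assumption).
    """
    if redirect == "No":
        # The tunnel may be up, but nothing is steered into it: the symptom
        # reported earlier in the thread (VPN "connected", ISP IP visible).
        return WAN
    if redirect == "All traffic":
        return VPN if tunnel_up else (BLOCKED if kill_switch else WAN)
    if redirect not in ("Policy Rules", "Policy Rules (strict)"):
        raise ValueError(f"unknown redirect mode: {redirect!r}")
    # Pass 1: WAN exceptions win whatever position they occupy in the table.
    for rule in rules:
        if rule.iface == WAN and _matches(rule, src, dst):
            return WAN
    # Pass 2: VPN rules, honouring the kill switch when the tunnel is down.
    for rule in rules:
        if rule.iface == VPN and _matches(rule, src, dst):
            return VPN if tunnel_up else (BLOCKED if kill_switch else WAN)
    return WAN  # default: unmatched traffic uses the regular WAN


# Constructed rule table following the recipe given in the thread.
RULES = (
    Rule("All Devices", "192.168.1.0/24", "0.0.0.0", VPN),
    Rule("Router", "192.168.1.1", "0.0.0.0", WAN),
    Rule("Xbox One", "192.168.1.20", "0.0.0.0", WAN),
)


def route_table(rules, hosts, dst="1.1.1.1", **state):
    """Map each LAN host to its egress for a given router state."""
    return {h: egress(rules, h, dst, **state) for h in hosts}


if __name__ == "__main__":
    hosts = ["192.168.1.1", "192.168.1.20", "192.168.1.50"]
    for label, state in (("tunnel up", {}),
                         ("tunnel down, kill switch", {"tunnel_up": False}),
                         ("tunnel down, no kill switch",
                          {"tunnel_up": False, "kill_switch": False}),
                         ("redirect = No", {"redirect": "No"})):
        print(f"{label}: {route_table(RULES, hosts, **state)}")
```

Two things the model makes visible that the GUI does not: a host whose DHCP lease moves it from 192.168.1.20 to, say, 192.168.1.77 silently falls back into the /24 VPN rule, which is why the replies insist on a Manually Assigned IP for every excluded device; and with the kill switch off, a tunnel outage turns a VPN-routed host into a WAN-routed one with no warning. On the router itself the firmware realises these rules as Linux policy-routing entries, so `ip rule show` over SSH is the place to confirm what the GUI actually installed.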
