Selective Routing with Asuswrt-Merlin

I know you're kidding! (and so was I) ;)
I followed up on your post telling that; I want to be able to selectively route ports. I haven't laid out the complete network, not to make things more complicated than they already are. But to shed some light: I have a few applications (that use a unique port) that connect to the office, these require a VPN. BUT I also have my personal VPN. So when travelling abroad (for a living that is, not the occasional holiday (*) ) I want uhm...need to be able to redirect ports to WAN, VPN1 and VPN2 from the same computer. And that's just one computer.
I already achieved that with both the script and the GUI. Thanks to your suggestions I was able to do that in multiple ways; selectively routing devices is not the problem.
Exactly! Question remains: how do I do that, is it as simple as altering the script with the few lines (as I wrote in the post in red)?

Thanks for helping me out Martineau, I really appreciate it.

Regards,
Erwin

(*) We (me and 2 to 3 colleagues) set up shop at the client's office, and we bring our own router (so we can connect to each other without the hassle of security, permission etc.). Every team member (team members rotate) requires VPN access to the office, but we'd like to watch national television remotely as well, hence the 2 VPNs and selective port routing.


Well I'm sure that's not a breach of professional conduct ...watching TV on a client's premises while you are supposed to be working? ;)
 
Nope, we're paid for the results we make, not for the time we spend.
And sometimes we've to wait for others to come through, then we either go out for a meal or catch up with home.
 
Total noob question: I have one client set up under policy rules to route all traffic through the VPN. When I look in System Log --> Connections, I see that the destination address for all UDP traffic is the DNS server (State: Assured). The destination addresses for TCP traffic vary (State: ESTABLISHED or TIME_WAIT). Does this mean that some traffic (TCP) from this client is not routing through the VPN? I have no clue what I'm looking at, obviously. :) Again, total noob so go easy on me. ;)
 

The info on that page has nothing to do with routing.
 
Hi,

I was wondering if it would be possible to set up a VPN just for surfing a specific website ("You said Netflix?" "Of course not!..." :lol: ).

I have seen (so many) useful posts in this thread but I would need to know how to do it just for this specific domain.

I actually still need to find a good, reliable and possibly cheap VPN for streaming (any advice is really appreciated), but I would like at first to know if this would be possible.

Thanks,

giopas
 
Sorry for my ignorance. Is there a simple way to have only one computer use the VPN and all others automatically use WAN? Without me adding every single device in my home to the routing list? It seems like a simple setting to have but whenever I try these things it seems that is not how the world works.

I tried 0.0.0.0 for source and that didn't work.
Tried 192.168.1.20/32, that didn't work (had no idea what I was trying there).

I prayed there would be a simple "only route selected" option. But alas.... I am too idealistic.
 
That feature was added over three months ago... Read the documentation.
 
You see.... I AM looking through the documentation. I open up the section I believe would have the answer, "Configuring OpenVPN", and that has two paragraphs and a link to another site.
 
Copy and repasted from the documentation.

OpenVPN client policy routing
-----------------------------
When configuring your router to act as an OpenVPN client (for instance
to connect your whole LAN to an OpenVPN tunnel provider), you can
define policies that determine which clients, or which destinations
should be routed through the tunnel, rather than having all of your
traffic automatically routed through it.

On the OpenVPN Clients page, set "Redirect Internet traffic" to
"Policy Rules". A new section will appear below, where you can
add routing rules. The "Source IP" is your local client, while
"Destination" is the remote server on the Internet. The field can be
left empty (or set to 0.0.0.0) to signify "any IP". You can also
specify a whole subnet, in CIDR notation (for example, 74.125.226.112/30).

The Iface field lets you determine if matching traffic should be sent
through the VPN tunnel or through your regular Internet access (WAN).
This allows you to define exceptions (WAN rules being processed
before the VPN rules).

Here are a few examples.

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

Or, to have a computer routed through the tunnel except for requests sent
to your ISP's SMTP server (assuming a fictitious IP of 10.10.10.10 for your
ISP's SMTP server):

PC1 192.168.1.100 0.0.0.0 VPN
PC1-bypass 192.168.1.100 10.10.10.10 WAN

Another setting exposed when enabling Policy routing is to prevent your
routed clients from accessing the Internet if the VPN tunnel goes down.
To do so, enable "Block routed clients if tunnel goes down".
 
cool....

I did try that as stated in my original post.

I tried 0.0.0.0 to 0.0.0.0 WAN
and 192.168.1.10 to 0.0.0.0 VPN

Nothing but the VPN worked

but thank you (sincerely) for your reply

EDIT - I will admit my original post left a LOT of detail out! I do apologise for that.
 
Don't put a 0.0.0.0 - 0.0.0.0 WAN, because that will overrule every other rule. Just put one single rule for the VPN access - everything else by default will use the WAN.
 
I'll try that again... that's what I had last night, but I awoke to nothing working (bar the VPN) this morning.

So to recap a whole day of trying to understand the many webpages of confusing (to me) information. I probably had it correct last night but something went wrong..... poo.

So in the policies if I ONLY have the 192.168.1.10 in there as VPN, EVERY other device should still go through the WAN as per normal?
 
To clarify the rule priorities, in that order:

1) Everything (by default) goes through WAN
2) Any VPN rules will override that
3) Any WAN rules will override the two previous ones
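
The priority order above and the "Name Source Destination Iface" rules from the quoted documentation, as a small added model (not part of the thread and not the firmware's own code). The function names are hypothetical, and the evaluation is an assumption based only on the three priorities stated in the thread; the rule sets are the ones discussed in the posts.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(field):
    """0.0.0.0 (or empty) means "any IP"; otherwise a single IP or CIDR block."""
    field = field.strip()
    return ANY if field in ("", "0.0.0.0") else ipaddress.ip_network(field, strict=False)

def parse_rules(text):
    """Parse 'Name Source Destination Iface' lines (0.0.0.0 written explicitly)."""
    rules = []
    for line in text.strip().splitlines():
        name, src, dst, iface = line.split()
        rules.append((name, _net(src), _net(dst), iface.upper()))
    return rules

def egress(rules, src, dst):
    """Return 'WAN' or 'VPN' for one flow, using the priorities from the thread."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = {iface for _, s, d, iface in rules if src in s and dst in d}
    if "WAN" in hits:   # 3) WAN rules override the two below
        return "WAN"
    if "VPN" in hits:   # 2) VPN rules override the default
        return "VPN"
    return "WAN"        # 1) everything goes through WAN by default

def shadowed_vpn_rules(rules):
    """Names of VPN rules that can never match because a WAN rule covers them."""
    wan = [(s, d) for _, s, d, iface in rules if iface == "WAN"]
    return [name for name, s, d, iface in rules if iface == "VPN"
            and any(s.subnet_of(ws) and d.subnet_of(wd) for ws, wd in wan)]

# Rule sets taken from the posts above.
DOC_RULES = parse_rules("""
PC1 192.168.1.100 0.0.0.0 VPN
PC1-bypass 192.168.1.100 10.10.10.10 WAN
""")
CATCH_ALL = parse_rules("""
All 0.0.0.0 0.0.0.0 WAN
Server 192.168.1.10 0.0.0.0 VPN
""")
SINGLE = parse_rules("Server 192.168.1.10 0.0.0.0 VPN")

if __name__ == "__main__":
    print(egress(DOC_RULES, "192.168.1.100", "10.10.10.10"))  # bypass rule wins
    print(shadowed_vpn_rules(CATCH_ALL))                       # catch-all WAN rule
    print(egress(SINGLE, "192.168.1.50", "8.8.8.8"))           # unlisted device
```

Running `shadowed_vpn_rules` over a rule list before saving it flags a catch-all WAN entry that would cancel the intended VPN rule.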
 
Correct. Also don't use CIDR notation when specifying a single IP, just in case for some odd reason it would break something. My usual feature testing is done with the IP of my development VM as the source, and 0.0.0.0 as the destination, routed through VPN.
 
OK, so I may need to double check the rest of my settings. The only ones that I can see that I cannot measure against the VPN provider are the "Custom Configuration" ones. Thank you for your help..
 
[Attached image: 4io8js.jpg]

Here are the settings.

When switched on, the server connects to the net. Every other device loses internet connection after a period of time or a reset. I'm flummoxed
 
Alright, here's a curly one for you! I found one possible flaw: I had a static key set up, I believe it was from when I originally tried to learn how to use the OpenVPN in Merlin and gave up months ago.... That has been deleted and I have reset the router.

My Windows laptop is connecting, well at least for the last 20 minutes. But Android phones and tablets don't. Wireless says 'no internet' again.... flummoxed!!
 
