All devices through VPN tunnel (with Kill Switch) except a bitcoin full node


Frunk

New Around Here
Hi,

I am a non-techie and need some help. I have spent the last 3 weeks setting up a VPN router, and a few problems still remain. I am all Startpaged out and need direct answers.

Setup
Asus RT-AC5300, Asuswrt-Merlin firmware version 384.13 (just noticed .14 is out, I need to update), OpenVPN client with NordVPN as the provider.

Problem
What do I set these settings to:
Accept DNS Configuration: Strict or Exclusive?
Redirect Internet traffic: Policy Rules or Policy Rules (strict)?

Then I understand I need to add these two exceptions under "Rules for routing client traffic through the tunnel" (assuming the static IP address for the Bitcoin Full Node is 192.168.1.100):

LAN                192.168.1.0/24    0.0.0.0    VPN
Bitcoin Full Node  192.168.1.100     0.0.0.0    WAN


But should I also add this(?):

Router             192.168.1.1       0.0.0.0    WAN

Just a reminder (in case it matters), I have enabled Block routed clients if tunnel goes down (Kill Switch).

Thank you so much for any help!

Butterfly Bones

Very Senior Member
Hi,

I am a non-techie and need some help. I have spent the last 3 weeks setting up a VPN router, and a few problems still remain. I am all Startpaged out and need direct answers.

Setup
Asus RT-AC5300, Asuswrt-Merlin firmware version 384.13 (just noticed .14 is out, I need to update), OpenVPN client with NordVPN as the provider.

Problem
What do I set these settings to:
Accept DNS Configuration: Strict or Exclusive?
Redirect Internet traffic: Policy Rules or Policy Rules (strict)?

Then I understand I need to add these two exceptions under "Rules for routing client traffic through the tunnel" (assuming the static IP address for the Bitcoin Full Node is 192.168.1.100):

LAN                192.168.1.0/24    0.0.0.0    VPN
Bitcoin Full Node  192.168.1.100     0.0.0.0    WAN


But should I also add this(?):

Router             192.168.1.1       0.0.0.0    WAN

Just a reminder (in case it matters), I have enabled Block routed clients if tunnel goes down (Kill Switch).

Thank you so much for any help!
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

For your info, read the second paragraph, then see the examples at the bottom. From my personal experience and from helping others here with issues, I say yes to adding the router line exclusive to WAN.
My setup (I have more for individual devices), the basic:
Code:
router 192.168.1.1 0.0.0.0 WAN
lan 192.168.1.0/24 0.0.0.0 VPN
 

Frunk

New Around Here
For your info, read the second paragraph, then see examples at bottom. From my personal experience and helping others here with issues, I say Yes, to adding the router line exclusive to WAN.
I have read that paragraph so many times, but I am too dumb to understand it. That is why I have posted my questions here. I assume your answer is to set "Redirect Internet traffic" to Policy Rules then? Not Policy Rules (strict)?

Does adding the router line exclusive to WAN add any privacy risks? I mean, your answer doesn't sound binary. To me it sounds like I should add it, but I don't have to. And adding it seems more risky in regards to privacy for some reason.

What about "Accept DNS Configuration"?
 

Martineau

Part of the Furniture
I have read that paragraph so many times, but I am too dumb to understand it. That is why I have posted my questions here. I assume your answer is to set "Redirect Internet traffic" to Policy Rules then? Not Policy Rules (strict)?

Does adding the router line exclusive to WAN add any privacy risks? I mean, your answer doesn't sound binary. To me it sounds like I should add it, but I don't have to. And adding it seems more risky in regards to privacy for some reason.

What about "Accept DNS Configuration"?
When the Router boots, it usually needs to access the internet to perform a DNS lookup for the time (NTP servers), and also to resolve the VPN ISP's servers (if they are not explicit static IPs).

If the router is defined to only use the VPN... then catch-22!

Accept DNS configuration used to be a concern for DNS leaks visible to your WAN ISP, but with DoT over the WAN, then neither your WAN ISP nor the VPN ISP can track/hack the DNS requests.

I would recommend 'Policy Rules=Strict', as very few require the more relaxed 'Policy Rules'.
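To make the boot-time catch-22 concrete, here is an added example (not from the thread, and not the Asuswrt-Merlin firmware's own routing code) that models the policy table from the posts above and reports which interface each client exits on. It assumes WAN entries take precedence over VPN entries, that a client matched by no entry uses the WAN, and that the kill switch only blocks VPN-routed clients while the tunnel is down.

```python
# Added example: a small model of the "Policy Rules" table, not Merlin's code.
# Assumptions: WAN entries beat VPN entries, unlisted clients use the WAN, and
# the kill switch only blocks clients whose rule points at the (down) tunnel.
import ipaddress


def matches(spec, addr):
    """'0.0.0.0' means any address; otherwise match a host or CIDR network."""
    if spec == "0.0.0.0":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def route(rules, src, dst="0.0.0.0", tunnel_up=True, kill_switch=True):
    """rules: list of (description, source, destination, 'WAN' | 'VPN')."""
    hits = [iface for _, s, d, iface in rules if matches(s, src) and matches(d, dst)]
    if "WAN" in hits:              # WAN exception wins over a broader VPN rule
        return "WAN"
    if "VPN" in hits:
        if tunnel_up:
            return "VPN"
        return "BLOCKED" if kill_switch else "WAN"   # no kill switch = leak to WAN
    return "WAN"                   # Policy Rules: unlisted clients bypass the tunnel


# The two rule sets discussed in the thread; the second adds the router line.
WITHOUT_ROUTER = [
    ("LAN", "192.168.1.0/24", "0.0.0.0", "VPN"),
    ("Bitcoin Full Node", "192.168.1.100", "0.0.0.0", "WAN"),
]
WITH_ROUTER = WITHOUT_ROUTER + [("Router", "192.168.1.1", "0.0.0.0", "WAN")]


def boot_time_check(rules):
    """Can the router itself reach NTP/VPN servers before the tunnel is up?"""
    return route(rules, "192.168.1.1", tunnel_up=False)


if __name__ == "__main__":
    for name, rules in (("without router line", WITHOUT_ROUTER),
                        ("with router line", WITH_ROUTER)):
        print(f"{name}: router at boot -> {boot_time_check(rules)}")
    print("bitcoin node, tunnel down ->", route(WITH_ROUTER, "192.168.1.100", tunnel_up=False))
    print("laptop, tunnel up   ->", route(WITH_ROUTER, "192.168.1.50"))
    print("laptop, tunnel down ->", route(WITH_ROUTER, "192.168.1.50", tunnel_up=False))
```

Without the router line the router's own boot-time traffic is caught by the LAN rule and blocked by the kill switch; with it, the router and the node both reach the WAN while every other LAN client is held back until the tunnel is up.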
 

Butterfly Bones

Very Senior Member
I have read that paragraph so many times, but I am too dumb to understand it. That is why I have posted my questions here. I assume your answer is to set "Redirect Internet traffic" to Policy Rules then? Not Policy Rules (strict)?

Does adding the router line exclusive to WAN add any privacy risks? I mean, your answer doesn't sound binary. To me it sounds like I should add it, but I don't have to. And adding it seems more risky in regards to privacy for some reason.

What about "Accept DNS Configuration"?
I use "Policy Rules (Strict)" to ensure all clients not specifically excluded go through the VPN.
I have experimented with routing the router to the VPN; you do NOT want to do that, ever. Bad JuJu!

About "Accept DNS Configuration": I set it to "Disabled", since I use an ad blocker and DNS over TLS to specific DNS servers. Other settings compromise those two features. Here is another excellent reference with more thorough explanations.
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

Note in Xentrk's section about "Accept DNS Configuration" set to "Disabled" that he recommends Stubby for DNS over TLS. That was before Asuswrt-Merlin had it built into the WAN page. That will help with your concerns about privacy, encrypting DNS queries, along with sending all traffic via VPN.

You will hide most data from your ISP and others; however, using ANY ISP and ANY commercial VPN means you are still compromising some privacy, but much, much less than without using those two measures.
 

Frunk

New Around Here
Thank you for the article, @Butterfly Bones! I must have totally missed it, or only read it at the start of my VPN router journey and never gotten back to it later. It helps in regard to questions I have in this thread: https://www.snbforums.com/threads/confused-as-to-how-to-make-the-kill-switch-work.46544/#post-533619

So now we have cleared up that I probably need to add:

Router             192.168.1.1       0.0.0.0    WAN

But I am still confused about the two others. Redirect Internet traffic:

"...The Policy Rules (Strict) mode is the preferred setting. However, this will interfere with any route you may have manually configured on your WAN interface, which is why it is listed as a separate option."

Isn't that exactly what I have done? Manually configured a route to my Bitcoin Full Node? Will Policy Rules (strict) interfere with that?

And what about Accept DNS Configuration when you are not using an adblocker?

Accept DNS configuration used to be a concern for DNS leaks visible to your WAN ISP, but with DoT over the WAN, then neither your WAN ISP nor the VPN ISP can track/hack the DNS requests.
I do not understand what you are saying here. Strict or Exclusive? What does DoT mean?

Frunk

New Around Here
In case anybody else is wondering the same thing, here is my conclusion. A few weeks ago I set

Accept DNS Configuration: to Exclusive, and
Redirect Internet traffic: to Policy Rules (strict),

and up until this day this has worked fine. WiFi seems stable, so does the communication with my bitcoin node (it is accepting incoming connections).

How I have checked/tested
In addition to regular WiFi use, I have once a day visited/checked:
- ipleak(dot)net (to check for IP leaks)
- bitnodes(dot)earn(dot)com (to check that my node accepts incoming connections)
- That my node has >8 incoming connections (by logging on to the node itself)
- Sent a "Node Heartbeat" via an app that is connected to my node (Sats app, Casa node)

This is probably not an extensive way of testing, but with my limited knowledge on the subject it is all I can do. Hope this can be of help to anybody else who is on their journey to regain their financial sovereignty and privacy.
 

SheikhSheikha

Regular Contributor
Thank you for the article, @Butterfly Bones! I must have totally missed it, or only read it at the start of my VPN router journey and never gotten back to it later. It helps in regard to questions I have in this thread: https://www.snbforums.com/threads/confused-as-to-how-to-make-the-kill-switch-work.46544/#post-533619

So now we have cleared up that I probably need to add:

Router             192.168.1.1       0.0.0.0    WAN

But I am still confused about the two others. Redirect Internet traffic:

"...The Policy Rules (Strict) mode is the preferred setting. However, this will interfere with any route you may have manually configured on your WAN interface, which is why it is listed as a separate option."

Isn't that exactly what I have done? Manually configured a route to my Bitcoin Full Node? Will Policy Rules (strict) interfere with that?

And what about Accept DNS Configuration when you are not using an adblocker?

I do not understand what you are saying here. Strict or Exclusive? What does DoT mean?
DoT can be found under WAN - Internet Connection.

The DNS servers can be selected from the Preset Servers button.

Further, under LAN - DNS Filter set your DNS filter to ROUTER and do NOT add any DNS servers there!

Last but not least: search this forum for
RT-AC5300 Performance & Security Guide, which contains a ton of valuable information and configuration choices.