Application of routing rules in VPN Director


timevacuum

Occasional Visitor
I currently have several working VPN clients setup in the latest MerlinWRT and I have some questions on how VPN Director routing rules are processed/applied.

1. Is the order of rules on the VPN Director screen, the order that they are applied? This appears to be the case but just wanted to confirm.

2. Below I have copied the wiki documentation on the order of rules. Are rules applied from top to bottom such that a rule near the bottom can trump a rule applied earlier? From my perspective this gives a rule further down the list a higher "priority" as it can modify (or trump) a rule further up the list. Am I understanding this correctly?

3. If "2." is correct then how is it possible to create rules that set all clients devices (/24) to use VPN and then has rules for select device IPs to use WAN? (Since the WAN rules are applied first.)

4. If it is possible to do "3." then how is it possible to do the opposite: set all clients devices to use WAN and then have rules for select device IPs to use VPN?


Rules are applied in the following order:
  • Rules with a WAN destination
  • Rules with an OpenVPN 1 destination
  • Rules with an OpenVPN 2 destination
  • ...
  • Rules with an OpenVPN 5 destination
Also note that any routes configured on the Dual WAN page will have a higher priority than all of these.

Edit 21/07/28: changed to use the term devices
 

RMerlin

Asuswrt-Merlin dev
The only order parameter that matters is the interface, as described in what you quoted. Within a given client, there is no specific order - it wouldn't matter anyway, since they are all applied to the same client, so there is nothing to "override" within a client.

3. If "2." is correct then how is it possible to create rules that set all clients (/24) to use VPN and then has rules for select IPs to use WAN? (Since the WAN rules are applied first.)
WAN rules are applied first, so it will accomplish exactly that. Once a WAN rule is matched, then no other rule gets processed for that particular client.
If it is possible to do "3." then how is it possible to do the opposite: set all clients to use WAN and then have rules for select IPs to use VPN?
WAN is the default policy. If no VPN rule is matched, then the client will go through the WAN.
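The evaluation order quoted from the wiki above, combined with the answers in this post (WAN rules checked first, then OpenVPN 1 through 5, first match wins, WAN as the default policy), written out as a small Python model so the four questions can be checked against it. This is an added example written for this page, not VPN Director's own code: the firmware implements the rules with policy routing, not a Python loop. The `Rule`, `route_for` and `disable_client` names and the sample rule sets are constructed for illustration, and treating the rules of a stopped client (tunnel) as skipped is an assumption of the model.

```python
# Added example (not the firmware's own code): a model of VPN Director's
# rule evaluation order as described in the wiki and in RMerlin's reply.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Order stated in the wiki: WAN rules first, then OpenVPN client 1 .. 5.
IFACE_ORDER = ("WAN", "OVPN1", "OVPN2", "OVPN3", "OVPN4", "OVPN5")
DEFAULT_IFACE = "WAN"  # "WAN is the default policy": unmatched traffic takes the WAN.


@dataclass(frozen=True)
class Rule:
    iface: str                    # destination: "WAN" or "OVPN1".."OVPN5"
    local: Optional[str] = None   # source IP or CIDR (LAN device); None = any
    remote: Optional[str] = None  # destination IP or CIDR; None = any
    enabled: bool = True          # False models the rule's client (tunnel) being off (assumption)


def _matches(pattern: Optional[str], addr: Optional[str]) -> bool:
    if pattern is None:   # rule does not constrain this address
        return True
    if addr is None:      # rule constrains it but no address was supplied
        return False
    return ip_address(addr) in ip_network(pattern, strict=False)


def route_for(rules, src: str, dst: Optional[str] = None) -> str:
    """Return the interface traffic from `src` (to `dst`, if given) leaves on."""
    for iface in IFACE_ORDER:                    # the interface is the only ordering that matters
        for r in rules:                          # order within one interface is irrelevant:
            if (r.enabled and r.iface == iface   # every match here yields the same interface
                    and _matches(r.local, src) and _matches(r.remote, dst)):
                return iface                     # first match wins; later interfaces are never consulted
    return DEFAULT_IFACE


def disable_client(rules, iface: str):
    """Copy of `rules` with every rule for `iface` switched off (tunnel stopped)."""
    return [Rule(r.iface, r.local, r.remote, enabled=r.enabled and r.iface != iface) for r in rules]


def scenarios():
    """Constructed rule sets for the questions in the thread (sample data, not a real config)."""
    lan = "192.168.50.0/24"
    # Q3: whole LAN through OVPN1, but .10 and .11 forced out of the WAN.
    q3 = [Rule("OVPN1", local=lan), Rule("WAN", local="192.168.50.10"), Rule("WAN", local="192.168.50.11")]
    # Q4: no blanket rule; only .20 through OVPN1, everything else hits the WAN default.
    q4 = [Rule("OVPN1", local="192.168.50.20")]
    # Cross-client conflicts: .30 listed under OVPN4 and OVPN2; .31 WAN on one client, OVPN3 on another.
    conflict = [Rule("OVPN4", local="192.168.50.30"), Rule("OVPN2", local="192.168.50.30"),
                Rule("OVPN3", local="192.168.50.31"), Rule("WAN", local="192.168.50.31")]
    # Destination-based carve-out: LAN through OVPN1 except traffic to 10/8, which stays on the WAN.
    carve = [Rule("OVPN1", local=lan), Rule("WAN", local=lan, remote="10.0.0.0/8")]
    return {
        "q3_excluded_device": route_for(q3, "192.168.50.10"),
        "q3_other_device": route_for(q3, "192.168.50.99"),
        "q3_rules_reversed": route_for(list(reversed(q3)), "192.168.50.10"),
        "q3_tunnel_stopped": route_for(disable_client(q3, "OVPN1"), "192.168.50.99"),
        "q4_selected_device": route_for(q4, "192.168.50.20"),
        "q4_other_device": route_for(q4, "192.168.50.99"),
        "conflict_two_vpns": route_for(conflict, "192.168.50.30"),
        "conflict_wan_vs_vpn": route_for(conflict, "192.168.50.31"),
        "carve_to_private": route_for(carve, "192.168.50.5", "10.1.2.3"),
        "carve_to_internet": route_for(carve, "192.168.50.5", "1.1.1.1"),
    }


if __name__ == "__main__":
    for name, iface in scenarios().items():
        print(f"{name:22s} -> {iface}")
```

Running it shows the two directions asked about: a WAN rule for a single device beats a /24 rule sending the LAN to a tunnel because WAN rules are checked first, while the opposite case needs no blanket rule at all since anything unmatched falls to the WAN. The reversed-list case shows that the position of a rule in the list is irrelevant, and the cross-client cases show that when the same device appears under two tunnels, the lower-numbered client is reached first.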
 

timevacuum

Occasional Visitor
I noticed you said "for that particular client". If there are conflicting rules between clients, e.g. the same IP with rules on two clients to use VPNs, or the same IP to be routed to WAN on one client (due to an explicit rule) and VPN on another, how is this resolved? Would the policy on the client with the highest number then trump the lower number due to the order of application?
 

kernol

Very Senior Member
If I may throw in my 2 cents worth ... it seems to me that the term "client" is the culprit in causing some confusion when it appears to be used in two different contexts? On the one hand it refers to a VPN client and sometimes seems to refer to a LAN device as a client [for e.g. the OP's sentence "set all clients to use WAN and then have rules for select IPs to use VPN"].

Clearly - you cannot set all VPNClients to use WAN or you will have no tunnels at all!?

So what helps me unpack the wiki is to refer to VPNClients 1 through to 5 as distinct VPN tunnels 1 to 5 - so you may have the same VPN service provider [say NordVPN] but setup 5 different VPN tunnels - each going to different public ip destinations from unique local private ip addresses.

It then makes sense to me that for a particular tunnel you may have many VPN Director rules configured to cater for different local devices - e.g. here is a quote from the wiki changed to my preferred terminology [no offence to author - just my personal trick to get through my own thick skull] ...
  • Clients Tunnels affected by DNS Exclusive mode are also prioritized (so if a client tunnel is affected by DNS Exclusive mode, it will be applied even if a later client device rule for that same tunnel would make it not Exclusive)
This works for my setup in that I have one NordVPN tunnel with UK destination [OPVN3] and DNS "Exclusive" mode / with another separate NordVPN tunnel to a local destination [OPVN5] with DNS set to "Disabled". Any and all devices directed to these separate tunnels behave as expected.

EDIT: However if you set up another VPN client using the same tunnel under say OPVN4 for another device and changed DNS to anything other than "Exclusive" - the rule with "Exclusive" will override for that tunnel and all devices connected to it [whether under OPVN3 or 4].
 
timevacuum

Occasional Visitor
Thank you both for the comments.
You are correct and despite my proper understanding of "client", I have botched my terminology in the original post. I will correct that. I agree that "tunnel" could be a less ambiguous term but as I am a humble beginner I'm going to work with the terminology set by the wizards. I will however keep the idea of "client" being a "tunnel".

"First match wins", even with multiple clients, clarifies things a lot.

I will sometimes need to turn one of the clients (tunnels) on and off. Therefore my goal was to understand whether that client should be first or last and how this would then interact with other clients.
Knowing the "first matching rule wins" even with multiple clients, I can figure this out.

Thanks again.
 
