Asus Merlin basic VPN+device routing concerns

JoeBee

Regular Contributor
Hi, I have an RT-AC86U router with the latest Merlin firmware (double flashed, clean install). I just wanted to double check that my existing setup is OK for my basic needs of running the AirVPN OpenVPN client and policy device routing, since I have a few devices that can only work on WAN/ISP clear net, namely cable TV boxes and a TV set. The rest of my devices (PC etc.) are on AirVPN OpenVPN.

I have checked the AirVPN Merlin guide from the AirVPN forums, but it's from 2015 so basically out of date, so I am confused on a few areas and my existing setup could be incorrect.

Existing setup

All factory defaults on router.

Internet Status: Connected with WAN IP

VPN>VPN Client:

VPNDirector
I have pretty much just browsed to my OpenVPN .ovpn config file and it has automatically set it all up with those settings by default. The only things I have done are: set Accept DNS Configuration to Exclusive, set Redirect Internet traffic through tunnel to VPN Director (policy rules), set Killswitch (block routed clients if tunnel goes down) to YES, and then gone to VPN Director and added the few devices I want on WAN (cable TV, LG TV) and left a rule of all devices 192.168.1.0/24 to use OVPN1 (AirVPN).

LAN>DHCP Setup

WAN>Internet Connection
So I used the 2015 AirVPN guide as a basic reference by setting up the WAN DNS servers: the 1st DNS address as the AirVPN DNS 10.4.0.1 and, as they recommend, a secondary one from OpenNIC (195.10.195.195). I also set UPnP to off.

LAN DHCP setup: there is some conflicting advice on this one around the net. More recent guides, like the ones for Mullvad Merlin OpenVPN, suggest you do need to set up the LAN DHCP here and add a public DNS (OpenNIC etc.). I also enable manual assignment, since I can give my cable boxes (360) my ISP's DNS address so they work properly. Advertise router's IP in addition to user-specified DNS is set to YES.


My concerns below on the points emboldened above:

I am unsure about Accept DNS Configuration set to Exclusive. I believe Exclusive allows me to use some devices on my AirVPN/OpenVPN and others on WAN (ISP IP); is this correct?

Is the all devices 192.168.1.0/24 rule under VPN Director OK? It was set so that any new device that joins my network, e.g. a new mobile phone, is protected on AirVPN. I also set my Windows PC's IPv4 network settings with a static IP address and added the same AirVPN DNS 10.4.0.1, just in case.

I am confused about the LAN and WAN DNS servers part also: do I need both or only one? The original AirVPN guide mentions only the WAN setup. Multiple other guides/videos suggest you don't need to do the LAN DNS settings at all and only the WAN DNS setup, but Mullvad's guide shows the LAN DHCP and LAN DNS set up here.

If you can spot any other settings that are incorrect, please let me know. I use ipleak and DNSleaktest, and the AirVPN website confirms no leaks. It has pretty much been stable, but I do sometimes get no access to the router (could be a router issue though, or bad config), so I am just double checking all is well.
 

TonyK132

Senior Member
I have a situation like yours, where I have some IoT devices that must have WAN only access, and I have other devices that do not care if they sit behind a VPN. Here's what I did. If you want to do something similar, you should start over and reset the router to factory defaults.
1. I defined 3 address ranges within my subnet map:
- 192.168.2.1 - xx.31. This range contains my static IP devices that want WAN-only access, like my TVs, STBs, Rokus, etc.
- xx.32 - xx.191. This is the range that I use for serving up DHCP addrs that will use the VPN.
- xx.192 - xx.231. This is the range I use for static addr devices that will also use the VPN.
- you can adjust these ranges to suit your needs, as long as you pay attention to the CIDR rules for addrs
2. Set VPN1 per the instructions from your VPN provider. In VPN Director, set the addrs xx.32 - xx.231 to use VPN1. By default, all other addrs that are not in this range will use the WAN. You will need multiple statements to cover the addr range correctly. This link will help you with this:
https://www.ipaddressguide.com/cidr
3. For DNS, I use Unbound, but I think you should use DNSSEC with DNS-over-TLS, Profile=Strict, with the 2 Cloudflare addrs. That will give you good security using the Merlin DNS options. If you prefer, you could use any other DNS provider here rather than Cloudflare.
4. In DNS Filter page, turn that on, set to Router, and put in the addrs of your router for Custom DNS. That will tell all your devices to use your router to resolve their DNS requests.
5. In the VPN page, I use Exclusive, which means all DNS requests for devices that use the VPN will also use your router to resolve their DNS requests.
6. After you make these changes, be sure to reboot the router, then test all the addr ranges to ensure they are doing what you want.
7. If Buffer Bloat is an issue for you, you should turn on Cake QoS. That should solve that problem.

There may be more things that you need to do but this should get you started. Good luck.
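As an added worked example (not from either poster), the following Python script does the CIDR arithmetic behind steps 1 and 2 above: it splits the constructed xx.32 - xx.231 VPN range in a 192.168.2.0/24 LAN into the minimal set of blocks, one per VPN Director rule, and checks that every host outside those blocks falls through to the WAN as the post describes. The `vpn_director_rules`, `route_for` and `check_ranges` names are hypothetical.

```python
import ipaddress

# Constructed layout following TonyK132's three ranges in a 192.168.2.0/24 LAN:
# .1-.31 static WAN-only devices, .32-.191 DHCP pool on VPN, .192-.231 static on VPN.
LAN = ipaddress.ip_network("192.168.2.0/24")
VPN_FIRST = ipaddress.ip_address("192.168.2.32")
VPN_LAST = ipaddress.ip_address("192.168.2.231")


def vpn_director_rules(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    Each block becomes one VPN Director rule with interface OVPN1; the
    assumption (as stated in the post) is that anything outside these blocks
    uses the WAN by default.
    """
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def route_for(host, rules):
    """Classify a LAN host as 'OVPN1' if any rule block covers it, else 'WAN'."""
    ip = ipaddress.ip_address(host)
    if ip not in LAN:
        raise ValueError(f"{host} is not inside {LAN}")
    return "OVPN1" if any(ip in ipaddress.ip_network(r) for r in rules) else "WAN"


def check_ranges(rules):
    """Step 6 sanity check: every .32-.231 host hits OVPN1, all others hit WAN."""
    for ip in LAN.hosts():
        expected = "OVPN1" if VPN_FIRST <= ip <= VPN_LAST else "WAN"
        if route_for(str(ip), rules) != expected:
            return False
    return True


if __name__ == "__main__":
    rules = vpn_director_rules(VPN_FIRST, VPN_LAST)
    for r in rules:
        print(f"VPN Director rule: {r:<20} -> OVPN1")
    print("Roku at .5     ->", route_for("192.168.2.5", rules))    # WAN
    print("Laptop at .100 ->", route_for("192.168.2.100", rules))  # OVPN1
    print("ranges consistent:", check_ranges(rules))
```

The five blocks it prints are the rules to enter; a single off-by-one at the .224 boundary (e.g. /28 instead of /29) would silently put .232-.239 on the VPN, which is exactly what the reboot-and-test step is meant to catch.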
 

JoeBee

Regular Contributor
I have a situation like yours, where I have some IoT devices that must have WAN only access, and I have other devices that do not care if they sit behind a VPN. Here's what I did. If you want to do something similar, you should start over and reset the router to factory defaults.
1. I defined 3 address ranges within my subnet map:
- 192.168.2.1 - xx.31. This range contains my static IP devices that want WAN-only access, like my TVs, STBs, Rokus, etc.
- xx.32 - xx.191. This is the range that I use for serving up DHCP addrs that will use the VPN.
- xx.192 - xx.231. This is the range I use for static addr devices that will also use the VPN.
- you can adjust these ranges to suit your needs, as long as you pay attention to the CIDR rules for addrs
2. Set VPN1 per the instructions from your VPN provider. In VPN Director, set the addrs xx.32 - xx.231 to use VPN1. By default, all other addrs that are not in this range will use the WAN. You will need multiple statements to cover the addr range correctly. This link will help you with this:
https://www.ipaddressguide.com/cidr
3. For DNS, I use Unbound, but I think you should use DNSSEC with DNS-over-TLS, Profile=Strict, with the 2 Cloudflare addrs. That will give you good security using the Merlin DNS options. If you prefer, you could use any other DNS provider here rather than Cloudflare.
4. In DNS Filter page, turn that on, set to Router, and put in the addrs of your router for Custom DNS. That will tell all your devices to use your router to resolve their DNS requests.
5. In the VPN page, I use Exclusive, which means all DNS requests for devices that use the VPN will also use your router to resolve their DNS requests.
6. After you make these changes, be sure to reboot the router, then test all the addr ranges to ensure they are doing what you want.
7. If Buffer Bloat is an issue for you, you should turn on Cake QoS. That should solve that problem.

There may be more things that you need to do but this should get you started. Good luck.

Thank you very much for the detailed guide. I'll keep those pointers in mind next time; for now I have reset my router, left everything at defaults and just done the very basic raw setup, with only the WAN DNS set up per the old VPN provider's guide. Everything is working for now, so I will just see if it's stable.

QoS is switched off, but I did get the issue where my router won't always let me access the web UI or 192.168.1.1.
I believe it's a known bug of the AC86U router, so I have installed scMerlin so I can reset the web UI through PuTTY, and I have also set check for Merlin updates to off and a scheduled reboot once a week. Hopefully the web UI doesn't lock up again.
 

TonyK132

Senior Member
That bug's been there forever. I decided to create a script to reset the GUI every 4 hrs. Since I did that, I've had no lockup problems. Now the only GUI problem I have is that GUI webpages do not always completely display properly, but I've learned to live with that.
 

JoeBee

Regular Contributor
That bug's been there forever. I decided to create a script to reset the GUI every 4 hrs. Since I did that, I've had no lockup problems. Now the only GUI problem I have is that GUI webpages do not always completely display properly, but I've learned to live with that.
Ahh, that makes sense. I was not 100% sure of the bug when I read it on other threads; I was thinking it might be something I was doing wrong config-wise, until I read that others had the same issue.

The 4 hour script sounds like a great idea; does one need to redo it that often though? Someone suggested that if you disable the Merlin update check and schedule a weekly reboot the issue is fixed or lessened, so I have done that, but also installed the scMerlin addon.
 

TonyK132

Senior Member
I do not know if 4 hrs is the magic time. I just know that it works for me. It happens automatically as a cron job so I do not know that it happened.

A weekly reboot is a good idea in theory, but another problem you might encounter if you do that is that once in a while, it does not wake up from the reboot. This then requires manual intervention to power cycle the router. For this reason, I do not do it.
 

JoeBee

Regular Contributor
I do not know if 4 hrs is the magic time. I just know that it works for me. It happens automatically as a cron job so I do not know that it happened.

A weekly reboot is a good idea in theory, but another problem you might encounter if you do that is that once in a while, it does not wake up from the reboot. This then requires manual intervention to power cycle the router. For this reason, I do not do it.

Oh, good to know. I will keep an eye on it, and perhaps set up the schedule so it's always on a day I am at home at least.
 
