Asus Merlin using OpenVPN to split tunnel

[Calum]

Hi Everyone,

My first post/question and yes I have read, "read this first"! I would really appreciate your help pointing me in the right direction as I am sure this has been covered before and I have searched and searched. (I warn you my skills are limited).

I have an Asus RT-AC3200 with Merlin (380.68.4 - yes I am sure there is a newer version) and I have run into 2 issues. Installed Merlin (absolutely genius by the way) setup an OpenVPN client1 (VPNArea) used it then discovered how to setup Policy Rules to split tunnel 2 devices (NUC w/LibreElec, Roku Stick) - Wow not bad apart from the VPNArea speeds absolutely suck!! (Local speeds = 30-50mbps & through VPNArea = ~2mbps)
So I tried another VPN provider, like many I heard good things about ExpressVPN. The speeds are fantastic except I can't use the Merlin Policy Rules.

Issue 1: I set up OpenVPN Client2 and there seems to be an issue with 2 clients setup with Policy Rules - to the extent I cannot connect my Roku stick to wireless and the NUC I had to change from original LAN to wireless. Even when I revert to no policy rules I still have the same problem. I fear a factory reset!!

Issue 2: ExpressVPN will not work with Merlin policy rules. You can split tunnel but only through their app or older version routers not suitable for OpenVPN. I have tried changing Accept DNS config to exclusive because I read this might be a fix (without really knowing why). Can anyone help or point me to solutions already found or suggest a VPN provider that can use Merlin policy rules (apart from VPNArea)?

Any help for a struggling noob would be greatly appreciated!!!

Many thanks
Calum

 

[CaptainSTX]

Hi Everyone,

My first post/question and yes I have read, "read this first"! I would really appreciate your help pointing me in the right direction as I am sure this has been covered before and I have searched and searched. (I warn you my skills are limited).

I have an Asus RT-AC3200 with Merlin (380.68.4 - yes I am sure there is a newer version) and I have run into 2 issues. Installed Merlin (absolutely genius by the way) setup an OpenVPN client1 (VPNArea) used it then discovered how to setup Policy Rules to split tunnel 2 devices (NUC w/LibreElec, Roku Stick) - Wow not bad apart from the VPNArea speeds absolutely suck!! (Local speeds = 30-50mbps & through VPNArea = ~2mbps)
So I tried another VPN provider, like many I heard good things about ExpressVPN. The speeds are fantastic except I can't use the Merlin Policy Rules.

Issue 1: I set up OpenVPN Client2 and there seems to be an issue with 2 clients setup with Policy Rules - to the extent I cannot connect my Roku stick to wireless and the NUC I had to change from original LAN to wireless. Even when I revert to no policy rules I still have the same problem. I fear a factory reset!!

Issue 2: ExpressVPN will not work with Merlin policy rules. You can split tunnel but only through their app or older version routers not suitable for OpenVPN. I have tried changing Accept DNS config to exclusive because I read this might be a fix (without really knowing why). Can anyone help or point me to solutions already found or suggest a VPN provider that can use Merlin policy rules (apart from VPNArea)?

Any help for a struggling noob would be greatly appreciated!!!

Many thanks
Calum

If you are trying to run two or more VPN clients on your router from a single VPN provider you will need to run them on different Ports. However some VPN providers make only a single Port available.

If your issue is somethng else then perhaps someone else will be able to offer you advice.

 

[Calum]

If you are trying to run two or more VPN clients on your router from a single VPN provider you will need to run them on different Ports. However some VPN providers make only a single Port available.

If your issue is somethng else then perhaps someone else will be able to offer you advice.

Thanks Captain for your response, I am only using 1 VPN at a time not at the same time.

 

[st3v3n]

Calum, Welcome. Have you requested assistance from the technical staff at Express? They are exceedingly good, fast and help you with many issues such as this. Many of the long term regulars on the forum have work, side projects families and sometimes are unable to respond with a complicated/long/explicit reply. This issue really is covered in other threads, and you only have to take your time to search for it.

It's highly unlikely that Express has become incompatible with Merlin. As for fearing a rest; don't. It's part of working with the router. When issues such as yours aren't explainable, usually a factory/power reset solved the problem. The more you work with the router, the more reading/research you gain, the more confidence you'll have. Don't think you need to apply every single update, the day it's released. Alpha and test releases won't help you if you have a complex system or need it up all the time. As far as reading, that's part of it too; everything you might consider asking/posting in a long post, has already been answered many times over in many ways. The search function is your friend. If that doesn't work for you, typing simple questions into your search engine usually leads you back to a specific post on one or more sections of this forum, that will help you. Most VPN providers support Asus and have tutorials for Merlin.

Post doesn't mentioned what your provisioned for but 50 Mb down w/o OpenVPN isn't shabby for the RTAC3200 and only one OpenVPN config, but 2 Mb down with OpenVPN sounds like a problem with the configuration. If Express hasn't upgraded their OpenVPN it may/may not have that effect, but it doesn't hurt to ask your service. We've used Asus routers with Merlin FW for years. Our 3200 has run extremely well for most of two years and through several upgrades, we're on 384.5. It's easy to work with depending on how much time you devote to learning all the bits and pieces. Depending which build you upgraded from, if you put some time in reading the various other threads, you have nothing to fear by performing a factory reset and rebuilding all your settings; it's the first thing to try if your Exprress technician can't help you nail the config issue down.

If nothing else works, before you perform a reset, Take snapshots of all your pages, tabs, important settings so you cal easily set the router up from scratch; it shouldn't take more than 10-20 minutes if you're familiear with the GUI and know the drill.. Be sure to have a fresh download of the newest correct Express OpenVPN configuration, and an alternate, which you can load in one of the other clients for testing purposes, then save everything. Then you're good for a reset. You might perform a default reset of the current OpenVPN client, then reload that same (up to date) OpenVPN config into another client, for instance switch it from the number one to number two. It's unlikely the router is defective in this respect, but switching to a different client been known to make a difference.

Final note, there are many folks who don't know that power spikes/surges play havoc with settings in their modems, routers, etc, and has been known to damage them. A quality UPS battery backup unit can pay for itself the first time you have a surge or significant line noise. We have a UPS battery backup unit on our modem/router/firewall and switches, computers, TVs, refrigerators, any electronic device we own. In 30 years we've never lost a setting or had problems caused by power problems during an upgrade. When lightning comes around, we unplug all of it. Good luck.

 

[Calum]

Calum, Welcome. Have you requested assistance from the technical staff at Express? They are exceedingly good, fast and help you with many issues such as this. Many of the long term regulars on the forum have work, side projects families and sometimes are unable to respond with a complicated/long/explicit reply. This issue really is covered in other threads, and you only have to take your time to search for it.

It's highly unlikely that Express has become incompatible with Merlin. As for fearing a rest; don't. It's part of working with the router. When issues such as yours aren't explainable, usually a factory/power reset solved the problem. The more you work with the router, the more reading/research you gain, the more confidence you'll have. Don't think you need to apply every single update, the day it's released. Alpha and test releases won't help you if you have a complex system or need it up all the time. As far as reading, that's part of it too; everything you might consider asking/posting in a long post, has already been answered many times over in many ways. The search function is your friend. If that doesn't work for you, typing simple questions into your search engine usually leads you back to a specific post on one or more sections of this forum, that will help you. Most VPN providers support Asus and have tutorials for Merlin.

Post doesn't mentioned what your provisioned for but 50 Mb down w/o OpenVPN isn't shabby for the RTAC3200 and only one OpenVPN config, but 2 Mb down with OpenVPN sounds like a problem with the configuration. If Express hasn't upgraded their OpenVPN it may/may not have that effect, but it doesn't hurt to ask your service. We've used Asus routers with Merlin FW for years. Our 3200 has run extremely well for most of two years and through several upgrades, we're on 384.5. It's easy to work with depending on how much time you devote to learning all the bits and pieces. Depending which build you upgraded from, if you put some time in reading the various other threads, you have nothing to fear by performing a factory reset and rebuilding all your settings; it's the first thing to try if your Exprress technician can't help you nail the config issue down.

If nothing else works, before you perform a reset, Take snapshots of all your pages, tabs, important settings so you cal easily set the router up from scratch; it shouldn't take more than 10-20 minutes if you're familiear with the GUI and know the drill.. Be sure to have a fresh download of the newest correct Express OpenVPN configuration, and an alternate, which you can load in one of the other clients for testing purposes, then save everything. Then you're good for a reset. You might perform a default reset of the current OpenVPN client, then reload that same (up to date) OpenVPN config into another client, for instance switch it from the number one to number two. It's unlikely the router is defective in this respect, but switching to a different client been known to make a difference.

Final note, there are many folks who don't know that power spikes/surges play havoc with settings in their modems, routers, etc, and has been known to damage them. A quality UPS battery backup unit can pay for itself the first time you have a surge or significant line noise. We have a UPS battery backup unit on our modem/router/firewall and switches, computers, TVs, refrigerators, any electronic device we own. In 30 years we've never lost a setting or had problems caused by power problems during an upgrade. When lightning comes around, we unplug all of it. Good luck.

Hi st3v3n,
Thank you for responding in detail, any pointers are welcome! Understand that everyone has day jobs and I didn't post until I spent quite a few hours scraping the internet without definitive answers. So my main aim was if somebody could quickly and painlessly point me to previous threads so I could continue my search.

I have enlisted the customer help of ExpressVPN and they were great but whilst they support 3200 with Merlin for a normal OpenVPN manual setup, it is not compatible using Policy Rules - so everything goes through the tunnel.

I do like your point regarding power surges and I have put my modem and router on a protector just in case.

I think I will have to bite the bullet regarding resetting to get rid of the saved Client 1 data since I have no use for the is slow VPN service. However, I will still continue to search for answers for split tunneling.

Many thanks!

 

[kfp]

I think I will have to bite the bullet regarding resetting to get rid of the saved Client 1 data since I have no use for the is slow VPN service. However, I will still continue to search for answers for split tunneling.

Maybe just update to the latest firmware, factory reset and start over?

“continue to search for answers for split tunneling” is not likely to bear fruit because your problem is hard for others to reproduce.

Unless I’m mistaken on your requirements, what you’re looking for is generally called “selective routing” which there are numerous posts in the forums. And the configuration is greatly simplified in newer releases so one more reason for you to update.

 

[Calum]

Thanks kfp

 

[st3v3n]

Calum, glad you received some help, even if Express couldn't help as you needed. With the older FW (380.68_4) on our 3200, we never had any issues with any of the VPNs we've had re policy rules. Every VPN has their quirks or way of doing things. Everything goes through our tunnels so if they fail or drop, then everything just stops for us since we send nothing to the ISP's network. It doesn't happen often but it does happen. Very curious Express configs won't work with policy rules from Express's config. Something we haven't had to contend with. When I get some time after the holiday am thinking about adding another config/tunnel, since we have several to choose from rather than the original two. We had to replace one of our UPS surge/battery-backup units this week, it was almost 4 years old, but the replacement battery was half as much as a new unit. Considering the cost of replacing the gear connected to it that it's saved during the time it was online, it was $100 well spent, and amazon had it reduced. (The heat wave is bad for gear, humans and the grid). Good luck, cheers.