Solved Asus RT-AC86U OpenVPN server behind ISP modem

Not sure how to do that


... yes ... because I haven't had any good reason to change it, but if Merlin would make my life easier, I wouldn't have any problem trying it out

I'm assuming the ASUS OEM/stock firmware doesn't support PBR. Once you install Merlin's firmware and configure the OpenVPN client, you can enable Policy Routing (it's an option) and specify the local IP network (e.g., 192.168.1.0/24) as a rule so it gets routed over the VPN. Anything else defaults to the WAN. The benefit is that the use of PBR takes the router off the VPN, so your OpenVPN server can be reached. Plus, you can implement a kill switch as a bonus (to prevent clients of the VPN from ever gaining access to the WAN, for example, if the VPN fails).
 
Just a follow-up:
- I installed Merlin 386.1: pretty straightforward
- I followed this https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm to set up the VPN client (a bit different than for stock firmware)
- I added all Asus-wrt traffic under VPN; I expressly excluded the wrt itself (I guess kind of redundant, but I saw it on some other post that I cannot recall). I activated the KillSwitch
[attached screenshot: 1612878675932.png]
- I enabled the VPN Server and everything works like a charm!
- side note: on the laptop, if I connected to NordVPN (for my internet traffic) OpenVPN was unable to connect, so I had to add it to the "Split tunneling" "Trusted apps" and again, working like a charm.

Glad you got things working. But I just want to follow-up given what I now see are your PBR rules. For the following, I'm assuming 192.168.2.1 is the LAN ip of the router.

I *believe* the higher placed rules take precedence over the lower ones. Therefore, the second rule will never be executed given the first rule implicitly includes 192.168.2.1.

So let's say you switch the rules, making the first rule the second, and vice versa. A quirk of using PBR is that it takes the router itself OFF the VPN! IOW, all its internal processes that are directed upstream to the internet are bound to the WAN anyway, making (what is now) the first rule superfluous. But even if that wasn't the case, realize that specifying the router's *LAN* ip as a source in PBR is never going to work since its internal processes directed upstream to the internet are not bound to the LAN network interface anyway! They're bound to either the WAN or VPN network interfaces.

That's what makes it confusing and difficult for those new to PBR. You have to understand the consequences of using PBR, both wrt the clients behind the router, and the router itself. And the effect of how rules are ordered. And understand that the router's internal processes are usually bound to the WAN/VPN, not the LAN. All these factors come into play. And if you fail to appreciate them, you may get unexpected behavior/results.

Bottom line: you can eliminate the 192.168.2.1 rule. Now all devices in the 192.168.2.x network (except the router itself) will be bound to the VPN.
 
I *believe* the higher placed rules take precedence over the lower ones. Therefore, the second rule will never be executed given the first rule implicitly includes 192.168.2.1.
I've never tested it but according to the PBR wiki the WAN rules take precedence over the VPN rules. @jorgemarmo's rules are the same as the example shown at the bottom of the wiki page.
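The two posts above disagree on how the PBR rows are ordered (top-to-bottom first match versus WAN rows before VPN rows), and the earlier post adds that with PBR enabled the router's own upstream traffic is not sourced from its LAN address, so a row with source 192.168.2.1 can never match it. The following is an added example, not Asuswrt-Merlin's own code and not from any poster: a small Python model of first-match policy routing that evaluates the thread's two rows under both orderings, applies the kill-switch behaviour described earlier in the thread, and reports which rows never match any observed traffic. The WAN address, the tunnel address and the client addresses are constructed for the example; the LAN range 192.168.2.0/24 and the router LAN address 192.168.2.1 follow the thread. Neither ordering is asserted here to be what the firmware actually implements; the point is that for these two rows the result is the same either way.

```python
"""Toy model of policy-based routing (PBR) decisions for the rows in the thread.

Added example, not Asuswrt-Merlin code. It models first-match rule evaluation,
the two rule orderings discussed in the thread, a kill switch, and the fact that
the router's own upstream packets do not carry its LAN address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List

# Addresses: the LAN range and router LAN IP follow the thread, the rest are
# constructed for this example (WAN address from the RFC 5737 documentation range).
LAN_NET = ip_network("192.168.2.0/24")
LAN_IP = ip_address("192.168.2.1")
WAN_IP = ip_address("203.0.113.10")      # assumed WAN address of the router
VPN_IP = ip_address("10.8.0.6")          # assumed address on the OpenVPN client tunnel


@dataclass(frozen=True)
class Rule:
    """One PBR row: traffic *from* `src` leaves via `iface` ("WAN" or "VPN")."""
    src: IPv4Network
    iface: str


# The two rows from the thread: whole LAN -> VPN, router LAN IP -> WAN.
THREAD_RULES: List[Rule] = [
    Rule(LAN_NET, "VPN"),
    Rule(ip_network("192.168.2.1/32"), "WAN"),
]


def ordered(rules: Iterable[Rule], wan_first: bool) -> List[Rule]:
    """Return the rows in evaluation order.

    wan_first=False: rows are tried top to bottom as listed.
    wan_first=True:  every WAN row is tried before any VPN row (the wiki reading
    quoted in the thread). The sort is stable, so rows of the same kind keep
    their listed order. Which of the two the firmware uses is not asserted here.
    """
    rows = list(rules)
    if wan_first:
        rows.sort(key=lambda r: 0 if r.iface == "WAN" else 1)
    return rows


def route(rules: Iterable[Rule], src: IPv4Address, *, vpn_up: bool = True,
          kill_switch: bool = False, wan_first: bool = False) -> str:
    """Decide the egress for a packet with source `src`: "WAN", "VPN" or "DROP"."""
    for rule in ordered(rules, wan_first):
        if src in rule.src:                      # first matching row wins
            if rule.iface == "VPN" and not vpn_up:
                # Kill switch: VPN-bound clients are dropped rather than leaking
                # to the WAN while the tunnel is down; without it they fall through.
                return "DROP" if kill_switch else "WAN"
            return rule.iface
    return "WAN"                                 # unmatched traffic uses the WAN


def router_source() -> IPv4Address:
    """Source address of the router's *own* upstream traffic.

    As the thread notes, with PBR active the router's processes are bound to the
    WAN side, so their packets carry the WAN address, never the LAN address
    192.168.2.1 (assumed here to be the only address they use).
    """
    return WAN_IP


def unused_rules(rules: List[Rule], sources: Iterable[IPv4Address],
                 wan_first: bool = False) -> List[Rule]:
    """Rows that are never the first match for any observed source (redundant rows)."""
    hit = set()
    for src in sources:
        for rule in ordered(rules, wan_first):
            if src in rule.src:
                hit.add(rule)
                break
    return [r for r in rules if r not in hit]


if __name__ == "__main__":
    clients = [ip_address("192.168.2.50"), ip_address("192.168.2.77")]  # constructed
    observed = clients + [router_source()]
    for src in observed:
        print(f"{str(src):>16} -> {route(THREAD_RULES, src)}")
    print("rows never matched:", unused_rules(THREAD_RULES, observed))
    print("client with VPN down + kill switch:",
          route(THREAD_RULES, clients[0], vpn_up=False, kill_switch=True))
```

Running it shows the LAN clients going to the VPN, the router's own traffic going to the WAN without any row matching it, and the 192.168.2.1 row reported as never matched under either ordering. The two orderings only diverge for a packet that really carries source 192.168.2.1, which in this model does not exist.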