Asus RT-AX88U w/ Nord VPN - When setting a particular device to bypass the VPN, all devices are no longer routed through VPN

Woofer Wrecker

Occasional Visitor
Greetings All, my first post here, and I apologize in advance for my ignorance. I know just enough to be dangerous. Hence why I have come begging for help!

I have successfully set up my RT-AX88U running Merlin 386.7, to run the Nord VPN OVPN on board. All my devices are currently run through the tunnel.

My issue arises when I set a specific device IP to not use the VPN, which I do by setting the router to use VPN Director policies, and then adding the device IP as a new rule. I set the interface to the client I want, and do not enter a remote IP. Add the rule, apply it, and reboot the router. When restarted, all devices are now bypassing the VPN tunnel, exposing my real IP address, which I do not want.

I need to exclude certain devices as wifey works remotely and has complained that she cannot access certain work-related sites due to the VPN.

If anyone has any suggestions to help me get this resolved, I would be most grateful.

Thank you in advance!
WW
 

Attachments: VPN Settings.PNG, Wifey VPN Rule.PNG

eibgrad

Part of the Furniture
To exclude IPs, you set those to use the WAN (not the VPN), then create a rule to route everything else through the VPN.

192.168.1.103 WAN
192.168.1.0/24 OVPN1

Even though the VPN rule (192.168.1.0/24) includes 192.168.1.103, the WAN rules take precedence over any VPN rules. That's why it works.
 

Woofer Wrecker

Occasional Visitor
To exclude IPs, you set those to use the WAN (not the VPN), then create a rule to route everything else through the VPN.

192.168.1.103 WAN
192.168.1.0/24 OVPN1

Even though the VPN rule (192.168.1.0/24) includes 192.168.1.103, the WAN rules take precedence over any VPN rules. That's why it works.
Ahh okay, I did also try setting the interface to WAN for the device previously, but I did not realize I needed to create additional rules. So are you saying I need to add every other device I want to go through the VPN as its own rule?

And thank you for the quick reply! I really appreciate it!
 

Woofer Wrecker

Occasional Visitor
Edit: if I am understanding correctly, the "0/24" would encompass all devices assigned IPs within that range. In my case, I would need to add /255 as a rule because the router has assigned all random IP addresses to my devices. Is this thinking correct?
 

ddebacker

Occasional Visitor
You need something like this.
One rule for the exclusion targeting your device exception IP address using WAN as interface and another one with a CIDR block (IP range) using your VPN interface. Since WAN IF takes precedence it doesn't matter whether your exception device is in that range.
[image: 1656766960164.png]
 

Woofer Wrecker

Occasional Visitor
Thank you both! I will try these settings now.

Edit correctly this time: So settings like this? Will this work even though I have devices that have IP addresses that are outside 24?
 

Attachments: Rules.PNG

ddebacker

Occasional Visitor
You need to ensure that your network mask does include the devices that you want your rule to apply to. But if the first two entries need to go to WAN directly and the rest in the range should go through your VPN, this should work. If you have devices that are OUTSIDE of 192.168.1.0/24 then those devices will go to WAN by default, I believe.
 

Woofer Wrecker

Occasional Visitor
I tried setting the rule to 192.168.1.0/255 to encompass all devices in my network, but the router tells me it is an invalid IP. I do not want any devices outside the VPN unless I specify a rule for it allowing it. These are all of the IP addresses my router has assigned...
 

Attachments: Invalid Ip.PNG, Random Ip Assignments.PNG

Woofer Wrecker

Occasional Visitor
I understand that, but DDEBACKER said the mask needs to encompass all IPs or else they will default to WAN. As you can see, I have IPs way outside /24. Or am I missing something? Won't any device with an IP ending beyond 24 default to WAN?

These are current settings.
 

Attachments: Current Settings.PNG

eibgrad

Part of the Furniture
The following might help to understand the CIDR notation.


IOW, /24 *does* cover the entire 192.168.1.x IP network. The /24 is just another way of representing the alternative notation, 192.168.1.0 255.255.255.0, but the GUI is built to expect the former CIDR notation.
 

Bitrudeuk

Occasional Visitor
You need something like this.
One rule for the exclusion targeting your device exception IP address using WAN as interface and another one with a CIDR block (IP range) using your VPN interface. Since WAN IF takes precedence it doesn't matter whether your exception device is in that range.
[attachment 42391]

Thank you for posting this, I have been trying to understand the picture on the Wiki page about how to get the rules to ensure everything else is captured. This makes it nice and idiot proof.

Technically, it should be 192.168.1.0/24, NOT 192.168.1.1/24. The latter is actually NOT valid, but some parts of the system will accept the latter and handle it, others won't. So the former is always safer.

I've tried 0/24 and I lose access to the router via the LAN? Something is obviously conflicting, or should I try and use 1/24? Would this not be right as the router is assigned 1 after all? Or am I just putting 2 and 2 together and getting 3??

I wanted to carve out my Firestick, but leave everything else on the VPN, which it seems to have done. All my other devices appear to be going via the VPN, so it's just the router access i've lost, Any ideas? Did yours work out ok?? @Woofer Wrecker

I'm on the latest Merlin 386.7 via an AX86U. I'm also using Asus DDNS, if that would cause the conflict, but I think this is VPN director related?
 

eibgrad

Part of the Furniture
Thank you for posting this, I have been trying to understand the picture on the Wiki page about how to get the rules to ensure everything else is captured. This makes it nice and idiot proof.



I've tried 0/24 and I lose access to the router via the LAN? Something is obviously conflicting, or should I try and use 1/24? Would this not be right as the router is assigned 1 after all? Or am I just putting 2 and 2 together and getting 3??

I wanted to carve out my Firestick, but leave everything else on the VPN, which it seems to have done. All my other devices appear to be going via the VPN, so it's just the router access i've lost, Any ideas? Did yours work out ok?? @Woofer Wrecker

I'm on the latest Merlin 386.7 via an AX86U. I'm also using Asus DDNS, if that would cause the conflict, but I think this is VPN director related?

If your LAN is using 192.168.1.1 255.255.255.0, as defined on the LAN > LAN IP page, then you reference the entire IP network as 192.168.1.0/24. 192.168.1.1/24 is NOT valid CIDR notation. As I said, sometimes the system will accept it because it knows users will make this mistake, and knowing your intent, treats it as 192.168.1.0/24. That's why using 192.168.1.1/24 will work in *some* cases.

For example, the firewall rules don't care, they'll convert 192.168.1.1/24 to 192.168.1.0/24 on your behalf. But the routing system (except for ip rule) *does* care. It will reject the use of 192.168.1.1/24 until you correct it yourself! It's just not as user-friendly or accommodating as the firewall when it comes to this issue.

For myself, I use 192.168.1.0/24 w/ the VPN Director all the time, I have no issues. So something else has to be wrong w/ how you set this up if you do the same and the router then becomes inaccessible. But having no other knowledge of your configuration, it's hard to imagine what that might be.

Perhaps a dump of your config might provide a clue.

Code:
ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers

I admit it's quite extensive, but then I don't know what might be relevant at this point. It might make sense to post the output on PasteBin (given its size) and provide a link back here.
 
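An added example (not from the thread or from Asuswrt-Merlin's own code) that models the two points made above: eibgrad's rule-precedence explanation (a narrow WAN exclusion beats a broad OVPN1 catch-all, and unmatched sources fall through to the WAN, as ddebacker also notes) and the CIDR validity point (192.168.1.1/24 is rejected by a strict parser, 192.168.1.0/255 is rejected by any parser, and a lenient parser such as the firewall normalises 192.168.1.1/24 to 192.168.1.0/24). The rule list, the assumption that VPN rules keep their entered order among themselves, and the default-to-WAN fallback are assumptions for the model, not a dump of a real router.

```python
import ipaddress

# Constructed rule set mirroring the advice in the thread (example data only):
# one WAN exclusion for the work laptop, one catch-all VPN rule for the LAN.
RULES = [
    ("192.168.1.103", "WAN"),
    ("192.168.1.0/24", "OVPN1"),
]


def parse_prefix(text, strict=True):
    """Parse a VPN Director source field into an ip_network.

    A bare host ("192.168.1.103") is treated as a /32.  With strict=True a
    prefix whose host bits are set ("192.168.1.1/24") raises ValueError,
    which is how the routing layer behaves.  With strict=False it is
    silently normalised to the network address ("192.168.1.0/24"), which is
    what the firewall does on the user's behalf.  A prefix length that is
    out of range ("/255") is invalid either way.
    """
    if "/" not in text:
        text += "/32"
    return ipaddress.ip_network(text, strict=strict)


def is_valid_director_prefix(text):
    """True if the GUI/routing layer would accept this source field."""
    try:
        parse_prefix(text, strict=True)
        return True
    except ValueError:
        return False


def normalise_lenient(text):
    """What a lenient consumer (firewall) turns the field into, or None."""
    try:
        return str(parse_prefix(text, strict=False))
    except ValueError:
        return None


def select_interface(src_ip, rules, default="WAN"):
    """Return the interface VPN Director would use for a LAN source IP.

    WAN rules are evaluated before every VPN rule regardless of the order
    they were entered (assumption: VPN rules keep their entered order among
    themselves).  A source that matches no rule falls through to the main
    routing table, i.e. the WAN.
    """
    ip = ipaddress.ip_address(src_ip)
    # sorted() is stable, so WAN rules move first and everything else keeps
    # its relative order.
    ordered = sorted(rules, key=lambda rule: 0 if rule[1] == "WAN" else 1)
    for prefix, iface in ordered:
        if ip in parse_prefix(prefix, strict=False):
            return iface
    return default


if __name__ == "__main__":
    # .103 is excluded, every other 192.168.1.x host (including .254, which
    # is still inside /24) goes through the tunnel, and a host on another
    # subnet matches nothing and uses the WAN.
    for host in ("192.168.1.103", "192.168.1.57", "192.168.1.254", "192.168.2.9"):
        print(f"{host:15} -> {select_interface(host, RULES)}")
    for candidate in ("192.168.1.0/24", "192.168.1.1/24", "192.168.1.0/255"):
        print(f"{candidate:17} valid={is_valid_director_prefix(candidate)} "
              f"lenient={normalise_lenient(candidate)}")
```

Swapping the order of the two entries in RULES gives the same answers, which is the point of the precedence rule: the exclusion does not depend on where it sits in the list.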

Bitrudeuk

Occasional Visitor
I fear I'm going to have to do a factory reset in order to gain access?? I have no way of accessing other than via the App, as I don't know how to code via SSH etc.

That means the config file will be gone when I log back in, doesn't it? I assume I can get one when I have uploaded my previous settings, though the VPN director won't be set up and therefore not showing? That said, it may show that something else is wrong behind the scenes and what is causing the conflict??

Thanks as always for your assistance on these technical matters @eibgrad As soon as I try and be too clever, it inevitably goes wrong somehow!
 

Bitrudeuk

Occasional Visitor
Ok, so I have done a reset and then upped the previous settings, so I am back in. That said, at some point very soon, I will do a fresh install!

One thing I noticed in the recent update, was the change to the WAN DNS settings area. Mine has defaulted to "Get the DNS IP from your ISP automatically." and I am unable to enter my VPN suggested DNS servers. As when I enter them, I can't access any web pages? Could this be because my VPN client is set to "Accept DNS Configuration" Exclusive and therefore I am using the VPN ones automatically, rather than my ISP's? I've done a couple of leak tests and there are no leaks that I can tell with this set up.

Could it be that when I change the VPN client to use the VPN Director, rather than all traffic going through the tunnel, I should amend the DNS Config to Strict and then add the VPN servers in manually on the WAN section?

Perhaps a dump of your config might provide a clue.

Code:
ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers

To get the config info, can I get the data via cmd in windows or does it have to be via SSH?? I've never accessed the router this way, so that would need to be researched first...
 

eibgrad

Part of the Furniture
One thing I noticed in the recent update, was the change to the WAN DNS settings area. Mine has defaulted to "Get the DNS IP from your ISP automatically." and I am unable to enter my VPN suggested DNS servers. As when I enter them, I can't access any web pages? Could this be because my VPN client is set to "Accept DNS Configuration" Exclusive and therefore I am using the VPN ones automatically, rather than my ISP's? I've done a couple of leak tests and there are no leaks that I can tell with this set up.

Could it be that when I change the VPN client to use the VPN Director, rather than all traffic going through the tunnel, I should amend the DNS Config to Strict and then add the VPN servers in manually on the WAN section?

AFAIK, you can still assign your own custom DNS servers to the WAN.

Starting w/ 386.5 (IIRC), ASUS decided to statically bind any DNS servers defined on the WAN (either ISP or your custom DNS servers) to the WAN. That's problematic for anyone following their VPN providers advice to specify *their* DNS servers on the WAN. Once the OpenVPN client gets connected, the VPN provider is *assuming* you are routing ALL your traffic over the VPN (i.e., NOT using the VPN Director), and that those same DNS servers will now be routed over the VPN. But they WON'T! They are statically bound to the WAN! Hence, a DNS leak.

What I recommend is that you *ignore* the VPN provider's advice, and either use your normal ISP DNS servers on the WAN, or perhaps something else (e.g., 1.1.1.1 and 1.0.0.1), or even DoT (but specify Disabled for "Accept DNS configuration" in that case).

If NOT using DoT, and if you want to prevent DNS leaks, the only setting guaranteed to work for "Accept DNS configuration" is Exclusive. Strict or Relaxed will inevitably lead to DNS leaks because the DNS servers defined on the WAN (which remember are statically bound to the WAN) will be used in conjunction w/ the DNS server of VPN provider. In contrast, the use of Exclusive means *only* the VPN provider's DNS servers will be used.

That's why all this is so tricky. There are a lot of low-level details regarding various settings and how they all relate and behave that make it a complex subject. That's why I created the DNS monitor, to help visualize what's actually happening.


To get the config info, can I get the data via cmd in windows or does it have to be via SSH?? I've never accessed the router this way, so that would need to be researched first...

You need to use an SSH client to access the router's SSH server, and thus its command line. IIRC, Windows 10/11 does provide an SSH client via its own command line (CMD). There's also one available via PowerShell, or even the PuTTY app.
 

eibgrad

Part of the Furniture
One more thing.

I'm assuming the push'd DNS servers of the VPN provider are themselves bound to the VPN's tunnel. IOW, if the tunnel is 10.8.0.0/24, those IPs are within the scope of that tunnel. For example, 10.8.0.1 or 10.8.0.10.

However, sometimes the VPN provider pushes *public* DNS servers that are NOT within the scope of the tunnel (e.g., 8.8.8.8), or perhaps their own public DNS servers. If using the VPN Director and Exclusive, those DNS servers will be accessed over the WAN! Again, the VPN provider is *assuming* the router itself is bound to the VPN. But that's NOT the case when the VPN Director is active.

Again, the DNS monitor would reveal this type of potential problem.
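An added example (not from the thread and not the DNS monitor eibgrad mentions) that turns the two DNS posts above into a checkable model: WAN-page resolvers are statically bound to the WAN; with Strict or Relaxed the router uses them alongside the pushed ones; with Exclusive only the pushed ones are used; and a pushed resolver is only reached through the tunnel if it lies inside the tunnel subnet, otherwise, with VPN Director active, it goes out the WAN. The tunnel subnet 10.8.0.0/24, the resolver addresses, and the treatment of Strict and Relaxed as identical for leak purposes (they differ only in server ordering) are assumptions of the model.

```python
import ipaddress

# Assumed tunnel subnet, as in the post above; adjust to your client's.
TUNNEL = ipaddress.ip_network("10.8.0.0/24")


def dns_paths(accept_dns, wan_dns, pushed_dns, tunnel=TUNNEL):
    """Return {resolver: "VPN" | "WAN"} for a router running VPN Director.

    accept_dns is the OpenVPN client's "Accept DNS configuration" value:
      Disabled  -> only the WAN-page resolvers are used
      Exclusive -> only the resolvers pushed by the VPN provider are used
      Strict/Relaxed -> pushed resolvers plus the WAN-page resolvers
    Because the router itself is not routed through the tunnel when VPN
    Director is active, a resolver only takes the VPN path if its address
    is inside the tunnel subnet.  WAN-page resolvers are statically bound
    to the WAN whatever their address is.
    """
    mode = accept_dns.strip().lower()
    if mode == "disabled":
        active = [(s, "wan") for s in wan_dns]
    elif mode == "exclusive":
        active = [(s, "pushed") for s in pushed_dns]
    elif mode in ("strict", "relaxed"):
        active = [(s, "pushed") for s in pushed_dns] + [(s, "wan") for s in wan_dns]
    else:
        raise ValueError(f"unknown Accept DNS configuration: {accept_dns!r}")

    paths = {}
    for server, origin in active:
        addr = ipaddress.ip_address(server)
        if origin == "wan":
            paths[server] = "WAN"            # statically bound, never the tunnel
        else:
            paths[server] = "VPN" if addr in tunnel else "WAN"
    return paths


def leaking_resolvers(paths):
    """Resolvers that would be queried in the clear over the ISP link."""
    return sorted(s for s, path in paths.items() if path == "WAN")


if __name__ == "__main__":
    # Constructed scenarios, not captured from a real router.
    scenarios = [
        ("Exclusive", ["1.1.1.1"], ["10.8.0.1"]),   # clean: only tunnel DNS
        ("Strict",    ["1.1.1.1"], ["10.8.0.1"]),   # leaks via 1.1.1.1 on WAN
        ("Exclusive", ["1.1.1.1"], ["8.8.8.8"]),    # pushed public DNS -> WAN
        ("Disabled",  ["1.1.1.1"], ["10.8.0.1"]),   # DoT case: WAN only
    ]
    for mode, wan, pushed in scenarios:
        paths = dns_paths(mode, wan, pushed)
        print(f"{mode:9} {paths} leaks={leaking_resolvers(paths)}")
```

The third scenario is the one the last post warns about: Exclusive is set, yet the provider pushed a public resolver, so nothing goes through the tunnel and the check flags it. For the Disabled case the WAN resolver is expected to be reached over the WAN; that is only acceptable when it is a DoT upstream, which this model does not represent.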
 
