Asus RT-AX88U with Merlin Firmware + DDNS - VPN Issues

PC Pilot

Hi to all,

I have to confess to being a newbie to the Asus Routers and the super Merlin Firmware and so far have followed the advice offered here across a number of threads to configure my router which is currently installed with Merlin's 384.2 firmware. Having followed this advice I am up and running but have encountered several issues for which I would greatly appreciate your expert guidance as to how they might be resolved/overcome.

My Network Setup:

Modem: Draytek Vigor 130 (configured as default to bridge mode) connects to unmanaged switch, switch then connects to both WAN and LAN ports (so as to enable GUI access on same subnet as router)
Router: Asus RT-AX88U
DDNS: host.xxxx.com
Open VPN: IPVanish
PC 1: Intel X58 - 2 X Integrated Gigabit Realtek RTL8111C Ethernet Ports - Device Configured to "Static" IP (set below DHCP Pool Reservation (40-254))
PC 2: Intel X99 - 2 X Integrated Gigabit Intel I211/I218V Ethernet Ports - Device Configured to "Manual" IP (and bound to MAC)

The Issues

1. With the VPN configured and enabled I am unable to reach the PC's by Teamviewer (Wake on Public IP) to remote boot (UDP Port 7/9)
2. With the VPN configured and enabled I am unable to get access to Plex Media Servers outside of the Network

Both features work perfectly with the router VPN disabled, which suggests they are VPN related.

Actions taken

Scripts set to configure IP and MAC addresses of the primary Ethernet Devices for each PC to be permanently held in the ARP table (both show PERM).
Scripts set to configure Plex to bypass the VPN and with VPN enabled shows the correct "Public IP" NOT the VPN generated one but remains inaccessible.
Port Forwarding set up to the respective Ethernet Device IP's both for Plex Ports and for UDP Port 9 (PC1) and UDP Port 7 (PC2).
Wake On LAN configured in Network Tools to respective device MAC addresses.
DDNS configured and functioning correctly (as far as I can tell).

Thoughts (Assumptions)

I suspect that these issues may require some additional policy rules in the VPN to overcome the block which only occurs when the VPN is enabled. Interestingly, one PC based program WOL Magic Packet Sender V1.5 (www.MagicPacket.free.fr) appears unaffected by the VPN setting (probably because it is within the Network?), whereas Depicus (https://www.depicus.com/wake-on-lan/woli) with the same settings configured, RemoteBoot WOL (ios App) and Teamviewer Wake on Public IP will only do so with the VPN disabled within the router.

As this is new to me these assumptions are likely inaccurate so please feel free to educate me on the most appropriate steps and best practice to resolve!

Thanks for any assistance you can offer....

Seasons greetings and best regards to all,

PC Pilot
 
Hi Folks.....Nobody suggest anything?

If I have mistakenly posted in the incorrect forum please advise so I can repost....

Any help appreciated

Thanks

PC Pilot
 
Are you referring to a VPN Server or VPN Client on your router?
 
Hi Jak Yaz,

Firstly thank you for taking the time to respond to my post(s)…..

Apologies for the omission on my part! I should have clarified that I meant I have set up IPVanish as a "VPN Client" using their OpenVPN Merlin guide.

Have to confess that this additional sophistication so far as router configuration is concerned is very new to me (but I am keen to learn from the experts here) and so I'm kind of finding my way through by trial and error (hopefully) to enjoy the wealth of features that this new router with Merlin firmware offers!

Best regards,

PC Pilot
 
No worries. Could you post screenshots of your configuration for the VPN Client? Remember to redact username/password.
 
As requested...…….
 

Attachments

  • Open VPN Client - RT-AX88U Merlin Config - Part 1.jpg
  • Open VPN Client - RT-AX88U Merlin Config - Part 2.jpg
  • Open VPN Client - RT-AX88U Merlin Config - Custom Configuration Part 1.jpg
  • Open VPN Client - RT-AX88U Merlin Config - Custom Configuration Part 2.jpg
Change redirect internet traffic to policy rules. Add rules for:
Router IP to route via WAN
LAN IP/Subnet (e.g. router IP/24) to route via VPN
Plex IP to 0.0.0.0 to route via WAN

Remove your custom config for plex gateway
 
I think I have understood correctly...…..perfect result...….Separate Plex Media Servers on both Network PC's now visible outside network...….and trial Boot from Cell Phone 4G (with WiFi disabled) using RemoteBoot WOL iOS app successfully wakes X99 PC from shutdown!!

You are the man...…….thank you so much!!

Screenshot of changes attached......in case I fouled up!!

PC Pilot
 

Attachments

  • Open VPN Client - RT-AX88U - Revised Merlin Config.jpg
If you want all devices to go via VPN then you'd need to use 192.168.50.1/24 - this will cover the whole range for 192.168.50.X

Just checking, your AX88U is using .223?
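
The difference between the bare 192.168.50.1 rule and 192.168.50.1/24 discussed in the posts above, as an added example that is not part of any post and is not Merlin's own code. It is a simplified model that assumes WAN rules are matched before VPN rules and that traffic matching no rule leaves via the WAN; the Plex and client addresses and the test destination are constructed.

```python
import ipaddress

def _net(spec):
    # A destination of 0.0.0.0 (or blank) in a policy rule means "any".
    if spec in ("", "0.0.0.0"):
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False accepts a CIDR with host bits set, e.g. 192.168.50.1/24,
    # and normalises it to 192.168.50.0/24. A bare address becomes a /32.
    return ipaddress.ip_network(spec, strict=False)

def egress(src, dst, rules):
    """Return 'WAN' or 'VPN' for one flow, given (source, destination, iface) rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Assumption of this model: WAN rules are evaluated before VPN rules.
    for wanted in ("WAN", "VPN"):
        for rule_src, rule_dst, iface in rules:
            if iface == wanted and s in _net(rule_src) and d in _net(rule_dst):
                return iface
    # Assumption of this model: unmatched traffic follows the normal WAN route.
    return "WAN"

def unprotected(clients, rules, dst="203.0.113.5"):
    """Clients whose internet traffic leaves outside the tunnel (ISP address visible)."""
    return [c for c in clients if egress(c, dst, rules) == "WAN"]

PLEX = "192.168.50.10"                               # hypothetical Plex host
CLIENTS = [PLEX, "192.168.50.20", "192.168.50.30"]   # constructed LAN clients

# VPN rule written as a single address: it only ever matches the router itself.
HOST_ONLY = [(PLEX, "0.0.0.0", "WAN"), ("192.168.50.1", "0.0.0.0", "VPN")]
# VPN rule written as a subnet: it matches every 192.168.50.X client.
WHOLE_LAN = [(PLEX, "0.0.0.0", "WAN"), ("192.168.50.1/24", "0.0.0.0", "VPN")]

if __name__ == "__main__":
    for name, rules in (("host-only", HOST_ONLY), ("whole LAN", WHOLE_LAN)):
        print(f"{name:10} rule set, clients bypassing the VPN:", unprotected(CLIENTS, rules))
```

With the host-only rule every client is listed as bypassing the tunnel, which matches the ISP address being reported; with the /24 rule only the Plex exception remains outside the VPN.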
 
Hi Jack Yaz,

Apologies for the rather late response.....was caught up in the New Year festivities and so all work on Router config was put aside!! :(

Just trying to get my mind back in gear on this so apologies if my responses are somewhat lacking!!

To clarify:

If you want all devices to go via VPN then you'd need to use 192.168.50.1/24 - this will cover the whole range for 192.168.50.X

I trust that you mean the "LAN IP" VPN Rule I created? This might explain a situation I was going to raise concerning the VPN even though both the Remote Boot and Plex access are now up and running it appears that when I look up my IP Address (https://whatismyipaddress.com/) I no longer have the VPN generated address but the actual ISP IP address :(

Having deleted the 192.168.50.1 VPN rule replacing it with 192.168.50.1/24 as per your suggestion PC 1 (X58) now has the VPN generated IP (the same is true for a WiFi connected iPhone 8 Plus) but is unable to access the Plex Media Server from outside of the network. PC 2 (X99) - The remote boot machine - Still remote boots over the internet and has Plex Media Server access outside the network BUT https://whatismyipaddress.com/ returns the ISP IP Address not the VPN generated one..... What am I missing/doing wrong here?

Just checking, your AX88U is using .223?

I assume that you are referring to the firmware in use? I am using the latest (current) Merlin release 384.8_2 (released 08.12.18) shown for this router (https://sourceforge.net/projects/asuswrt-merlin/files/RT-AX88U/Release/)

Your advice/assistance is very much appreciated

PC Pilot
 
Hi J Y

192.168.50.1

…...reference my previous post concerning PC1 and VPN generated IP since shutdown/reboot cycle PC1 is now also returning the ISP generated IP Address and the plex server is once again accessible outside of the network......the iPhone continues to generate the VPN IP Address though....

I guess I must have slipped up in following your guidance correctly??

Thanks again

PC Pilot
 
Just wondering if there is any further advice as yet?...………..
 
Hi JY…...

Thanks again for your response...and sorry to be a hassle!

Just missed your reply yesterday hence this belated response. I do have a couple of further questions which hopefully you can guide me on.

Both the X58 and X99 PC are connected by wired internet (in fact each machine is dual Gigabit via 2 ethernet ports) both also have WiFi access. In each case both Gigabit Ethernet clients have a wired connection (i.e. 4 in total) to the router. It also appears that Windows assigns those Ethernet clients defined in the VPN Rules as Plex and Plex X99 as the 'primary' connection so far as internet access is concerned.

By way of experimentation I have confirmed that the 'secondary' Ethernet's (with both the primary's disconnected) return the VPN generated IP Address on myip.com whilst otherwise the ISP 'Public' Address is returned. With both wired connections entirely disconnected connecting to the internet by WiFi alone returns the VPN generated IP.

Bizarrely, before replying, I attempted to sign in to Plex (internet) only to find that it triggered a device security alert citing the VPN generated IP Address whereas myip.com confirmed the public ISP Address. The Plex server was not available outside of the network. As I pen this I have tried this again (after a short delay) and all is again connected so I suspect some sort of lag rather than a VPN issue?

Your earlier post presented the opportunity for me to lookup the router's IP Address (see attached Partial Network Map) which I then incorporated into the VPN's WAN Rules replacing 192.168.50.1 (Router Access IP) - see attached JPG. This does not appear to have caused any change to the behaviour described above, but you can most likely comment upon this!

The VPN appears to correspond with that reported in your reply yesterday. However, what I was ideally hoping to achieve was to route ALL internet traffic (with the exception of the Plex connections) through the VPN and so enjoy the added security provided. Is this possible?

Thinking out of the box, is it possible to configure the 'secondary' ethernet clients to be the default internet client (perhaps through Windows) such that Plex/Plex X99 ethernet clients (VPN exceptions) handle the Plex server connection and the 'internet' Wake on LAN which, in the X99's case, specifically requires this IP Address as it is always active in the 'off' state.

Finally, I have observed a (related?) strange behaviour since configuring an IPV6 connection (Hurricane Electric) yesterday (15.01): the internet connection - myisp.com etc. now shows the VPN generated (IPV4) IP Address....and so Plex does not connect any longer. I should add that my VPN (IPVanish) currently only supports IPV4 and not the IPV6 connection. All other settings as per this post and the behaviour persists beyond router reboot. I cannot think of an explanation. Any thoughts?

Best regards

PC Pilot
Open VPN Client - RT-AX88U - Partial Network Map - iP Addresses.jpg
Open VPN Client - RT-AX88U - Revised VPN Config.jpg
 