Solved AX86U Pro - Surfshark VPN for Guest Wifi & wired, EXCEPT for some wired clients

ibex

Hi,

I am learning the Asus router ecosystem. Just set up a brand new Asus RT-AX86U Pro. Operation Mode: Wireless router, stock firmware 3.0.0.6.102_34349, current as of 2025-04-21

I was able to set up a Custom Guest network, which works perfectly. As I have a Surfshark VPN account, I created a Guest network of type "VPN Network". The Asus webUI is friendly enough to guide me through the procedure. I was able to create a VPN Fusion profile, then associate it to the 2nd Guest network, which is also working well.

I would like to extend further the use of the VPN Profile to wired clients. But how to do it? In the Advanced settings for LAN and WAN, I don't see any setting related to VPN. Furthermore, among the wired clients, I would like to exclude some, for example a desktop used for work, because my work requires an enterprise VPN and I think that it would not play well if it is piggy-backed on the personal Surfshark VPN. In short, can you please help me with the following:

Q1. How to enable VPN for wired clients?
Q2. How to allow some wired clients to bypass VPN?

NOTE: 1 & 2 must not affect Wifi clients, i.e. ALL Wifi clients on the Guest VPN Network (which is currently working fine) must use the VPN configured for this Guest network.

Reading the post "VPN fusion and guest network pro", it appears that the VPN Fusion profile option "Add devices to this profile" could be used to add wired clients to use VPN. The VPN opt-in must be enabled explicitly for every client (provided that the option "Apply to all devices" is UNchecked). There is no opposite option (default VPN to all, except for an exclusion list).

Strangely enough, the VPN Fusion profile I have created has zero clients selected. And yet wifi clients joining the Guest VPN network all inherit the VPN tunnel. I find this behavior convenient. But this makes the setting "Add devices to this profile" in the VPN profile rather confusing.


Asus_VPN-Profile.jpg
 

I'm using the latest Merlin firmware (3004.388.8_4) on my RT-AX86U Pro and a combination of VPN Director and the YazFi guest network script to route:
  1. manually assigned fixed IP wired or WiFi LAN devices to WAN using VPN Director (most of these devices have the Surfshark app installed so it's easier to turn on/off or change VPN servers on each device and I have a few devices that I don't need VPN for)
  2. DHCP LAN devices (192.168.50.0/24 range) to VPN using VPN Director (mopping up everything else connected to the LAN, whether wired or using WiFi, to route to VPN)
  3. WiFi guest networks for both Visitor devices (192.168.2.0/24) and IoT devices (192.168.3.0/24) to VPN automatically using YazFi/VPN Director.
Pretty much what @CaptainSTX proposed in the Fusion post you referenced. Anyway, the setup above works well for my use case.

Let me know if you need more of an explanation or have questions when you've looked at it, and I will provide more detail when I get time.
 
Hi,

I would need to read up more about VPN Director and YazFi of Merlin to better understand their function. For now I am still on stock 3.0.0.6.102_34349. And so far, surprisingly it has all the functions I need. I am still not through the learning curve of this router. After I get comfortable with the stock firmware, I would attempt the Merlin firmware. Therefore no question to you for now.

With stock firmware, besides the little details I mentioned in my previous post, I wish there were a setting that enables VPN for all clients by default, and only define a whitelist for a few. The stock firmware has the opposite, default VPN to zero clients. VPN must be enabled per client or per Wifi guest network.

In appearance both approaches look similar, especially as I have only a dozen clients. In fact the inconvenience appears when new wired clients are added, for example when I am playing around with VMs. As per Asus design, the new VMs are excluded from VPN by default, and I must remember to add them into the VPN Fusion profile to enroll them into the VPN tunnel.

Before I had the RT-AX86U Pro, I had to install the Surfshark app per client. Now thanks to the VPN Fusion of the Asus router firmware, those clients (whether wired or WiFi) automatically inherit the VPN connection set up in the router. I have uninstalled all the Surfshark apps on desktop machines, but left them active on the Android phones, so that VPN is still active when outside of home. The slight inconvenience is that when at home those phones have a "double VPN", one from the Surfshark app installed on the phone, one from the Asus Guest VPN Network. Surprisingly this works perfectly, the bandwidth reduction is barely noticeable when measured with speedtest.net.
 
I'm using the latest Merlin firmware (3004.388.8_4) on my RT-AX86U Pro and a combination of VPN Director and the YazFi guest network script

There is a good chance you'll lose YazFi on your next firmware update to 3006 base.
 
@Tech9 - The joy; although it was good while it lasted. Think I can work around it but will miss YazFi for the added flexibility it afforded :confused:.

Thanks for letting me know in advance.
 
@ibex - OK so sounds like my setup is more convoluted than you need and probably I do 😉

If I've not misread your reply, on stock firmware, could you not set a range in VPN Director for the entirety of your LAN e.g. 192.168.50.0/24 to pick up any wired or wireless devices on your LAN that you want to connect via VPN as default (including any temporary VMs) then manually configure fixed LAN IP addresses for the remaining devices to bypass VPN and connect straight to your WAN?

See this similar post for everything through VPN apart from one client to detail what I mean (thanks @JohnDoe789 / @Viktor Jaep for the hard yards)

Hope that helps.
 

Unfortunately there is no way to define a range for VPN. As of Apr 2025, stock firmware 3.0.0.6.102_34349, the Asus VPN Fusion profile allows:

1) either Apply to ALL devices
2) or you must select individually EACH wired device to opt-in VPN

#1 not OK for me b/c of work machine which needs work VPN which is not working well when it is nested within the personal Surfshark VPN. #2 is the only way for me to exclude some wired devices. But it is inconvenient b/c I must remember to add new wired devices.

Another inconvenience is that wired devices get their IP addresses via dynamic DHCP. I am not sure how the router remembers the VPN selected wired devices (like shown in screenshot below), is it by MAC address or by IP address? I have noticed that after a router reboot the wired devices are no longer on VPN. I had to disable the VPN Fusion profile, re-select devices, apply and re-enable the VPN profile.

Asus_VPN-Profile_withDevices.jpg
 
Sorry you've reached the limit of my expertise - hopefully someone else can suggest a solution. Good Luck.
 
Thanks, you actually already gave the better solution. Using Merlin's VPN Director. I will eventually flash Merlin one day.
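
The two policies compared in this thread (a LAN-wide VPN range with fixed-IP bypass entries, versus per-device opt-in), modelled as an added example that is not part of any post and is not firmware code. Addresses and function names are constructed, and bypass entries are assumed to take precedence over the range rule; the audit lists clients that leave via WAN without being on the intended bypass list.

```python
import ipaddress

ip = ipaddress.ip_address

# Constructed sample clients on the 192.168.50.0/24 LAN mentioned in the thread.
LAN = ipaddress.ip_network("192.168.50.0/24")
WORK_DESKTOP = ip("192.168.50.10")   # fixed IP, must bypass the personal VPN
NAS = ip("192.168.50.20")            # existing wired client, should be tunnelled
LAPTOP = ip("192.168.50.21")         # existing wired client, should be tunnelled
NEW_VM = ip("192.168.50.77")         # fresh DHCP lease nobody has configured yet
CLIENTS = [WORK_DESKTOP, NAS, LAPTOP, NEW_VM]
INTENDED_BYPASS = {WORK_DESKTOP}


def route_default_vpn(client, bypass_hosts, vpn_range=LAN):
    """Range model: bypass entries win, everything else in the range is tunnelled."""
    if client in bypass_hosts:
        return "WAN"
    return "VPN" if client in vpn_range else "WAN"


def route_opt_in(client, enrolled_hosts):
    """Opt-in model: only clients explicitly added to the profile are tunnelled."""
    return "VPN" if client in enrolled_hosts else "WAN"


def audit(clients, decide, intended_bypass):
    """Return clients leaving via WAN that were never meant to bypass the VPN."""
    leaks = [c for c in clients
             if decide(c) == "WAN" and c not in intended_bypass]
    return [str(c) for c in sorted(leaks)]


def range_model_gaps():
    # LAN range goes to VPN, only the work desktop is pinned to WAN.
    return audit(CLIENTS, lambda c: route_default_vpn(c, INTENDED_BYPASS),
                 INTENDED_BYPASS)


def opt_in_gaps():
    # Only the devices someone remembered to enrol are tunnelled.
    enrolled = {NAS, LAPTOP}
    return audit(CLIENTS, lambda c: route_opt_in(c, enrolled), INTENDED_BYPASS)


if __name__ == "__main__":
    print("range model, unintended WAN clients:", range_model_gaps())
    print("opt-in model, unintended WAN clients:", opt_in_gaps())
```

Under the opt-in model the un-enrolled VM is the only unintended WAN client; under the range model there are none, while the work desktop bypasses the VPN in both.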
 
