Exclude client from VPN, except for particular IP address

Discussion in 'Asuswrt-Merlin' started by hursey013, Jan 13, 2018.

  1. hursey013

    hursey013 Occasional Visitor

    Joined:
    May 12, 2017
    Messages:
    10
    I would like to have all of my traffic routed through OpenVPN except one client - that part is working fine. On that excluded client I would also like to route a particular IP through the VPN, which I am having trouble getting working correctly. Here's what my policy rules look like:

    Code:
    All 192.168.1.0/24 0.0.0.0 VPN
    Router 192.168.1.1 0.0.0.0 WAN
    Excluded-device 192.168.1.201 0.0.0.0 WAN
    Excluded-device-bypass 192.168.1.201 xxx.xxx.xxx.xxx VPN
    Should this work? If not, is there a better approach to accomplish this? Right now the bypass rule is still being sent through WAN, I suspect since the WAN rules are taking priority over VPN rules?
     
  3. hursey013

    hursey013 Occasional Visitor

    Joined:
    May 12, 2017
    Messages:
    10
    Any ideas on this?
     
  4. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    5,188
    Location:
    United States
    Can't do it easily the way policy routing works.....WAN rules always take precedence over VPN rules.
    Only way to do it in the gui is to specify each client address you want to use the VPN separately, then for your special case also specify/include the single address that you want to use the VPN in the line.

    EDIT: Or restrict the addresses you want to use the VPN, so you can use a smaller subnet instead of the 192.168.1.0/24 for the global VPN rule with your special case outside of that subnet.
     
    Last edited: Jan 19, 2018
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,530
    Location:
    UK
    You will need to manually add a rule in the openvpn-event script,
    e.g. for VPN Client 1:

    vpnclient1-route-up
    Code:
    ip rule del prio 9999
    ip rule add from 192.168.1.201 to xxx.xxx.xxx.xxx table ovpnc1 prio 9999
    
    ip route flush cache
    EDIT: Added 'ip route flush cache' command to be complete for 'best-practice'
     
    Last edited: Jan 21, 2018
    hursey013 likes this.
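    As an added example (not Martineau's script and not part of this thread): an idempotent `vpnclient1-route-up` written in POSIX sh that installs the same rule. The table name `ovpnc1`, the priority 9999 and the client address 192.168.1.201 come from the thread; the destination 203.0.113.10, the `APPLY` switch and all function names are my own assumptions and constructed placeholders. It validates both addresses, deletes only a rule matching the full spec rather than whatever happens to sit at prio 9999, and by default prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the thread's own script: idempotent vpnclient1-route-up
# for Asuswrt-Merlin. Table "ovpnc1", prio 9999 and the client address are
# from the thread; DEST_IP is a constructed placeholder (TEST-NET-3).

CLIENT_IP="${CLIENT_IP:-192.168.1.201}"
DEST_IP="${DEST_IP:-203.0.113.10}"   # constructed placeholder, not a real target
TABLE="${TABLE:-ovpnc1}"
PRIO="${PRIO:-9999}"                 # lower number = evaluated first

# Return 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the three commands for client $1, destination $2, table $3, prio $4.
# Printing rather than executing lets the result be inspected without root.
build_commands() {
    client="$1"; dest="$2"; table="$3"; prio="$4"
    is_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
    is_ipv4 "$dest"   || { echo "bad destination address: $dest" >&2; return 1; }
    # Delete only a rule with exactly this spec, so re-running the event
    # script never stacks duplicates and never removes an unrelated rule
    # that happens to use the same priority.
    printf 'ip rule del from %s to %s table %s prio %s 2>/dev/null\n' \
        "$client" "$dest" "$table" "$prio"
    printf 'ip rule add from %s to %s table %s prio %s\n' \
        "$client" "$dest" "$table" "$prio"
    # Kernel route cache must be flushed for the new rule to take effect.
    printf 'ip route flush cache\n'
}

# Apply only when explicitly asked (APPLY=1); otherwise show what would run.
if [ "${APPLY:-0}" = "1" ]; then
    build_commands "$CLIENT_IP" "$DEST_IP" "$TABLE" "$PRIO" | sh -e
else
    build_commands "$CLIENT_IP" "$DEST_IP" "$TABLE" "$PRIO"
fi
```

    Run it on the router as `APPLY=1 DEST_IP=<real address> sh vpnclient1-route-up`; afterwards `ip rule show` should list the rule at 9999, ahead of the policy-routing rules the GUI installs, which is why it wins over the WAN rule for that client.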
  6. hursey013

    hursey013 Occasional Visitor

    Joined:
    May 12, 2017
    Messages:
    10
    Wow, this worked like a charm, thank you! I came across some of your guidance here as well, which was also very helpful: https://www.snbforums.com/threads/selective-routing-netflix-amazon-etc.36608/#post-346532 - sorry I missed that on my initial searches.
     