
Exclude Single Computer from VPN

Discussion in 'Asuswrt-Merlin' started by Thunderclap, Jun 26, 2019.

  1. Thunderclap

    Thunderclap Occasional Visitor

    Joined:
    Aug 31, 2017
    Messages:
    15
    I want to configure my router so all traffic on my network goes through my VPN (PIA). However, I would like a single machine to be excluded from the VPN, my Plex server, so it can be accessed remotely. Is there a way to set up the VPN to exclude a specific machine?
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,847
    Location:
    UK
    Thunderclap likes this.
  3. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    834
    Location:
    USA
    Yes, very easy with Policy Based Routing. Description and examples here.
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

    Here is how mine looks (with one IP redacted).
    Code:
    Router        192.168.1.1     0.0.0.0  WAN
    LAN           192.168.1.0/24  0.0.0.0  VPN
    Vizio         192.168.1.xx    0.0.0.0  WAN
    
     
    Thunderclap and ColinTaylor like this.
  4. Thunderclap

    Thunderclap Occasional Visitor

    Joined:
    Aug 31, 2017
    Messages:
    15
    Well I must be doing something wrong since when I enable that setting and configure it the VPN says it’s working but everything still goes through my ISP. I’ll have to play with it some more to figure out what I’m doing wrong. Thanks for the link though. It’s helpful!
     
    Butterfly Bones likes this.
  5. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    834
    Location:
    USA
    Do you have this setting, "Redirect Internet traffic" set to Policy Rules (strict)?

    That is near the bottom under the Advanced Features heading.
     
  6. Thunderclap

    Thunderclap Occasional Visitor

    Joined:
    Aug 31, 2017
    Messages:
    15
    I do, yes.
     
    Butterfly Bones likes this.
  7. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    834
    Location:
    USA
    Hmmm. Looked at my client config and nothing else pops out at me. Someone will know.
     
  8. Val D.

    Val D. Regular Contributor

    Joined:
    Jun 16, 2019
    Messages:
    80
    Location:
    Canada
    It is working properly as described above.
    I have 7 devices excluded from VPN using Policy Rules (Strict).

    - make sure each device has Manually Assigned IP in DHCP list
    - route all traffic through VPN first - 192.168.1.0/24 - 0.0.0.0 - VPN -> Add
    - exclude router for remote access - 192.168.1.1 - 0.0.0.0 - WAN -> Add
    - exclude devices you need on WAN - 192.168.1.x - 0.0.0.0 - WAN -> Add
    - click Apply at the bottom of the page to save/activate rules

    No need to reboot the router. VPN only will reconnect after you click Apply.
     
  9. Butterfly Bones

    Butterfly Bones Very Senior Member

    Joined:
    Apr 10, 2017
    Messages:
    834
    Location:
    USA
    Not meaning to correct you, just to reiterate that order does not matter; WAN rules process before VPN rules. See the last sentence of the first paragraph, in parentheses.
     
  10. Val D.

    Val D. Regular Contributor

    Joined:
    Jun 16, 2019
    Messages:
    80
    Location:
    Canada
    Correct. The sequence above is in case he wants to test after every step. All devices through VPN first, then exceptions. It’s just easier to diagnose where the error is.
     
    Butterfly Bones likes this.
  11. Thunderclap

    Thunderclap Occasional Visitor

    Joined:
    Aug 31, 2017
    Messages:
    15
    Okay, so I first tried to configure my router manually using the instructions here; however, there are a few inconsistencies in the instructions. It says to turn Create NAT on Tunnel to YES, but I have no option to do that. It also says that Extra HMAC Authorization should be DISABLED, which is also missing. Negotiable ciphers separates the two strings with a comma when it should be a colon, and it says Compression should be set to ADAPTIVE, but that isn't an option; the only thing available is LZO Adaptive.

    I've also tried downloading the OVPN file from here. It configures the settings but it still doesn't work. Here is what my settings look like:

    I thought my Pi-Hole DNS was causing the problem so I defaulted to just having the DNS empty but that didn't help, so I switched it to Google's and still nothing. I am seeing the following error under DNS Privacy Protocol: Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers.

    I'm not sure what else to try. It appears as if it's connected but for some reason when I check my IP on PIA's site it still shows my carriers assigned IP.

    Thoughts?
     
  12. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    872
    This means you have DNS servers defined on your LAN DHCP Server page, which would bypass the router for DNS. I’m not a VPN user, so not sure how that may be influencing your problem. But generally you want LAN DHCP DNS blank.
     
  13. Val D.

    Val D. Regular Contributor

    Joined:
    Jun 16, 2019
    Messages:
    80
    Location:
    Canada
    You didn't tell your clients what to do with this VPN tunnel.

    - Policy Rules (Strict)
    - Block routed clients if the tunnel goes down -> Yes
    - Rules for routing client traffic -> All Devices - 192.168.1.0/24 - 0.0.0.0 - VPN

    Now you have all devices going through VPN with Kill Switch.

    Next you can exclude specific device by IP address -> Xbox One - 192.168.1.20 - 0.0.0.0 - WAN (for example)
    If you need remote access to the router -> Router - 192.168.1.1 - 0.0.0.0 - WAN (DDNS access, for example)

    Don't forget Manually Assigned IP in LAN -> DHCP Server for devices you need to exclude.
     
    Last edited: Jun 27, 2019
    Thunderclap and Butterfly Bones like this.
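    The rule sets in Val D.'s two posts above, put into a small model of how this thread describes Policy Rules (strict) behaving. This is an added example, not Asuswrt-Merlin's own code; it assumes the thread's description (WAN rules evaluated before VPN rules regardless of entry order, the kill switch blocking routed clients when the tunnel is down, unlisted clients staying on WAN, clients falling back to WAN when the tunnel is down and the kill switch is off), and uses a constructed rule list with a hypothetical Plex host at 192.168.1.20.

```python
from ipaddress import ip_address, ip_network

# Constructed rule list mirroring the thread's examples (not a router export).
# Each rule: (description, source, destination, interface).
# "0.0.0.0" means "any", as it does in the router GUI.
RULES = [
    ("All Devices", "192.168.1.0/24", "0.0.0.0", "VPN"),
    ("Router",      "192.168.1.1",    "0.0.0.0", "WAN"),
    ("Plex",        "192.168.1.20",   "0.0.0.0", "WAN"),  # hypothetical host
]

def _matches(selector, addr):
    """Match '0.0.0.0' (any), a single host, or a CIDR against one IP."""
    if selector == "0.0.0.0":
        return True
    return ip_address(addr) in ip_network(selector, strict=False)

def route_for(src, dst, rules=RULES, tunnel_up=True, kill_switch=True):
    """Return 'WAN', 'VPN' or 'BLOCKED' for a flow under Policy Rules (strict).
    Assumption from the thread: WAN rules are evaluated before VPN rules no
    matter how they were entered, so the list is ordered by interface first."""
    ordered = sorted(rules, key=lambda r: 0 if r[3] == "WAN" else 1)
    for _name, s, d, iface in ordered:
        if _matches(s, src) and _matches(d, dst):
            if iface == "VPN" and not tunnel_up:
                # "Block routed clients if the tunnel goes down" -> Yes
                return "BLOCKED" if kill_switch else "WAN"
            return iface
    return "WAN"  # no rule matched: unlisted clients keep using the ISP

def unreserved_exceptions(rules, reserved_ips, router_ip="192.168.1.1"):
    """Host-level WAN exceptions with no DHCP reservation. Without a Manually
    Assigned IP the host can get a different lease and silently fall back
    under the /24 VPN rule; the router's own address needs no reservation."""
    missing = []
    for name, s, _d, iface in rules:
        if iface != "WAN" or "/" in s or s in ("0.0.0.0", router_ip):
            continue
        if s not in reserved_ips:
            missing.append(name)
    return missing

if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.1.20", "192.168.1.1"):
        print(host, "->", route_for(host, "8.8.8.8"))
    print("unreserved:", unreserved_exceptions(RULES, set()))
```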
  14. Thunderclap

    Thunderclap Occasional Visitor

    Joined:
    Aug 31, 2017
    Messages:
    15
    Ah! That was the missing piece. It's working now, thanks so much!
     
  15. doczenith1

    doczenith1 Very Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    552
    Location:
    MI
    I'm also using PIA. I gained a little speed by using the newer GCM cipher. My settings are:

     
    Thunderclap and L&LD like this.