Excluding specific clients from VPN


Thanks for the write-up on this. I suppose I fall into the 1% of this as well since I prefer all devices to go through the VPN tunnel unless otherwise specified.

Using your recommended settings, I was not successful though. I'm using the AC68U_380.65_4 firmware. Looking through the system log, I can see where the routes were applied without error. However, checking my IP on PIA's website shows that I am not accessing it through their VPN. Any suggestions?

EDIT:
After reading a previous post from @paulbates , it appears that after updating the route, the VPN service needs to be cycled for it to take effect. Doing so, I confirmed that this does selectively use WAN for those devices specified and VPN for all others.

:)
 
Well the clue is in the name 'Selective routing' and also in the GUI ;)
'Rules for routing client traffic through the tunnel (Max Limit : 100)'
So if the table is empty then everything by default is routed via the WAN as is the case expected by 99% of users.
e.g. Everything will use the WAN except the Roku
Code:
Roku         192.168.1.xxx    0.0.0.0   VPN

P.S. for the 1% of users that want the meaning of the table entries to be reversed, i.e. everything goes via the VPN, except for those entries in the table that explicitly have a target WAN destination, they will also need an explicit VPN rule for the LAN otherwise the table is not reversed! :eek:

e.g. Everything will use the VPN except the Roku
Code:
Everything   192.168.1.0/24   0.0.0.0   VPN
Roku         192.168.1.xxx    0.0.0.0   WAN
What a great post. Finally got my VPN exemptions working.
/Russell
 
Some great guides here, I now have my VPN working with all my desired devices. :D

Only problem I seem to have is that I can't get transmission, which is running on an ac3200 with Merlin 384.3 through entware, to route through the VPN.

If I set the policy rules to "All" it goes through the VPN but if I use:

Code:
Everything   192.168.1.0/24   0.0.0.0   VPN

then everything except transmission seems to get routed through the VPN :eek:

I would rather just get transmission and one other device to route through the VPN. With the other device it's no problem since I can just route its IP through the VPN, but I can't work out how to get transmission to route through the VPN.

Any help would be greatly appreciated
 

Try the IP address alias technique to force transmission to use VPN
 
Hi.

I configured the NordVPN OpenVPN client on my AC86U (Merlin 384.15) and it works just fine. However, since Netflix does not work on my Fire TV with VPN, I somehow have to exclude it from connecting to the VPN.

My settings are as shown on screenshots in pasted links!


However, when I try to exclude the Fire TV's IP, the VPN does not work anymore as it should; ipleak.net shows my ISP IP ("Force Internet traffic through tunnel" setting).

Is my configuration ok? The router's IP is 192.168.2.1, the DHCP server is set from 192.168.2.10 to 192.168.2.240, and the Fire TV's IP is 192.168.2.10 (reserved in the DHCP server). According to this site I calculated my IPv4 range for all clients from 192.168.2.11 to 2.240...


Hopefully it makes sense, what I wrote... :D


Thanks for your help!


VPN working

Policy rules (IP leak!)
 
With Policy rules, a LAN device or CIDR range that is NOT defined in the GUI will be routed via the WAN by default.

i.e. there is no need to explicitly define the FireTV (192.168.2.10) via the WAN

However, if you wish to force all LAN devices in the range 192.168.2.11-192.168.2.240 (inclusive) via the VPN, then you need 9 rules
Code:
192.168.2.11/32
192.168.2.12/30
192.168.2.16/28
192.168.2.32/27
192.168.2.64/26
192.168.2.128/26
192.168.2.192/27
192.168.2.224/28
192.168.2.240/32
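As an added example that is not part of the thread: computing that minimal CIDR cover for a DHCP range with Python's standard ipaddress module, rendering one policy-table row per block in the Description / Source / Destination / Iface layout used above, and checking that the excluded address (the Fire TV at 192.168.2.10) falls outside every block. The row labels and column layout are constructed for illustration.

```python
import ipaddress


def cidr_cover(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    summarize_address_range() is the standard-library routine that does the
    split; for 192.168.2.11-192.168.2.240 it yields the nine blocks above.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def policy_rules(first, last, target="VPN", label="LAN"):
    """Render one policy-routing row per block (constructed layout mirroring
    the GUI table: description, source, destination, interface)."""
    rows = []
    for i, cidr in enumerate(cidr_cover(first, last), start=1):
        rows.append(f"{label}_{i:<5} {cidr:<18} 0.0.0.0   {target}")
    return rows


def covered(first, last, host):
    """True if host lies inside any block of the cover, i.e. one of the
    generated rules would match it. Used to confirm an exclusion really
    falls through to the WAN default."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(c) for c in cidr_cover(first, last))


if __name__ == "__main__":
    rng = ("192.168.2.11", "192.168.2.240")
    for row in policy_rules(*rng):
        print(row)
    # The Fire TV (.10) must not be covered, the range ends (.11, .240) must be.
    for host in ("192.168.2.10", "192.168.2.11", "192.168.2.240"):
        print(host, "covered:", covered(*rng, host))
```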
 
You can create a rule bypassing the VPN for NF traffic using the x3mRouting shell script method.
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
 
Sorry, does not work. As soon as I turn on Policy Rules (Strict), my IP changes to ISP IP, it is not from VPN anymore...
 
Do you have the router defined to use the VPN? This is a common configuration where you want your entire LAN to go through the VPN, but not the router itself.
Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN
 
Ok, that... THAT actually worked. I set both parameters from above (mine is 192.168.2.x...) and the VPN stayed connected; dnsleak AND ipleak show the VPN DNS and IP. I also included a third parameter (reserved an IP in LAN settings for my Fire TV and then in the VPN client added its IP for WAN;
Fire_TV-----------------192.168.2.11-----------------WAN)

Now all clients are connected to the VPN, only the Fire TV is not, because of Netflix. I tried installing x3mRouting (I installed all options just in case :D) and ran this command in PuTTY:


sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net


Netflix still did not work on my Fire TV...
 
I have NordVPN. What I did was set up another client instance for the Firestick, but I have DNS Configuration set to Disabled so it uses Unbound.

No issues streaming here, with whatever server config.ovpn
 
NordVPN requires you use the DNS provided by the VPN tunnel to circumvent NF VPN blocks. Set Accept DNS Configuration = Exclusive. But when combined with Policy Rules enabled, dnsmasq is bypassed. You should use the ASN method for Netflix instead.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 2 NETFLIX AS2906

There may be a compromise solution depending on your use case.

Set up OpenVPN Client 1 with Policy Rules + Accept DNS Configuration = Exclusive. Diversion ad blocker won't work on this interface as dnsmasq is being bypassed.

Similarly, set up OpenVPN Client 2 with Policy Rules + Accept DNS Configuration = Disabled. It will default to the DNS specified on the WAN page. You can set up DoT to encrypt DNS. Cloudflare and Quad9 are both good choices. Diversion ad blocker and the DNSMASQ method of x3mRouting will work with this setup. Repeat this step if you have other servers you want to connect to.

Now, assign the route for each LAN client to OpenVPN Client 1 or 2, etc. You can use the Policy Routing section of the GUI or use Method 1 of x3mRouting.

At this point, you have two options.

You can assign your streaming devices to client 1 or 2. If you do this, you will need to use the x3mRouting scripts to create the IPSET lists for Netflix, Amazon, Hulu, etc. and assign the interface to OpenVPN Client 1.

Alternatively, you could just assign your Streaming devices to use OpenVPN Client 1 and you shouldn't have to use the x3mRouting scripts.
 


o_O

Wow, did not know I can do that...


Ok, still, few things are not clear:

1.) If I create Client 2 in VPN are both of them working simultaneously? This means I use 2 clients from my NordVPN account?


2.) So if I understand correctly:

OVPN Client 1 (for Smart TV or Fire TV with Netflix): ------------------------------------- Policy Rules (Strict) + Accept DNS Configuration = Exclusive. Both DNS configured in WAN page with NordVPN DNSs. Install x3mRouting, execute command "
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 2 NETFLIX AS2906"

Reserved IPs in Policy Rules for Smart TV and Fire TV, connection over WAN.



OVPN Client 2 (all other clients protected with VPN): ------------------------------------- Policy Rules (Strict) + Accept DNS Configuration = Strict, where do I configure and enter Cloudflare DNSs?! VPN Policy Rules -> LAN_IPs___________192.168.2.0/24___________VPN



Sorry, but I'm really new at this...
 
1) Yes. I have four VPN tunnels running concurrently. Just use a different port number for each client. The VPN Client 1 setup will use the DNS provided by NordVPN. List your streaming device to use this client. The following will route Netflix to the VPN Client 1 interface:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
Enter a 0 instead of a 1 to route to the WAN interface.
2) You can then assign the other LAN clients to use VPN Client 2 with Accept DNS Config = Disabled or Exclusive. This will allow you to use the Diversion ad blocker over the VPN connection since dnsmasq is not being bypassed.
 
