Feature Request for OpenVPN Client - selected IP tunneling

Sky1111

Senior Member
Merlin, is it possible to ask you to add a feature to Merlin firmware?

Feature Description: add a device/MAC address/IP address selector to OpenVPN client so it is possible to configure which clients go thru VPN and which ones are directly connected. Astrill has implemented such a feature in their app (albeit buggy): http://blog.astrill.com/wp-content/uploads/2012/07/astrill-router-applet-v2.jpg

Why this is needed: Running VPN on the router inevitably adds latency, and often a performance drop. While it may be acceptable for some devices on the network, not all devices have to go thru VPN and hence can experience unrestricted speeds.
Example: Netflix client (SmartTV) traffic to go thru VPN, while online gaming PC uses a direct connection to minimize lag.

The other reason is a possible router CPU load reduction (as less traffic goes thru the VPN)

Device Selector: I suggest the device selector to use MAC address or device name (vs. IP address). The reason is very simple - internal IP addresses may or may not be static, but routing thru VPN should always follow the device.

Million thanks in advance!
 
Not a priority at this time, but I wouldn't rule it out entirely for the future. Will depend on how doable that is in practice.
 
Totally understand how this would not be a priority as it's a feature not many would use, however for VPN users it would be great when time allows for you!

PS. I used this great http://strongvpn.com/forum/viewtopic.php?id=968 reference to implement this on my network setup last year before upgrading my routers, but I believe the foundation has been implemented in regards to OPENVPN and maybe it will be of assistance if you ever decide on implementation :)
 
This is one of the reasons I went with Astrill, seamless configuration. I agree though that it should not be a big deal for someone Linux savvy to write a similar plugin. I guess someone could just write a plugin which RMerlin would incorporate into his firmware.
 
One of the big hurdles is developing the webui. Doing any webui development is quite time-consuming within the current "framework".
 
One of the big hurdles is developing the webui. Doing any webui development is quite time-consuming within the current "framework".

I am in for donation, this feature would be a godsend
 
Definitely I am in too.

The main concern with custom scripts people are using for this purpose is that (supposedly) they know what they are doing and I am not so sure; VPN serves security/privacy purposes and if it is not done right, you are exposed to bad people :(
 
It's not about the money. It's about time and efforts involved. This project is a hobby and a one-man show at this point, so I have to work based on priorities.
 
Merlin - we understand that and we greatly appreciate everything you do - and I mean it. You still have a job, and you still have a life, etc. - and you are spending so much time helping people whom you do not even know... that is amazing!

Do you mind sharing what your priorities/plans (for ASUS-WRT) are?
 
Priorities are stability > performance > features.

I'm VERY picky about any new features.

- They have to be maintained afterward - code changes from Asus might conflict with my own, introducing new bugs, so I try to keep changes at a minimum
- 100% backward compatibility with the Asus firmware. You must be able to switch back and forth between both without having to erase nvram.
- It's more about tweaking than about rewriting.
- There are plenty of features available through DD-WRT and Tomato. There is no point in me trying to redo the same thing these two other projects already offer by adding tons of features that the majority of users don't use. So, I simply offer an enhanced Asuswrt experience.
- I don't care about business/professional use. The home user is my primary target.
- I must always be able to merge new Asus code in with as little headaches as possible. I'm not forking from them, I'm (once again) enhancing on top of theirs.
 
I will give you $1 Million Dollars :D

( ..indecent proposal ) hahaha

I got it working but a GUI feature with IP options, man that would be so sweet

Really appreciate all the hard work, once whenever you have spare time
 
I think we should focus on issues that can be solved with scripts. For example WAN NAT loopback when openvpn client is active
 
NAT loopback in my firmware is tagged with 0xd001. You could in theory use the same trick to route such marked traffic through the regular WAN interface.
 
Would it be possible to add this behaviour by default? I would be happy to test it.

Thanks!

That would require overhauling routing. I might eventually take a look at it, but it's not at the top of my current list of priorities as it will require a lot of testing.
 
Count me in the crowd who'd like to see per-IP or per-MAC VPN tunneling happen. This would be an extremely useful feature -- it's important for me that none of my traffic is tunneled through the VPN other than one specific machine on my network, for which all traffic must be tunneled.
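
The per-MAC selection requested in this thread and the firewall-mark trick mentioned for 0xd001 both come down to Linux policy routing. The following is an added example, not code from the thread or from Asuswrt-Merlin; it also includes a fail-closed rule for the leak concern raised above. Assumptions: interface names br0/eth0/tun11, routing table 111, mark bit 0x10000, an iptables and ip build that accept value/mask marks, and an OpenVPN client set up with `route-nopull` so it does not replace the default route.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: br0 = LAN bridge, eth0 = WAN,
# tun11 = OpenVPN client interface; table 111 and the mark bit are arbitrary.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun11}
VPN_TABLE=${VPN_TABLE:-111}
# A single bit outside 0xd001, so the NAT-loopback mark is left untouched.
VPN_MARK=${VPN_MARK:-0x10000/0x10000}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only aa:bb:cc:dd:ee:ff so nothing unexpected reaches iptables.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# vpn_policy MAC... : send only the listed devices through the VPN.
vpn_policy() {
    # Validate everything first so a bad entry never leaves half a rule set.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # Marked traffic consults its own table, whose only route is the tunnel.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" priority 1000
    # Fail closed: if the tunnel drops, its route vanishes and lookups fall
    # back to the main table; reject marked traffic headed for the WAN.
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m mark --mark "$VPN_MARK" -j REJECT
    # Mark by MAC so the policy follows the device, not its DHCP lease.
    for mac in "$@"; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
            -m mac --mac-source "$mac" -j MARK --set-mark "$VPN_MARK"
    done
}

if [ "$#" -gt 0 ]; then vpn_policy "$@"; fi
```

With `DRY_RUN=1` (the default) the script only prints the commands, which makes it easy to review the rule set before applying it on a router.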
 
