how does vpn/client exclusive work?

128bit

Regular Contributor
i'm on my 2nd go round using the internal vpn client to deploy that service to specific clients on my lan (intranet), i have one hold out! granted, it was a bit problematic before i invoked vpn but now it's persistent. i use nord and on the 2nd try (2 resets and 4 reconfigures) i've got it working for every client (g/n/ac/ax) except one (ac/n) device. it may be the device, a poor signal, or something else but it did work fine until the reconfigure. it requires my iphone to configure and at times, there may be a weak signal but it always connected eventually. as i troubleshoot this ad nauseum, i have a couple questions:
  1. when using director with exclusive, how do unlisted devices work? are they vpn'd or not??
  2. when using exclusive, "wan" appears to be a non-vpn option. does "wan" work like any configuration prior to enabling the vpn client?
i'm using the udp nord configuration as depicted online with their latest "smart" dns ip's and all is well for all ax/ac/n/g clients that are vpn'd. this iot device (rachio sprinkler) is purposely not listed in the directory. i will keep testing but it's killing me. and yes, it's troubling on either band.

thanks, folks.
 
Last edited:

eibgrad

Part of the Furniture
When discussing how Exclusive works, we have to consider two possible configurations; with and without the VPN Director.

Also, understand that Exclusive is only relevant to how DNS is handled and NOT whether a given WLAN/LAN device is bound to the VPN in general. The latter is solely a function of whether you specify "Yes (all)" or "VPN Director" (and include those devices in the rules) for the routing policy.

If the VPN routing policy is configured as "Yes (all)", then DNSMasq is reconfigured to *only* use the push'd DNS server(s) from the VPN provider, NOT those defined on the WAN (which would normally be the case w/o the VPN active). In this way, ALL LAN/WLAN clients are routed over the VPN, ALL use the VPN provider's DNS server(s), and ALL have access to DNSMasq's features (local name resolution, caching, ad blocking, etc.).

In contrast, if the VPN routing policy is configured as "VPN Director", then DNSMasq is left exactly as configured before the VPN was active. The only LAN/WLAN devices that use the VPN are those defined in the VPN Director rules. And those same devices have their DNS bound to *one* (and only one) of the DNS server(s) push'd by the VPN provider using a redirect on the firewall. This is why those same devices lose access to DNSMasq! It also means they have no backup DNS server available to them. If that DNS server fails for any reason, they lose access to DNS. All those devices NOT bound to the VPN by the VPN Director continue functioning normally, using the WAN for all their traffic, and DNSMasq for their DNS.

Also, be aware the router itself only ever participates in the VPN (and uses its DNS servers) when NOT using the VPN Director. IOW, the VPN Director necessarily removes the router itself from the VPN. That *might* be an issue for some ppl. But if your only concern is the WLAN/LAN clients behind it, then obviously it's inconsequential.

This is why Exclusive is the only option that guarantees no DNS leaks. But when using the VPN Director, there may be undesirable side-effects you need to be aware of.
 

Kal1975

Regular Contributor
And, just to be clear, if you are using the VPN Director, if there is no rule specified, a device goes through the WAN and not the VPN. When using the VPN Director, just by starting a VPN client doesn't mean that any devices are going through a VPN client.

You have to create a rule for the VPN active client for each device that you want to go through that active VPN client. That binds the device the the VPN. If you stop one client and then activate another VPN client, it will only be bound to the devices specified for the device and client in the rule. When you go to web page for one of the five VPN clients available, the active rules that apply to that client are displayed near the bottom of the page.

If you only have a few clients that you want to go through the VPN, then you only have to create rules for those clients.

If you want all of your clients, except a few, to go through the VPN, you can specify a general rule to specify all devices go through the VPN and then create specific rules for those that you want to go through the WAN.

Using one of the two methods will minimize the rules you need to create.
 

128bit

Regular Contributor
wow! great responses, guys. certainly cleared up a lot for me. well done. i do have rules for a select subset of devices on my lan. your comments reinforce observed behavior but now i'm sure.

that pretty much confirms my "personal problem" with the sprinkler is not with the director as it was never defined by a rule. will go kick it again for the humpteenth time later today. i should have its mac, and perhaps a log will provide some more info.
 

128bit

Regular Contributor
wow! great responses, guys. certainly cleared up a lot for me. well done. i do have rules for a select subset of devices on my lan. your comments reinforce observed behavior but now i'm sure.

that pretty much confirms my "personal problem" with the sprinkler is not with the director as it was never defined by a rule. will go kick it again for the humpteenth time later today. i should have its mac, and perhaps a log will provide some more info.
<SOLVED> :oops: and very embarrassing

as one who works on his own vehicles, there's an old adage i've come to embrace when bringing your vehicle to a mechanic. "they tighten-up the loose stuff, and loosen-up the tight stuff." well, that's exactly what i did here!

in trying everything including the basics to resolve this one client issue, i had to step back and reassess. this go round i completely followed the vendor's directions and put the cell into airplane mode. made a huge difference when trying to gauge signal strength. y'all see where this is going, right?
shockingly, i had a very weak signal. so weird since it's been working better than the old ac-86u. lo and behold (dating myself), i noticed all 3 antennae were a bit loose (like that old adage). in adjusting the antennae over the last several days to see some change, i inadvertently loosened them up. folks, i'm talking several turns for each one!! bottom line, it made a connectable difference and all's well at the home front again. signal is marginal, but this thing doesn't transmit a lot of data. remarkably, the 5g radio worked best.

thanks again.
 

128bit

Regular Contributor
last post, if anyone cares. had to put that errant sprinkler device on another router that was closer (not mesh) as the router signal degraded. since then, everything's stable.

fwiw, the ax86u was more solid with its connection than the ac86u it replaced which made the purchase "worth it;" but after adding vpn support, including director, transmission power clearly decreased. again, this is a fringe device on an outside wall but we had some untapped redundancy with the cable modem.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top