1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Merlin 384.15 and VPN Client issues (Fixed)

Discussion in 'Asuswrt-Merlin' started by Chewie420, Feb 20, 2020.

  1. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Hey it's me again, The new guy that is lost lol. Sorry for the long post but I wanted to give as much info as I could. I had a lot of help on my last post trying to get Skynet and Diversion installed so I thought I would try this as well.

    So this issue is driving me crazy but I am not a networking guy so it is very possible I have mis-configured something in my setup. I am so close to having everything the way I want.

    I will let you know everything I have done because I'm not sure where to start and what info is relevant to helping ... so here it goes.

    Got a new Asus RT-AX88U router. Love it, but have so many IoT and other devices I knew it would be a pain to setup the way I wanted.

    I have my hard wired devices then I have my 5 GHz and 2.4 GHz Wireless networks along with 2 isolated Guest WiFi for my IoT devices.Had the Asus firmware settings configured and seem to be working great.

    Had some issues with VPN client set on router so I was told to try out Merlin (https://www.asuswrt-merlin.net/) so I installed 385.14 then then a day later .15 came out fix my WPA3 issue, what luck. After reading about Merling it did that open the door to some cool stuff. I stumbled on amtm (https://diversion.ch/amtm.html) and fumbled around and got Skynet and Diversion. Pretty much using default settings but as far as I can tell no issues with those.

    I also have DDNS service running on my router with no-ip.org, I am using the DoH settings in Merlin set to Quad9 DNS servers (9.9.9.9 & 149.112.112.112) and I also have and OpenVPN server running on my raspberry pi hardwired on my network with port forwarding to it.

    Everything is working the way I want, I am getting no DNS leaks (https://www.dnsleaktest.com/results.html), my phone is able to use the OpenVPN client I setup to connect back and access network resources and all my devices connected to LAN, WiFi or Guest WiFi is getting ads blocked (https://ads-blocker.com/testing/#ad-blocker-test-steps). Guest WiFi is slow for blocking ads and I am guessing it can't access the cert server I set up because I have isolated guest networks from talking to others. Anyway i am ok with that for now.

    Everything works until I use my VPN client on the router to connect to my provider. I get connected and when using whatismyip.com it shows the VPN IP but I not longer can use my OpenVPN on my phone to remote into my network and I get a red light on the WAN of my router that is go on and off even though I still appear to be online. When the red light is on the router the WAN icon in Merlin is greyed out as well but when I hover over it it says connected with the IP of my VPN provider's server.

    Is this where I am going wrong, I thought I had it working before but could be wrong. With DDNS activated is it ok for me to be connected to my VPN service on my router and also connect back home using VPN on my Pi? I could be wrong and it might not even be possible the way I am doing it.

    I have been playing with this router since I got it two weeks ago and just want things to work now lol All I really want to do is be able to have my router always connected to VPN Client and be able to VPN back in to my network when I am not home so I can access my local resources.

    Everything else is worked great, DHCP IP ranges setup the way I want with isolated guest networks, DoH, Network wide ad-block, I am soooo close to having it the way I was hoping.

    I really have learned a lot but I am at the point where I don't know what to do. The VPN service seems to be working fine other than not allowing me to VPN back in and the fact that red light comes on and goes back to white randomly and everything else works the way I want if I don't turn on the VPN client on router.

    I know this is a very specific setup just thought this would be the place to ask. Any suggestions I will gladly try.
     
    Last edited: Feb 20, 2020
  2. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    If you read my last post a lot of info is repeated. Sorry again for the novel but I didn't want to leave anything out.
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,053
    Location:
    UK
    So I'm presuming that you have configured the router's VPN client to send ALL traffic through the VPN.

    So when the phone connects to the VPN server on the Pi the return traffic is being routed through the router's VPN client.... which of course is completely the wrong interface so it never gets back to the phone.
     
  4. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Ok so if I want to be able to access my router remotely without turning on WAN access is there a way to do it while I am connected to VPN provider?

    Sorry for my lack of understanding, I thought if I had DDNS running that I could still do it the way I tried.

    And why do I get the red light on router WAN and this https://imgur.com/a/rRAdk76 when connected to VPN
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,053
    Location:
    UK
    DDNS has nothing to do with it really. DDNS is just a service that associates your router's public IP address with a name.

    Routing an incoming private VPN connection through a public VPN service (like NordVPN) is usually undesirable and often not even possible (if it is possible it's usually at an extra cost).

    So the simplest solution is to use VPN policy rules to exclude the target server (Pi) from the router's VPN client. If you wanted to only exclude the incoming VPN connection and have everything else on the Pi still going through the router's VPN client then you'd have to use some scripts. See "Example 2" in the link below.

    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method)
     
  6. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Actually I changed the setting Accept DNS Configuration to Exclusive from Relaxed and the red light has not come one and I am connected to VPN client.
     
  7. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Hey thanks for the info and I am ok with all Pi traffic being excluded from VPN I just am not sure how to do that and I like that it is the simplest option as well.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,053
    Location:
    UK
  9. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    You sir are awesome!! Thanks it is working. I can't use the Asus App but I can get to it using a browser while on LTE on my phone. Wow. Everything is working!! Thank you so much.

    Last question. So you are telling me that this config is not a good idea?
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,053
    Location:
    UK
    Tunnelling one VPN inside another one is not going to be very efficient. Also, by going via a public VPN provider's exit node the path to your home router will be much longer than if you connected to it directly.
     
  11. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Colin sorry I have one more question. I do need to set a policy rule for every device on my network to use the VPN or WAN? Even with my VPN on it seems to default to WAN and I was hoping I would only need to tell my Pi to be WAN and the rest would default to VPN if on.

    I have Policies Rules (strict) on not sure if that is what I should be doing.
     
    Last edited: Feb 21, 2020
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    11,053
    Location:
    UK
    This is explained in the wiki. Read it all carefully and study the examples at the bottom of the page. Particularly note that when using policy rules:
     
  13. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
  14. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22
    Hi Colin I really hate to keep bugging you but I just can't get Diversion to work while connected to my VPN Client. Everything else is working the way I want. I thought it was working yesterday but when testing today I am not getting ads blocked while connected.

    I have read the wiki and added the following Rules for routing client traffic through the tunnel.

    Force Internet traffic through tunnel Option was set to Policy Rules (Strict)

    I added my router (192.168.2.1) to WAN, I read somewhere but can't find it now that if you have ad block issues that should be the first thing you try.

    I have also set my Raspberry (192.268.1.109) Pi to WAN so I can still use OpenVPN on it remotely. That works as well. I love it.

    All other IPs on in my policy have been set to use VPN (192.168.1.0/24).

    Does it matter the order I add them in and do I need to add my pixelserv-tls IP (192.168.1.5) to WAN, I tried it but didn't get any results but didn't reboot router after trying. I just don't get what I did wrong.
     
  15. Salles

    Salles Regular Contributor

    Joined:
    Apr 30, 2019
    Messages:
    94
    Your setup is bypassing DNSMASQ.
    Under VPN client, set Accept DNS Configuration to disabled.
    Read about it here.
    https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
     
    Last edited: Feb 23, 2020
  16. Salles

    Salles Regular Contributor

    Joined:
    Apr 30, 2019
    Messages:
    94
    It is possible to tunnel your Open VPN server through your Open VPN client.
    Read up on it here if you would like to set it up.
    https://www.snbforums.com/threads/openvpn-server-and-client-question.38378/page-3
     
  17. Chewie420

    Chewie420 Occasional Visitor

    Joined:
    Feb 16, 2020
    Messages:
    22