Multiple OpenVPN clients on RT-AC86U running Asuswrt-Merlin

[Ro berto]

Hello all,

I'm trying to set up an OpenVPN client for my TV to connect to an US NordVPN server and a second OpenVPN client for my laptop to connect to a german NordVPN server.

I read about policy rules and some practices but I still have problems, for example:

Eventhough my laptop is not specified in the Policy rules of the US OpenVPN client, it is connecting to the US NordVPN server instead of the german NordVPN server

Someone has a guide to help me out?

Thanks

Ro berto

 

[Seamaster]

Hello all,

I'm trying to set up an OpenVPN client for my TV to connect to an US NordVPN server and a second OpenVPN client for my laptop to connect to a german NordVPN server.

I read about policy rules and some practices but I still have problems, for example:

Eventhough my laptop is not specified in the Policy rules, it is connecting to the US NordVPN server instead of the german NordVPN server

Someone has a guide to help me out?

Thanks

Ro berto

Hi,
Try NordVPNs guide, https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/
In the end of the guide you put in your laptop ip instead of 192.168.1.0/24, in the openvpn client of German nordvpn server.

I hope it helps,

 

[CaptainSTX]

If both the VPN clients are trying to use the same port it isn't going to work.

What you need to find out from NordVPN are what other port and option settings are available. Also be aware that certain open VPN settings required for using certain ports are not available using the GUI in Merlin. PIA can be run on eleven ports but the settings for only four or five are supported using Merlin, but this is still better than Astrill which only supports one port.

 

[Ro berto]

If both the VPN clients are trying to use the same port it isn't going to work.

What you need to find out from NordVPN are what other port and option settings are available. Also be aware that certain open VPN settings required for using certain ports are not available using the GUI in Merlin. PIA can be run on eleven ports but the settings for only four or five are supported using Merlin, but this is still better than Astrill which only supports one port.

Oh I see, it makes sense.
Both OpenVPN clients are using UDP protocol with port 1194.

According to NordVPN OpenVPN files, they offer UDP protocol with port 1194 and TCP protocol (slower but more stable) with port 443, maybe I can set up the client for the TV with TCP/443 and the other client with UDP/1194.

Thanks for your insight CaptainSTX.

 

[Ro berto]

Hi,
Try NordVPNs guide, https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/
In the end of the guide you put in your laptop ip instead of 192.168.1.0/24, in the openvpn client of German nordvpn server.

I hope it helps,

Thanks, I tried that but it wasn't working.

 

[CaptainSTX]

Oh I see, it makes sense.
Both OpenVPN clients are using UDP protocol with port 1194.

According to NordVPN OpenVPN files, they offer UDP protocol with port 1194 and TCP protocol (slower but more stable) with port 443, maybe I can set up the client for the TV with TCP/443 and the other client with UDP/1194.

Thanks for your insight CaptainSTX.

If that doesn't work you can try a different VPN provider as most of them use different Ports. For example PIA's go to port is 1198 and Astrill uses 8292.

 

[RMerlin]

The client port doesn't matter. What matters are the network subnets used by the server - they must not overlap.

 

[Ro berto]

The client port doesn't matter. What matters are the network subnets used by the server - they must not overlap.

Oh, so if NordVPN uses the same subnet for their different servers, there is nothing I can do?

Sorry if I didn't get it right, just started to gather information for VPNs

 

[RMerlin]

Oh, so if NordVPN uses the same subnet for their different servers, there is nothing I can do?

That's correct. It may or it may not work depending on the exact topology, but general rule is if it's the same subnet, expect it to not work.

 

[Ro berto]

That's correct. It may or it may not work depending on the exact topology, but general rule is if it's the same subnet, expect it to not work.

Is there a way to see what subnet is NordVPN using for their servers?

for example, the US server has IP 209.58.144.227 and the DE server has IP 185.232.23.45.
From the information I read ( ), the subnet can be read from the IP and is usually the third octet and 144 is different from 244 (I double checked it with my wife )

Ro berto

 

[RMerlin]

Is there a way to see what subnet is NordVPN using for their servers?

for example, the US server has IP 209.58.144.227 and the DE server has IP 84.16.244.42.
From the information I read ( ), the subnet can be read from the IP and is usually the third octet and 144 is different from 244 (I double checked it with my wife )

Ro berto

Check what IPs are returned by the tunnel (both private and public). The server IPs itself doesn't have any impact, what matters is what's used by the tunnel itself.

 

[Seamaster]

Hmm tried the TCP/443 and the UDP/1194 and still doesn't work, now my Laptop will not connect to the German server.

Both clients have "Policy rules" (not the strict one), here is the syslog in case you can see the problem.

Please try "Accept DNS Configuration to Exclusive" on both clients. Check what you have one client to TCP and the other client to UDP and that you are connected. And also that you add local IP address of your laptop and Iface to VPN in rules for routing under VPN Client.

 

[Ro berto]

Check what IPs are returned by the tunnel (both private and public). The server IPs itself doesn't have any impact, what matters is what's used by the tunnel itself.

Is the "Local IP" on the "VPN Status" tab the private IP from the tunnel (attached pic)? in case it is, I think I'm screwed since they are in the same subnet apparently:

US VPN client1 Local IP 10.8.8.98
DE VPN client2 Local IP 10.8.8.9

 

[Ro berto]

Please try "Accept DNS Configuration to Exclusive" on both clients. Check what you have one client to TCP and the other client to UDP and that you are connected.

It works!
I checked the TV and I am able to see the US Netflix and with my laptop and smartphone I am with the german server.

The only downside is that Diversion works with DNSMASQ and that will be bypassed by the tunnel when setting the "Accept DNS Configuration" to "Exclusive", is there a way to have it all?

 

[Ro berto]

It works!
I checked the TV and I am able to see the US Netflix and with my laptop and smartphone I am with the german server.

The only downside is that Diversion works with DNSMASQ and that will be bypassed by the tunnel when setting the "Accept DNS Configuration" to "Exclusive", is there a way to have it all?

Apparently yes, you can have it all

After playing with the different settings for TCP/UDP and "Accept DNS Configuration", I noticed that when changing client1 from UDP to TCP, the local IP would change from 10.8.8.98 to 10.7.7.12 (apparently a different subnet) and that is all it needs, the "Accept DNS Configuration" can remain at "Disabled" and therefore Diversion ad blocking still works with the VPN client active.

If someone needs additional info, feel free to let me know.

Ro berto

 

[Ro berto]

Just FYI, the network subnets assigned by NordVPN are somehow dependent on the server (not just if it's TCP/UDP), I thought it was based on TCP/UDP but apparently it's random. I have been able to set up 3 concurrent VPN clients (two of them with UDP and one with TCP).

Hopefully the networks subnets don't change that often because if two of them have the same subnet them I'll not be able to connect to one of them.