
Multiple VPN clients active for different devices

OGroteKoning

Apologies for posting this if it has been asked already and apologies if I don't use the correct terminology.

I want to connect each of the below devices through different servers. Assume these will be the only devices that will be used on this router (Asus RT-N66U on Merlin 380.67):
Devices - iPhone, Android phone, Smart TV, NAS, Work Laptop

Client 1 - VPN on New Zealand Server for iPhone

Client 2 - VPN on Australian Server for Android phone

Client 3 - VPN on US server for Smart TV

Client 4 - VPN on Canada for NAS

And the work laptop should not go through a VPN as it doesn't need to since it connects to work VPN

My logic says that if I route all IPs through WAN and select the specific device I want to route through that VPN client, that it should work.

Is it fine to run all 4 clients at the same time to do what I intend to do above, or was it designed to be an easy switch between any 1 of 5 clients? (1 of the clients being on while the other 4 are switched off)

VPN provider is NordVPN (Mods delete this line if you are opposed to the mentioning of VPN providers' names)

Just for info, currently I have the clients set up already but use only one at a time (1 of the clients being on while the other 4 are switched off). And I switch manually between clients as is required from time to time. I have also switched "Redirect Internet traffic" to "Policy rules". All IPs are routed through VPN and devices I do not want to connect through the VPN clients are listed in the "Rules for routing client traffic through the tunnel".
 
Assuming that you have the skills to write the script/iptables that would allow running multiple VPN clients simultaneously and select by each device's IP how to route it, no SOHO router has the processing power to give you satisfactory speeds, particularly for video streaming. Current SOHO routers with 1.4 GHz processors, for most people, get at best 55 - 65 Mbps downloads for a single client.

Also, would your VPN provider allow multiple VPN connections from the same device simultaneously? I know with StrongVPN while I can have five devices connected they all get routed through the same server. Astrill on the other hand allows each of the five simultaneous connections to be to different servers, but I have never tested to see if it would allow five connections to different servers from the same device. Perhaps you could spoof MAC addresses but that is going to make your script and iptables even more complicated.
 
Oh boy... My script skills suck at best. I'd have to do a lot of research to do that. I was hoping that the multiple clients on Merlin fw would at least allow what my intended use is. If the answer to that question is yes, then I would be more confident to play around. I will ask my VPN provider if I could run more than one client at a time. They are familiar with Merlin's work as they have a tutorial and custom script for his firmware.
 
Thanks Ted. Will check it out.

Update on previous post: VPN provider's initial response is no, I can't connect to multiple clients on one router. But referred me to their specialist support. Now waiting for them to come back to me.
 

If your VPN provider does allow multiple concurrent client connections from the router to different geographical end-point servers, then you don't need any scripts/iptables knowledge, simply enable either of the 'Policy Rules' options for 'Redirect Internet traffic' for all 4 OpenVPN clients, and add the appropriate device/subnets to their respective tables:

e.g. All outbound traffic from the Roku will use this VPN Client 1 (New York)

[Attached screenshot: upload_2017-8-15_10-38-4.png]
 
That's cool, but what about having more than one client active at the same time? E.g. Client 1 is connected to a VPN node in USA, Client 2 is connected to a VPN node in Japan and so on...

I don't think the firmware allows for it at the moment?
 
The firmware does allow for multiple concurrent OpenVPN clients:
Code:
./VPN_Client_Switch.sh status

(VPN_Client_Switch.sh): 14619 Request..... [status]
(VPN_Client_Switch.sh): 14619 VPN Client Status:
(VPN_Client_Switch.sh): 14619 Waiting for response from 'http://ipecho.net'
(VPN_Client_Switch.sh): 14619 Client 5 connected via 100.120.65.115 (VPN WAN I/P 185.51.2xx.xxx) (UK)
(VPN_Client_Switch.sh): 14619 Waiting for response from 'http://ipecho.net'
(VPN_Client_Switch.sh): 14619 Client 4 connected via 10.166.0.2 (VPN WAN I/P 81.174.xxx.xxx) (Glenside)
(VPN_Client_Switch.sh): 14619 Waiting for response from 'http://ipecho.net'
(VPN_Client_Switch.sh): 14619 Client 2 connected via 100.124.32.199 (VPN WAN I/P 119.81x.xxx.xxx) (HongKong)
(VPN_Client_Switch.sh): 14619 Waiting for response from 'http://ipecho.net'
(VPN_Client_Switch.sh): 14619 Client 1 connected via 100.124.56.172 (VPN WAN I/P 185.51x.xxx.xxx) (NewYork)

So I have:

Three VPN ISP hosted geographical end-point connections
and
One private (family) OpenVPN RT-AC68U->RT-AC56U connection

concurrently running:

[Attached screenshot: 2017-08-15_12-47-48.png]
 
How do you have them all connected at the same time? That would be great to know. Apologies OP for hijacking your thread!
 
Since I wish to have greater control of the OpenVPN clients, I use an enhanced script that can be scheduled by cru (cron) or called from /jffs/scripts/nat-start or based on errors in Syslog etc.

Code:
#====================================================================================================
#
# Switch between VPN Clients
#
#   e.g.   VPN_Switch   [stopall|status|fix|help | 1 | 2 | 3 | 4 | 5 ] [off|on|restart]
#
#          VPN_Switch
#                       Restart current ACTIVE VPN Client but if none ACTIVE, then Start VPN Client 1
#          VPN_Switch   5
#                       Terminate current ACTIVE VPN Client then switch to VPN Client 5
#          VPN_Switch   off
#                       Terminate current ACTIVE VPN Client.
#          VPN_Switch   3   on
#                       Start VPN Client 3
#          VPN_Switch   3   off
#                       Stop VPN Client 3
#          VPN_Switch   2   restart
#                       Bounce VPN Client 2 (for ISP HMA a 30 sec delay occurs after the disconnect before the actual restart)
#          VPN_Switch   status
#                       List the status of ALL VPN Clients
#          VPN_Switch   stopall
#                       Terminate ALL VPN Clients
#          VPN_Switch   fix
#                       Change any VPN client from state=-1(Error Conflict) to state=2(UP) ....use with caution!
#          VPN_Switch   help
#                       Show syntax help

but the GUI allows enabling 'Start with WAN' for each OpenVPN client config, or they can obviously be started manually either via the GUI or executing the appropriate service request command via SSH for the OpenVPN client instance:
Code:
service start_vpnclient1
service restart_vpnclient2
etc.
 
That's really cool! Would you be willing to share your script and a few instructions? I'd be really keen to set that up on my RT-AC5300 as I've a genuine requirement to use this sort of set up.

Apologies again to OP for robbing the thread.
 
No worries Ted... You asked the same questions I was interested in.

Further from my VPN provider:

You can activate more than one VPN profile at a time; however, the OpenVPN protocol uses high encryption, and if you use a few at the same time it may get stuck or even brick due to overload. Therefore I would not recommend using a couple of profiles at the same time.

As for routing - To setup policy based routing on Merlin router, do the following:
1. Navigate to VPN -> OpenVPN Client.
2. Under Advanced Settings select "Redirect Internet Traffic: Policy Rules".
3. A new option will appear "Block routed clients if tunnel goes down" which has to be enabled.
4. Then under the "Rules for routing client traffic through the tunnel" add the devices which you want to route through the VPN.
For example add a new device and select the following settings:
Description: device description
Source IP: device local IP address
Destination IP: blank
Iface: VPN
I would recommend using static LAN IPs when setting up policy based routing, because LAN IPs might change after reconnecting.

I am just a little concerned that I might overload the router though
 
Referencing back to 1st post. Do I use 192.168.1.0/24 for all IPs with WAN on every client (1-5) and then select the IPs of the devices individually for VPN interface for the different clients? Or do I just start selecting IPs in the clients where I want to use them?
 
By default, when 'Policy Rules' is enabled, all traffic is via the WAN...

https://www.snbforums.com/threads/excluding-specific-clients-from-vpn.38375/#post-316533

So in your case simply add the clients/subnets you wish to selectively route via the appropriate VPN Client.
 
@Martineau, I wish I could do the Vulcan Mind Meld to learn all that you know about VPN on ASUS Merlin. Thank you for sharing your knowledge and master scripting skills with us all. The selective routing script I recently implemented has been working great.

@OGroteKoning, I use TorGuard. They allow up to five active connections at a time. I currently run two clients on my router with AES-128-CBC, SHA1. I route most traffic to my Private IP server (which allows me to get around the vpn blocks put in place by two streaming services) and traffic from another streaming media service to the second vpn site in order to get a larger channel selection, since it is in a major market area. Here are the links to the TorGuard setup guide if you decide to try their service.

https://www.snbforums.com/threads/t...for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/t...or-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/t...r-asus-merlin-380-65-380-65_2-part-iii.38283/
 
@Martineau The selective routing script I recently implemented has been working great.

Many thanks for the unsolicited praise, although I may have to trial TorGuard and follow your comprehensive/detailed guide.
(HMA upgraded their service in July, and ever since I have weirdly been unable to use my VPN Selective port routing script whilst using Exclusive DNS mode. :( )
 
Thank god I found this thread as my issue is related to this.
I set up everything and all is working as intended. Note that I didn't have to do any scripting to achieve what I want. The GUI would suffice. I can have 3 VPNs running concurrently with traffic passing. I can redirect the traffic of specific hosts to whichever VPN I want, then the rest of the /24 LAN IPs would bypass and go to WAN directly.

- I created 3 OpenVPN IPVanish sessions on my Merlin Asus AC68U; all tunnels are connected concurrently.
- On each VPN profile, I created Redirect Internet traffic policy rules (I tried Policy Rules strict as well) in this manner:
- TV/Android use VPN to California
- Android phone/iPad connect to Singapore
- MacBook connects to HK
- all the rest of the devices in the /24 block bypass the VPN.

At first, all happy days: each device would use the intended VPN when I checked on ipleak.net. I tested a new device as well; it joins the wireless network, gets an IP from DHCP, then bypasses the VPN. All good.

My main issue is that after a few hours of operating fine, things go haywire. A guest laptop will join California; the MacBook, which is supposed to be on the HK VPN, would join California.
At times, when I reconfigure my settings it would work fine at first, then eventually all devices would connect to California or Singapore; it depends, there is no pattern of behaviour.

I have tried the below solutions but none seems to work:
- Updated the Merlin firmware.
- Removed all my OpenVPN settings and started all over.
- Tried Policy Rules strict and non-strict.
- Explicitly placed the /24 block to go to the WAN interface on all profiles.

None of the solutions seems to get my router to stay in working condition. It would only work fine a few hours into setting it up.
I'd greatly appreciate any comments.
 
Usually this is caused by a 'corruption' of the Selective Routing configuration - i.e. the firewall has unexpectedly restarted (due to manual tinkering with QOS or other features in the GUI?) but it depends on the router model/firmware/features enabled etc.

EDIT: 12/02/2018 Code moved to pastebin
You could try this crude debugging/diagnostic ChkVPNConfig script when it fails, or schedule it using cru/cron to track/dump the status of the Selective Routing environment to Syslog.

You may get a clue in finding the issue either in the RPDB rules (less likely though can happen) or the actual individual Selective routing tables (highly likely).
 
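A small check in the spirit of the RPDB inspection suggested above, added here as an example (it is not the ChkVPNConfig script or any code from this thread): it compares `ip rule show` output with the intended device-to-table policy and reports drift, which is how a device silently ends up on the wrong tunnel or bypassing one. The IP addresses, rule priorities and table names `ovpnc1`-`ovpnc3` are constructed assumptions; substitute the names your router prints.

```shell
#!/bin/sh
# Added example: detect drift between the intended selective-routing policy
# and the RPDB rules actually installed.

# Intended policy, one "source-IP table" pair per line (constructed values).
EXPECTED='192.168.1.20 ovpnc1
192.168.1.21 ovpnc2
192.168.1.22 ovpnc3'

# Constructed sample of `ip rule show` output in a drifted state:
# .21 has lost its rule, .22 points at the wrong table, and .50
# (e.g. a guest device) has a rule that the policy never asked for.
SAMPLE_RULES='0: from all lookup local
10101: from 192.168.1.20 lookup ovpnc1
10301: from 192.168.1.22 lookup ovpnc1
10302: from 192.168.1.50 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default'

# check_rpdb EXPECTED RULES
# Prints one finding per line (sorted); prints nothing when the RPDB is clean.
# Only plain "from <src> lookup <table>" rules are examined.
check_rpdb() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"       { rules = 1; next }       # separator: policy | rules
        !rules && NF == 2 { want[$1] = $2; next }   # intended mapping
        rules && $2 == "from" && $4 == "lookup" && $3 != "all" {
            seen[$3] = $5                           # installed mapping
        }
        END {
            for (ip in want) {
                if (!(ip in seen))
                    print "MISSING " ip " expected " want[ip]
                else if (seen[ip] != want[ip])
                    print "WRONG " ip " is " seen[ip] " expected " want[ip]
            }
            for (ip in seen)
                if (!(ip in want))
                    print "UNEXPECTED " ip " via " seen[ip]
        }' | sort
}

# On the router, feed it live data: check_rpdb "$EXPECTED" "$(ip rule show)"
check_rpdb "$EXPECTED" "$SAMPLE_RULES"
```

Scheduled via cru/cron with the findings sent to Syslog, this records when the rules changed, which can then be matched against firewall restarts.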
