OpenVPN client connection works for Ethernet connections but not WiFi


MReprogle

New Around Here
My router is the RT-AC66U, and everything seems to be working perfectly on Ethernet connections. I have 4 devices that I put static IPs on and have set to the WAN interface on OpenVPN so that it will skip past the VPN (Sony servers have many VPN IPs blocked, so I put my PS4 and a few streaming devices on WAN for my PlayStation Vue service). However, anything that connects through my router on WiFi seems to also be skipping past the VPN, even though they are not listed as WAN devices.

Does anyone else have this issue or know of something that I am missing?

Also, I use Personal Internet Access for a VPN provider, and have had a good experience so far, but the VPN seems to disconnect at least once a day and comes back with an authentication error. Is there a way to force the VPN to reauthenticate on a regular basis to avoid this, or know of another way to keep it connected? Even if I lose internet connection for a few seconds while it is reauthenticating, I don't really mind at all.

Attached is a screenshot of the policy rules, if that helps at all (I have it set to regular 'Policy rules' and not the strict version).
 

And, as for the authentication issues, here is a screenshot of my settings. If anyone else uses PIA and doesn't have this issue, could you check to be sure that I am setting this up the right way? Thanks!
 

However, anything that connects through my router on WiFi seems to also be skipping past the VPN, even though they are not listed as WAN devices.

Does anyone else have this issue or know of something that I am missing?

By default everything is routed via the WAN!

You need to add the 'missing' VPN rule to ensure everything else apart from the 4 entries is routed via the VPN!

https://www.snbforums.com/threads/excluding-specific-clients-from-vpn.38375/#post-316533
 
By default everything is routed via the WAN!

You need to add the 'missing' VPN rule to ensure everything else apart from the 4 entries is routed via the VPN!

https://www.snbforums.com/threads/excluding-specific-clients-from-vpn.38375/#post-316533

Does the order of these rules matter? I had mine set up this way a few days ago, with my PS4 set to WAN, yet it wouldn't connect to PSN and when I checked the IP, it showed that it was in fact going through the VPN. I am at work now, but will test again tonight and report back with results.
 
Yes, the order does matter. The first rule that matches will be applied.

Sent from my A0001 using Tapatalk
 
Does the order of these rules matter?

No.

The WAN target rules will always be grouped/applied before the VPN rules in the order they are defined.
 
Yes, the order does matter. The first rule that matches will be applied.

Sent from my A0001 using Tapatalk
In the example given, they show it like this:

e.g. Everything will use the VPN except the Roku

Code:
Everything  192.168.1.0/24   0.0.0.0   VPN

Roku        192.168.1.xxx    0.0.0.0   WAN

Since the first rule literally covers everything, wouldn't this be the first match for every device? I would think that setting this first would negate anything after it. I'm probably wrong, but I am just trying to understand how this works a bit better.
 
Yes, the order does matter. The first rule that matches will be applied.

No.

The WAN target rules will always be grouped/applied before the VPN rules in the order they are defined.

You're actually both half-right :)

Yes, the order matters, because the first match will be used. However, WAN rules will all have priority over the VPN rules. So, it's the order in which the WAN rules are set, followed by the order in which VPN rules are set.
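
The evaluation order described in this thread, modelled as an added example (not code from the firmware or from any poster): WAN rules are checked first, then VPN rules, each group in the order defined, and a client that matches no rule goes out the WAN. The addresses are constructed, and treating `0.0.0.0` in the destination column as "any" is an assumption.

```python
import ipaddress

# Constructed sample table in the thread's column order:
# description, source, destination, target. Addresses are made up.
RULES = [
    ("Everything", "192.168.1.0/24", "0.0.0.0", "VPN"),
    ("Roku", "192.168.1.50", "0.0.0.0", "WAN"),
]

def _matches(field, addr):
    """True if addr falls inside field; 0.0.0.0 is treated as 'any' (assumption)."""
    if field == "0.0.0.0":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)

def evaluation_order(rules):
    """WAN rules first, then VPN rules, each group in the order defined."""
    wan = [r for r in rules if r[3] == "WAN"]
    vpn = [r for r in rules if r[3] == "VPN"]
    return wan + vpn

def route_for(rules, src, dst="203.0.113.10"):
    """Return (target, rule name) for the first match; no match falls back to WAN."""
    for name, rule_src, rule_dst, target in evaluation_order(rules):
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return target, name
    return "WAN", None  # default route described in the thread

def unprotected_clients(rules, clients):
    """Clients that leave via the WAN, with the rule responsible (None = no rule)."""
    out = {}
    for c in clients:
        target, name = route_for(rules, c)
        if target == "WAN":
            out[c] = name
    return out

if __name__ == "__main__":
    wan_only = [("PS4", "192.168.1.20", "0.0.0.0", "WAN")]
    for label, table in (("WAN-only table", wan_only), ("with catch-all VPN rule", RULES)):
        print(label)
        for client in ("192.168.1.20", "192.168.1.50", "192.168.1.77"):
            print("  ", client, route_for(table, client))
```

With the WAN-only table every client, listed or not, leaves via the WAN; once the catch-all VPN rule is present, only the explicitly listed WAN device bypasses the tunnel, regardless of where it sits in the table.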
 
You're actually both half-right :)

Yes, the order matters, because the first match will be used. However, WAN rules will all have priority over the VPN rules. So, it's the order in which the WAN rules are set, followed by the order in which VPN rules are set.

A moot point given that I don't believe you could ever have the following ambiguous table:

e.g. two entries deliberately with the same I/P address:
Code:
Device1     192.168.1.99     0.0.0.0     VPN
Device2     192.168.1.99     0.0.0.0     WAN


So since it is a binary decision WAN or VPN the order doesn't matter unless you had CIDR overlap between entries?

i.e. what is the actual difference between these two tables?

Code:
Device1     192.168.1.99     0.0.0.0     VPN
Device2     192.168.1.100    0.0.0.0     VPN

vs.

Code:
Device1    192.168.1.100     0.0.0.0     VPN
Device2     192.168.1.99     0.0.0.0     VPN

given in both cases, both devices will be routed via the VPN (as expected) but the order in which they appear in both tables is irrelevant as the same outcome is achieved - do you agree?

P.S. Isn't it about time you assisted the users by warning them that a table consisting of ONLY WAN target entries is functionally potentially misleading/obsolete?
 
So since it is a binary decision WAN or VPN the order doesn't matter unless you had CIDR overlap between entries?

CIDR was the scenario I had in mind. While I see no real-life scenario where these would make any sense indeed, from a purely technical point of view, order does matter, if one wanted to be pedantic about it.

P.S. Isn't it about time you assisted the users by warning them that a table consisting of ONLY WAN target entries is functionally potentially misleading/obsolete?

This is a one-man project, so I have to decide where I want to devote my limited resources. I decided a long time ago that development is my priority, and the rest is up to the community. If you feel something isn't clear enough on the Wiki documentation, feel free to improve on it - the Wiki edit rights are open to anyone.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
 
If you feel something isn't clear enough on the Wiki documentation, feel free to improve on it - the Wiki edit rights are open to anyone.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

@yorgi (and more recently @Xentrk ) already found it necessary to publish a far more comprehensive real-world guide on the subject over a year ago

https://www.snbforums.com/threads/h...r-pia-and-other-vpn-providers-380-65_4.30851/

but I agree, it's your 'hobby' and bugs can take a back seat if they are 'documented' - caveat emptor!
 
