OVPN when Dual-WAN Load Balancing is active

MHK1996

I have dual WAN load balancing and routed some devices to go through my second WAN, and my gaming devices go through the primary WAN.

I want to enable VPN for my gaming devices (Primary WAN) but it doesn't work

I have tried using VPN Director and routing the IP addresses but it doesn't work. My OVPN will turn on and gets a public IP, but none of my devices are routed through the VPN, even with redirecting all traffic or VPN Director.

Here is my dual wan config:
[Attached image: 1639814033169.png]
 
There is an order of precedence here when it comes to the relationship between the WAN and how it load balances, vs. the VPN Director and how it redirects traffic wrt the primary WAN.

Using ssh, you can examine this precedence for yourself.

Code:
ip rule

You'll notice there are numerous rules, w/ the rules at the top of the list having higher priority than rules at the bottom of the list. Notice the WAN rules (wan0 and wan1) always precede any rules for the OpenVPN clients (ovpnc1 thru ovpnc5).

If your gaming devices are explicitly bound to one of the WANs, any rules in the VPN Director related to those same devices have no effect! IOW, you can't have policy rules regarding the choice of WAN and VPN that are effective at the same time for the same devices. Either they are bound to a choice of WAN w/ NO VPN, or else bound to the VPN, and the VPN defaults to the primary WAN.
 
(...)
You'll notice there are numerous rules, w/ the rules at the top of the list having higher priority than rules at the bottom of the list.
(...)

Very interesting, thank you. I've just started experimenting with Load Balance as well. And now that I've learned about the "ip rule" command, I'd like to ask a couple of questions (with permission from the OP):
  1. Is it possible to manually edit the order of the rules, at least within the same "section" (e.g. 100, 200, 400, ...)? I'm envisioning a few wan1 rules preceding wan0 rules (which does not seem to be the standard order), such as:
    • from 192.168.1.10 to 123.456.789.0 lookup wan1
    • from 192.168.1.10 to all lookup wan0
  2. Alternatively, is there any way of adding an "except" element to the rules, something like:
    • from 192.168.1.10 to all EXCEPT 123.456.789.0 lookup wan0
    • from 192.168.1.10 to 123.456.789.0 lookup wan1
Thanks in advance.
 
@FernandoF

I don't recommend you alter the existing rules. For one thing, those rules will likely be reapplied should the WAN be reinitialized, wiping out your changes. Same thing w/ any changes to rules created by the VPN Director. But you can always ADD your own rules and give them higher priority (i.e., lower numbered than those used by the router).

Code:
ip rule add from 192.168.1.10 prior 10 table wan0

Refer to the ip rule man page for what types of rules are available and the required syntax.

You'd probably have to add these rules using a wan-event script.
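
The precedence described in the posts above can be checked offline before trusting that a device is really behind the VPN. This is an added example, not code from the thread: the rule list, priorities and addresses are constructed, and `first_match` and `with_rule` are hypothetical helper names. It evaluates only plain `from ... lookup ...` rules, skips the `local` table, and assumes every other table holds a usable route.

```shell
#!/bin/sh
# Constructed sample in `ip rule` format (priorities and addresses are illustrative).
SAMPLE_RULES='0: from all lookup local
200: from 192.168.1.10 lookup wan0
200: from 192.168.1.20 lookup wan1
10010: from 192.168.1.10 lookup ovpnc1
10011: from 192.168.1.30 lookup ovpnc1
10012: from 192.168.2.0/24 lookup ovpnc2
32766: from all lookup main
32767: from all lookup default'

# first_match RULES SRC_IP [SKIP_TABLES]
# Prints "PRIORITY TABLE" for the lowest-numbered rule whose "from"
# selector covers SRC_IP. SKIP_TABLES is a comma-separated list of tables
# assumed to hold no route for the traffic (default: local).
first_match() {
    printf '%s\n' "$1" | sort -s -n | awk -v src="$2" -v skip="${3:-local}" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function covers(sel, ip,  p, bits, div) {
        if (sel == "all") return 1
        split(sel, p, "/")
        bits = (p[2] == "") ? 32 : p[2]
        div = 2 ^ (32 - bits)
        return int(ip2n(p[1]) / div) == int(ip2n(ip) / div)
    }
    BEGIN { n = split(skip, s, ","); for (i = 1; i <= n; i++) skipped[s[i]] = 1 }
    # Rules with other selectors (fwmark, to, iif) are not evaluated here.
    NF == 5 && $2 == "from" && $4 == "lookup" && !($5 in skipped) && covers($3, src) {
        sub(":", "", $1); print $1, $5; exit
    }'
}

# with_rule RULES PRIORITY SRC TABLE
# Returns RULES plus one extra rule, to preview the effect of an
# `ip rule add from SRC prior PRIORITY table TABLE` before running it.
with_rule() { printf '%s\n%s: from %s lookup %s\n' "$1" "$2" "$3" "$4"; }

# 192.168.1.10 has both a WAN rule and a VPN rule; the WAN rule wins.
for ip in 192.168.1.10 192.168.1.30 192.168.2.7 192.168.1.99; do
    echo "$ip -> $(first_match "$SAMPLE_RULES" "$ip")"
done
echo "after adding prio 10: $(first_match "$(with_rule "$SAMPLE_RULES" 10 192.168.1.10 ovpnc1)" 192.168.1.10)"
```

On the router itself, pass the live output instead of the sample, e.g. `first_match "$(ip rule)" 192.168.1.10`.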

 
Thank you very much @eibgrad for the recommendations and helpful links. I'll carefully study those resources.
 
Hello again and thanks for the info, I successfully moved the OVPN rule to the top but unfortunately that ignores my load balancing rules now, so all the connections are going through load balancer 1:1 and then going through OVPN, my network splitting rules are ignored. I want to keep the split rules and each wan goes through the OVPN if that's possible.

Edit: I was able to do this by adding my OVPN rule between my split rules, but the perfect solution would be "from wan0 lookup ovpnc" which is not possible. Can you tell if there is an alternative to do this?
 
Again, there's no way to integrate the two different routing policies of dual WAN and the VPNs. They work independently, w/ the dual WAN routing policy rules taking precedence. That's why you can't configure the OpenVPN client to prefer wan0 over wan1, or vice versa. The two routing policies have nothing to do w/ one another. They manage their own rules and routing tables intended to support their own specific needs. What you're asking for is that they be integrated somehow in a coordinated effort to support routing policy, which just isn't there.

That's not to say that given sufficient interest and effort by the developers, it couldn't be done. But I don't see it happening anytime soon. AFAIK, Merlin does NOT develop or support the dual WAN feature himself. ASUS does. But he does develop and manage the VPN Director. So the chances you'd ever find both ASUS and Merlin being able to coordinate such routing policy changes seem highly unlikely. The best you're going to be able to do is understand how it presently works, then perhaps create your own rules to work around the limitations (as imperfect as that might be).
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top