Redirect Internet traffic Policy Question


bkz81

Occasional Visitor
After scratching my head all day with this and browsing the forums, I am going to have to post my question.

It seems like everybody wants all of their traffic to be routed through the VPN, from what I have read on here. I am trying to do the opposite. I would like only two devices I have on my network to be routed, which are
192.168.1.4 0.0.0.0 VPN, and 192.168.1.12 0.0.0.0 VPN, and the rest can go out the regular way. I have those two hosts in the policy rules; however, when I enable the VPN connection I can't browse the internet at all on this PC, which is 192.168.1.2. Is there a third rule I need to include in the policy settings? I have tried 192.168.1.0/24 WAN, and 192.168.1.2 WAN but it didn't work. I was thinking that the two VPN ones would be considered exceptions, and I wouldn't have to add another rule, thinking that everything else would go right out.

Running a N66U on 380.58

Thanks
 
I just set that up last night and am having no problems with it.
upload_2016-4-24_17-2-46.png


Only SERVER is going through VPN. I'm on another machine right now that's going directly through my ISP. I upgraded to 380.58_0 last week on my AC66U.
 
Weird. Could it be something with my LAN/VPN settings? I notice when I have my VPN set up as exclusive I lose internet on my desktop, which goes straight to my ISP. When I set the VPN to strict it comes back.
 

Attachment: LanSettings.PNG

This may very well be my problem.
========================================================
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
and you enable policy-based routing, then those policies
will also determine which DNS to use (the tunnel's or
the ISP's). This is based on DNSFilter's technology.
You no longer need to use DNSFilter to control
the DNS used by your OpenVPN clients.
========================================================
I have tried multiple ways to add WAN routes to the VPN section to exclude all other hosts but so far nothing works. I have even turned on DNS filtering and messed around in there but that didn't work either, when I put in the WAN routes in the VPN section as well.
 
Yes -- I get what you're saying.
I have set the openVPN client DNS mode to "Exclusive", and I use policy-based routing.
I have exactly one rule: my local server routes all its internet traffic thru the VPN.
It works well. I just can't quite figure out why all my other PCs, which are going through my ISP, are all using PIA's DNS server and not my ISP's...
 
Try leaving the Default Gateway and DNS Server 1 fields blank in your LAN > DHCP Server settings page.
 
Yes -- I get what you're saying.
I have set the openVPN client DNS mode to "Exclusive", and I use policy-based routing.
I have exactly one rule: my local server routes all its internet traffic thru the VPN.
It works well. I just can't quite figure out why all my other PCs, which are going through my ISP, are all using PIA's DNS server and not my ISP's...
This is happening to me also. Except with a different vpn provider.
 
Try leaving the Default Gateway and DNS Server 1 fields blank in your LAN > DHCP Server settings page.

Hmm, this is what I am currently passing to all the internal network PCs
(my gateway, and Google). I guess I could see how if I left those fields blank the internal networked PCs might get passed the DNS entry that the actual router is getting from the ISP.
But I don't understand why they are getting PIA's DNS gateway instead of my gateway and Google.

upload_2016-4-26_6-19-29.png
 
In fact, the internal PCs are not getting passed PIA's DNS gateway.
upload_2016-4-26_6-30-52.png


But when I check at dnsleaktest it shows this internal PC, going through the ISP, is using PIA's DNS gateway. Which I guess means that the router itself is using PIA's DNS?

upload_2016-4-26_6-36-42.png


So the router is telling all the non-VPN PCs to point at itself for DNS, and it in turn is pointing at PIA instead of my ISP (as long as the VPN connection is up in the background. When it drops, the router reverts to my ISP's DNS?)
 
Yes indeed. I just dropped the VPN tunnel that was running in the background to my server, and re-checked at dnsleaktest. Now the router is pointing at my ISP. Hell Cox!

upload_2016-4-26_6-46-28.png
 
From Post #18 in ver. 380.58 Policy rules, The DNS for Local ISP Leaks VPN IP. This is a serious problem. Caution

"If you enable Policy-based routing for a VPN client and you set the Accept DNS Configuration to "Exclusive", then the router will "AUTOMATICALLY" configure firewall rules that will force VPN clients to use the DNS server from your OpenVPN tunnel providers, and leave the non-VPN clients on your router's usual (typically your ISP's) DNS servers. This is implemented in a similar way that DNSFilter works, so those of you using DNSFilter to force VPN clients to specific DNS servers can now remove those DNSFilter rules."

"and leave the non-VPN clients on your router's usual (typically your ISP's) DNS servers. "
My ISP DNS server is 24.201.245.77 not VPN DNS as I am getting.
If your documentation is right then this firmware has a serious issue and it needs attention.

@RMerlin -- Something doesn't seem right. My non-VPN PCs are getting my VPN DNS...
 
I had to change my VPN DNS settings from exclusive to strict. Then turn on DNS filtering and place DNS 1 and DNS 2 from my VPN provider to custom 1 and custom 2 for my two devices that only need a VPN connection. I then set Global filtering mode to no filtering. All appears to be working now: my other device can go out to the ISP with no problem, and my other two devices go straight to the VPN provider. One thing I did notice is that I can't do nslookups to the outside, it just times out.
 
Thank you. I'll be sure and test it on the next release, or whenever it comes out.
 
Awesome! I had decided to try this feature and ran into the same problem. Glad to see that the question was already asked and answered and hopefully will be fixed in the next release.

For now I'm keeping this code in my /jffs/configs/dnsmasq.conf.add file:

# ROKU:
dhcp-host=DC:3A:5E:55:55:55,set:vpnhost
# DENON:
dhcp-host=00:05:CD:55:55:55,set:vpnhost
# DVD-BR:
dhcp-host=6C:5A:B5:55:55:55,set:vpnhost
dhcp-option=tag:vpnhost,6,8.8.4.4

(anonymized the DNS and MAC addresses)
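
To audit a tag-based dnsmasq.conf.add like the one in the post above, the following added example (not part of the thread, and not firmware code) reports which DNS server DHCP would hand to a given MAC. The helper name `dns_for_mac`, the untagged desktop entry and the sample input are constructed for illustration; it only understands `dhcp-host` `set:` tags and a single-tag `dhcp-option` 6.

```shell
#!/bin/sh
# Added example: report which DNS server dnsmasq's DHCP would hand to a MAC,
# given tag-based lines like those in /jffs/configs/dnsmasq.conf.add.

# Constructed sample input (placeholder MACs and DNS, as in the post).
sample_conf() {
cat <<'EOF'
# ROKU:
dhcp-host=DC:3A:5E:55:55:55,set:vpnhost
# DENON:
dhcp-host=00:05:CD:55:55:55,set:vpnhost
# Hypothetical untagged desktop: gets the default DNS from the router
dhcp-host=AA:BB:CC:00:00:01,192.168.1.2
dhcp-option=tag:vpnhost,6,8.8.4.4
EOF
}

# dns_for_mac MAC [FILE]  (hypothetical helper; reads stdin when FILE is omitted)
# Prints the option-6 value for the tag set on MAC, or "default" if none applies.
dns_for_mac() {
  mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  awk -v mac="$mac" '
    /^[ \t]*#/ { next }                          # skip comment lines
    /^dhcp-host=/ {                              # collect tags set for this MAC
      n = split(substr($0, index($0, "=") + 1), f, ",")
      hit = 0
      for (i = 1; i <= n; i++) { if (toupper(f[i]) == mac) hit = 1 }
      if (hit) {
        for (i = 1; i <= n; i++) { if (f[i] ~ /^set:/) tags[substr(f[i], 5)] = 1 }
      }
    }
    /^dhcp-option=/ {                            # collect tagged DNS options
      n = split(substr($0, index($0, "=") + 1), f, ",")
      tag = ""; opt = 0
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^tag:/) { tag = substr(f[i], 5) } else { opt = i; break }
      }
      if (tag != "" && opt && (f[opt] == "6" || f[opt] == "option:dns-server")) {
        v = f[opt + 1]
        for (i = opt + 2; i <= n; i++) v = v "," f[i]
        dns[tag] = v
      }
    }
    END {                                        # line order does not matter
      for (t in tags) { if (t in dns) { print dns[t]; exit } }
      print "default"
    }' "${2:--}"
}

for m in DC:3A:5E:55:55:55 AA:BB:CC:00:00:01; do
  printf '%s -> %s\n' "$m" "$(sample_conf | dns_for_mac "$m")"
done
```

A device only picks up a changed option 6 when it renews its DHCP lease, so re-run a DNS leak test after the renewal rather than immediately after editing the file.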
 
