"Redirect Internet traffic" setting in OpenVPN Client configuration

alexnet

Can anyone clarify what's the difference between "No" and "All traffic" options for "Redirect Internet traffic" setting in OpenVPN Client configuration. I seem to get the same result with both options.
 
http://www.snbforums.com/threads/having-trouble-running-custom-scripts.24374/page-2#post-182119

Although since the VPN Server will invariably PUSH its default route I personally think RMerlin's statement is ambiguous. i.e. does explicitly selecting NO effectively enforce the OpenVPN directive route-nopull?

You will need to list the route table after trying both options to identify what effectively happens.
 
Pushed routes are unaffected by that setting. I guess the setting would need to have "Force" added to the front of its label. What this setting does is add "redirect-gateway def1" to your local config. Many tunnel provider will push this config line to you by default, this isn't overridden by the redirect internet option.
 
Hi,
I am not an advanced user and English is not my primary language.. This explanation is a little too complex for me to grasp..
I want to know what to use on this setting.. I use merlin build: Firmware:380.65_4
My VPN Provider has a config file for asus WRT that you should just load in the GUI in the router and it should all be fine...
But it leaves the setting "redirect internet traffic off".. However in past versions of the merlin build I have had to fix all settings manual and according to some guide from another VPN provider I used "redirect internet traffic on"...

Both seem to work the same for me..? Except that I have since update of merlin build lost my 5ghz network and 2.4 is going on and off all the time (not sure if it is because of this option because I use VPN from router)..
In simple english: If both options seem to work with redirect internet traffic for VPN: and both seem to give a new external IP and connect to VPN provider, is there any negative effect on security/privacy/functionality by having this setting on either value..?

Ty and sorry for complex post..
 
But it leaves the setting "redirect internet traffic off".

That's normal. This setting isn't tied to a specific OpenVPN config setting, but to the firmware settings itself, instructing it how to handle routing. So after importing an ovpn file, you need to manually change this setting according to your needs.
 
Hi and thanks! Love your work and been using your firmware for a few years..

"manually change this setting according to your needs" , This is the part I dont understand.. What needs should I have in mind.. Where can I read about this function..? I dont know what it does really... I just want a simple explanation to why I should turn it on or off basically.. :)
Ty
 
If you want the Internet traffic of your devices at home to go through the VPN, enable it.

If you just want the tunnel to be used when accessing remote resources at work (assuming a tunnel with your work office), then keep it disabled.
 
Hi @RMerlin

I've just joined the forum, after installing the latest firmware 384.10_2 on my RT-AC88U. My OpenVPN is setup and working (yay).

I had a similar question about "redirect internet traffic" in OpenVPN Client.

If the VPN goes down: I would like all internet for all devices on my network to be killed. So I don't want any devices to have internet access if VPN goes down.

When the VPN is up and running: I would like all devices on my network to go through OpenVPN, without exception, at all times.

So should I set "redirect internet traffic" to "all"? Will that satisfy both of the above?

Or to satisfy both the above, do I need to set to "Policy Rules (Strict)" and then select each device individually and set "Block routed clients if tunnel goes down"

Appreciate your advice
 
Enabling the “Policy Rules” or “Policy Rules (Strict)” setting enables the option to “Block routed clients if tunnel goes down” to be displayed. Enabling this option will allow you to block LAN traffic from traversing to the WAN interface if the VPN tunnel goes down.

Also, beware of the Accept DNS Configuration setting when using Policy Rules or Policy Rules Strict. See Policy Rule Routing on Asuswrt-Merlin Firmware for explanation.

Other references:
 

Thank you kindly.

If I select "Policy Rules (Strict)" and I enable “Block routed clients if tunnel goes down” , do I need to add IP addresses in the table below?

As mentioned earlier, I don't want any devices on my network to have internet access when OpenVPN goes down.

 
You're welcome! Happy to help. You can use CIDR format for all LAN clients in one entry:

Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN

This entry routes all LAN traffic thru the VPN. LAN clients will lose internet if the tunnel goes down.
 
Thanks so much again.

Final question after reading your advice here and the links you shared:

Will "LAN_IPs 192.168.1.0/24 0.0.0.0 VPN" also mean the router itself will only access internet through OpenVPN?

Or does the router itself need a separate entry in that table?
 
The 192.168.1.0/24 means the router (192.168.1.0) will also use the routing rule.

Mxtool Subnet Calculator (screenshot omitted)

If you want the router to have access to the WAN at all time, enter an entry for the router
Code:
Router  192.168.1.0   0.0.0.0   WAN

The WAN client rule will take a higher priority than the VPN client rule, i.e. it bypasses the rule above. You can log on using an SSH session and type the command ip rule to see the routing rules and priorities.
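The priority behaviour described in this post, as an added shell/awk example that is not from the thread or the firmware: it walks a constructed ip rule listing in priority order and reports which table a given LAN source hits. The priority numbers and table names (wan, ovpnc1) are assumptions chosen to mirror the Router and LAN_IPs entries; the real listing on the router will differ.

```shell
#!/bin/sh
# Added example (not the thread's or the firmware's code). Constructed
# "ip rule" listing mirroring the two entries above: a host rule for the
# router (-> WAN table) and a subnet rule for the LAN (-> VPN client 1).
# Priority numbers and table names are assumptions; check yours over SSH.
RULES='10001: from 192.168.1.0 lookup wan
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main'

# table_for <source-ip>: print the lookup table of the first rule whose
# "from" selector matches. ip rule is evaluated in ascending priority
# order, so the host rule wins simply by coming first; prefix length
# plays no part in the decision.
table_for() {
    printf '%s\n' "$RULES" | awk -v src="$1" '
        # dotted quad -> 32-bit integer
        function ip2n(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # 1 if ip falls inside cidr ("all" matches every source)
        function in_cidr(ip, cidr,  p, bits, shift) {
            if (cidr == "all") return 1
            split(cidr, p, "/")
            bits = (2 in p) ? p[2] : 32
            shift = 2 ^ (32 - bits)        # drop the host bits
            return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
        }
        $2 == "from" && in_cidr(src, $3) { print $5; exit }
    '
}
```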
 
Brilliant, this is all crystal clear now. I can't thank you enough.

Thanks to your help, it wasn't as daunting as I first thought.

I think I may 'up'-grade my RT-AC88U to an RT-AC86U at some point, as I read it features AES-NI, for better OpenVPN performance?
 
Unfortunately, my experience was not that great. In the short time I had my hands on one, I got the same OpenVPN performance when compared to my AC88U. I suspect the issue is due to my long distance to the server which is half way across the globe. But many others have reported improved performance. I don't think Asus brands the acceleration feature as AES-NI though. But it has the similar purpose of improving hardware crypto performance.

We had fun discussing OpenVPN performance on the forum a year or two ago. I will get some metrics for the HND routers from some of the forum members and add them to the article.
 
I seem to be having some issues with internet not working at all with OpenVPN connected.

So I have 3 x OpenVPN clients setup (3 server locations each with separate .ovpn files uploaded).

And for each of these clients I have followed your instruction, adding LAN_IPs 192.168.1.0/24 0.0.0.0 VPN

Should I be doing that for each?
 
I have never seen it done that way. Normally, you should only pick one OpenVPN client when using CIDR notation to specify routing thru the VPN tunnel for your network. Same with individual LAN client entries. Only enter a LAN client in one OpenVPN Client screen.

You are telling the firmware to route your LAN clients to all three tunnels. My guess is OpenVPN Client 1 will get the first priority followed by client 2, 3, 4 and 5. Maybe you discovered a fail over hack so that if one OpenVPN Client goes down, the clients can still have internet connection by falling back to one of the other OpenVPN clients. ;) But as you stated, the clients no longer have internet connectivity. The setting appears to result in a routing conflict. Type ip rule at the command line to see the rules and priorities.

I wrote a program you may want to use when I am ready to publish. It will write all LAN clients that have a dhcp static reservation to a flat file. You just need to edit the file and assign the iface to each lan client. Once done, bounce the VPN client for the routing rules to take effect:

Code:
#########################################################
# Assign the interface for each LAN client by entering  #
# the appropriate interface number in the first column  #
# 0 = WAN                                               #
# 1 = OVPNC1                                            #
# 2 = OVPNC2                                            #
# 3 = OVPNC3                                            #
# 4 = OVPNC4                                            #
# 5 = OVPNC5                                            #
#########################################################
2 192.168.1.149 AmazonFireTV-2
1 192.168.1.150 SamsungTV
1 192.168.1.151 Samsung-Phone
2 192.168.1.152 Laptop
1 192.168.1.153 Pad
1 192.168.1.154 Wife-Laptop
2 192.168.1.155 Wife-iPhone
2 192.168.1.156 my-laptop-eth
2 192.168.1.157 Roku
2 192.168.1.158 Epson-Printer
2 192.168.1.159 RaspberryPi-Eth
2 192.168.1.160 RaspberryP

Saves typing in each LAN client individually and is very useful in restoring routing rules for LAN clients after a factory reset as it eliminates the manual entry in the OpenVPN Client screen.
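Because the flat file format above is the interface to that program, here is an added shell example (not the poster's program, whose source is not on the page) that turns an edited file into the Name/IP/0.0.0.0/Iface entries for one OpenVPN client screen and flags a LAN client listed for more than one interface, the overlapping-assignment situation discussed earlier in the thread. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the program from the post, whose source is not shown).
# Reads the "<iface> <ip> <name>" flat file format above and prints the
# policy-rule entries for one OpenVPN client screen. Sample input is
# constructed; the header line follows the format shown in the post.
CLIENTS='# iface ip name   (0 = WAN, 1..5 = OVPNC1..OVPNC5)
2 192.168.1.149 AmazonFireTV-2
1 192.168.1.150 SamsungTV
0 192.168.1.158 Epson-Printer
1 192.168.1.150 SamsungTV-dup'

# rules_for <n>: entries for the clients assigned to interface n, in the
# "Name  SourceIP  0.0.0.0  Iface" layout of the client screen. n = 0
# yields WAN (bypass) entries, like the Router entry earlier in the thread.
rules_for() {
    printf '%s\n' "$CLIENTS" | awk -v want="$1" '
        /^#/ || NF < 3 { next }          # skip header and blank lines
        $1 == want {
            tgt = ($1 == 0) ? "WAN" : "VPN"
            printf "%s    %s    0.0.0.0    %s\n", $3, $2, tgt
        }'
}

# check_clients: exit 1 (and name the offender) if the same IP is listed
# more than once, which would route one LAN client into two tables.
check_clients() {
    printf '%s\n' "$CLIENTS" | awk '
        /^#/ || NF < 3 { next }
        seen[$2]++ { dup = 1; print "duplicate client " $2 " (" $3 ")" }
        END { exit dup ? 1 : 0 }'
}
```

Run check_clients before pasting the output of rules_for into the client screen; a non-zero exit means the file still assigns one client twice.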
 
Many thanks again. But with these 3 OpenVPN clients I have setup, I only have one 'activated' at any one time.

So if I want to change OpenVPN server, I just de-activate one and activate the server I want.

Do you mean this is not a common way to use different OpenVPN clients?
 
As long as only one OpenVPN is active at a time, then you should be okay. I misunderstood and thought you were running three active OpenVPN clients concurrently with the 192.168.1.0/24 entry.
 
