Can anyone clarify what's the difference between "No" and "All traffic" options for "Redirect Internet traffic" setting in OpenVPN Client configuration. I seem to get the same result with both options.
http://www.snbforums.com/threads/having-trouble-running-custom-scripts.24374/page-2#post-182119
Although since the VPN Server will invariably PUSH its default route I personally think RMerlin's statement is ambiguous. i.e. does explicitly selecting NO effectively enforce the OpenVPN directive route-nopull?
You will need to list the route table after trying both options to identify what effectively happens.
Pushed routes are unaffected by that setting. I guess the setting would need to have "Force" added to the front of its label. What this setting does is add "redirect-gateway def1" to your local config. Many tunnel providers will push this config line to you by default; this isn't overridden by the redirect internet option.
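The two replies above say the same thing from different angles: the only way to know what "Redirect Internet traffic" actually did on your box is to look at the routing table, because "redirect-gateway def1" does not replace the WAN default route, it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more specific and therefore win. The script below is an added example, not code from the thread or from the firmware; it classifies an "ip route" listing the way you would by eye. The interface name tun11 (OpenVPN Client 1 on Asuswrt-Merlin) and the three route listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a Linux "ip route" listing
# whether Internet-bound traffic leaves via the OpenVPN tunnel or via the WAN.
# "redirect-gateway def1" does not replace the WAN default route; it adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more specific and win.
# Interface name tun11 is assumed (OpenVPN Client 1 on Asuswrt-Merlin).

# classify_routes ROUTE_TEXT TUN_IFACE -> prints one of:
#   "VPN (def1 override)", "VPN (default replaced)", "SPLIT ...", "WAN"
classify_routes() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "0.0.0.0/1"   && $0 ~  ("dev " tun "( |$)") { lo = 1 }
        $1 == "128.0.0.0/1" && $0 ~  ("dev " tun "( |$)") { hi = 1 }
        $1 == "default"     && $0 ~  ("dev " tun "( |$)") { vpndef = 1 }
        $1 == "default"     && $0 !~ ("dev " tun "( |$)") { wandef = 1 }
        END {
            if (lo && hi)                print "VPN (def1 override)"
            else if (vpndef && !wandef)  print "VPN (default replaced)"
            else if (lo || hi)           print "SPLIT (only one def1 half present)"
            else                         print "WAN"
        }'
}

# Constructed sample listings (not captured from a real router).
ROUTES_WAN_ONLY='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Tunnel up, no redirect (neither set locally nor pushed): only the tunnel
# subnet is routed, the WAN default route still carries Internet traffic.
ROUTES_TUN_NO_REDIRECT='default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Tunnel up with redirect-gateway def1 (set locally or pushed by the server):
# the two /1 routes via tun11 shadow the WAN default route, and the host route
# to the VPN server (198.51.100.7) keeps the tunnel itself on the WAN.
ROUTES_TUN_DEF1='default via 203.0.113.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun11
128.0.0.0/1 via 10.8.0.1 dev tun11
198.51.100.7 via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# On the router itself you would run:  classify_routes "$(ip route)" tun11
for name in WAN_ONLY TUN_NO_REDIRECT TUN_DEF1; do
    eval "routes=\$ROUTES_$name"
    printf '%-16s -> %s\n' "$name" "$(classify_routes "$routes" tun11)"
done
```

Run it once with the setting on "No" and once with "All traffic" while the tunnel is up: if both runs report "VPN (def1 override)", the server pushed the redirect and the local setting made no difference, which is exactly the symptom described in the first post.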
But it leaves the setting "redirect internet traffic off".
That's normal. This setting isn't tied to a specific OpenVPN config setting, but to the firmware settings itself, instructing it how to handle routing. So after importing an ovpn file, you need to manually change this setting according to your needs.
Hi and thanks! Love your work and have been using your firmware for a few years.
"manually change this setting according to your needs" - this is the part I don't understand. What needs should I have in mind? Where can I read about this function? I don't know what it does really... I just want a simple explanation of why I should turn it on or off, basically.
Ty
If you want the Internet traffic of your devices at home to go through the VPN, enable it.
If you just want the tunnel to be used when accessing remote resources at work (assuming a tunnel with your work office), then keep it disabled.
Hi @RMerlin
I've just joined the forum, after installing the latest firmware 384.10_2 on my RT-AC88U. My OpenVPN is setup and working (yay).
I had a similar question about "redirect internet traffic" in OpenVPN Client.
If the VPN goes down: I would like all internet for all devices on my network to be killed. So I don't want any devices to have internet access if VPN goes down.
When the VPN is up and running: I would like all devices on my network to go through OpenVPN, without exception, at all times.
So should I set "redirect internet traffic" to "all"? Will that satisfy both of the above?
Or, to satisfy both the above, do I need to set it to "Policy Rules (Strict)" and then select each device individually and set "Block routed clients if tunnel goes down"?
Appreciate your advice
Enabling the “Policy Rules” or “Policy Rules (Strict)” setting enables the option to “Block routed clients if tunnel goes down” to be displayed. Enabling this option will allow you to block LAN traffic from traversing to the WAN interface if the VPN tunnel goes down.
Thank you kindly.
If I select "Policy Rules (Strict)" and I enable “Block routed clients if tunnel goes down”, do I need to add IP addresses in the table below?
As mentioned earlier, I don't want any devices on my network to have internet access when OpenVPN goes down.
You're welcome! Happy to help. You can use CIDR format for the entire WAN in one entry:
LAN_IPs 192.168.1.0/24 0.0.0.0 VPN
This entry routes all LAN traffic thru the VPN. LAN clients will lose internet if the tunnel goes down.
Thanks so much again.
Final question after reading your advice here and the links you shared:
Will "LAN_IPs 192.168.1.0/24 0.0.0.0 VPN" also mean the router itself will only access internet through OpenVPN?
Or does the router itself need a separate entry in that table?
Router 192.168.1.0 0.0.0.0 WAN
The 192.168.1.0/24 means the router (192.168.1.0) will also use the routing rule.
Brilliant, this is all crystal clear now. I can't thank you enough.
Thanks to your help, it wasn't as daunting as I first thought.
I think I may 'up'-grade my RT-AC88U to an RT-AC86U at some point, as I read it features AES-NI, for better OpenVPN performance?
Unfortunately, my experience was not that great. In the short time I had my hands on one, I got the same OpenVPN performance when compared to my AC88U. I suspect the issue is due to my long distance to the server which is half way across the globe. But many others have reported improved performance. I don't think Asus brands the acceleration feature as AES-NI though. But it has the similar purpose of improving hardware crypto performance.
Also, beware of the Accept DNS Configuration setting when using Policy Rules or Policy Rules Strict. See Policy Rule Routing on Asuswrt-Merlin Firmware for explanation.
Other references:
I seem to be having some issues with internet not working at all with OpenVPN connected.
So I have 3 x OpenVPN clients setup (3 server locations each with separate .ovpn files uploaded).
And for each of these clients I have followed your instruction, adding LAN_IPs 192.168.1.0/24 0.0.0.0 VPN
Should I be doing that for each?
########################################################
# Assign the interface for each LAN client by entering #
# the appropriate interface number in the first column #
# 0 = WAN                                              #
# 1 = OVPNC1                                           #
# 2 = OVPNC2                                           #
# 3 = OVPNC3                                           #
# 4 = OVPNC4                                           #
# 5 = OVPNC5                                           #
########################################################
2 192.168.1.149 AmazonFireTV-2
1 192.168.1.150 SamsungTV
1 192.168.1.151 Samsung-Phone
2 192.168.1.152 Laptop
1 192.168.1.153 Pad
1 192.168.1.154 Wife-Laptop
2 192.168.1.155 Wife-iPhone
2 192.168.1.156 my-laptop-eth
2 192.168.1.157 Roku
2 192.168.1.158 Epson-Printer
2 192.168.1.159 RaspberryPi-Eth
2 192.168.1.160 RaspberryP
I have never seen it done that way. Normally, you should only pick one OpenVPN client when using CIDR notation to specify routing thru the VPN tunnel for your network. Same with individual LAN clients entries. Only enter a LAN client in one OpenVPN Client screen.
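The reply above boils down to one rule: each LAN client gets exactly one routing decision. With the "<interface number> <address> <label>" table pasted earlier, that means an address should appear once, the interface number should be one of the 0-5 values listed in the header, and the address should actually be on the LAN. The script below is an added example, not code from the thread or from the firmware; it applies those three checks to a table in that format. The tables it checks are constructed for the example (made-up addresses and labels, with three deliberate mistakes in the second one), and only a /24 LAN prefix like 192.168.1. is handled.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): sanity-check a client
# routing table in the "<iface#> <ip> <label>" format pasted above. Rules:
#   - the interface number must be 0..5 (0 = WAN, 1..5 = OVPNC1..OVPNC5)
#   - every address must lie inside the LAN subnet (only /24 prefixes handled)
#   - no client address may appear twice (one client, one routing decision)

# validate_client_table TABLE_TEXT LAN_PREFIX -> one line per problem found
validate_client_table() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^[ \t]*#/ || NF == 0 { next }                     # header or blank line
        NF < 2 { printf "line %d: malformed entry\n", NR; next }
        $1 !~ /^[0-5]$/ { printf "line %d: interface %s is not 0-5 (%s)\n", NR, $1, $2 }
        index($2, lan) != 1 { printf "line %d: %s is outside %s0/24\n", NR, $2, lan }
        ($2 in seen) { printf "line %d: %s already listed on line %d\n", NR, $2, seen[$2]; next }
        { seen[$2] = NR }'
}

# table_problem_count TABLE_TEXT LAN_PREFIX -> number of problem lines
table_problem_count() {
    validate_client_table "$1" "$2" | awk 'END { print NR }'
}

# Constructed tables (addresses and labels are made up for this example).
CLEAN_TABLE='# iface  address        label
1 192.168.1.150 SamsungTV
2 192.168.1.152 Laptop
0 192.168.1.158 Epson-Printer'

# Three deliberate mistakes: interface 7 does not exist, .150 is listed
# twice, and 192.168.2.20 is not on this LAN.
BROKEN_TABLE='# iface  address        label
1 192.168.1.150 SamsungTV
2 192.168.1.152 Laptop
7 192.168.1.155 Wife-iPhone
1 192.168.1.150 SamsungTV-again
2 192.168.2.20 Guest-Device'

validate_client_table "$BROKEN_TABLE" 192.168.1.
echo "problems: $(table_problem_count "$BROKEN_TABLE" 192.168.1.)"
```

The duplicate check is the one that matters for the question asked here: a client that is routed twice, whether on two OpenVPN Client screens or twice in one table, is the setup the reply says it has never seen work.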
Many thanks again. But with these 3 OpenVPN clients I have set up, I only have one 'activated' at any one time.
So if I want to change OpenVPN server, I just de-activate one and activate the server I want.
Do you mean this is not a common way to use different OpenVPN clients?
As long as only one OpenVPN client is active at a time, then you should be okay. I misunderstood and thought you were running three active OpenVPN clients concurrently with the 192.168.1.0/24 entry.