Require AP traffic to use VPN tunnel

Steve23

Occasional Visitor
I have successfully installed a Wireguard client on my router [1]. When I select devices in the router UI to use the VPN [2], I see that they indeed are using the tunnel (IP addresses change accordingly, DNS leaks are reported as gone).

I have a basic access point [3] that allows me to provide Wifi to an outdoor work area. It works nicely. The AP is not a repeater, so it is connected via ethernet to the router (I prefer it this way anyway), and it does not include a DHCP server either, so IP addresses are issued by the router. Fine.

I want to require any device connecting via the AP to use the VPN, so I included the AP in the list of devices that are supposed to use the tunnel (in the router's UI).
When I do this, however, it is clear that devices connected using the AP are not using the VPN.

Initially I had the AP set to accept a reserved IP address so I tried this using DHCP, to no avail (didn't really expect that to make a difference).

Have I extrapolated this ability in a way that isn't valid, or should this work?


[1] Asus RT-AX86U using Feb 07 stock firmware, ver 3.0.0.4.388.22525
[2] my desktop PC connected via ethernet, or my laptops using Wifi, for example.
[3] TP-Link EAP-110Outdoor
 
By including the AP in the required list all you did was make IT use the VPN, for checking for firmware, updating its time, etc. You need to select the client devices themselves if you want them to use VPN. As far as your router is concerned, that AP is just a switch with several clients behind it.
 
Yes, I understand. Thank you.

This is a challenge to accomplish in whole because guest clients connecting via this AP can't be thus restricted. The AP has a nice feature that keeps clients off the private subnet (aka: a guest network). I'm pleased about that.

While the Wifi password is posted in my work area for visitors, I regularly change it for this SSID. It's an easy way to keep the potential client list from growing.

This is a situation where I want VLAN capability additionally to keep traffic via this AP separated from my LAN (routing through the VPN aside, although still desired). Guess I could also go back to two routers (install the VPN and require everything to use it). Come to think of it, would that accomplish it either?
Must say, I didn't really want to go back to two routers, but...


EDIT:
Now looking at this thread to see if I can accomplish something
 
I didn't get the feeling that advice in the thread I mentioned above would do what I'd like to do.

Recapping, then: If I connect (via ethernet) an AP which hosts clients to my router (including 'unknown clients,' in terms of MACs, issued IP addresses etc., because they're visitors*), how does one route all of that traffic through a VPN installed on the router?
(The AP does not include a DHCP server, so all IPs are issued by the router.)

Further, this becomes an issue for users who employ a repeater to extend their Wifi coverage. (Note, I'm not tackling the merit of doing this, I'm just trying to tackle a real-world situation that's common.) Repeaters commonly issue IP addresses so those clients aren't sufficiently visible to the router.

How would one accomplish this?

* Some clients would perhaps be issued predictable IPs (because they visit more than once), thus allowing their inclusion on the use-the-VPN list** if the router remembers and issues the same IP. Not sure I want to rely on that. Some clients, however, will be one-time visitors so this would fail in that situation.

** manually :confused:
 
In your case your router knows the MAC and IP of the clients just as if they were directly plugged in; your AP is a layer 2 device like a switch. Short of setting up a special VLAN and DHCP range for that port (requiring scripts), I'm not sure there is a way to accomplish what you want, unless you just have all clients use the VPN. It would actually be easier if your AP was a router; then you just tell your main router to send all traffic for the WAN IP/MAC of the second router to the VPN, and it would look like just one client. So maybe upgrading that AP to a router would be the easiest solution. Or look for a VPN client that has an "all other clients" option? Then anything you don't explicitly define will use the VPN. Are you sure whatever client you're using now doesn't have something like that?
 
There is a "apply to all devices" slide switch in the Asus router UI. Unfortunately, what this means is that there should now be an "exception list" rather than an "inclusion list" to route traffic through the VPN because...

In your case your router knows the MAC and IP of the clients just as if they were directly plugged in,
It doesn't but it will when clients connect.* I can't route devices through the VPN until they have connected once and I have that information. Further, I'd have to stop, get into the router UI while the client is connected via the AP so that I could add the client info. Clearly that's not really practical. Normally this means that it would be great to use the "apply to all devices" switch except...

while I will have many devices running thru the VPN, there are a couple that will not be, so I'd love that "except-for-these-devices" list. [Hmm... Later note below]

* random clients, first-time connection to the network.

Or look for a VPN client that has an "all other clients" option? Then anything you don't explicitly define will use the VPN. Are you sure whatever client you're using now doesn't have something like that?

The Wireguard client installed in the router is a pretty simple interface. I'll look again, but I don't think so. [Hmm... Later note below]

It would actually be easier if your AP was a router, then you just tell your main router to send all traffic for the WAN IP/MAC of the second router to the VPN, it would look like just one client. So maybe upgrading that AP to a router would be the easiest solution.

Oh, yes, this is elegant, inexpensive, easy to implement, and effective. This should work beautifully! :)
I think I'm in the market for a simple wireless router to give my work area the (very basic) network capability it needs! Gotta be an outdoor model, other than that, no special anything.

Replacing my AP is not an issue. As I mentioned before, it's about the lowest-cost, decent AP out there, but it's strictly an AP. Plenty of outdoor models are multi-mode devices which include router-mode operation.

Thank you for all the back-and-forth. I'll edit this post when I look over the Wireguard VPN Client settings in my router UI.

Later note
The Asus UI includes the "apply to all devices" slide switch for both the Wireguard Client and for the "Internet Connection" on its VPN Fusion page. There's no information about how these sort of work, so it looks like I need to try some combinations of this to see how these interact, perhaps making the VPN connection the default (if possible) and using the switch, then using the "device selector" on the "internet connection" to select the devices that are off the VPN. Oh boy...

Well. I tried what I said I would. I think there's a problem with how this works. I set the VPN connection as default. When I include (for example) my desktop computer in the device selector for the Internet Connection and perform the what's my IP check and the DNS leak test, I see that the IP address is 'exposed' (not on the VPN). That's expected.
The DNS leak test, however, shows that the DNS is still as if I was using the VPN. This causes problems on some websites. Some load fine, some load partially. Amazon, for example, presents me with the letter-code entry screen and, upon submitting the letter-code, goes directly to another letter-code entry screen.

I have cleared browser caches, flushed DNS caches, 'renewed' the network adapter, and restarted the computer, to no avail. I will be restarting the router soon (wasn't able to do so atm due to homework assignments being in-process). EDIT: that didn't help.

Barring that working, I don't know what's amiss so I'm going back to the internet connection as default and 'parking there' for a while until I get some clues about what to do next.
 

Yeah obviously I meant the router knows the MAC/IP after a device connects, it isn't predicting anything.

I think your only solution with the current setup is to include all and create an exclusion list. There must be some way to get that working, I'm sure others have. Not sure why DNS is still routing over the VPN, maybe you have DNS director or something set up that is interfering?

The alternative is just to convert the AP to a router and set that on your include list, along with anything else you want included.
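To make the two points of this thread concrete (the AP-as-switch versus AP-as-router argument above, and the "exposed IP but DNS still via the VPN" symptom reported earlier), here is a small model of source-address policy routing. It is an added illustration, not the Asus firmware's logic; the addresses, the `VpnPolicy` class and the assumption that the router's own DNS forwarder originates upstream queries (so they follow the router's default policy, not any client rule) are all constructed for the example.

```python
"""Model of per-client VPN policy routing on a home router (constructed
example; not the Asus / VPN Fusion implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

ROUTER = ip_address("192.168.50.1")  # constructed LAN address of the router


@dataclass
class VpnPolicy:
    """default: egress used by every source not on `listed` ("WAN" or "VPN").
    listed:  addresses picked in the UI device selector; they get the
             opposite egress (an inclusion list when default is WAN, an
             exclusion list when default is VPN)."""
    default: str
    listed: set = field(default_factory=set)

    def egress(self, src) -> str:
        src = ip_address(src)
        if src == ROUTER:  # router-originated traffic matches no client rule
            return self.default
        other = "VPN" if self.default == "WAN" else "WAN"
        return other if str(src) in self.listed else self.default


def sources_behind_l2_ap(client_ips):
    """AP acting as a switch: the router sees each client's own address."""
    return [ip_address(ip) for ip in client_ips]


def sources_behind_nat_router(nat_ip, client_ips):
    """AP in router mode: every client arrives as the NAT router's address."""
    return [ip_address(nat_ip) for _ in client_ips]


def vpn_coverage(policy, sources):
    """Number of the given flows that leave through the tunnel."""
    return sum(policy.egress(s) == "VPN" for s in sources)


def client_view(policy, client_ip):
    """What an 'IP check' and a DNS-leak test see for one client, assuming
    DNS is answered by the router's forwarder (upstream queries then carry
    the router's own source address)."""
    return {"ip_check": policy.egress(client_ip),
            "dns_upstream": policy.egress(ROUTER)}


if __name__ == "__main__":
    visitors = ["192.168.50.20", "192.168.50.21", "192.168.50.22"]
    include = VpnPolicy("WAN", {"192.168.50.10"})   # AP (or NAT router) at .10
    print("L2 AP listed:", vpn_coverage(include, sources_behind_l2_ap(visitors)))
    print("NAT router listed:",
          vpn_coverage(include, sources_behind_nat_router("192.168.50.10", visitors)))
    exclude = VpnPolicy("VPN", {"192.168.50.10"})   # desktop .10 kept off VPN
    print("excluded desktop sees:", client_view(exclude, "192.168.50.10"))
```

With the AP listed as a layer-2 device none of the three visitors is covered, with the same address acting as a NAT router all three are, and in the default-VPN configuration the excluded desktop shows a WAN address while its DNS still resolves through the tunnel.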
 
I think the idea to replace the outdoor AP serving my work area with a device that includes a router operation mode is a good one. I thank you for suggesting it!

The VPN thing still bugs me. There must be some problem with VPN Fusion. I'm not using DNS Director (I didn't set up anything like that separately), so I may post this problem elsewhere to see if I can get help to resolve it. This is another one that's important for me to get working properly and reliably.
 