RT-AC68U - Merlin Firmware:384.13 - Some questions

Discussion in 'Asuswrt-Merlin' started by Valid Name, Dec 3, 2019.

    Hi all,

    I have recently installed ASUS Merlin on my AC68U router and have a few questions. This is my first ever exposure to this firmware and to router configuration in general, and I have never previously done any router configuration at this level, so please bear with me if I have missed something.

    I am using a VPN provider and have configured OpenVPN (client instance 3) as per the screenshot below:

    [screenshot: upload_2019-12-3_21-45-7.png]

    The Custom Configuration section has the settings below:

    Code:
    remote-random
    resolv-retry infinite
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    remote-cert-tls server
    pull
    fast-io

    I have a device with a static IP on the network, and I want to avoid the VPN connection for this device only for certain external IPs, so I have created the following rules for OpenVPN Client instance 3:

    [screenshot: upload_2019-12-3_22-15-28.png]

    The contents of /tmp/etc/openvpn/fw/client3-dns.sh are:
    Code:
    #!/bin/sh
    /usr/sbin/iptables -t nat -N DNSVPN3
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
    /usr/sbin/iptables -t nat -A DNSVPN3 -s 192.168.1.0/24 -j DNAT --to-destination 10.X.X.X
    /usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN3
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN3

    Where 10.X.X.X is my VPN provider's DNS server.


    Below are the contents of /jffs/scripts/nat-start:
    Code:
    #!/bin/sh
    
    sleep 10  # During the boot process nat-start may run multiple times so this is required
    
    # Ensure duplicate rules are not created
    for VPN_ID in 0 1 2 3 4 5
       do
          ip rule del prio 999$VPN_ID  2>/dev/null
       done
    
    # Create the RPDB rules
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
    ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
    ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
    ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
    ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
    
    
    # Allow mobile mac addresses to bypass the VPN Client
    iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000

    Basically, the two mobile devices already have a proprietary OpenVPN client application installed, and I want to bypass the OpenVPN connection on my router completely, as I think it is not needed and there might even be a performance overhead(?).


    What I've noticed is that if I edit the line below in the nat-start file
    Code:
    iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000

    and change it to
    Code:
    iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p all -j MARK --set-mark 0x8000/0x8000

    the mobile devices are unable to access the Internet at all if I leave the protocol option set to all. Even when I have the tcp protocol selected and access dnsleaktest.com, the IP of the VPN provider configured in the router is shown on the page, indicating that traffic is still getting routed through the VPN provider configured in the router. The OpenVPN client on the mobile is using a different VPN IP to the OpenVPN client on the router, so I expected the IP of the mobile's OpenVPN client to be shown here instead. Is my assumption correct? How can I completely bypass the OpenVPN client on my router just for two specific MAC addresses and ensure that there are no DNS leaks through my router?

    Another question:
    I also have to use a VPN connection (through the FortiClient VPN client) on Mac/Windows computers to connect to my work network. I have noticed that when I am connected to my work network from home using my router's Internet connection, I get a DNS leak. Is a DNS leak avoidable at all when connected to my work VPN through my router?

    There are only a few resources I access when connected to the work VPN, so I am happy to access them using their IP addresses directly instead of their NetBIOS or FQDN hostnames. If someone has any ideas/workarounds to avoid the DNS leak while connected to my work VPN, please let me know.

    Lastly, I also have Skynet blocking lists configured on a 4 GB USB drive with a 256 MB swap file. Is 256 MB a good swap size? Should I increase it for any reason, such as performance?

    Thanks in advance.

    Regards,
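As an added example (not code from the original post), a small Python audit that parses iptables lines of the kind shown above and reports which LAN sources the DNSVPN3 chain exempts from DNS redirection, which subnet it redirects, how many rules are exact duplicates, and which MACs are marked 0x8000 for WAN bypass and for which protocol; a MAC marked for tcp only leaves its non-TCP traffic (including UDP DNS) unmarked. The MAC addresses and the 10.0.0.53 DNS address in the sample input are placeholders, and the parser assumes the option/value layout of the generated scripts.

```python
"""Audit an Asuswrt-Merlin VPN setup from its generated iptables scripts:
which LAN sources are exempt from DNS redirection, which are redirected,
and which MACs are marked for WAN bypass and for which protocols."""
import shlex
from collections import Counter

# Constructed sample input modelled on the post (placeholder MACs and DNS IP).
DNS_SCRIPT = """
/usr/sbin/iptables -t nat -N DNSVPN3
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -A DNSVPN3 -s 192.168.1.0/24 -j DNAT --to-destination 10.0.0.53
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN3
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN3
"""
NAT_START = """
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source AA:BB:CC:DD:EE:01 -p tcp -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source AA:BB:CC:DD:EE:02 -p all -j MARK --set-mark 0x8000/0x8000
"""

def parse_rules(text):
    """Map each iptables line to {option: value}; flags without a value get True."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or not argv[0].endswith("iptables"):
            continue
        rule, i = {"_line": line.strip()}, 1
        while i < len(argv):
            key = argv[i].lstrip("-")
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                rule[key], i = argv[i + 1], i + 2
            else:
                rule[key], i = True, i + 1
        rules.append(rule)
    return rules

def audit(dns_script, nat_start):
    """Summarise DNS exemptions/redirects and WAN-bypass marks from both scripts."""
    dns, mangle = parse_rules(dns_script), parse_rules(nat_start)
    dups = sum(n - 1 for n in Counter(r["_line"] for r in dns).values())
    exempt = {r["s"] for r in dns if r.get("j") == "RETURN"}
    redirected = [(r["s"], r["to-destination"]) for r in dns if r.get("j") == "DNAT"]
    bypass = {r["mac-source"]: r.get("p", "all") for r in mangle
              if r.get("j") == "MARK" and str(r.get("set-mark", "")).startswith("0x8000")}
    # A MAC marked for one protocol only leaves its other traffic (e.g. UDP DNS) unmarked.
    partial = sorted(m for m, p in bypass.items() if p != "all")
    return {"duplicate_rules": dups, "dns_exempt": exempt,
            "dns_redirected": redirected, "wan_bypass": bypass, "partial_bypass": partial}

if __name__ == "__main__":
    for key, value in audit(DNS_SCRIPT, NAT_START).items():
        print(f"{key}: {value}")
```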