RT-AX86U Pro VPN-Fusion & Wireguard

[Steve23]

It's my opinion that VPN Fusion is a very useful feature, allowing me to choose which devices are routed through a tunnel and which are not. I recently installed and configured a Wireguard profile on my router.*

A couple of notes I think are worth mentioning...

First, the UI can use a couple of tweaks, imo. For example, the slider that allows you to "Apply to all devices" is too easy to miss. It's way down on the screen because all of the categories of settings are expanded and it isn't very prominent, being kind of grey on the largely-grey UI. This is a shame because this is the real power and utility of this feature. I also think that the ability to edit the inclusion list is kind of 'hidden in plain sight' there, just below the slider. (see image 01)

Spoiler: Image 01

Second, and much more important, the firmware is very quirky about this capability, placing all devices on the check-box inclusion-list and them being greyed-out so that they cannot be deselected. (see image 02)

Spoiler: Image 02

You can see that my printer is on the inclusion list and cannot be deselected. This device has no need to be included, imo.
The second device on the list (a desktop PC) was "locked" and unable to be deselected via the checkbox until I went through the steps I listed below, but no such luck with the printer. The other two devices are DHCP. Why mention that? Read on...

I discovered a couple of things about this behavior.
a) It appears to apply to network clients that are on the IP reservation list, not those that obtain an IP address from the router via DHCP. Further...
b) It appears that if I delete those entries from the IP reservation list AND the devices are present on the network after the wireguard client is configured and running, then when I again add the devices back to the IP reservation list, sometimes they become available on the list to select whether they are included in the VPN tunnel or not (not always).

I have not tested all the iterations to make this predictable; that's quite a bit of repetitive work. I hope the tip can help some of you who might be experiencing this quirky behavior.



* please note that I am currently operating this router on the beta firmware because I was interested in taking a peek at the upcoming VLAN features. I have not yet tested this while operating the router with release firmware. 9.0.0.6.102.3506

 

[128bit]

just a suggestion, but have u considered merlinware (asus-merlin)? especially, for use with a vpn. it's has a much cleaner ui with more functionality. fwiw, fusion was too confusin' in the previous release, so i reverted back to merlinware. btw, 388.1 is the current release and it's been problematic but 386.72 is a dream and has worked flawlessly for me.

 

[Tech9]

but 386.72 is a dream

RT-AX86U Pro is supported from Asuswrt-Merlin 388.1. There is no 386.x for this router.

 

[Steve23]

It is a valid question and I appreciate the thought-provocation. The stock firmware has always worked for me on Asus routers that I have used. That, of course, is not to say that there isn't something better. Perhaps also it may be time to consider if my needs have evolved to make this a wise change.

One thing wrt the RT-AX86U-Pro that would strongly affect my decision would be the prospect of VLAN support on this router using Meriln - especially if it were more user-friendly and understandable than its execution in stock firmware. *

*This mostly so that it's easier to me to help others who inevitably ask me for help. I'm no expert (just look at my other posts ), but tell that to those who I essentially bail out of their technical distress calls time and time again.

EDIT: typo

 

[Tech9]

That, of course, is not to say that there isn't something better.

Right now there isn't anything better. If you want Asuswrt-Merlin - wait for 388.2 release on better Asuswrt base. If you want Asuswrt-Merlin based on the new Pro firmware - check back in 2024 or later.

 

[128bit]

. . . One thing wrt the RT-AX86U-Pro that would strongly affect my decision would be the prospect of VLAN support on this router using Meriln - especially if it were more user-friendly and understandable than its execution in stock firmware. *

using merlinware will likely be a value-add but you can always check the release notes. while i can't "speak" specifically for the pro, that has always been the case with my ac/ax86u devices. should you need to revert, that process resembles the stock update where the user has already downloaded the update file; there is no "auto-download & update" interface that we have with the stock version. it's manual.

i've done it several times with no issue but ultimately end up running merlin's code even if it's down level. let me add, running downlevel for me is a first in several years of using his code.

 

[steetiehj]

A quick question as I've just tried to set up WireGuard on my AX86U with the latest firmware Version 3.0.0.4.388_23285. If I've assigned an IP address to a device, does this mean that I can't add it to a device in my WireGuard settings - I don't want all devices using this setting. I get greyed-out checkboxes against those that do have an assigned IP.

 

[Steve23]

A quick question as I've just tried to set up WireGuard on my AX86U with the latest firmware Version 3.0.0.4.388_23285. If I've assigned an IP address to a device, does this mean that I can't add it to a device in my WireGuard settings - I don't want all devices using this setting. I get greyed-out checkboxes against those that do have an assigned IP.

View attachment 50161

I've been using the beta firmware on this router, but my experience was a bit odd too. I had trouble with devices that I had on my DHCP reservation list but in retrospect I am not sure if it was an oddity with the interface/firmware or if it was my error.

When you see devices on the list whose checkboxes are greyed-out, it is possible that they are selected on the other profile. In case that's not clear, I can elaborate: when you create the WireGuard config, you now have two (barring others) server lists- the default 'internet' and the 'WireGuard' server. (It's a bit hidden but) you then find the little pencil icon, click that to get the device list such as the one you shared, then select devices to be included in the profile. For example, then, if I have one of my devices selected in the internet profile, it is not accessible in the VPN profile (so it's greyed-out).

During my initial setup steps of this, I made myself notes to remove the VPN configuration, remove candidate devices* from the DHCP reservation list, then re-do the VPN config to make this work (and I did those steps). However, I'm not sure whether that was my missing how the device lists interacted and perhaps I just had the devices checked in one profile and thus greyed-out in the other. I freely admit that when I was first setting this up, it was utterly non-intuitive to me and I felt it was confounding until I figured it out (or thought I did). I also freely admit that I didn't re-do the setup again just to find out. One can only tinker so much in one session!

If the image you show is the device list for the VPN profile, it suggests to me that the greyed-out devices are locked to the internet profile (or vice versa).

If you learn that it's just a matter of what is checked in which profile, I'd really appreciate hearing that! Even if you learn that it's something else, I'd like to hear your experience.


* in other words, devices that I may want to assign to one profile or another. I still left my printer (for example) on the DHCP reservation list; that's not going on the VPN.

 

[steetiehj]

I've been using the beta firmware on this router, but my experience was a bit odd too. I had trouble with devices that I had on my DHCP reservation list but in retrospect I am not sure if it was an oddity with the interface/firmware or if it was my error.

When you see devices on the list whose checkboxes are greyed-out, it is possible that they are selected on the other profile. In case that's not clear, I can elaborate: when you create the WireGuard config, you now have two (barring others) server lists- the default 'internet' and the 'WireGuard' server. (It's a bit hidden but) you then find the little pencil icon, click that to get the device list such as the one you shared, then select devices to be included in the profile. For example, then, if I have one of my devices selected in the internet profile, it is not accessible in the VPN profile (so it's greyed-out).

During my initial setup steps of this, I made myself notes to remove the VPN configuration, remove candidate devices* from the DHCP reservation list, then re-do the VPN config to make this work (and I did those steps). However, I'm not sure whether that was my missing how the device lists interacted and perhaps I just had the devices checked in one profile and thus greyed-out in the other. I freely admit that when I was first setting this up, it was utterly non-intuitive to me and I felt it was confounding until I figured it out (or thought I did). I also freely admit that I didn't re-do the setup again just to find out. One can only tinker so much in one session!

If the image you show is the device list for the VPN profile, it suggests to me that the greyed-out devices are locked to the internet profile (or vice versa).

If you learn that it's just a matter of what is checked in which profile, I'd really appreciate hearing that! Even if you learn that it's something else, I'd like to hear your experience.


* in other words, devices that I may want to assign to one profile or another. I still left my printer (for example) on the DHCP reservation list; that's not going on the VPN.

So I noticed that in the internet profile, the device I wanted to add to the WireGuard profile was ticked, so I removed this, applied settings, then added my device to the WireGuard profile (now unchecked) and enabled that device before applying all settings. I suspected this wouldn't work as it's now not in the Internet profile, and it didn't - that device couldn't see the Internet.

Did I want to troubleshoot it? No. I returned to my original settings and used OpenVPN on the client device.

 

[Steve23]

I understand. Troubleshooting gobbles up an amazing amount of time. I was motivated by a couple of reasons, the 1st of which was that I didn't want to do this on a device-by-device basis. Too much repetition. Too much dealing with quirks of each device. Too much being sure it works for each device. You know...

Hmm. Your experience does bring up another peculiarity. That is: why is a device on the VPN profile not able to connect to the internet?

Mine shows both profiles as "connected" (see image). I would hope yours did too but it's still confusing. One reason: looking at the so-called server list, for the internet connection, "Apply to all devices" is ON, while for the VPN, it is not. This must then mean: 'apply to all devices in the profile" but this is unclear. (Actually, it is unspecified so I can't tell for sure. That said, I have no evidence that it does not behave that way.)

Spoiler: VPN Fusion page

My experience was a bit more convoluted because of my 2nd motivation: that I wanted the router to send traffic for all devices connected to a certain ethernet port thru the VPN tunnel. I have a switch on one ethernet port to which I connect all wired devices that I want thru the VPN tunnel at all times (streaming boxes, wireless access point for guest network, etc.) Trying to get that working while sorting out the uncertainties of the Wireguard setup really upped the number of things I was juggling.

That, as it turned out, worked quite nicely when I used the Guest Network Pro to set up a wired-only GNP. Now, if Asus would only correct this so that the router's VLAN tagging doesn't completely bomb if you set up more than one GNP...

Please, please. Pretty please!