script for asus-merlin firmware that routes a VPN to a second internal IP

Frank Hauptle

Hello all,

Probably a weird request, but I could have sworn I found a script like this online and then lost it and couldn't find it again.

Basically I want to have two internal IP addresses on my AC87U, so that traffic from devices using the normal one as their gateway IP will be routed to the internet as usual. (192.168.1.1 by default)

The second IP I'd like to have also handling NAT etc., but all traffic from devices using this one as their gateway IP would be routed through the VPN, and not work unless the VPN is up.

That way things like my IoT devices and iPads and the kids' YouTube devices and the PS4s can use the internet as normal, but any devices for which I might prefer extra privacy can route out via the VPN. I have many devices like set-top boxes, laptops etc. on gigabit Ethernet, so having a wireless network for VPN isn't all that effective for me, and I'm in a wireless-congested area, so making it worse to provide something not really related to the wireless at all seems counterproductive. (even if it is easier to configure on the client devices)

Does anyone know of an asus-merlin script that achieves some or all of this? If not, I'm gonna have to get busy.

kindest regards

Frank
 
I don't think you need to complicate things with multiple interfaces. I think you just need to use Policy-based routing (OpenVPN Client Settings > Redirect Internet traffic > Policy Rules).
 
I don't think you need to complicate things with multiple interfaces. I think you just need to use Policy-based routing (OpenVPN Client Settings > Redirect Internet traffic > Policy Rules).

Hi Colin,

Yes, I considered that, but I have better than 65 devices on my network (smart house, 2 x PS4, 3 x smart TVs, plus Blu-ray players, set-top boxes, NAS devices, even smart sprinklers and such) split between 5G wireless, 2.4 wireless and gigabit Ethernet. It's much easier to just manually configure DNS servers and gateway IP when I configure devices than to set up static IP reservations and then create and maintain a huge rules list. Obviously I don't want all traffic using the VPN, because I'd have 30+ IoT devices chewing up bandwidth that would be better used by me getting full value from my Netflix HD subscription, so I'd need a heap of rules. Plus if I decide to swap a device to or from private, all I need do is change the gateway IP of the device. Plus I can't help thinking that specifying that all traffic to or from an internal IP is forwarded through the VPN is a better way of ensuring DNS leakage is less likely, since all the DNS requests from those devices would also go to that gateway IP and get forwarded through. (I realize that the policy routing should also do that, I'm just concerned that the increased complexity of the policy setup could lead to leakage)

I suppose the policy routing of VPN traffic is a workable alternative, but I'd really hoped that someone would remember the Merlin script I'm referring to. I even saved it at the time, but I can't find the link in my 12000 favorites. (gotta clean that out.. the downside of one account syncing the favs of about 20 devices)

Another script I was thinking would be a good one is one that routes a ping to a list of VPN IPs outside of the active VPN and looks for a faster response, and if it gets one a few times in a row, it swaps the VPN to the faster option. (I don't think ping is a good test of VPN speed unless it's through a tunnel, but I'm not sure the Asus setup could handle a second VPN connection firing up, doing a test and then swapping without wrecking the existing VPN connection. I wrote a Perl script yonks ago that did something like that and ran from a Pi.. but it just reported the fastest one rather than acting on the info.)
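The fail-closed routing and DNS handling discussed in this thread can be expressed with one source-range rule instead of a per-device list. The following is an added example, not a script from the thread and not asus-merlin's own code; it assumes the private devices are statically addressed inside one range, and the subnet, tunnel interface `tun11`, table id and DNS address are hypothetical values passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, table id, subnet and DNS
# address are assumed values supplied by the caller.

# valid_v4 ADDR[/LEN]: succeed only for a well-formed IPv4 address or CIDR.
valid_v4() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%%/*}; len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# vpn_policy_cmds SUBNET TUN TABLE DNS: print (dry run) the commands that
# send SUBNET through TUN and refuse to fall back to the WAN.
vpn_policy_cmds() {
    subnet=$1 tun=$2 table=$3 dns=$4
    valid_v4 "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    case $dns in */*) echo "bad dns: $dns" >&2; return 1 ;; esac
    valid_v4 "$dns" || { echo "bad dns: $dns" >&2; return 1; }
    case $tun in ''|*[!a-z0-9]*) echo "bad interface: $tun" >&2; return 1 ;; esac
    case $table in ''|*[!0-9]*) echo "bad table: $table" >&2; return 1 ;; esac
    # 1. Default route via the tunnel, in a private routing table.
    # 2. Higher-metric "prohibit" route: the kernel drops route 1 when the
    #    tunnel goes down, so lookups hit this and are rejected (fail closed).
    # 3. Only packets sourced from SUBNET consult that table.
    # 4./5. Rewrite those clients' DNS (UDP and TCP) to the VPN-side resolver,
    #    whatever DNS server they were configured with.
    cat <<EOF
ip route replace default dev $tun table $table
ip route replace prohibit default table $table metric 4096
ip rule add from $subnet lookup $table priority 1000
iptables -t nat -I PREROUTING -s $subnet -p udp --dport 53 -j DNAT --to-destination $dns
iptables -t nat -I PREROUTING -s $subnet -p tcp --dport 53 -j DNAT --to-destination $dns
EOF
}
```

Review the printed commands before piping them to `sh` as root; the `ip rule add` and `iptables -I` lines are not idempotent, so they should be applied once. The example assumes the VPN client already masquerades traffic leaving the tunnel interface.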
 
