Simple question about configuring Policy-based routing for an OpenVPN client


mer_du_sud

Occasional Visitor
Hello.
I am equipped with an ASUS AC68UF router located behind a box. I also use a VPN to access the Internet (PROTONVPN in this particular case). I switched to Merlin firmware because of the possibility to specify which devices connected to the local network will go through the VPN and which other devices will go directly to the WAN. My first attempt was not very happy: I had no more access to anything and I had to reset the router. Before trying again, I would like to avoid the same mistake. In fact, my need is basic: by default, I want all the devices to go directly to the WAN and only some of them to go through the VPN (basically all those on which it is not possible to install a VPN client). Let's assume that only the 192.168.2.50 and 192.168.2.77 devices have to go through the VPN. What should I write?

Thank you for your help.
 

mer_du_sud

Occasional Visitor
Thank you for the link. If I understand correctly "By default, all traffic go through the WAN", it means I only have to write 2 lines (according to my example):
192.168.2.50 -> VPN
192.168.2.77 -> VPN
And that's all? Nothing to write for all the other devices I want to go directly to the WAN? Right?
 

octopus

Very Senior Member
Yes
 

mer_du_sud

Occasional Visitor
Thank you. I have to proceed now as suggested. By the way, do you know of other literature than the link you gave me?
 

mer_du_sud

Occasional Visitor
Hello. I have proceeded as suggested.
It works, as far as I can tell from the system logs. I wanted to do a test with a smartphone, and I was confronted with the following problem: when I added a line for this device and then went back to check, I was able to test with myip.com and it was OK, with no DNS leak, what's more; on the other hand, when I went back to Merlin and deleted the line for this smartphone, I then noticed (with myip.com) that my IP was still that of the VPN. The only way I was able to fix the problem was to reboot the router. So, Merlin's bug or bad settings on my part?
 
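The two-line policy from the earlier post, and the "still on the VPN after deleting the line" observation above, come down to ip(8) policy rules on the router. The following is an added example written for this page, not code from the thread or from Asuswrt-Merlin: it prints the rules such a policy amounts to and checks an `ip rule show` dump for hosts that are still bound to a VPN routing table. Assumptions, not facts from the thread: Merlin's VPN client N uses a routing table named ovpncN (ovpnc4 here; confirm with `cat /etc/iproute2/rt_tables` on the router), unlisted hosts fall through to the main table (the WAN), the 10000+ priorities are arbitrary, and the dump is constructed. Nothing in it changes a live router.

```shell
#!/bin/sh
# Added example; not from the thread and not Asuswrt-Merlin's own code.
# Models the "LAN IP -> VPN" policy lines as ip(8) policy rules and checks
# an `ip rule show` dump for hosts still routed into a VPN table.
# Assumptions: VPN client N routes through a table named ovpncN (ovpnc4
# below), everything else follows the main table (the WAN), and the
# 10000+ priorities are arbitrary. The dump below is constructed.

# Policy in the spirit of the GUI table: one "source VPN|WAN" entry per
# line. Only the listed hosts go through the VPN; hosts that must stay on
# the WAN need no line at all.
POLICY='192.168.2.50 VPN
192.168.2.77 VPN'

# Constructed `ip rule show` dump as it could look after a third host (a
# test phone, 192.168.2.120) was added and then deleted in the GUI but its
# rule was never torn down.
IP_RULE_SAMPLE='0:      from all lookup local
10001:  from 192.168.2.50 lookup ovpnc4
10002:  from 192.168.2.77 lookup ovpnc4
10003:  from 192.168.2.120 lookup ovpnc4
32766:  from all lookup main
32767:  from all lookup default'

# Print (do not run) the ip-rule commands for policy $1 and VPN client $2.
policy_to_ip_rules() {
    prio=10000
    printf '%s\n' "$1" | while read -r src iface; do
        [ -n "$src" ] || continue
        prio=$((prio + 1))
        case $iface in
            VPN) printf 'ip rule add from %s table ovpnc%s priority %s\n' "$src" "$2" "$prio" ;;
            WAN) printf 'ip rule add from %s table main priority %s\n' "$src" "$prio" ;;
            *)   printf 'skipping %s: unknown interface "%s"\n' "$src" "$iface" >&2 ;;
        esac
    done
}

# Source addresses that dump $1 routes into any ovpnc table.
vpn_routed_sources() {
    printf '%s\n' "$1" | awk '$2 == "from" && $4 == "lookup" && $5 ~ /^ovpnc[1-5]$/ { print $3 }'
}

# Hosts in dump $2 that policy $1 no longer lists: these keep showing the
# VPN's public IP until their rule is deleted (or the router reboots).
stale_vpn_rules() {
    wanted=$(printf '%s\n' "$1" | awk '$2 == "VPN" { print $1 }')
    for src in $(vpn_routed_sources "$2"); do
        printf '%s\n' "$wanted" | grep -qxF -- "$src" || printf '%s\n' "$src"
    done
}

# Demonstration run: the rules for client 4, then the stale host.
policy_to_ip_rules "$POLICY" 4
printf 'still VPN-routed but not in the policy: %s\n' "$(stale_vpn_rules "$POLICY" "$IP_RULE_SAMPLE")"
```

On the router itself the same check is `stale_vpn_rules "$POLICY" "$(ip rule show)"`; a leftover rule can be removed with the standard iproute2 commands `ip rule del from 192.168.2.120 table ovpnc4` followed by `ip route flush cache`, which is what a reboot achieves the hard way. The thread does not establish why the rule survived the GUI deletion; this check only tells you whether a stale rule is the reason the host still shows the VPN address.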

mer_du_sud

Occasional Visitor
I have another more annoying problem (which may have already been addressed in another thread): when I restart the router manually or when the router restarts automatically as scheduled, I find that the VPN client has stopped. And yet, I checked "yes" for the "Automatic start at boot time" parameter.
Does anyone have the answer?
 

octopus

Very Senior Member
Your time has not updated yet, therefore the VPN can't start. Do you have a public IP number?
 

mer_du_sud

Occasional Visitor
And how can I update the time? The router is behind my Internet box; its public IP number is something like 192.168.1.x. Only my Internet box has a real public IP.
 

octopus

Very Senior Member
Does the router have real time? It takes a longer time to update. Can you set your Internet box in bridge mode?
 

mer_du_sud

Occasional Visitor
I don't think I can set my Internet box in bridge mode (what would be the benefits, besides?). I am not sure I understand exactly what you mean by "real time".
 

octopus

Very Senior Member
Real time = shows the correct time.
In bridge mode you have the public IP shown in the router instead of 192.168.1.x.
 

octopus

Very Senior Member
Are you trying to connect to the router from the WAN, to your client? To connect to the router you have to configure a server.
 

mer_du_sud

Occasional Visitor
Why this question? Anyway, I have no problem connecting to the router from outside or to any client attached to the router. To connect to the router I have set up remote access; I also have the possibility to activate the Asus VPN server or the Synology VPN server (I have a Synology NAS attached to the router), etc.; of course I set up port forwarding at the Internet box level and at the router level.
I can answer your other question: my router shows the correct time.
 

octopus

Very Senior Member
OK, remote access is not recommended as it can be hacked easily. The recommendation is to set up a VPN server and connect to your LAN devices.
If it shows the correct time, I think it will not have time to sync the VPN client (probably because you do not have a public IP number for the router).
 

mer_du_sud

Occasional Visitor
OK, thanks for the advice about remote access; I won't implement it anymore, even if I don't see why it can be easily hacked unlike a VPN link.
But I must be a bit blocked: I don't see the relation between implementing remote access via the VPN server (from ASUS or my NAS; do you have a preference, by the way?) and the fact that the VPN client stops when the router reboots.
 

octopus

Very Senior Member
Have you looked at the log to see what happened there? You should see whether NTP is syncing or not when you reboot.
Like this: Nov 15 08:32:24 rc_service: ntpd_synced 1611:notify_rc start_vpnclient1
 

mer_du_sud

Occasional Visitor
Indeed, I made another test tonight and I have the following line:
Nov 16 23:38:11 rc_service: ntpd_synced 663:notify_rc start_vpnclient4
but I also have, a few lines further on:
Nov 16 23:38:26 rc_service: skip the event: start_vpnclient4.
Maybe this is the reason why the VPN client has not started?
 
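The two rc_service lines quoted in the last post are exactly what to grep for after every reboot. The script below is an added example written for this page, not code from the thread or from Asuswrt-Merlin: it reads syslog text of those two formats and reports, per VPN client number, whether the start that ntpd_synced requested was later skipped. The sample lines are constructed from the formats shown in the thread, and the reading that a "skip the event" line with no later start request means the client stayed down is the thread's interpretation, not a documented rule; the log path named in the usage note is an assumption.

```shell
#!/bin/sh
# Added example; not from the thread and not Asuswrt-Merlin's own code.
# Classifies rc_service lines of the two kinds quoted in the thread, per
# VPN client number. The sample is constructed from those formats.
SYSLOG_SAMPLE='Nov 16 23:38:11 rc_service: ntpd_synced 663:notify_rc start_vpnclient4
Nov 16 23:38:26 rc_service: skip the event: start_vpnclient4.
Nov 16 23:38:40 rc_service: ntpd_synced 663:notify_rc start_vpnclient1'

# Status of VPN client $2 from the log text in $1, judged by the last
# matching event in log order:
#   requested   - a start was asked for after NTP sync and nothing skipped it
#   skipped     - a start was asked for and then "skip the event" followed
#   no-request  - the log never asked for this client to start
# Clients are numbered 1-5 on Merlin, so no prefix ambiguity arises.
vpnclient_start_status() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $0 ~ ("notify_rc start_vpnclient" n "$")    { state = "requested" }
        $0 ~ ("skip the event: start_vpnclient" n)  { state = "skipped" }
        END { if (state == "") state = "no-request"; print state }'
}

# One line for each client 1-5 that the log mentions at all.
vpnclient_report() {
    for n in 1 2 3 4 5; do
        status=$(vpnclient_start_status "$1" "$n")
        [ "$status" = "no-request" ] || printf 'vpnclient%s: %s\n' "$n" "$status"
    done
}

# Demonstration run on the constructed sample.
vpnclient_report "$SYSLOG_SAMPLE"
```

On the router, `vpnclient_report "$(cat /tmp/syslog.log)"` (path assumed; use whatever the System Log page reads from) gives the same per-client verdict for the real boot. "requested" only means rc asked for the start after NTP sync; whether the tunnel actually came up has to be confirmed from the OpenVPN client's own log lines or the VPN status page, and the thread does not say why the event was skipped, so this script detects the symptom rather than explaining it.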
