Split tunnelling on RT AC86U 386.2.2 Merlin


Grommit

Occasional Visitor
OK, so now I'm totally confused. I started off trying to use policy rules, with little success, but now I can't even get a vpn to work, express vpn or Nord vpn. I leave all config settings at default, I load my config files, I tell it to force internet traffic down the vpn, it doesn't work. At all. I've tried changing DNS from relaxed to strict (my router dns is set to expressvpn's mediastreamer dns. Is that the issue?) If I'm going to use policy rules, must it have a statement forcing all traffic down the vpn with exceptions set to WAN? Or the other way round? I'm not a complete idiot but I'm really struggling here. Help please......
 

eibgrad

Very Senior Member
Let's NOT conflate the issue of having the VPN work "at all" w/ how it handles DNS, or even Routing Policy. Those are completely different issues.

When dealing w/ a commercial OpenVPN provider, that provider invariably pushes the "redirect-gateway def1" directive to the OpenVPN client to force a change in the default gateway from the WAN/ISP to the VPN. For that reason, whether you chose No or Yes for "Force internet traffic through tunnel", you get the same results; ALL internet traffic is forced over the tunnel.

If the above doesn't work AT ALL, then you have misconfigured the OpenVPN client in some way. Perhaps you failed to NAT the tunnel? I know a common mistake w/ ExpressVPN is a failure to include the "fragment 1300" directive (I would assume it's in their .ovpn config files, but then I typically configure manually and have to remember to do this), etc. Whatever it is, something is wrong.

Once the above is working (e.g., you can ping 8.8.8.8 from a client behind the router), *now* comes the issue of Routing Policy and DNS, and whether either is working to your satisfaction.

But if you just throw out a bunch of different scenarios and claim they all don't work, it's going to be difficult to provide help. Be methodical. Conquer one thing at a time. All I want to know at the moment is if you can successfully connect to the VPN using the defaults. Until that's working, Routing Policy and DNS are irrelevant.
 

Tech9

Senior Member
When dealing w/ a commercial OpenVPN provider, that provider invariably pushes the "redirect-gateway def1" directive to the OpenVPN client to force a change in the default gateway from the WAN/ISP to the VPN. For that reason, whether you chose No or Yes for "Force internet traffic through tunnel", you get the same results; ALL internet traffic is forced over the tunnel.

In Asuswrt-Merlin all the clients go through WAN unless rules are set.

The simplest configuration:
Network 192.168.1.1/24 0.0.0.0 VPN - all devices through VPN
Router 192.168.1.1 0.0.0.0 WAN - exclude router from VPN
My_PC 192.168.1.x. 0.0.0.0 WAN - device X through WAN

See @Xentrk examples above.
 

eibgrad

Very Senior Member
In Asuswrt-Merlin all the clients go through WAN unless rules are set.

The simplest configuration:
Network 192.168.1.1/24 0.0.0.0 VPN - all devices through VPN
Router 192.168.1.1 0.0.0.0 WAN - exclude router from VPN
My_PC 192.168.1.x. 0.0.0.0 WAN - device X through WAN

See @Xentrk examples above.

Please read my comments more carefully.

When @Xentrk says all traffic will use the WAN, he means when Routing Policy is enabled. That's NOT what I'm talking about. I'm talking about the behavior when Routing Policy is NOT chosen, when either No or Yes is specified w/ the "Force internet traffic through tunnel" option.

By default, the OpenVPN client option "Force internet traffic through tunnel" is set to No, which means the default gateway will be configured according to the *server*. In the case of virtually every commercial OpenVPN provider, they will push the 'redirect-gateway def1' directive to the OpenVPN client, thereby changing the default gateway to the VPN (it has the same effect as if you had specified Yes for "Force internet traffic through tunnel").

That was my point.

However, once you change "Force internet traffic through tunnel" to one of the Routing Policy options, now the WAN becomes the default gateway, and yes, now you need rules to route any traffic over the VPN.
 

eibgrad

Very Senior Member
@eibgrad, the OP's intention is to enable policy rules. The information you post is correct, but in a form of essay. The OP is not preparing for an exam on the subject. He just needs to know what to click on that UI page. :)

How is someone going to help when the OP is jumping from issue to issue, and can't even get it working using the defaults?

Once the OP stated the following ...

... now I can't even get a vpn to work, express vpn or Nord vpn. I leave all config settings at default, I load my config files, I tell it to force internet traffic down the vpn, it doesn't work. At all.

... it's no longer just a Routing Policy issue. My point was for the OP to *first* verify it works using the defaults, esp. given those comments. THEN he can pursue the issue of Routing Policy.
 

Tech9

Senior Member
How is someone going to help when the OP is jumping from issue to issue

Very simple - reset the client, import the file again, set the policy routing as per example. Merlin made it easy, I've tested it twice and it takes 30 seconds time. I read your posts around and they are pages long full of theoretical information. This is hard to read and follow for average home router users. The OP doesn't need to know how it works under the hood and how many mistakes he made. He needs guidance how to make it work in Asuswrt-Merlin.
 

eibgrad

Very Senior Member
Very simple - reset the client, import the file again, set the policy routing as per example. Merlin made it easy, I've tested it twice and it takes 30 seconds time. I read your posts around and they are pages long full of theoretical information. This is hard to read and follow for average home router users. The OP doesn't need to know how it works under the hood and how many mistakes he made. He needs guidance how to make it work in Asuswrt-Merlin.

Everyone providing tech support has their own preferred approach. For me, when someone gets this confused, it's back to basics. Proving it works using defaults, and NOT introducing additional issues like Routing Policy. If others want to take a different approach, go for it. The OP is free to follow whatever advice best solves his problem.
 

Tech9

Senior Member
Everyone providing tech support has their own preferred approach.

In this case NordVPN client with simple rules takes less time than reading your post with all the gateway redirects and fragments directives. I first read the OP issue and set up a test client quickly to see what happens. I found it working properly. I read your post after and you got me confused with it. :D
 

eibgrad

Very Senior Member
In this case NordVPN client with simple rules takes less time than reading your post with all the gateway redirects and fragments directives. I first read the OP issue and set up a test client quickly to see what happens. I found it working properly. I read your post after and you got me confused with it. :D

Not only do ppl offer advice differently, they respond differently to the advice given. Whatever works.
 

Grommit

Occasional Visitor
OK. So I've read all that. I went back to Asus OS 9.0.0.4.386_41994 firmware to confirm what I DID know. Nord and Express work as expected, but obviously no split tunnel. From what I've read from replies here: If I configure Nord or Express, and choose either "Force all traffic down vpn "yes", or "no", this decision is normally overruled by commercial vpn providers and all traffic will go down the vpn, Yes? That was definitely NOT the case. My ip address using this config was NOT in the UK, where I wanted it. I tried it set to "yes", and to "no", the result was still the same, address was NOT in the UK. To be fair, I'm not 100% convinced any of the available online address checkers or DNS leak testers are completely accurate. I often find different results with different tests. It may be the way in which each vpn provider configures their service, but because google is so crappy these days, it's difficult to get to any good technical based articles regarding vpn configuration to try and work out why. It's the same with speedtesting.
If I try the Merlin OS again: I should configure my vpn, choose policy rules, which forces ALL traffic over the WAN, then statements to make my chosen addresses take the vpn route. Is that correct? And just to say ALL your advice is appreciated, and I don't mind how technical it gets. I was involved on the periphery of IP networking back in the early years, a long time ago, and have some experience with Cisco switches and routers. It was a LONG time ago, and I'm only just dipping my toe back in the water. You guys are obviously up to speed and far more knowledgeable, and any input is greatly appreciated.
 

Grommit

Occasional Visitor
One more question. I notice Merlin is using OpenVPN 2.5. I spoke to Express, who currently only support 2.4. Is 2.5 backward compatible? I read what I could find, it looks like there may be problems running 2.5 against 2.3, but it IS compatible with 2.4. Is that correct? Anyone have any experience of this?
 

ColinTaylor

Part of the Furniture
You need to determine why your VPN doesn't work at all with either firmware before playing around with policy rules. It's probably going to be easier to debug things if you use Merlin's firmware rather than stock.

I'm a bit concerned with how you're testing that it's working or not. Are you in the UK? Does the WAN IP address shown by https://canyouseeme.org/ change when you enable and disable the VPN client?
 

Grommit

Occasional Visitor
You need to determine why your VPN doesn't work at all with either firmware before playing around with policy rules. It's probably going to be easier to debug things if you use Merlin's firmware rather than stock.

I'm a bit concerned with how you're testing that it's working or not. Are you in the UK? Does the WAN IP address shown by https://canyouseeme.org/ change when you enable and disable the VPN client?
Hi Colin. No, I'm not in the UK at the moment. Wish I was. Sorry for the confusion. Currently I'm running Asus stock firmware, Nord and Express work perfectly. I see my address in the UK when they're on.
With Merlin when I tried it, my address stayed firmly in my country of origin. It's altogether possible I hadn't configured the rules correctly. I tried/changed so many things whilst trying to get it working, and all common sense and method went out of the window.
Just to be clear before I try again:

If I choose "Forced, Yes or No" all traffic goes to the vpn regardless because Nord and Express will force it to be the default. And I must include statements to send chosen non-vpn addresses to the WAN?
Will that work? (Pretty sure I tried that, unsuccessfully)

If I choose "Policy Rules", all traffic goes to the WAN, and I must put statements in stating "VPN" for any exceptions to that.
Is that correct?
And with the "Policy Rules" choice, do I have to include a statement explicitly sending all traffic to the VPN? I'm not sure after reading some of the posts.

Tech 9's advice....

"In Asuswrt-Merlin all the clients go through WAN unless rules are set." This is with "Policy Rules" set on, yes? Not with "Forced, Yes or No"?

The simplest configuration:
Network 192.168.1.1/24 0.0.0.0 VPN - all devices through VPN
Router 192.168.1.1 0.0.0.0 WAN - exclude router from VPN
My_PC 192.168.1.x. 0.0.0.0 WAN - device X through WAN

So does split tunnel only work if ALL traffic is forced down the vpn, and then statements for exceptions to the WAN?

Sorry for any misunderstanding....
 

ColinTaylor

Part of the Furniture
Ok thanks for the clarification.

I think your understanding of what should be happening is correct. As it isn't I suggest you start with the basics as @eibgrad recommended and just try to confirm that the VPN client works without policy routing. Set "Force internet traffic through tunnel" to Yes just to be sure.

Then check the VPN - Status page to confirm that the VPN client has connected successfully and that traffic is flowing. Also check the messages in the System Log for potential problems when the VPN client starts up. And check again whether your external IP address has changed from what it normally is.
 

Grommit

Occasional Visitor
Ok thanks for the clarification.

I think your understanding of what should be happening is correct. As it isn't I suggest you start with the basics as @eibgrad recommended and just try to confirm that the VPN client works without policy routing. Set "Force internet traffic through tunnel" to Yes just to be sure.

Then check the VPN - Status page to confirm that the VPN client has connected successfully and that traffic is flowing. Also check the messages in the System Log for potential problems when the VPN client starts up. And check again whether your external IP address has changed from what it normally is.
Which bit of my understanding is correct? This bit......"So does split tunnel only work if ALL traffic is forced down the vpn, and then statements for exceptions to the WAN?"
That would make sense, and explain why I couldn't get it working...

I did the other things you suggested....checked the VPN status page to make sure it had connected ok, and I could see traffic both ways, and checked the logs for errors...
 

ColinTaylor

Part of the Furniture
Which bit of my understanding is correct? This bit......"So does split tunnel only work if ALL traffic is forced down the vpn, and then statements for exceptions to the WAN?"
No, the opposite. With policy rules enabled all traffic will default to going via the WAN. You have to create explicit exceptions for clients to go through the VPN.
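The two behaviours described in this thread (eibgrad's point that with "Force internet traffic through tunnel" set to No or Yes a commercial provider's pushed redirect-gateway def1 sends everything over the VPN, and ColinTaylor's point that with Policy Rules the WAN is the default and only matching rules divert a client to the VPN) can be checked against Tech9's three-line rule set with a small model. This is an added example, not code from Asuswrt-Merlin; the rule-evaluation order (top to bottom, first match wins), the host address 192.168.1.50 standing in for "192.168.1.x" and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0"  # Merlin's wildcard meaning "any address" in a policy rule

@dataclass
class Rule:
    name: str
    source: str        # LAN host or subnet, or 0.0.0.0 for any
    destination: str   # remote host or subnet, or 0.0.0.0 for any
    iface: str         # "VPN" or "WAN"

def _matches(pattern: str, address: str) -> bool:
    """0.0.0.0 matches anything; otherwise test membership in the host/subnet."""
    if pattern == ANY:
        return True
    # strict=False accepts "192.168.1.1/24" exactly as written in the thread
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)

def egress(mode: str, rules: list, src: str, dst: str,
           server_pushes_redirect: bool = True) -> str:
    """Return "VPN" or "WAN" for traffic from LAN client src to internet host dst.

    mode is the value of "Force internet traffic through tunnel":
      "No"  - default gateway follows the server; commercial providers push
              redirect-gateway def1, so everything goes via the VPN anyway
      "Yes" - the router itself makes the VPN the default gateway
      "Policy Rules" - WAN is the default; only matching rules divert to the VPN
    """
    if mode in ("No", "Yes"):
        return "VPN" if (mode == "Yes" or server_pushes_redirect) else "WAN"
    if mode != "Policy Rules":
        raise ValueError(f"unknown mode {mode!r}")
    # Assumption: rules are evaluated top to bottom and the first match wins,
    # so the specific WAN exceptions must sit above the catch-all subnet rule.
    for rule in rules:
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.iface
    return "WAN"

# Tech9's rule set from the thread, exceptions listed first (constructed sample)
RULES = [
    Rule("Router", "192.168.1.1", ANY, "WAN"),
    Rule("My_PC", "192.168.1.50", ANY, "WAN"),   # assumed host for "192.168.1.x"
    Rule("Network", "192.168.1.1/24", ANY, "VPN"),
]
```

Reversing RULES so the subnet rule comes first sends My_PC over the VPN too under the first-match assumption, which is the kind of ordering mistake worth checking before blaming the provider.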
 
