Static IP issue AND VPN autostart issue

[gotenks121]

posted in another forum - realised this is probably a better place to ask.

Ok so i have asus router (merlin).
I have setup vpn client.
I have made it so all my traffic goes through VPN (192.168.1.0/24) apart from one IP which i have manually assigned as static, under DHCP settings.

My questions are:

1. Can I set up ONE static IP for a PC that goes through the WAN - or do I need to assign every device on my network with a static IP and specify each IP to go through WAN or VPN.
2. Is my current setup OK, I have manually assigned one static IP on my network for ONE PC and the rest go thorough the VPN with the IP range 192.168.1.0/24
3. What would happen if I add other devices to my network in the future if I only specify a static IP for one device and not the others. i.e does it make a difference if a new device is added to my wifi?

Thank you all in advance.

 

[Zastoff]

posted in another forum - realised this is probably a better place to ask.

Ok so i have asus router (merlin).
I have setup vpn client.
I have made it so all my traffic goes through VPN (192.168.1.0/24) apart from one IP which i have manually assigned as static, under DHCP settings.

My questions are:

1. Can I set up ONE static IP for a PC that goes through the WAN - or do I need to assign every device on my network with a static IP and specify each IP to go through WAN or VPN.
2. Is my current setup OK, I have manually assigned one static IP on my network for ONE PC and the rest go thorough the VPN with the IP range 192.168.1.0/24
3. What would happen if I add other devices to my network in the future if I only specify a static IP for one device and not the others. i.e does it make a difference if a new device is added to my wifi?

Side note - I have an ASUS 86u latest firmware - when is restart it the vpn is off and doesnt autostart even though, 'Automatic start at boot is enabled. any issues


Thank you all in advance.

Try Set router ip to wan aswell (guess yours is 192.168.1.1)

 

[ColinTaylor]

That's fine. You only need a static IP for a device that you want to route differently than those covered by 192.168.1.0/24.

 

[gotenks121]

Try Set router ip to wan aswell (guess yours is 192.168.1.1)

what do you mean and how?

 

[Zastoff]

In your vpn client
Force Internet traffic through tunnel: Policy rules or policy rules (strict)
Block routed clients if tunnel goes down=yes (killswitch if tunnel goes down)
Rules for routing client traffic through the tunnel:
All 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN
and continue to add (clients) like with router if you want them on isp connection(WAN)
Edit:
and like ColinTaylor wrote in his post

 

[gotenks121]

In your vpn client
Force Internet traffic through tunnel: Policy rules or policy rules (strict)
Block routed clients if tunnel goes down=yes (killswitch if tunnel goes down)
Rules for routing client traffic through the tunnel:
All 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN
and continue to add (clients) like with router if you want them on isp connection(WAN)
Edit:
and like ColinTaylor wrote in his post

Is there any benefit in having the router (192.168.1.1) go through the WAN? Why not let it go through the VPN?
Sorry if that's a silly question..
Thank you

 

[Zastoff]

It`s not a silly question (the router or one client needs the WAN connection)
I have it set like i posted it
Here is some more info:
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

 

[gotenks121]

It`s not a silly question (the router or one client needs the WAN connection)
I have it set like i posted it
Here is some more info:
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Is it a security issue if I dont define the router (192.168.1.1) to pass through the WAN in policy rules.

 

[Zastoff]

No but guess you could have issues with with your isp connection (you dont want your WAN(isp) connection under the killswitch)
If the vpn tunnel goes down killswitch stops all routed clients until it`s back up and if router is down you will lose isp connection aswell thats how i am thinking

 

[gotenks121]

No but guess you could have issues with with your isp connection (you dont want your WAN(isp) connection under the killswitch)

Why dont I want the WAN connection under the kill switch? In other words what would happen if the router (192.168.1.1) stayed under the VPN and I didnt specify it in the policy rules(strict) to go through the WAN?
I know maybe I'm misunderstanding something...
I thought that it was better if everything was under the VPN except for devices hooked to Netflix or something.

 

[Zastoff]

If the router(isp connection) it self goes down you cant get the vpn tunnel back up
(Think that whats happened when you reboot the vpn client shuts down and killswitch cuts your router off from your isp)

 

[gotenks121]

If the router(isp connection) it self goes down you cant get the vpn tunnel back up
(Think that whats happened when you reboot the vpn client shuts down and killswitch cuts your router off from your isp)

Also does ot mean that if I use a different VPN client ie swapping between servers. I can do that if 192.168.1.1 is WAN. Otherwise it would be blocked through policy rules?

 

[Zastoff]

I guess switching vpn servers could have the same effect yes since it will shutdown while it reconnects
Are you running more then 1 vpn-client?

 

[gotenks121]

Ok

If the router(isp connection) it self goes down you cant get the vpn tunnel back up
(Think that whats happened when you reboot the vpn client shuts down and killswitch cuts your router off from your isp)

So I changed the router to go through the WAN NOW now the internet has gone down and my WAN ip is showing as a 192.168.x.x

Basically I have setup one vpn client with policy rules.
1. I have setup policy rules.
2. Static ip for one device to go through the WAN
3. yesterday put in a new rule for the router to go through the WAN.
4. DNS settings as strict and used DNS as given by the VPN provider.

I'm gonna try and leave it for a couple hours as I expect that the actual ISP has gone down. Not able to get internet on devices that arent even going through router yet. Will check back later. I thought it could have been a DNS issue.

 

[Xentrk]

For my use case, I find the entry for the router is required in the OpenVPN Client 1 Screen when using more than one OpenVPN Client instance and have multiple rules routing traffic through more than one VPN interface and other traffic through the WAN interface.

Defining the router’s IP address to use the WAN interface and the priorities of the OpenVPN Clients is the first place to look if you experience issues with Policy Rules or traffic is not going where you expect it to.

Type the command ip rule on the command line to see the Routing Policy Database (RPDB) rules.

If you use a streaming service like Netflix, you may get blocked if using a VPN. You can use x3mRouting to bypass Netflix traffic from the VPN and route to the WAN.