Using Multiple OpenVPN Clients

TonyK132

Senior Member
Is there a tutorial somewhere that talks about configuring Merlin for handling multiple OpenVPN clients? I have Client 1 running PIA and Client 2 running ExpressVPN. I would like all of my traffic to go to Client 1 except for a small range of IP addresses to use Client 2. Can I configure the Policy Rules for doing this?
 
Have you looked at the Policy Based Routing section of the RMerlin Wiki? Good info there.
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
I did see that post, and I reviewed again after your post. I believe it does not address the 2 client situation. Still, I experimented a bit and I think what works is:

1. In Client 1, you leave the range of IP addresses undefined that you want to use in Client 2. This will cause that client to view those addresses as going through the WAN
2. In Client 2, you declare the addresses you want to go through that client as part of the undefined addresses from Client 1

What does NOT work is defining the address range in both Client 1 and Client 2 hoping that Client 2 will prevail since it follows Client 1 in the order of execution. I guess it does not work that way.
 
So I can tell exactly what is happening when using 2-3 VPN clients I do the following:

1. For all devices that regularly connect to this router I assign static IPs
2. I use policy routing or strict policy routing on all VPN clients.
3. In the lowest numbered client I select all devices that I want to use VPN Tunnel 1.
4. In the lowest numbered client I also select all devices that I want to use the WAN and assign them to the WAN. Some people recommend assigning the router's LAN IP to the WAN also. In my experience it doesn't seem to make a difference. I prefer to include the WAN connections so I know exactly where a device is connecting and you don't have to make an assumption
5. On the second VPN Tunnel 2, assign the IPs you want to use this tunnel. As you found out IPs can't be listed under policy routing in more than one tunnel.
6. Be careful if you select block routed clients if the tunnel goes down. In my case I feel it is more important to keep certain IoT clients connected as long as I have a viable Internet connection. Not much of an issue for me as my ISP connection is rock solid as is Merlin's 384.9 -11 so if one of my tunnels goes down it is a very rare occurrence.
7. I do have all my VPN clients set to start with the WAN.

FYI: It is possible to have more than one VPN client from PIA running on your router at the same time. If you are interested search my posts on this forum for information on how to do so. Very simple.
 
Presumably you have now created the following Selective Routing GUI tables?

e.g. For ExpressVPN (VPN Client 1)
Code:
Express1      192.168.1.111    0.0.0.0   VPN
Express2      192.168.1.123    0.0.0.0   VPN
e.g. For PIA (VPN Client 2) - Everything else
Code:
ALL_LAN_PIA   192.168.1.0/24   0.0.0.0   VPN
Router        192.168.1.1      0.0.0.0   WAN

NOTE: You don't have to use the GUI to statically define the Selective Routing of the devices, you can always exploit the openvpn-event triggers to rebuild the RPDB table to enforce your requirements.

Optionally, you may wish to enable the KILL switch for VPN Client 1, then that should ensure that ExpressVPN devices .111/.123 do not leak via VPN Client 2 or the WAN
 
Thanks for your reply. Yes, that is basically the configs that I have, although I found that when I had PIA as Client 1 with 192.168.1.0/24 VPN then tried to do 192.168.1.123 on the WAN for ExpressVPN on Client 2, that it did not work. I need to put the .123 device to a range that was not declared in Client 1, say .250, then put .250 on the VPN in Client 2.

For the Kill Switch, I'll need to research how to do that. I'll also have to research about the openvpn-event triggers.
 
Thanks for the feedback. I'm glad you got it sorted, and hopefully my example configuration proves the exception to the myth "IPs can't be listed under policy routing in more than one tunnel".

i.e. 192.168.1.111 and 192.168.1.123 appear in both VPN Client 1 and VPN Client 2 (implicitly), yet this doesn't cause any undesired Selective Routing issues for your user case where .111/.123 will prefer VPN Client 1 if it is UP otherwise they will use VPN Client 2.

NOTE: If you would rather 192.168.1.123 should use the WAN if VPN Client 1 is DOWN, then you need to simply explicitly add the following to VPN Client 2
Code:
ExpressVPN2   192.168.1.123   0.0.0.0   WAN
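
Added example, not code from any poster in this thread or from Asuswrt-Merlin: a small model of how Linux policy routing evaluates rules in priority order, applied to the two Selective Routing tables above, to show where a device's traffic leaves when VPN Client 1 is up, down, or down with the kill switch on. The rule priorities, the table names `ovpnc1`/`ovpnc2` and the representation of the kill switch as a prohibit route are assumptions for illustration.

```python
import ipaddress

# Constructed rules mirroring the two Selective Routing tables in the thread.
# (priority, source selector, routing table); priorities and the table names
# ovpnc1/ovpnc2 are assumptions. Lower priority numbers are evaluated first.
RULES = [
    (10101, "192.168.1.111", "ovpnc1"),   # Express1 -> VPN Client 1
    (10102, "192.168.1.123", "ovpnc1"),   # Express2 -> VPN Client 1
    (10301, "192.168.1.1", "main"),       # Router -> WAN
    (10302, "192.168.1.0/24", "ovpnc2"),  # ALL_LAN_PIA -> VPN Client 2
    (32766, "0.0.0.0/0", "main"),         # kernel default rule: main table (WAN)
]
# Optional extra row from the last post: ExpressVPN2 192.168.1.123 -> WAN in Client 2.
WAN_OVERRIDE = (10300, "192.168.1.123", "main")


def egress(src, tables, rules=RULES):
    """Return the routing table that forwards src, or "BLOCKED".

    tables maps a table name to its state:
      "up"       - has a default route, traffic leaves here
      "empty"    - tunnel down, no route: lookup falls through to the next rule
      "prohibit" - kill switch modelled as a prohibit default route (assumption)
    """
    ip = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(rules):
        if ip not in ipaddress.ip_network(selector):
            continue
        state = tables.get(table, "empty")
        if state == "up":
            return table
        if state == "prohibit":
            return "BLOCKED"
    return "BLOCKED"


if __name__ == "__main__":
    down = {"main": "up", "ovpnc1": "empty", "ovpnc2": "up"}
    killed = dict(down, ovpnc1="prohibit")
    for name, state in (("client 1 down", down), ("client 1 down + kill switch", killed)):
        for host in ("192.168.1.111", "192.168.1.123", "192.168.1.50"):
            print(f"{name}: {host} -> {egress(host, state)}")
    print("with WAN row:", egress("192.168.1.123", down, RULES + [WAN_OVERRIDE]))
```

In this model an address matched by both clients' rules follows the lower-priority-number rule while that tunnel is up, and only the kill switch state stops it from falling through to the next client or the WAN.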
 