VPN-Client only for specific LAN-Port

s25a

Hi all,

I just set up my first Asus-Merlin router and like it very much. I also set up a VPN client and could successfully connect to my VPN provider. Performance is OK and I would like to use it, but only for a specific LAN port (e.g. Port 2).

Is that possible? I would like to use that VPN service only for 2-3 devices in my network. If there's another solution (e.g. to use it with MAC address) this would also be good to know.

I am using the RT-AC68U with Firmware 380.66_6

Thanks

S
 
Some VPN services allow you to do that with a GUI. You can assign it to certain devices and all others will get your local network.
 
> Hi all,
>
> I just set up my first Asus-Merlin router and like it very much. I also set up a VPN client and could successfully connect to my VPN provider. Performance is OK and I would like to use it, but only for a specific LAN port (e.g. Port 2).
>
> Is that possible? I would like to use that VPN service only for 2-3 devices in my network. If there's another solution (e.g. to use it with MAC address) this would also be good to know.
>
> I am using the RT-AC68U with Firmware 380.66_6
>
> Thanks
>
> S
Under Redirect Internet traffic on the VPN client page, select Policy Rules (strict). You can then designate rules to govern if an IP is to use the VPN tunnel, or the normal WAN. This assumes you have set up static IPs using DHCP or equivalent on the device itself.
 
@Jack Yaz I like what @s25a is getting at here. I know I can set rules for certain devices or IPs to use the VPN and others to use the normal WAN, but I am looking to do what the OP suggested in the first place: have a specific LAN port or maybe all wired LAN ports dedicated to VPN and the wireless connection dedicated to normal WAN on the same router?
I want a single device (my main media server PC) to be able to quickly switch between them but without having to have 2 routers. Often I'll be on my VPN and run into a website that for whatever reason has blocked the VPN IP address and so I need to switch over to the regular WAN for access. I do this already but with a VPN router (Asus RT-AC86U) behind my ISP modem/router and so 2 different subnets with 2 different wireless signals causing interference with my stereo system. I would rather put the ISP modem/router in bridge mode and only use the Asus as a router (or another router that has this capability if you know of one out there).
 
> Often I'll be on my VPN and run into a website that for whatever reason has blocked the VPN ip address and so I need to switch over to the regular WAN for access
A simple solution is to run an OpenVPN server on your router and connect to it when you need the connection to WAN.
Your local IP will be overwritten by the VPN so it will not follow policy rules.
 
The quickest way to switch a PC from VPN to no VPN is probably just to run the VPN on your PC.

The VPN provider's app may give you the option to automatically use the WAN for certain web sites, and if that doesn't work you can go down into your icon tray and just disable the VPN with a click.
 
> simple solution is run openvpn server on your router and connect it when you need the connection to wan.
I don't see how this is a simple solution. First I have to set up a vpn server? Then when I need normal WAN I have to log in to my router and connect the server?
> The quickest way to switch a PC from VPN to no VPN is probably just to run the VPN on your PC.
Yes, running the vpn on a pc would probably be the quickest way, although not much quicker than disabling my ethernet connection and enabling my wireless connection, however, not at all the best and most efficient way to run a vpn. Also my vpn service only allows 5 simultaneously connected devices. A router only counts as one device no matter how many devices are connected to it so running it on the pc is out.

So the question still is, Is there a router firmware out there that will allow me to run the VPN on specific ports?

What about like dd-wrt with Virtual Wireless Connections. Can't you set up basically unlimited virtual wireless connections with different SSID's? Can you set one of them up to run the VPN while the rest are on regular WAN?
 
> I don't see how this is a simple solution. First I have to set up a vpn server? Then when I need normal WAN I have to log in to my router and connect the server?
I said "run openvpn server on your router".
Connect to the router's VPN server from your PC.
It's just a trick.
 
> So no good on assigning specific ports?
To answer your query, the basic technique is to create a separate bridge interface for the Guest SSID interface that is mapped to the appropriate VPN, then create a VLAN on the required switch port, then bind it to the bridge. See my Feb 2018 post.

e.g. Create bridge (br1) and map 2.4G Guest 1 to VPN Client 1
Code:
./WiFiVPN.sh

(WiFiVPN.sh): 1482 v1.15 © 2016-2020 Martineau, WiFi status request.....[]
    WiFi Configuration Status for interfaces:
    wl0.1   Guest241VPN_USA     2.4GHz Guest 1  (192.168.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.194) via Bridge: br1
    -----   (ASUS_88_2G_Guest2) 2.4GHz Guest 2  ** Disabled **
    -----   (ASUS_88_2G_Guest3) 2.4GHz Guest 3  ** Disabled **
    -----   (ASUS_88_5G_Guest)  5GHz   Guest 1  ** Disabled **
    -----   (ASUS_88_5G_Guest2) 5GHz   Guest 2  ** Disabled **
    -----   (ASUS_88_5G_Guest3) 5GHz   Guest 3  ** Disabled **
    eth5                        2.4GHz Network
    eth6                        5GHz   Network

Then create a VLAN on the preferred port

e.g. Port 4 (eth1) on the RT-AX56U
Code:
ip link show eth1.40

26: eth1.40@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT group default
    link/ether 04:d9:f5:b4:dd:88 brd ff:ff:ff:ff:ff:ff
    alias VPN USA

Then bind the VLAN to the VPN bridge (br1)
Code:
brctl show

bridge name bridge id       STP enabled interfaces
br0     8000.04xxxxxxxx88   yes     eth1
                                    eth2
                                    eth3
                                    eth4
                                    eth5
                                    eth6
br1     8000.04xxxxxxxx89   no      eth1.40
                                    wl0.1
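
A check for the layout described in the post above, as an added example that is not part of the thread and not taken from WiFiVPN.sh: it parses `brctl show` output and confirms that the VLAN sub-interface and the guest SSID are members of the VPN bridge (br1) and of no other bridge. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm from `brctl show` output that the VLAN port and the
# guest SSID are members of the VPN bridge (br1) and not also of the LAN bridge.

# Constructed sample modelled on the post's output (bridge ids are placeholders).
SAMPLE_BRCTL='bridge name  bridge id          STP enabled  interfaces
br0          8000.000000000001  yes          eth1
                                             eth2
                                             eth5
br1          8000.000000000002  no           eth1.40
                                             wl0.1'

# bridges_of IFACE TEXT: print every bridge that lists IFACE as a member.
# The comparison is an exact match, so eth1 (br0) is not confused with eth1.40.
bridges_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 && $1 == "bridge" { next }               # header row
        { ifc = "" }
        NF >= 3 { br = $1; ifc = (NF >= 4) ? $4 : "" }   # name id stp [iface]
        NF == 1 { ifc = $1 }                             # continuation row
        ifc != "" && ifc == want { print br }'
}

# audit_vpn_bridge VPN_BR TEXT IFACE...: return 0 only when every IFACE is in
# VPN_BR and in no other bridge; print one finding per interface.
audit_vpn_bridge() {
    vpn_br=$1; text=$2; shift 2
    rc=0
    for ifc in "$@"; do
        found=$(bridges_of "$ifc" "$text" | tr '\n' ' ')
        case "$found" in
            "$vpn_br ") echo "OK   $ifc only in $vpn_br" ;;
            "")         echo "FAIL $ifc not in any bridge"; rc=1 ;;
            *)          echo "FAIL $ifc in: $found(expected only $vpn_br)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# On the router, pass live output instead:
#   audit_vpn_bridge br1 "$(brctl show)" eth1.40 wl0.1
audit_vpn_bridge br1 "$SAMPLE_BRCTL" eth1.40 wl0.1
```

Bridge membership is only one part of the setup; the routing of br1 through the VPN client still has to be checked separately.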
 
@Martineau That looks cool, but can I inject that code on the stock AC86U firmware or does it have to be the asus-merlin? Where do I put this code?
I prefer the stock firmware because not only is it much easier to add a new vpn profile (different server location), but it is also much quicker to switch from one profile to another.
 
