VPN Client Rules: Why can WAN iface clients not access internet?

alwaysCurious

Setup: Cable modem --> AC86U (router, WiFi off, OpenVPN Client) --> AC1900P (AP Mode) --> WiFi clients

I just added an AC86U to my setup to boost OpenVPN speeds. However, my FireTV Stick (FTS) won't play Prime Videos when connected to a VPN (i.e., "You are connected to a VPN. Please disconnect..."). I expected this. When I had only the AC1900P, I created a VPN rule to redirect traffic from the FTS to the WAN iface. Everything worked.

Using the AC86U, the same rule causes all traffic from the FTS to get dropped. It connects to the network, but not the internet. Here is a summary of what I've tried:
- Restarted FTS, modem, AC86U, and AC1900P --> no internet access
- Used WiFi on AC86U --> no internet access
- "Block routed clients if tunnel goes down" Yes/No --> no internet access
- Turned off VPN client connection --> no internet access o_O
- Kept VPN connected, but removed FTS rule (i.e., it used the VPN) --> can access internet (but can't play Prime Video because of VPN connection)
- Kept VPN connected, and changed FTS rule to explicitly use the VPN --> can access internet (but can't play Prime Video because of VPN connection)

I was able to recreate the issue with my Android phone by adding a VPN rule for it. However, doing the same with my Windows laptop (WiFi) does not recreate the issue. o_O I am perplexed as to what this could be.

How can I get my FTS to bypass the VPN? Please let me know what additional information would be pertinent to add. Thanks
 

I think your notation is the problem. Keep it simple to start.

Delete the first two rows in your client selection table. By default everything not listed in this table will be routed by WAN.

The only rows you need to list are the IPs you want routed using the VPN. Again, keep it simple and start by listing individual IPs as the source. If you get it working, you can try using notation later. It is easier to do this if you assign specific devices static IPs. There are other ways to accomplish this, but get your basic setup working first.

Also, no need to list a destination for most use cases. Just leave that field blank.
 
Thank you for your reply. I think I have an incorrect understanding of the rules table.

Delete the first two rows in your client selection table...

The only rows you need to list are the IPs you want routed using the VPN.

Done, but now with only the "Default" rule in the table, doesn't that mean all traffic will go through the VPN? I've tried adding a rule ("Passthrough") to bypass the VPN, but that's where the problem starts. My passthrough device is now blocked from the internet. Is this a problem with my configuration, or a bug in the updated firmware code (i.e., should I downgrade to 384.18)?
 

The problem is with your setup. VPN clients work well for me on .19, as well as for most others on this site. NordVPN is used by many individuals on this site.

1. Assign devices you want to use the VPN static IPs in the LAN tab
2. Add these devices to the list of devices to be routed using the VPN
3. Temporarily change block internet connection if tunnel down to NO
4. Click apply at bottom of page

If it works and it is vital to your setup, go back and change the block connection setting. I don't block because my VPN clients are stable and I have never had one drop. I also use just policy rules, not strict policy rules, and that has never been an issue for me.
 
Instead of creating a static/reserved IP address and VPN rule for almost every device on my network, I want all devices on my network to go through the VPN by default, and only exclude specific ones (one or two devices). I created static IPs and rules for those devices, but without the expected result. It worked on the AC1900p. What about my setup could be preventing this from working with the AC86u?

Update 1: Once I apply a VPN routing rule (static IP, regardless of device), the FTS and my smartphone (which have static IPs, but no VPN rules) get blocked from the internet. It seems I can have everything go through the VPN (i.e., "Force internet traffic through tunnel": Yes), everything go through WAN (i.e., "Force internet traffic through tunnel": No), or some devices go through the VPN and others lose internet completely (i.e., "Force internet traffic through tunnel": Policy Rules (Strict)).

Update 2: I downgraded to 384.18, reset, and configured the same settings. The VPN rules worked correctly, as they did with the AC1900P. If someone else experiences the same issue I did, I hope this helps.
 
Just a heads up, I noticed that I have the exact same problem with my AC86U and firmware 384.19.
All traffic is routed through the VPN, not only the two clients I created a rule for.
Force Internet traffic through tunnel is set to "Policy Rules (strict)".
My VPN works with my FireTV stick, so I didn't notice this at first, but if the VPN gets disabled, every client on my network has no internet, not only the two which had been defined to use the policy.
I'm not sure where to report this, but in the release notes of this version there have been a lot of changes regarding the VPN, so I assume it is a bug.
 
@RMerlin -

I am experiencing the same issue as multiple people in this thread.

Is there any way you can look at this bug / thread?

Downgrading to the previous firmware works for me as a workaround, as it does for other users.

Hope you are well.
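
Added example, not part of any post in this thread and not Asuswrt-Merlin code: a way to check which policy rule catches a given client, by replaying saved `ip rule show` and `ip route show table <name>` output in the kernel's rule order. The rule priorities, the table name `vpn1`, the interface names and all addresses are constructed placeholders; the thread does not show the router's actual rules.

```python
import ipaddress

REJECT = {"unreachable", "prohibit", "blackhole"}  # route types that end the lookup with an error
TYPES = REJECT | {"throw", "local", "broadcast", "unicast"}

# Constructed samples (not from the thread): table "vpn1", eth/br names and IPs are placeholders.
RULES = """\
10001: from 192.168.1.50 lookup main
10101: from 192.168.1.0/24 lookup vpn1
32766: from all lookup main
"""
TABLES = {
    "main": "default via 203.0.113.1 dev eth0\n192.168.1.0/24 dev br0 scope link",
    "vpn1": "prohibit default\n192.168.1.0/24 dev br0 scope link",  # tunnel down, kill switch on
}

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s in ("all", "default") else s, strict=False)

def parse_rules(text):
    """`ip rule show` lines -> [(priority, source network, table)], lowest priority number first."""
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        tok = rest.split()
        rules.append((int(prio), _net(tok[tok.index("from") + 1]), tok[tok.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])

def best_route(table_text, dst):
    """Longest-prefix match inside one table -> (route type, device) or None."""
    best = None
    for tok in (l.split() for l in table_text.splitlines() if l.strip()):
        rtype = tok.pop(0) if tok[0] in TYPES else "unicast"
        net = _net(tok[0])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rtype, tok[tok.index("dev") + 1] if "dev" in tok else None)
    return best[1:] if best else None

def egress(client, dst, rules, tables):
    """Walk the rules as the kernel does; return (priority, table, device or 'BLOCKED:<why>')."""
    client, dst = ipaddress.ip_address(client), ipaddress.ip_address(dst)
    for prio, src, table in rules:
        if client not in src:
            continue
        hit = best_route(tables.get(table, ""), dst)
        if hit is None or hit[0] == "throw":
            continue  # no usable route in this table: fall through to the next rule
        return prio, table, ("BLOCKED:" + hit[0] if hit[0] in REJECT else hit[1])
    return None, None, "BLOCKED:no route"
```

A client whose exception rule sorts after the subnet-wide VPN rule is caught by the VPN table first, so comparing rule order between a working and a failing firmware is a direct check.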
 