VPN Director - Asuswrt-Merlin

Mikey3

Occasional Visitor
Can someone tell me how to set up a rule in VPN Director to allow all clients to go through the VPN tunnel except one?

Thanks
 
Click on Add new rule in VPN director. Choose your VPN client in the interface section and add the clients you want to go through the VPN.
You should be able to set 192.168.50.0/24 as a choice instead of one client per rule. Name that rule "all clients" or something.
Then add a second rule with the client you want to go through the WAN interface

 
@Mikey3 And to add just one last tidbit to this... make sure your exception rule is located at the top of your rules list, as rules are processed top-down... So your more global VPN rule should be #2.
 
A related question about VPN Director:
Is there any way to specify that traffic from all WiFi-connected devices go through a VPN (but devices wired to the LAN continue to go through the WAN interface)? The VPN Director GUI only seems to allow client definition by IP, not by interface.

Thanks.
 
@Mikey3 And to add just one last tidbit to this... make sure your exception rule is located at the top of your rules list, as rules are processed top-down... So your more global VPN rule should be #2.
WAN has higher priority over VPN client. Regardless of the sequence of rule creation, the higher priority rule will always be sorted on top in the GUI and applied first. There should be no issue for the OP's requirement.

 
WAN has higher priority over VPN client. Regardless of the sequence of rule creation, the higher priority rule will always be sorted on top in the GUI and applied first. There should be no issue for the OP's requirement.

Thanks for this @chongnt ... but if something starts acting wonky, it's probably best to sort them in order of importance top-down... as a best practice. ;)
 
A related question about VPN Director:
Is there any way to specify that traffic from all WiFi-connected devices go through a VPN (but devices wired to the LAN continue to go through the WAN interface)? The VPN Director GUI only seems to allow client definition by IP, not by interface.

Thanks.
Yes, it seems there is no straightforward way of doing this. You can split LAN and WiFi into different subnets, say manually assign IPs for your LAN devices to 192.168.50.2 - 192.168.50.127 (192.168.50.0/25) and let WiFi devices get their IP from the DHCP pool 192.168.50.129 - 192.168.50.254 (192.168.50.128/25). This way you can do it with two rules in VPN Director.
Another option I can think of is to use Guest Network with the YazFi addon. It has an option to route it over VPN.
 
Thanks for this @chongnt ... but if something starts acting wonky, it's probably best to sort them in order of importance top-down... as a best practice. ;)
In 386.9, there is no option to sort it manually. I suppose the same for 388.x? The rules are automatically sorted by Interface priority as we create it.
 
In 386.9, there is no option to sort it manually. I suppose the same for 388.x? The rules are automatically sorted by Interface priority as we create it.
Jeez... you're absolutely right. Maybe I was confusing the vpn director with something else where you could change its order. Thank you!
 
Yes, it seems there is no straightforward way of doing this. You can split LAN and WiFi into different subnets, say manually assign IPs for your LAN devices to 192.168.50.2 - 192.168.50.127 (192.168.50.0/25) and let WiFi devices get their IP from the DHCP pool 192.168.50.129 - 192.168.50.254 (192.168.50.128/25). This way you can do it with two rules in VPN Director.
Another option I can think of is to use Guest Network with the YazFi addon. It has an option to route it over VPN.
@chongnt
I can see how I would narrow the scope of the DHCP server to 192.168.50.2-.127. But don't know how to define another DHCP pool (.129-.254) for WiFi devices.

However, I think your Guest Network idea will work. I'd never set one up, but I just tried it. It's not at all obvious (at least, it's not to me), but doing so creates a new subnet (192.168.101.0/24) and a DHCP server for devices that associate with the guest network. So a VPN Director rule can be created with a rule that assigns the entire subnet to a VPN. Presto - mission accomplished.

That DHCP server for the guest network is well hidden - I can't see it listed on the LAN/DHCP Server page, nor on the Guest Network page.

I will take a look at YazFi. I've never heard of it, and frankly don't know how I would add it to my RT-AC86U. I'm fairly new to Merlin firmware.

Thanks for the tips!!!
 
A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers is that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?
 
A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers is that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?
Not sure, but you can add several instances of VPNs and set up rules for each one, so if one goes down the 2nd comes in as backup, and so forth.
 
I wonder though how i can setup rules for priority of the VPN's.

Like using the OpenVPN with the killswitch as a backbone. It would fall through WGC1, then WGC2, and then lastly to OVPN1+killswitch.

With this setup the OVPN gets nr.1 in line, so this could only work if all VPN clients were OpenVPN clients.
@RMerlin can a priority be added to the VPN director?
 
Not sure, but you can add several instances of VPNs and set up rules for each one, so if one goes down the 2nd comes in as backup, and so forth.
Alright, that's a shame. Perhaps someone else knows; otherwise I will be forced to go with OpenWRT, because there you can schedule wireguard-watchdog every few minutes to check. Seems there is no similar feature for Asus if the VPN Client stays disconnected even when the VPN goes back online again.
@RMerlin can a vpn-watchdog be implemented that re-connects the client if it's been disconnected?
 
Alright, that's a shame. Perhaps someone else knows; otherwise I will be forced to go with OpenWRT, because there you can schedule wireguard-watchdog every few minutes to check. Seems there is no similar feature for Asus if the VPN Client stays disconnected even when the VPN goes back online again.
@RMerlin can a vpn-watchdog be implemented that re-connects the client if it's been disconnected?

I don't know if this is what you are looking for, but when you enable the VPN server, a cron job is created to run this script:

Code:
#!/bin/sh
# restart the OpenVPN server when no vpnserver1 process is running
if [ -z "$(pidof vpnserver1)" ]
then
   service restart_vpnserver1
fi

Path: /etc/openvpn/server1/vpn-watchdog1.sh

You can view the cron jobs with the command:

Code:
cru l

For any other VPN Client service, it would be enough to copy/adapt the script above to new file (I think).

In my case, I just need the VPN Client services to be restarted every day (1 = 05:30am, 2 = 05:40am), like this:

Code:
cru a RestartVPNCliente1 "30 5 * * * service restart_vpnclient1"
cru a RestartVPNCliente2 "40 5 * * * service restart_vpnclient2"

Note: I created the file "services-start" (rwxr-xr-x - 0755) at path "/jffs/scripts/services-start", so that the tasks are created again when the router restarts.
 
__________
UPDATE:

I just tested it and it works :)

Example, for VPN Client 2:

1. I created the file "vpn_client2-watchdog.sh" via SCP. Path: "/jffs/scripts/vpn_client2-watchdog.sh". Permissions: 0755.

Code:
#!/bin/sh
# restart OpenVPN Client 2 when no vpnclient2 process is running
if [ -z "$(pidof vpnclient2)" ]
then
   service restart_vpnclient2
fi

2. I added the cron job via SSH (eg. every minute):
Code:
cru a CheckVPNClient2 "* * * * * /jffs/scripts/vpn_client2-watchdog.sh"

3. Turn off OpenVPN Client 2 from GUI.

4. Wait up to 1 min and check the log that the service ran automatically. :)

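Pulling the pieces of the posts above together (the per-client watchdog script, the cru job, and re-creating the job from services-start after a reboot), here is an added example of one script that handles any client number. It is not code from this thread or from Asuswrt-Merlin. It keeps the assumptions the posts make: the client process is named vpnclientN, it is restarted with "service restart_vpnclientN", and the cron job is named CheckVPNClientN. The script path /jffs/scripts/vpn-watchdog.sh, the syslog line written with logger, the input check on the client number, and the command variables (which let the logic be exercised off the router) are assumptions added for this example.

```shell
#!/bin/sh
# Added example (not from the thread): generic OpenVPN-client watchdog for
# Asuswrt-Merlin. Assumed install path: /jffs/scripts/vpn-watchdog.sh (0755).
#   /jffs/scripts/vpn-watchdog.sh check 2     -> restart vpnclient2 if it is down
#   /jffs/scripts/vpn-watchdog.sh register 2  -> (re)create the cru job for client 2
# Call "register N" from /jffs/scripts/services-start so the job survives a reboot.

# The router commands are variables so the logic can be exercised off-router.
PIDOF=${PIDOF:-pidof}
SERVICE=${SERVICE:-service}
CRU=${CRU:-cru}
LOGGER=${LOGGER:-logger}

# vpn_client_needs_restart N: true (0) when no vpnclientN process exists,
# false (1) when it is running, 2 when N is not a number.
vpn_client_needs_restart() {
    client=$1
    case "$client" in
        ''|*[!0-9]*) echo "usage: vpn_client_needs_restart <client-number>" >&2; return 2 ;;
    esac
    # pidof prints nothing (and exits non-zero) when the process is absent
    if [ -z "$($PIDOF "vpnclient$client" 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# watchdog N: restart client N if it is not running; prints what was done.
watchdog() {
    client=$1
    if vpn_client_needs_restart "$client"; then
        # logger -t tags the syslog line so the restart is easy to find later
        $LOGGER -t vpn-watchdog "vpnclient$client not running, restarting"
        $SERVICE "restart_vpnclient$client"
        echo "restarted"
    else
        echo "running"
    fi
}

# cron_spec N: the crontab line that checks client N every minute.
cron_spec() {
    echo "* * * * * /jffs/scripts/vpn-watchdog.sh check $1"
}

# register N: (re)create the cru job; cru replaces an existing job of the same name.
register() {
    $CRU a "CheckVPNClient$1" "$(cron_spec "$1")"
}

# Command dispatch; with no arguments the script only defines the functions.
case "${1:-}" in
    check)    watchdog "$2" ;;
    register) register "$2" ;;
esac
```

On the router, one line in /jffs/scripts/services-start per client ("/jffs/scripts/vpn-watchdog.sh register 1", and so on) restores the jobs after a reboot, and "cru l" shows that they are in place.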
 
A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers are that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?
It's the whole reason I wrote VPNMON-R2. Let me know if you have any questions... This will make your connection stay up 100% of the time... 99% wasn't good enough for me. ;)
 