What's new

VPN Director: Prioritize Site-to-Site VPN over WAN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


New Around Here
I have 2 RT-AX86Us with Merlin 388.2 across two locations, connected via 2x VPN Tunnels. Generally, all internet traffic shall go via VPN for privacy reasons. Except my Synology Box needs to go to WAN (otherwise some things will not work). This gives me the following VPN Director rules on Router A:
1. Synology Box to WAN
2. If Remote IP Range = "other site" => VPN1
3. All else => VPN2

It works amazing, I'm really impressed by Merlin how easy and stable it is.

Now I want the Synology Box to create Backups against a Disk attached on Router B (on the other site connected via site-to-site VPN). Based on the rules above traffic from the Synology box is being sent to WAN which obviously makes it impossible to reach the other site via the site-to-site VPN tunnel. So I face kind of a design challenge.

I'm aware of the VPN Director prioritization (WAN > OVPN > WG) but was wondering if there might be another solution or idea to this combination? Some sort of a manual routing or override (not via GUI) to make Rule#2 "stronger" than the WAN rule? Or to add an exception to Rule #1 for Remote IPs that are in the "other side LAN"?

Thx for all inputs and thoughts
New rule #1? Synology box to othersite Router -> VPN1
New rule #1? Synology box to othersite Router -> VPN1
Thx elorimer. I can‘t. I have a weppage running in a docker container on the synology box that is accessed via ddns on Router 1/port forwarding from external. This is why the synology box (connected to router 1) needs the wan rule.
Still not following why it needs a wan rule since VPN director deals with traffic out, not traffic in. But I freely confess my brain circuitry can't process this kind of logic problem. (Same with taxes!)

Still, if VPN director starts with the implict rule of everything to WAN, except for the following, perhaps you divide your network in half. Put the Synology in the first half, and in the second half put everything you want to go out VPN2. Delete #1, then change #3 (now #2) to everything in the second half --> VPN2.
#3 is my wish to have devices go via Proton VPN for privacy, instead of directly to the WAN. With the exception of the Synology Box and the Router itself. Currently rule #3 covers the entire subnet 172.16.100/24 (site A subnet) which is why I had to add the "exception rule" #1 for the Synology Box.

Maybe I was overthinking this a bit. I follow your proposal about cutting it in half and use the IP range 172.16.100/25 (.0 - .127) for my "normal devices" that should go via Proton VPN for normal browsing. I also changed DHCP range to Rule #2 is changed to Local IPs = All "special devices" that should go via WAN have a static IP > .127, hence eliminating the need for Rule #1 for the Synology Box.

Thank you very much for your patience and thoughts, its all working nicely now!

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online