VPN-Routing Question with Merlin-Firmware

Mirko

Hey guys,

I hope someone can help me here with my problem. I got the Asus RT-AC68U Router behind my Fritzbox (both in Router-Mode) and started to strictly connect to a VPN-Server in Iceland all the time. I'm using Merlin-Firmware 384.15.

I need to create exceptions for a few sites that don't allow using a VPN-Connection such as my Online-Banking, and a few Shopping-Sites. I encountered Account-Blocking already due to "unusual activities" on one of my Accounts for Online-Shopping and they told me that it was caused because someone with an Icelandic IP logged into my account. (LOL) I told them it was me and that it worked well for months simply by putting in my ZIP-Code as a necessary step but they won't accept it any longer and said I should turn off my VPN completely - I won't do that.

So I tested around a little bit but unfortunately don't have that much experience. Is there a way for me to create exceptions for sites like these and if so, how do I do that? I'm afraid I won't be able to use my VPN Killswitch, created in my Firewall-Settings, any longer then too...

I'd be very thankful for an Instruction where and how I can solve that. Thank you very much in advance! :)
 
I cannot help at all with this because I haven't tried it myself yet, but you might give this script a look:

https://www.snbforums.com/threads/x3mrouting-selective-routing-for-asuswrt-merlin-firmware.57793/

I think it may help with what you want.

Unrelated, but you may want to exclude all online banking and shopping from your VPN traffic, not just those things that prohibit it.


Thank you, I will have a look at it. :)

And I don't see much of a problem with tunneling even such things through the VPN. I mean why should I trust my ISP more than my VPN-Provider? The first one is responsible that I decided to use a VPN the whole time now in the first place - 'cause my ISP started to block unpopular sites. Besides that, most of my critical Websites use Two-Factor Authentication and looking at the Political Agenda in my Country, there will be pretty much "Internet Regulation" ahead for us - which usually means nothing good. I refuse that. Where things like censorship start I'll take action on my own.

Anyways, thank you for your reply! :)
 
This article will introduce you to the basics of Policy Routing on Asuswrt-Merlin. You may be able to just specify an IP address or two or an IP address subnet in the Policy Routing section of the screen. x3mRouting has other features and options for Policy Routing.
 
You will certainly know your situation and will do what is best for you. I apologize if I sounded like I was telling you your business, I only meant to point out that technically, what you do online through a VPN can be correlated and cross indexed with times, leading to deanonymization. There are a lot of ifs, and it probably only matters if you are doing something really serious, so I shouldn't have said anything about that.

Good luck with the selective routing, it looks extremely useful.
 
Holy cow, mate, your website is a treasure trove of useful information! THANK YOU for this, that article itself is terrific.
 
I see your point and I'm thankful for that. Of course, it's always something to seriously take under consideration. So no need to apologize! :)
 
I wanna thank you so much too! It's really, really helpful. I searched for something like that on my fav. Search Engine before but no proper Result. Thank you!!!
 
Guess I will still need some help. This is weird... I followed the steps in the article. I set my current System (Linux Mint Debian) as Source IP and as Destination I set for testing purposes the IP of dnsleaktest.com (23.239.16.110) and set it to WAN. As you can see here on the Screenshot.

I clicked "apply". I disabled the VPN-Killswitch in my Firewall before that and tried. The weird thing is: After doing that dnsleaktest shows me my real IP. So far so good. BUT other IP Check-Sites do the same. The whole VPN seems to be disabled (Linux shows me in my Status-Bar the Home-Symbol of my ISP as well instead of the Icelandic Flag) although the client says it's connected (with showing the IP of the VPN). This happens with policy rules on; with policy rules (strict) it's the same result.

I also tried setting the Source-IP to the WAN-IP of my Asus Router. Same result.

Am I doing something generally wrong?
 
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

By default, all traffic goes through the WAN. What you define there with a VPN iface will be routed through the VPN. Use the WAN iface to configure exceptions to configured VPN rules (for instance, if you configure a /24 to be routed through the VPN, but want one IP within that /24 to be routed through the WAN instead).

See the examples at the bottom of the wiki page.
 
I got it!!! Set the IP of my Linux Mint to an empty Destination IP (VPN), and after that I did the same (Empty Source-IP) with the Destination-IP of dnsleaktest (WAN) - voila!
 
I managed it now completely. :) I had some serious issues because I changed the IP of my Asus Router recently and somehow that caused problems - well, switched back to 192.168.1.1, restarted the router, followed the Instructions and everything works fine now. The websites that I listed so far there really can see the IP of my ISP and so it shouldn't cause any further problems or even concerns about security. I can keep my Icelandic VPN, the critical sites will know that I log in with my local IP, everything is fine. :)

Thanks to all who provided help! This forum is useful and I bookmarked it right away! Looking forward to reading you guys in further discussions. If an Admin will check: This thread obviously can be closed. Problem solved!
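
The rule logic discussed in this thread, as an added example that is not part of any post and is not firmware code: a toy model in which WAN rules act as exceptions checked before VPN rules and unmatched traffic defaults to the WAN. It shows why the first attempt (a single WAN rule) sent everything over the WAN while the final rule pair works. The LAN address 192.168.1.50 and the address 198.51.100.7 are constructed; only 23.239.16.110 comes from the thread.

```python
# Added illustration: a toy model of the policy rule table, not firmware code.
from ipaddress import ip_address, ip_network

def _matches(field, addr):
    """An empty field matches any address, like an empty field in the GUI."""
    return not field or ip_address(addr) in ip_network(field, strict=False)

def route(rules, src, dst):
    """Return the interface ("WAN" or "VPN") a packet src -> dst would use.

    rules: list of (source, destination, iface) tuples.
    WAN rules are exceptions, so they are checked before VPN rules;
    traffic matching no rule at all uses the default, which is the WAN.
    """
    for wanted in ("WAN", "VPN"):
        for source, destination, iface in rules:
            if (iface == wanted and _matches(source, src)
                    and _matches(destination, dst)):
                return iface
    return "WAN"

PC = "192.168.1.50"          # constructed LAN address for the Linux Mint PC
LEAKTEST = "23.239.16.110"   # dnsleaktest.com address quoted in the thread
OTHER = "198.51.100.7"       # constructed stand-in for any other site

# First attempt: only a WAN exception exists, so nothing selects the VPN.
first_attempt = [(PC, LEAKTEST, "WAN")]

# Working setup: the PC goes through the VPN, one destination is excepted.
working = [
    (PC, "", "VPN"),
    ("", LEAKTEST, "WAN"),
]

def summarize(rules):
    """Map each test destination to the interface the PC would use for it."""
    return {dst: route(rules, PC, dst) for dst in (LEAKTEST, OTHER)}

if __name__ == "__main__":
    print("first attempt:", summarize(first_attempt))
    print("working:      ", summarize(working))
```

In this model a LAN device with no VPN rule of its own also falls through to the WAN, so every client that should use the tunnel needs a matching VPN rule.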
 