VPN Setup issues

mallzero

New Around Here
Hi! I have read up on several guides for setting up a VPN on my ASUSMerlin router. But I'm still having the issue that not my whole network goes through the VPN, only my computer and not the phone and everything else connected to the network.

- Basically I want it to be set up as in my superb editing skills of the photo below (pun). Could anyone guide me in the right direction?

I have the .ovpn file correctly set up via VPN Client within the router. But as I said, it isn't encrypting every device, just some.

Thanks in advance for a stupid question :)
 

Attachments

octopus

Very Senior Member
Hi! I have read up on several guides for setting up a VPN on my ASUSMerlin router. But I'm still having the issue that not my whole network goes through the VPN, only my computer and not the phone and everything else connected to the network.

- Basically I want it to be set up as in my superb editing skills of the photo below (pun). Could anyone guide me in the right direction?

I have the .ovpn file correctly set up via VPN Client within the router. But as I said, it isn't encrypting every device, just some.

Thanks in advance for a stupid question :)
Have you read the wiki? There is a nice guide:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing
 

GSpock

Senior Member
Hi! I have read up on several guides for setting up a VPN on my ASUSMerlin router. But I'm still having the issue that not my whole network goes through the VPN, only my computer and not the phone and everything else connected to the network.

- Basically I want it to be set up as in my superb editing skills of the photo below (pun). Could anyone guide me in the right direction?

I have the .ovpn file correctly set up via VPN Client within the router. But as I said, it isn't encrypting every device, just some.

Thanks in advance for a stupid question :)
Could you attach a picture of your OpenVPN client settings?
 

GSpock

Senior Member
So, only the 5 devices listed will go through the VPN; all others will go to the WAN. This is the normal behavior.
 

mallzero

New Around Here
Okay, is it not possible that every device connected to it goes through the VPN without me having to configure that device?
 

GSpock

Senior Member
Okay, is it not possible that every device connected to it goes through the VPN without me having to configure that device?
Yes, it is possible. I think (but to be checked) you should simply have one line: 192.168.1.0/24 => VPN
 

eibgrad

Very Senior Member
If the OP wants *everything* routed through the VPN, do NOT use PBR (policy based routing). Just specify Yes for the "Force internet traffic through tunnel" option.

By default, any commercial OpenVPN provider will force all your traffic through their OpenVPN server, and by specifying Yes for that option, the router basically does nothing and lets that happen. But if you use PBR and add 192.168.1.0/24, yes, it will work, but it will also have the side effect of having the router itself OFF the VPN! IOW, anything the router does is over the WAN, and so it becomes a source of leaks, perhaps even DNS leaks. That's one of the undesirable side effects of using PBR, esp. when the router is providing other services you want secured (e.g., transmission). But sometimes you have to use PBR because you only want *some* clients to use the VPN and not others. But again, if you end up sending everything over the VPN anyway, PBR makes no sense.
 

GSpock

Senior Member
If the OP wants *everything* routed through the VPN, do NOT use PBR (policy based routing). Just specify Yes for the "Force internet traffic through tunnel" option.
... But if you use PBR and add 192.168.1.0/24, yes, it will work, but it will also have the side effect of having the router itself OFF the VPN! IOW, anything the router does is over the WAN, and so it becomes a source of leaks, perhaps even DNS leaks. That's one of the undesirable side effects of using PBR, esp. when the router is providing other services you want secured (e.g., transmission). But sometimes you have to use PBR because you only want *some* clients to use the VPN and not others. But again, if you end up sending everything over the VPN anyway, PBR makes no sense.
So, if I got you well, keeping in mind what he wants to achieve, what about this at "Rules for routing client traffic through the tunnel":
1. 192.168.1.1 ==> WAN
2. 192.168.1.0/24 => VPN

would this work then ?
 
Last edited:

eibgrad

Very Senior Member
So, if I got you well, keeping in mind what he wants to achieve, what about this at client access:

1. 192.168.1.1 ==> WAN

2. 192.168.1.0/24 => VPN

would this work then ?
Your suggestion is *still* using PBR. What I'm saying is to NOT use PBR at all. The default behavior when NOT using PBR is to route everything over the VPN, *including* the router itself and all its internet bound services. If you use PBR as you've described above, that takes the router off the VPN. And since all the router's internet-based services are bound to the WAN (not the LAN, i.e., 192.168.1.1), that rule is basically useless. In order to be effective, you would have to *rebind* those services to the LAN rather than the WAN so PBR was effective wrt the router itself. But that's just complicating matters. Better to just not use PBR at all.
 

Vimes

Regular Contributor
I have always used PBR to create rules for certain devices to NOT use the VPN. As the OP wishes to use the VPN client for everything to go through the VPN then simply do not use PBR.

Unless I'm missing something here.
 

mallzero

New Around Here
Thanks for all the responses. I'm not that tech savvy, but the router I had before could use the L2TP protocol directly, so it went from WAN to L2TP and then everything was encrypted under that. But from what I'm reading here, this setup will make it that way as well with the OpenVPN client, if I'm not mistaken?
 

MaziahBebop

Regular Contributor
Thanks for all the responses. I'm not that tech savvy, but the router I had before could use the L2TP protocol directly, so it went from WAN to L2TP and then everything was encrypted under that. But from what I'm reading here, this setup will make it that way as well with the OpenVPN client, if I'm not mistaken?
I think what is being said is.... to achieve this:

vpnmockup.png

Do this:
VPN force.png
 

Martineau

Part of the Furniture
As the OP wishes to use the VPN client for everything to go through the VPN then simply do not use PBR.

Unless I'm missing something here.
If the OP wants to have all traffic thru' the VPN tunnel, and no traffic via the WAN, he would most likely wish to explicitly have the KILL-Switch enforced, so PBR is mandatory.
 

eibgrad

Very Senior Member
Seems we've found a bug/flaw in the GUI.

The OP never indicated a need for a kill switch. But putting that aside for the moment, the fact the GUI requires PBR in order to have a kill switch makes no sense. It's perfectly valid to use/need a kill switch even in the case of specifying Yes for "Force Internet traffic through tunnel". The only difference between Yes and the PBR options is the former means *everything*, while the latter is *selective*. But in either case, something is required to use the VPN, and so you have just as much reason to use/need a kill switch in either situation. The only time a kill switch doesn't make sense is in the case of No for "Force Internet traffic through tunnel", since by definition you are defaulting to the WAN. And frankly, there's nothing all that difficult about adding a kill switch, esp. when you need to block everything over the WAN.

Code:
# interface carrying the default route, i.e. the WAN interface
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# reject any forwarded (LAN client) traffic leaving via the WAN instead of the tunnel
iptables -I FORWARD -o $WAN_IF -j REJECT
Having to use PBR just to take advantage of a kill switch is not only a bug/flaw in the GUI, but imo it's too high a price to pay for letting the router itself come off the VPN. Now the router becomes the potential source of data leakage rather than your clients. This is something that apparently a lot of users are unaware of, but need to carefully consider when they choose to use PBR, esp. if the use of the WAN is such a concern that it warrants a kill switch.
 
Last edited:

Martineau

Part of the Furniture
The OP never indicated a need for a kill switch.
Never stated that was the OP's requirement. I was merely replying to @Vimes to clarify that the available GUI options differ based on the setting 'Force Internet traffic through tunnel', providing a flexible configuration.

....in the case of No for "Force Internet traffic through tunnel", since by definition you are defaulting to the WAN.
Does it ? - I believe @RMerlin explained many years ago that this isn't always the case i.e. if 'Force Internet traffic through tunnel=No', the router will actually honour/accept the relevant setting pushed by the OpenVPN server, so in most cases, the default route is via the VPN.
 

eibgrad

Very Senior Member
Does it ? - I believe @RMerlin explained many years ago that this isn't always the case i.e. if 'Force Internet traffic through tunnel=No', the router will actually honour/accept the relevant setting pushed by the OpenVPN server, so in most cases, the default route is via the VPN.
Fair point. Although the use of No certainly suggests at least YOU (the one managing the OpenVPN client) are NOT interested in forcing traffic over the VPN. I suspect many (perhaps most) users have no idea the commercial OpenVPN server is the one forcing traffic over the VPN. So logically, it makes more sense for the user to specify Yes if that is their intent, even if in the end, it's superfluous.

But regardless, that wasn't the real point of my comments. You can remove that one statement and the question still remains; why is the kill switch NOT available when set to Yes?
 
Last edited:

kazak

New Around Here
And frankly, there's nothing all that difficult about adding a kill switch, esp. when you need to block everything over the WAN.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT
So to create a kill switch, without using Policy Rules, for the whole router VPN, would I add the code you provided, as is, to the Custom Configurations section? TIA
 

eibgrad

Very Senior Member
So to create a kill switch, without using Policy Rules, for the whole router VPN, would I add the code you provided, as is, to the Custom Configurations section? TIA
As with any firewall rules, you should first test it using an ssh session: copy/paste them into the ssh window, then verify it works as expected. That way, if by chance they cause some unexpected problem (not likely given the simplicity of this code, but still prudent), you can simply reboot the router and return to normal.

Once verified, you need to add the code to a file called firewall-start and store it in /jffs/scripts. Make sure under Administration->System the JFFS and custom scripts options are enabled.

As a convenience, I've created the following installation script that you can copy/paste into an ssh window. Then reboot.

Code:
#!/bin/sh
# Installs a firewall-start script that rejects forwarded LAN traffic leaving
# via the WAN interface, so clients can only reach the internet through the
# VPN tunnel. Refuses to overwrite an existing firewall-start.

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p "$SCRIPTS_DIR"

# POSIX function syntax; the bash-only "function" keyword is not needed by
# the router's busybox sh.
create_script() {
# Quoted EOF: the heredoc is written verbatim, $(...) is not expanded here.
cat << "EOF" > "$SCRIPT"
#!/bin/sh
# interface carrying the default route, i.e. the WAN interface
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# reject forwarded (LAN client) traffic leaving via the WAN instead of the tunnel
iptables -I FORWARD -o $WAN_IF -j REJECT
EOF
chmod +x "$SCRIPT"
}

if [ -f "$SCRIPT" ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
Note, the script will NOT overwrite any existing firewall-start script. In such a case, you would have to manually add the code to the existing firewall-start script.
 
Last edited:
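An added example, not eibgrad's script and not anything shipped with Asuswrt-Merlin, that turns the two points made in the last posts (try the rule over ssh first, then install it as /jffs/scripts/firewall-start) into a firewall-start that is safe to re-run. It differs from the one-liner above in two ways a practitioner would want: it takes the WAN interface from the field after `dev` on the default route rather than the last field, because a default route printed with a trailing `metric N` would otherwise yield the metric instead of the interface name; and it checks with `iptables -C` before `iptables -I`, so that each firewall restart (which calls firewall-start again) does not stack another copy of the REJECT rule. The sample `ip route` output, the `DRY_RUN` switch and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start (not from the thread, not
# part of Asuswrt-Merlin): a re-runnable kill switch for the
# "Force Internet traffic through tunnel = Yes" case.
#
# Compared with the one-liner quoted above it
#   - reads the interface after "dev" on the default route, so a route such
#     as "default via X dev eth0 proto dhcp metric 100" yields eth0, not 100;
#   - checks for the rule with `iptables -C` before inserting, so the rule is
#     not duplicated each time the firewall restarts and calls this script.
# DRY_RUN=1 prints the commands instead of executing them (assumed switch,
# added for previewing over ssh); the sample routes below are constructed.

# Print the interface of the default route from `ip route` text on stdin.
wan_if_from_routes() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make sure exactly one REJECT rule for the WAN interface exists in FORWARD.
# Returns 1 without touching the firewall if no interface was given.
install_kill_switch() {
    wan_if="$1"
    if [ -z "$wan_if" ]; then
        echo "error: could not determine WAN interface; no rule installed" >&2
        return 1
    fi
    # -C exits 0 when the rule is already present (skipped in dry-run mode)
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C FORWARD -o "$wan_if" -j REJECT 2>/dev/null; then
        return 0
    fi
    run iptables -I FORWARD -o "$wan_if" -j REJECT
}

# Constructed sample of `ip route` output, used only in DRY_RUN mode. The
# metric on the default route is what breaks a last-field ($NF) lookup.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2'

main() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        wan_if="$(printf '%s\n' "$SAMPLE_ROUTES" | wan_if_from_routes)"
    elif command -v iptables >/dev/null 2>&1; then
        wan_if="$(ip route | wan_if_from_routes)"
    else
        # Only reachable off the router (e.g. when sourcing this file to try
        # the functions); the router always has iptables.
        echo "iptables not found; nothing done" >&2
        return 0
    fi
    install_kill_switch "$wan_if"
}

main
```

Preview it over ssh with `DRY_RUN=1 sh ./firewall-start`, which prints `iptables -I FORWARD -o eth0 -j REJECT` computed from the embedded sample routes; then copy it to /jffs/scripts/firewall-start, `chmod +x` it, and after a couple of firewall restarts confirm with `iptables -L FORWARD -v -n` that exactly one REJECT rule on the WAN interface is present.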