VPNDirector (VPN sequence)

Jetblue

Occasional Visitor
I am using the RT-AX88U-Pro on 3004.388.8.4 firmware, successfully using Wireguard (WG) with the VPN Director. I connected to 2 VPN locations (Toronto & Dallas), and I connect to Dallas in my VPN Director, all working fine. The documentation instructs that for a VPN Kill Switch, do not apply it to the first VPN connection, but to the second. This seems to make sense, I assume that if the first VPN connection loses connectivity, then it fails over to the second VPN connection e.g.;

Choice 1. VPN Dallas ---> Initial connection in VPN Director
Choice 2. VPN Toronto ---> warm connection (kill switch is here)

All seems well with this, however in the actual Wireguard Clients (WGC1-5) list (see below), they are in no particular order. Do the Wireguard Clients (WGC) need to be "in matching order" for the failover to work? See the screenshot below. Do I need to move Toronto down beneath Dallas for the failover to work properly?

1750347311839.png
 
The rules govern, not the order of the clients. It looks like your rules say, seven devices go over WAN, and everything else to anywhere goes over Dallas. Nothing ever to Toronto. Also, you have two local subnets-xx.xx.50.xx and xx.xx.53.xx?
 
Also, you have two local subnets-xx.xx.50.xx and xx.xx.53.xx?
@Jetblue appears to have three subnets.
What I assume is the main LAN subnet: 192.168.50.x
Followed by what I assume are two Guest Network Pro subnets: 192.168.52.x and 192.168.53.x.
 
The rules govern, not the order of the clients. It looks like your rules say, seven devices go over WAN, and everything else to anywhere goes over Dallas. Nothing ever to Toronto. Also, you have two local subnets-xx.xx.50.xx and xx.xx.53.xx?
Yes, the seven devices shown are going over WAN to bypass the VPN, and everything else goes through the Dallas WGC initially.
Some of those devices are on Guest Networks (VLAN) so the IPs are a little different.

So if the rules govern... and Dallas WGC goes down, does the VPN director just randomly choose another Wireguard Client from the list? No order?
 
In addition to the VPN Director Priority link posted by ColinTaylor, see this discussion:
Edit to add: There are also several VPN addon scripts for Asus-Merlin that may be relevant:
 
See the wiki (I think that answers your question):
So, I followed the Wiki and sure enough it automatically orders the WGC clients in the rules, based on the Wireguard VPN drop down. You can see below. And just as the Wiki says, it is now using my Failover choice (Toronto) as the primary. Not a huge deal, it means that I have to go through, delete all of my Wireguard entries and re-enter them in the order where my Primary (Dallas) is the first choice in the dropdown. It's obvious here that this is a great improvement that could be made in future versions, so that these could be easily re-ordered (versus deleting everything out and re-entering each time). See below.

1750383719780.png


The above is from the VPN Client Tab. Below is the result in the VPN Director. Pretty important to know this BEFORE you put all of the WGC clients into the router. Below is the VPN Director;

1750383826757.png
 
In addition to the VPN Director Priority link posted by ColinTaylor, see this discussion:
Edit to add: There are also several VPN addon scripts for Asus-Merlin that may be relevant:
Thanks bennor.
This link is great... He says it right there. Bingo.

"If OpenVPN client #1 fails, it automatically falls through to OpenVPN client #2. If OpenVPN client #1 eventually recovers, it will automatically return to OpenVPN client #1. That's just the way it works."

All good. He forgot to say "JUST MAKE SURE YOU ENTER THEM IN THE CORRECT PRIORITY IN YOUR VPN WIREGUARD DROP DOWN BOX OR YOU WILL HAVE TO DELETE THEM ALL AND START OVER!"

Thanks for the confirmation. I'm going to take the router offline and re-configure/re-order all of the Wireguard connections manually.
 
You could simplify your rules a bit by grouping devices into smaller subnets, and then doing a rule for the subnet.

I suspect you could avoid having to redo your configs by just renaming the config files with ssh.

The simplification and control offered by VPN Director are a truly stellar feature.
 
