Working with multiple VPN clients RT-AC86U

mjb49

Occasional Visitor
I am having trouble switching between VPN clients. When I turn one off and disable the auto start at boot, hit apply, and turn another on and apply, Windows and the router show I am connected to the internet but web pages won't load unless I reboot the PC and router. Is this normal or is there a process I should follow when switching? Using latest Merlin firmware and Firefox.

Thanks in advance.
 
To provide a definitive answer need more information about what your settings are for each client.

I have no problem switching between clients without rebooting either the router or the device.
 
I use NordVPN and use the recommended settings, see attached file for VPN settings. With the exception of the OpenVPN client file all settings are the same. I have used many different client files in the number 2 position in an attempt to troubleshoot, in addition to switching client files between client 1 and 2, with no joy.
The custom configuration is:
"remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log"

I use the NordVPN recommended WAN DNS settings
103.86.96.100
103.86.99.100
 

Attachments

  • Nordvpn.pdf
Mib49, looking at what you provided, unless there's a problem with the way Nord's config handles changing between clients (I take it you're using different Nord server addresses?), I can't duplicate what you've described on our 86U, which is running the newest stable Merlin FW release.

Sometimes the 86 can be a finicky beast. If all of your devices are assigned a static IP and all are routed the same way through each of your OpenVPN clients, i.e., each Nord config/tunnel, if all you're doing is turning one config off, then turning another tunnel on, if nothing else is misconfigured or is lingering outside of the first tunnel, you shouldn't have to reboot just to turn off the first client to be able to use all of our devices through the 2nd/next OpenVPN tunnel.

We usually have two concurrent OpenVPN tunnels running, and they come on when the router is cycled on each day. Sometimes we only need one tunnel. At those times, I've seen no problems with our 86 releasing one tunnel and picking up another, again as long as all devices are configured and routed correctly in both configs/tunnels.

There have been cases where using the same UDP port on two tunnels can result in a conflict, depending on your config and how the provider's subnets are laid out, and their/your DNS requests are handled. If you're allowing Nord to handle all of your DNS requests, there shouldn't be a reason you'd have to reboot to clear your router, before moving to the 2nd client; the 86 is quite responsive if configured correctly, and the VPN provider handles your DNS instead of using your ISP's DNS or a third party's DNS services, such as Cloudflare or Quad9. None of our traffic ever drops to WAN/or the ISP and we're pleased with our VPN provider's DNS solution. Nord might have some data caching going on with their end which may be why the first config/tunnel isn't releasing the devices to the 2nd tunnel. That's something we have run into and worked through with our VPN provider.

As long as rebooting clears the caching or log jam, and your devices work well in either client, it's only a couple of minutes; grab a coffee, take a stretch. Good luck, hope this helps.
 
Also need some of the standard settings:

Port Number for both clients

Accept DNS condition specified

Forces Traffic Settings
 
Port number both 1194
Accept DNS Exclusive
Forces Traffic Policy Rules All Devices xxx.xxx.xx.0/24
 
Thanks for the detailed reply. Yes I am using different Nord server addresses but same port. I have the latest Merlin firmware. Yes, I have noticed the 86 can be finicky. I did assign static addresses to all devices, didn't help. It seems VPN server 1 has some kind of priority. I can change from server 2 to 1 without reboot but not server 1 to 2. Yes using the nord vpn dns server. For now I will reboot the 86 to change vpn servers. It is a DNS issue because I am connected to the internet but pages will time out and not load. Thanks again.
 
The issue is probably related to the fact that both VPN clients are using the same Port.

With PIA I have the option of 11 ports. Each port has its own configuration requirements and not all of these settings are available or supported using Merlin's firmware. I have two clients set up, the first running on Port 1198 and the second running on 1197.

Another possible conflict in your setup is that VPN Server 1 also uses Port 1194. Have you set up and/or are you also running a VPN server?

One thing you could try is to run your first VPN on client 1 and your second VPN on client 3 as these will then both run on the same core and switching between clients on the same core might overwrite the settings that the prior VPN client was running. This is just speculation on my part but worth a try.

Otherwise you probably will need a script to run after stopping a VPN client and running the second client to clear the settings regarding Port 1194. If that doesn't work for you the easiest solution for you might be to switch VPN provider to find one that offers service on more than one port.
 
I'm not running a VPN server. Client 3 suggestion, no joy. Port 1194 is the only port available for UDP.
 
I'm using NordVPN with 2 clients successfully. You need to configure 1 client as TCP and the other as UDP. This is to make sure NordVPN gives two local VPN IP addresses in two different IP ranges. If both are on TCP or UDP they both get an IP in the same range and it messes up the routing and you will experience the effect that network clients are not on the VPN connection where you expect them to be or maybe other side effects.
 
Thanks. I was looking for a way to switch VPN servers without rebooting the router, in the event that I am having VPN server issues, rather than have two clients running. It sounds like I need a script to accomplish this and I don't know anything about the Merlin scripting language or how to use a script if I had one.
 
Well, for switching servers I just change the NordVPN server for that client and hit apply. I don't have to reboot. I've two clients because some clients I want to have in my home country and others not. For example you can configure a media streamer to use Netflix in a different country other than your devices where you browse the internet.
 
I can change from server 2 to 1 without reboot but not server 1 to 2.
Do you have the KILL-Switch enabled for VPN Client 1?

I was looking for a way to switch VPN servers without rebooting the router, In the event that I am having VPN server issues, rather than have two clients running. It sounds like I need a script to accomplish this and I don't know anything about the Merlin scripting language or how to use a script if I had one.
It depends what you mean by

"...having VPN server issues"

If you mean whilst you are connected using say VPN Client 1 to a Nord-Server the connection suddenly drops and you want some automatic fail-over resiliency, then simply configure VPN Client 1 with multiple Nord-Server addresses, which will be tried in sequence until a (re)connection is made.
e.g.
Code:
NordVPN-server1.xxx.xxx.xxx
NordVPN-server2.xxx.xxx.xxx
NordVPN-server3.xxx.xxx.xxx
etc.
However if you need a script I can recommend one!;)
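
The failover setup described in the post above, as an added example that is not part of the original post: a small shell check (any shell with awk and mktemp) that lists a client config's `remote` entries in the order OpenVPN reads them and reports whether `remote-random` is set. With `remote-random`, which appears in the custom configuration quoted earlier in this thread, OpenVPN shuffles the list instead of trying it top to bottom. The function names and hostnames are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames are constructed placeholders.

# Print every `remote` entry as "host port proto" in file order. A missing
# port or proto falls back to the config's `port`/`proto` line, then to
# OpenVPN's defaults (1194, udp).
ovpn_remotes() {
    awk '
        { sub(/[#;].*/, "") }                  # drop comments
        $1 == "port"   { port = $2 }
        $1 == "proto"  { proto = $2 }
        $1 == "remote" { n++; host[n] = $2; p[n] = $3; pr[n] = $4 }
        END {
            if (port == "")  port = 1194
            if (proto == "") proto = "udp"
            for (i = 1; i <= n; i++)
                print host[i], (p[i] != "" ? p[i] : port), (pr[i] != "" ? pr[i] : proto)
        }' "$1"
}

# "random" if `remote-random` is present (OpenVPN shuffles the remote list
# before connecting), otherwise "sequential" (tried top to bottom).
ovpn_failover_order() {
    if awk '{ sub(/[#;].*/, "") } $1 == "remote-random" { f = 1 } END { exit !f }' "$1"
    then echo random
    else echo sequential
    fi
}

# Constructed sample: three remotes plus the remote-random line from the
# custom configuration quoted earlier in the thread.
write_sample() {
    cat > "$1" <<'EOF'
proto udp
remote vpn-server1.example 1194
remote vpn-server2.example
remote vpn-server3.example 1194 udp
remote-random
persist-key
persist-tun
EOF
}

cfg=$(mktemp)
trap 'rm -f "$cfg" "$cfg.seq"' EXIT
write_sample "$cfg"
grep -v '^remote-random' "$cfg" > "$cfg.seq"   # same list, shuffle removed

ovpn_remotes "$cfg"
echo "as posted:       $(ovpn_failover_order "$cfg")"
echo "without shuffle: $(ovpn_failover_order "$cfg.seq")"
```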
 
I may be interested. Please provide the details.
 
