Release Asuswrt-Merlin 386.3 is now available

Status
Not open for further replies.
But I don't understand why cutting the connection manually with the button doesn't have the same effect.
There are requests from users who find it difficult to use vpn.
- CHANGED: Rewrote OpenVPN routing handling. The firmware will
now handle route creation itself rather than letting
the openvpn client create/remove routes.
The new implementation brings a few changes:

- "Force Internet traffic through tunnel" can now
be set to "No", "Yes (All)" or "VPN Director".
- This setting will now override whatever setting
pushed by the server regarding gateway redirection.
- The kill switch can now be used in both "Yes" and
"VPN Director" routing modes
- Manually stopping a client will remove the kill
switch. It will now only be applied at boot time
(if client was set to start at boot), or if the
tunnel is disconnected through a non-user event

https://www.snbforums.com/threads/asuswrt-merlin-386-3-is-now-available.73815/post-702662
 
There are requests from users who find it difficult to use vpn.
Thanks for your help, I now have my answer :
"Manual shutdown of a client removes the kill switch.
The kill switch. It will now only be applied at boot time
(if the client has been configured to start at boot time), or if the
tunnel is disconnected by a non-user event" ;)
 
I can see it both ways, but prefer that manually stopping the VPN service will not activate the kill switch. Functionality can still be tested as mentioned.
 
I have tested around with killswitch and it works as it should.
This is more than a wish that you should be able to choose if you want it selectable with old / new killswitch.

Understand that some people find it complicated that wan does not work when you manually turn off the vpn client.

What do you others think about the proposal?

@RMerlin

No, I won't waste precious nvram space with an extra setting and add code bloat to make that "configurable" just because some people didn't take 15 seconds to read the changelog. Such a setting is useless, and the same people who never read changelogs would never even know that such a setting existed anyway...
 
But I don't understand why cutting the connection manually with the button doesn't have the same effect (maybe to avoid having to turn off the killswitch and get the connection back ?)
Some people complained about that behaviour in the past. I will let them explain why.
 
Hi, I am running an AX88U and an AC88U in a mesh setup using Nord VPN. I upgraded this morning and now the VPN Director says I am connected to a server in Miami (which is where my VPN server is) but when I run an IP check, it gives my location in Iowa (where my ISP is).
Any ideas on what I need to tweak ?
Here is what I had to do to get NordVPN to work correctly (Thanks NordVPN for awesome support):


When finished with setting up a VPN connection, you now must also set up the previously optional Kill Switch.

Here’s how to set up the Kill Switch feature on AsusWRT Merlin firmware:

  1. Go to VPN > OpenVPN Client.
  2. Under Advanced Settings, select Redirect Internet Traffic: Policy Rules
  3. A new option will appear, Block routed clients if tunnel goes down. Enable it.
  4. Under Rules for routing client traffic through the tunnel, add your whole network:
Works perfectly now.
 
No, I won't waste precious nvram space with an extra setting and add code bloat to make that "configurable" just because some people didn't take 15 seconds to read the changelog. Such a setting is useless, and the same people who never read changelogs would never even know that such a setting existed anyway...
Sorry, I didn't take the time to read the changelog properly. This new Kill Switch feature works perfectly and suits me, the logic is excellent.
Thanks again for your work. Everything is stable.
Enjoy !
 
No, I won't waste precious nvram space with an extra setting and add code bloat to make that "configurable" just because some people didn't take 15 seconds to read the changelog. Such a setting is useless, and the same people who never read changelogs would never even know that such a setting existed anyway...
I understand your position and agree, sad that people can not as you say take 15 seconds to read the log. Very sad :(
 
I read the change logs and all the posts on this forum that I could find but still do not understand how to create an EXCEPT rule. I would like by default for all traffic to go through OpenVPN1 EXCEPT for hardwares 1 and 2 which I want to go through WAN and my ISP.

I do not see a configuration for this. On OpenVPN1 rules I can choose "Yes route all" but VPN Director states that this rule has priority over all others, which as I understand it means that I cannot exclude anything from it with another rule such as one that says HW1 and HW2 to WAN.

If instead I choose "VPN director" setting for OpenVPN1 I can make rules for it in VPN Director but they are all additive. So I can set HW1 and HW2 to WAN and then HW3 to HWn to OpenVPN1 but I'd have to manually add a rule for each HW and then if I add another HW to my network that I want on my VPN have to manually add it, which is not scalable.

What am I missing? I'm sure this "except" option exists as the software seems super configurable and awesome. Note I just bought my first ASUS (AC86) specifically for the Merlin FW and this capability.

Thank you
 
Hi Merlin, 386.3 is running flawlessly… but I have a question…

I run iPerf3 on a Synology and I get around 940Mb in DL on my iPad Pro when performing a speedtest (LAN > Wi-Fi). When I use the speedtest tab (Ookla) on the router and select a specific ISP I also get 940mb in DL (Internet > WAN).
But when I perform the same test with the same ISP with the Ookla app on my iPad, I never get this speed (approx. 750 mb). Can there be an overhead/speed issue between Internet > WAN/LAN > Wi-Fi?
 
OK - finally got around to getting the release back on. Seems to be fine now. Only difference was I updated the APs before the router. No idea why that would make a lick of a difference, but here we are.

Obligatory: filthy upgrade (eventually) from Beta 3 to release across the gear. So far so good, all devices re-connected, Nest cameras on-line and happy, Rogers 4k units all good. Plethora of IOT/Google devices all chirping again, VPN Director / Connection all good.

Thanks @RMerlin and team and all the testers.
 
All good, no issues. Thank you Eric.
 
Is it possible to use the new VPN Director to route different guest networks to different VPN clients or is YazFi still required for this?
 
Updated my RT-AX88U today and all looks good. I just have one question:

Has anyone noticed that when the OpenVPN client connects, it doesn’t add the remote subnet to the routing table?

Please excuse my ignorance if I’ve missed something.

Is there something I’m missing?

Thanks for all your hard work @RMerlin
 
1.5 days since dirty update - no issues - all stable and working like a charm.
Thanks RMerlin for another great update...
 
I do not see a configuration for this. On OpenVPN1 rules I can choose "Yes route all" but VPN Director states that this rule has priority over all others, which as I understand it means that I cannot exclude anything from it with another rule such as one that says HW1 and HW2 to WAN.
Enable VPN Director.
Set which LAN clients you want set to use the tunnel.
Any client that is not set to use the tunnel, or for which you create a "WAN" destination won't be redirected through the tunnel.

I recommend looking at the Wiki article on VPN Director, it's the most complete documentation on this new feature:

 
But when I perform the same test with the same ISP with the Ookla app on my iPad, I never get this speed (approx. 750 mb). Can there be an overhead/speed issue between Internet > WAN/LAN > Wi-Fi?
It's possible. 750 Mbps is what I would expect though from any dual-stream 802.11AC client however, so this looks normal to me.
Is it possible to use the new VPN Director to route different guest networks to different VPN clients or is YazFi still required for this?
VPN Director only deals with IP addresses. You would have to ensure that your Guest Network has specific IP addresses if you want to route these through the tunnel.

I haven't tested it, but this might be a good use scenario for the fact that Guest Network 1 now uses a different IP range than the rest of the LAN.

Has anyone noticed that when the OpenVPN client connects, it doesn’t add the remote subnet to the routing table?
Is that subnet pushed by the server through the PUSH parameter? Check the system log for what gets pushed. If the server doesn't push it, then you might need to manually add it to your Custom Settings section.
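
The "everything through OpenVPN1 except two hosts" setup asked about earlier in the thread, together with the kill switch behaviour from the 386.3 changelog, as an added example that is not firmware code and not part of any post. The addresses and function names are constructed, and the model assumes WAN rules take precedence over tunnel rules for the same client.

```python
import ipaddress

# Constructed sample rules (not from the thread): the whole LAN is sent to
# OVPN1 and two hosts are exempted with a "WAN" destination.
RULES = [
    ("192.168.50.0/24", "OVPN1"),
    ("192.168.50.11/32", "WAN"),  # "HW1"
    ("192.168.50.12/32", "WAN"),  # "HW2"
]


def destination(client_ip, rules):
    """Return the interface a client's traffic is directed to.

    Assumption: a WAN rule matching the client wins over a broader tunnel
    rule, and a client matching no rule at all is not redirected (WAN).
    With several tunnels, the first matching rule in list order is used.
    """
    ip = ipaddress.ip_address(client_ip)
    matches = [dst for src, dst in rules if ip in ipaddress.ip_network(src)]
    if "WAN" in matches:
        return "WAN"
    return matches[0] if matches else "WAN"


def egress(client_ip, rules, tunnel_up, kill_switch, stop_reason=None):
    """Model where a client's traffic leaves, or "BLOCKED".

    stop_reason is None while the tunnel is up, "manual" when the user
    stopped the client, "boot" when a start-at-boot client is not up yet,
    or "non-user" when the tunnel dropped on its own.
    """
    dst = destination(client_ip, rules)
    if dst == "WAN" or tunnel_up:
        return dst
    # The tunnel is down for a client that is supposed to use it.
    # Per the changelog, a manual stop removes the kill switch.
    if kill_switch and stop_reason in ("boot", "non-user"):
        return "BLOCKED"
    return "WAN"  # traffic falls back to the ISP connection


def audit(clients, rules, kill_switch, stop_reason):
    """List clients whose tunnel-bound traffic would leave via the ISP."""
    return [c for c in clients
            if destination(c, rules) != "WAN"
            and egress(c, rules, False, kill_switch, stop_reason) == "WAN"]
```

Running `audit` over the LAN's client list with `stop_reason="manual"` shows which hosts fall back to the ISP connection after the client is stopped by hand, which is the case discussed in the thread.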
 
Is there a reason why Trend Micro will be turned off after flash and the primary user name on samba storage page and ftp server page would be changed from the router's admin user name back to the default admin?
On AX88U after update all this were fine.
 
It's possible. 750 Mbps is what I would expect though from any dual-stream 802.11AC client however, so this looks normal to me.

VPN Director only deals with IP addresses. You would have to ensure that your Guest Network has specific IP addresses if you want to route these through the tunnel.

I haven't tested it, but this might be a good use scenario for the fact that Guest Network 1 now uses a different IP range than the rest of the LAN.


Is that subnet pushed by the server through the PUSH parameter? Check the system log for what gets pushed. If the server doesn't push it, then you might need to manually add it to your Custom Settings section.

I think the question is why in routing table there are no routes from VPN server to VPN client. After upgrade firmware, routes came, it's working, but in routing table there are no routes. VPN server pushed through the PUSH parameter. VPN server and clients on RMerlin's firmware 386.3.
 