ASUS RT-AC68U/Merlin Split Tunnel

jim99

Occasional Visitor
I have a home network that supports several laptops over wireless and two servers (NethServer and a HikVision NVR) on copper. I have an FTTP connection to the Internet and a single public IP address. The NethServer supports an email server and three small websites; the HikVision NVR is accessible externally through non-standard port numbers, so it doesn't clash with the NethServer (because of the single IP address).

It all works fine, has done for years, but now I want to protect my outgoing browsing with a VPN. I am running with SurfShark loaded on my clients, but I want to move the VPN to the router. This is where it gets a bit complex. I want to route all client traffic down the VPN, but have all incoming port 80/443 browsing traffic and mail traffic go directly to the servers, so a kind of split tunnel.

Is this going to need Merlin (or similar) to work on an Asus RT-AC86U, or can I do it with the stock F/W?

If I need Merlin, where is the best source of documentation?

Thanks
Jim
 
If your intent is to route all *outgoing* traffic over the VPN, while remotely accessing your servers over the WAN, then it will only work if you do NOT have those servers being routed down the VPN.

IOW, you can't have any given local device bound to both the WAN and VPN at the same time. It's one or the other.

With that said, if your VPN provider supports port forwarding over the tunnel, then you should be able to keep all your local devices bound to, and remotely accessible from, the VPN.

Does it require Merlin? If you decide on split tunneling as described above (some devices bound to the WAN, others to the VPN), or decide to keep *all* local devices bound to the VPN and use port forwarding over the VPN for remote access purposes, it will require Merlin, since I don't believe the OEM firmware is capable of either.
 
Hi eibgrad,
Thanks for your response, you have confirmed what I thought was the case. As you rightly say, I want all locally-originated sessions (like outbound PC traffic to web servers in the Internet) to go through the VPN tunnel, but I want all Internet-originated sessions (either browsing the 3 web servers on NethServer, or communicating with the mail server) to go through the native WAN connection, so it looks like I need to teach myself how to work Merlin... I feel a vertical learning curve facing me :)

Thanks

Jim
 
I should add one other option, esp. since it would work w/ Merlin or OEM firmware.

If you know the public IP(s) of the device(s) that will be remotely accessing over the WAN (e.g., workplace, home of friend/relative, favorite wifi cafe, etc.), then you can add static routes that bind those public IPs to the WAN (at least if they are static). In that case, it *is* possible to have those servers bound to both the WAN and VPN at the same time. The problem is (obviously), most people do NOT know the public IPs from which they will be remotely accessing their home network, because they are truly roaming. But for those who do know, that would work.
 
Once again, thanks eibgrad, I got Merlin flashed with no dramas, and two hours of playing later, I have the browser traffic going down the VPN, the servers going out to the Internet over the local WAN, a shared disk hung off the USB port and I can get access to my camera server from both inside and outside the network. Surprisingly easy, it's never going to compete with Cisco for configurability but it's pretty damn good!
 