Asus RT-AX88U w/ Nord VPN - When setting a particular device to bypass the VPN, all device are no longer routed through VPN

[Woofer Wrecker]

Greetings All, my first post here, and I apologize in advance for my ignorance. I know just enough to be dangerous. Hence why I have come begging for help!

I have successfully set up my RT-AX88U running Merlin 386.7, to run the Nord VPN OVPN on board. All my devices are currently run through the tunnel.

My issue arises when I set a specific device IP to not use the VPN, which I do by setting the router to use VPN director polices, and then adding the device IP as a new rule. I set the interface to the client I want, and do not enter a remote IP. Add the rule, apply it, and re boot the router. When restarted all devices are now bypassing the VPN tunnel, exposing my real IP address, which I do not want.

I need to exclude certain devices as wifey works remotely and has complained that she can not access certain work related sites due to VPN.

If there is any suggestions anyone has to help me get this resolved, I would be most grateful.

Thank you in advance!
WW

 

[eibgrad]

To exclude IPs, you set those to use the WAN (not the VPN), then create a rule to route everything else through the VPN.

192.168.1.103 WAN
192.168.1.0/24 OVPN1

Even though the VPN rule (192.168.1.0/24) includes 192.168.1.103, the WAN rules take precedence over any VPN rules. That's why it works.

 

[Woofer Wrecker]

To exclude IPs, you set those to use the WAN (not the VPN), then create a rule to route everything else through the VPN.

192.168.1.103 WAN
192.168.1.0/24 OVPN1

Even though the VPN rule (192.168.1.0/24) includes 192.168.1.103, the WAN rules over take precedence over any VPN rules. That's why it works.

Ahh okay, I did also try setting the interface to WAN for the device previously, but I did not realize I needed to create additional rules. So are you saying I need to add every other device I want to go through the VPN as its own rule?

And thank you for the quick reply! I really appreciate it!

 

[Woofer Wrecker]

Edit: if I am understanding correctly, the "0/24" would encompass all devices assigned IPs within that range. In my case, I would need to add /255 as a rule because the router has assigned all random IP addresses to my devices. Is this thinking correct?

 

[ddebacker]

You need something like this.
One rule for the exclusion targeting your device exception IP address using WAN as interface and another one with a CIDR block (IP range) using your VPN interface. Since WAN IF takes precedence it doesn't matter whether your exception device is in that range.

 

[Woofer Wrecker]

Thank you both! I will try these settings now.

Edit correctly this time: So settings like this? Will this work even though I have devices that have IP addresses that are outside 24?

 

[ddebacker]

You need to ensure that you network mask does include the devices that you want your rule to apply to. But if the first two entries need to go to AN directly and the rest in the range should go through your VPN this should work. If you have device that are OUTSIDE of 192.168.1.0/24 then those devices will go to WAN by default I believe

 

[eibgrad]

Technically, it should be 192.168.1.0/24, NOT 192.168.1.1/24. The latter is actually NOT valid, but some parts of the system will accept the latter and handle it, others won't. So the former is always safer.

 

[Woofer Wrecker]

I tried setting the rule to 192.168.1.0/255 to encompass all devices in my network, but the router tells me it is an invalid IP. I do not want any devices outside the VPN unless I specify a rule for it allowing it. These are all of the IP addresses my router has assigned...

 

[eibgrad]

192.168.1.0/24, NOT 192.168.1.0/255

 

[Woofer Wrecker]

I understand that, but DDEBACKER said the mask needs to encompass all IP's or else they will default to WAN. As you can see, I have IP's way outside /24. Or am I missing something? Won't any deice with an IP ending beyond 24 default to WAN?

These are current settings.

 

[eibgrad]

The following might help to understand the CIDR notation.

Limit of 64 Manually Assigned IP around the DHCP list - Workaround for RT-AX92U?

I am converting my powerline light switches in my house (Insteon) to IP based switches by Shelly and TP-Link/KASA. For the software I use, I need static IP addresses so I can differentiate between lights in the house (I use one switch to dim on turn on/off another). My RT-AX92U has been...

www.snbforums.com

IOW, /24 *does* cover the entire 192.168.1.x IP network. The /24 is just another way of representing the alternative notation, 192.168.1.0 255.255.255.0, but the GUI is built to expect the former CIDR notation.

 

[Woofer Wrecker]

Understood! Thank you all so very much for your time and help! what an amazing community!

 

[ddebacker]

Here is some tutorial on how to understand network masks:
What is a Netmask? (computerhope.com)

 

[Bitrudeuk]

You need something like this.
One rule for the exclusion targeting your device exception IP address using WAN as interface and another one with a CIDR block (IP range) using your VPN interface. Since WAN IF takes precedence it doesn't matter whether your exception device is in that range.
View attachment 42391

Thank you for posting this, I have been trying to understand the picture on the Wiki page about how to get the rules to ensure everything else is captured. This makes it nice and idiot proof.

Technically, it should be 192.168.1.0/24, NOT 192.168.1.1/24. The latter is actually NOT valid, but some parts of the system will accept the latter and handle it, others won't. So the former is always safer.

I've tried 0/24 and I loose access to the router via the LAN? Something is obviously conflicting or should I try and use 1/24? Would this not be right as the router is assigned 1 after all? Or am I just putting 2 and 2 together and getting 3??

I wanted to carve out my Firestick, but leave everything else on the VPN, which it seems to have done. All my other devices appear to be going via the VPN, so it's just the router access i've lost, Any ideas? Did yours work out ok?? @Woofer Wrecker

I'm on the latest Merlin 386.7 via an AX86U. I'm also using Asus DDNS, if that would cause the conflict, but I think this is VPN director related?

 

[eibgrad]

Thank you for posting this, I have been trying to understand the picture on the Wiki page about how to get the rules to ensure everything else is captured. This makes it nice and idiot proof.



I've tried 0/24 and I loose access to the router via the LAN? Something is obviously conflicting or should I try and use 1/24? Would this not be right as the router is assigned 1 after all? Or am I just putting 2 and 2 together and getting 3??

I wanted to carve out my Firestick, but leave everything else on the VPN, which it seems to have done. All my other devices appear to be going via the VPN, so it's just the router access i've lost, Any ideas? Did yours work out ok?? @Woofer Wrecker

I'm on the latest Merlin 386.7 via an AX86U. I'm also using Asus DDNS, if that would cause the conflict, but I think this is VPN director related?

If your LAN is using 192.168.1.1 255.255.255.0, as defined on the LAN > LAN IP page, then you reference the entire IP network as 192.168.1.0/24. 192.168.1.1/24 is NOT valid CIDR notation. As I said, sometimes the system will accept it because it knows users will make this mistake, and knowing your intent, treats it as 192.168.1.0/24. That's why using 192.168.1.1/24 will work in *some* cases.

For example, the firewall rules don't care, they'll convert 192.168.1.1/24 to 192.168.1.0/24 on your behalf. But the routing system (except for ip rule) *does* care. It will reject the use of 192.168.1.1/24 until you correct it yourself! It's just not that user-friendly or accommodating as the firewall when it comes to this issue.

For myself, I use 192.168.1.0/24 w/ the VPN Director all the time, I have no issues. So something else has to be wrong w/ how you set this up if you do the same and the router then becomes inaccessible. But having no other knowledge of your configuration, it's hard to imagine what that might be.

Perhaps a dump of your config might provide a clue.

ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers

I admit it's quite extensive, but then I don't know what might be relevant at this point. It might make sense to post the output on PasteBin (given its size) and provide a link back here.

 

[Bitrudeuk]

I fear i'm going to have to do a factory reset in order to gain access?? I have no way of accessing other than via the App, as I don't know how to code via SSH etc..

That means the config file will be gone when I log back in, doesn't it? I assume I can get one when I have uploaded my previous settings, though the VPN director won't be set up and therefore not showing? That said, it may show that something else is wrong behind the scenes and what is causing the conflict??

Thanks as always for your assistance on these technical matters @eibgrad As soon as I try and be too clever, it inevitably goes wrong somehow!

 

[Bitrudeuk]

Ok, so I have done a reset and then upped the previous settings, so I am back in. That said, at some point very soon, I will do a fresh install!

One thing I noticed in the recent update, was the change to the WAN DNS settings area. Mine has defaulted to "Get the DNS IP from your ISP automatically." and I am unable to enter my VPN suggested DNS servers. As when I enter them, I can't access any web pages? Could this be because my VPN client is set to "Accept DNS Configuration" Exclusive and therefore I am using the VPN ones automatically, rather than my ISP's? I've done a couple of leak tests and there are no leaks that I can tell with this set up.

Could it be that when I change the VPN client to use the VPN Director, rather than all traffic going through the tunnel, I should amend the DNS Config to Strict and then add the VPN servers in manually on the WAN section?

Perhaps a dump of your config might provide a clue.

ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers

To get the config info, can I get the data via cmd in windows or does it have to be via SSH?? I've never accessed the router this way, so that would need to be researched first...

 

[eibgrad]

One thing I noticed in the recent update, was the change to the WAN DNS settings area. Mine has defaulted to "Get the DNS IP from your ISP automatically." and I am unable to enter my VPN suggested DNS servers. As when I enter them, I can't access any web pages? Could this be because my VPN client is set to "Accept DNS Configuration" Exclusive and therefore I am using the VPN ones automatically, rather than my ISP's? I've done a couple of leak tests and there are no leaks that I can tell with this set up.

Could it be that when I change the VPN client to use the VPN Director, rather than all traffic going through the tunnel, I should amend the DNS Config to Strict and then add the VPN servers in manually on the WAN section?

AFAIK, you can still assign your own custom DNS servers to the WAN.

Starting w/ 386.5 (IIRC), ASUS decided to statically bind any DNS servers defined on the WAN (either ISP or your custom DNS servers) to the WAN. That's problematic for anyone following their VPN providers advice to specify *their* DNS servers on the WAN. Once the OpenVPN client gets connected, the VPN provider is *assuming* you are routing ALL your traffic over the VPN (i.e., NOT using the VPN Director), and that those same DNS servers will now be routed over the VPN. But they WON'T! They are statically bound to the WAN! Hence, a DNS leak.

What I recommend is that you *ignore* the VPN provider's advice, and either use your normal ISP DNS servers on the WAN, or perhaps something else (e.g., 1.1.1.1 and 1.0.0.1), or even DoT (but specify Disabled for "Accept DNS configuration" in that case).

If NOT using DoT, and if you want to prevent DNS leaks, the only setting guaranteed to work for "Accept DNS configuration" is Exclusive. Strict or Relaxed will inevitably lead to DNS leaks because the DNS servers defined on the WAN (which remember are statically bound to the WAN) will be used in conjunction w/ the DNS server of VPN provider. In contrast, the use of Exclusive means *only* the VPN provider's DNS servers will be used.

That's why all this is so tricky. There are lot of low level details regarding various settings and how they all relate and behave that make it a complex subject. That's why I created the DNS monitor, to help visualize what's actually happening.

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

To get the config info, can I get the data via cmd in windows or does it have to be via SSH?? I've never accessed the router this way, so that would need to be researched first...

You need to use an SSH client to access the router's SSH server, and thus its command line. IIRC, Windows 10/11 does provide an SSH client via its own command line (CMD). There's also one available via PowerShell, or even the PuTTY app.

 

[eibgrad]

One more thing.

I'm assuming the push'd DNS servers of the VPN provider are themselves bound to the VPN's tunnel. IOW, if the tunnel is 10.8.0.0/24, those IPs are within the scope of that tunnel. For example, 10.8.0.1 or 10.8.0.10.

However, sometimes the VPN provider pushes *public* DNS servers that are NOT within the scope of the tunnel (e.g., 8.8.8.8), or perhaps their own public DNS servers. If using the VPN Director and Exclusive, those DNS servers will be accessed over the WAN! Again, the VPN provider is *assuming* the router itself is bound to the VPN. But that's NOT the case when the VPN Director is active.

Again, the DNS monitor would reveal this type of potential problem.