Asus RT-AX88U w/ Nord VPN - When setting a particular device to bypass the VPN, all device are no longer routed through VPN

[Bitrudeuk]

What I recommend is that you *ignore* the VPN provider's advice, and either use your normal ISP DNS servers on the WAN, or perhaps something else (e.g., 1.1.1.1 and 1.0.0.1), or even DoT (but specify Disabled for "Accept DNS configuration" in that case).

That's why all this is so tricky. There are lot of low level details regarding various settings and how they all relate and behave that make it a complex subject. That's why I created the DNS monitor, to help visualize what's actually happening.

Tutorial - How to monitor DNS traffic in real-time

The following script allows for real-time monitoring of DNS on the router for the purposes of knowing what DNS servers are in use, and which network interfaces are being used. https://pastebin.com/AGNF8cC8 Overview One of the most difficult aspects of the router for users is managing DNS. DNS...

www.snbforums.com

I have previously used 1.1.1.1 before getting a VPN, so would happily use that again. I only enter the manual servers when I am ready to use the VPN director though right?

Leaving it as is, I am in theory bound to my VPN ones, or I am really bound to my ISP ones and therefore leaking, even though the test sites say I am not? Or I am misunderstanding what you have said?

I did read about your DNS monitor in another thread, but again because I have no SSH experience, shied away from it...

You need to use an SSH client to access the router's SSH server, and thus its command line. IIRC, Windows 10/11 does provide an SSH client via its own command line (CMD). There's also one available via PowerShell, or even the PuTTY app.

Ok, thanks, in order to do that I will need to amend the Service - Enable SSH on the system tab right? And then click LAN only?

The whole reason I am doing this is to have my OpenVPN home server on the Firestick or as another VPN client on the router at another property and access Plex away from home or at the other property. Instead of fussing around with the VPN director, could I just use the OpenVPN on the firestick on top of the retail VPN client on the router? I think in a previous thread you said this wouldn't be possible, as my home server wouldn't see the Firestick, just my retail VPN client?

My thinking is that if I just carved out the Firestick via the VPN Director and then accessed any VPN/OpenVPN home server via the Firestick itself?

 

[Bitrudeuk]

One more thing.

I'm assuming the push'd DNS servers of the VPN provider are themselves bound to the VPN's tunnel. IOW, if the tunnel is 10.8.0.0/24, those IPs are within the scope of that tunnel. For example, 10.8.0.1 or 10.8.0.10.

However, sometimes the VPN provider pushes *public* DNS servers that are NOT within the scope of the tunnel (e.g., 8.8.8.8), or perhaps their own public DNS servers. If using the VPN Director and Exclusive, those DNS servers will be accessed over the WAN! Again, the VPN provider is *assuming* the router itself is bound to the VPN. But that's NOT the case when the VPN Director is active.

Again, the DNS monitor would reveal this type of potential problem.

Strangely the DNS server in ipconfig/all is showing as what I think is my router IP address? That's not right is it?

 

[eibgrad]

I have previously used 1.1.1.1 before getting a VPN, so would happily use that again. I only enter the manual servers when I am ready to use the VPN director though right?

Leaving it as is, I am in theory bound to my VPN ones, or I am really bound to my ISP ones and therefore leaking, even though the test sites say I am not? Or I am misunderstanding what you have said?

Once you set the DNS servers on the WAN, you leave them alone. You do NOT keep changing them each time you use the VPN.

I did read about your DNS monitor in another thread, but again because I have no SSH experience, shied away from it...

Time to get familiar with it. It's an invaluable tool for diagnostics, customization, etc.

Ok, thanks, in order to do that I will need to amend the Service - Enable SSH on the system tab right? And then click LAN only?

Yes.

The whole reason I am doing this is to have my OpenVPN home server on the Firestick or as another VPN client on the router at another property and access Plex away from home or at the other property. Instead of fussing around with the VPN director, could I just use the OpenVPN on the firestick on top of the retail VPN client on the router? I think in a previous thread you said this wouldn't be possible, as my home server wouldn't see the Firestick, just my retail VPN client?

My thinking is that if I just carved out the Firestick via the VPN Director and then accessed any VPN/OpenVPN home server via the Firestick itself?

You lost me a bit there. If you want to manage the OpenVPN client on individual devices, esp. if you only have the one, like a firestick, there's no real reason to manage it on the router. You avoid a lot of configuration issues that way.

 

[Bitrudeuk]

Once you set the DNS servers on the WAN, you leave them alone. You do NOT keep changing them each time you use the VPN.

I used to have the VPN suggested DNS servers entered, so hopefully they were just carried over and are bound after the update to the new firmware? I guess we will find out when I run the script, once I sort out the SSH stuff... Bare with me on that bit though!

You lost me a bit there. If you want to manage the OpenVPN client on individual devices, esp. if you only have the one, like a firestick, there's no real reason to manage it on the router. You avoid a lot of configuration issues that way.

Yes, sorry it was a little garbled...

So, I currently have an AX86U running a Windscribe VPN client. When I go away, I switch off the VPN client and run an OpenVPN home server to access our Plex server, without having to open any ports. At our other Property, I have an AX88U. This will be running a Windscribe VPN client. Everything on the LAN would be going via the VPN tunnel. I then plan to access the OpenVPN home server at the other property, via the Firestick. Will that access the OpenVPN home server ok, despite being behind the Windscribe VPN tunnel? I thought I would have to take the Firestick out of the VPN tunnel, to access the home server ok? If I can avoid using the VPN Director, I think it would be safer....

Thanks again

 

[eibgrad]

Yes, sorry it was a little garbled...

So, I currently have an AX86U running a Windscribe VPN client. When I go away, I switch off the VPN client and run an OpenVPN home server to access our Plex server, without having to open any ports. At our other Property, I have an AX88U. This will be running a Windscribe VPN client. Everything on the LAN would be going via the VPN tunnel. I then plan to access the OpenVPN home server at the other property, via the Firestick. Will that access the OpenVPN home server ok, despite being behind the Windscribe VPN tunnel? I thought I would have to take the Firestick out of the VPN tunnel, to access the home server ok? If I can avoid using the VPN Director, I think it would be safer....

Presumably when you're using the Windscribe OpenVPN client at the other property, THAT becomes your default gateway for all your clients at that location (assuming you do NOT use the VPN Director to be selective in your routing). At that point, it would make sense to *only* use the OpenVPN server at home for access to resources located there, NOT internet access. So you would NOT configure that particular OpenVPN client as your internet gateway. If your OpenVPN home server *is* currently configured to route its clients to the internet, you can prevent it by adding the following to the OpenVPN client's custom config field.

pull-filter ignore "redirect-gateway"

So you end up w/ two concurrent OpenVPN clients, only one of which is serving as your default gateway (Windscribe). For access to home resources, it's via the other OpenVPN client that's bound only to that network.

 

[Bitrudeuk]

SUCCESS... I've managed to get Putty up and running and have somehow logged in....

Your script output suggests that my DNS servers are indeed my ISP's and not my VPN's. I'll see if I can change these, at least to 1.1.1.1 and see what happens? As I said before, it didn't like me trying to add manual ones?

As for the other data you suggested I collate, is there anything that I shouldn't be showing to the big wide world and should blank out, like router name for instance??

 

[eibgrad]

As for the other data you suggested I collate, is there anything that I shouldn't be showing to the big wide world and should blank out, like router name for instance??

If you're talking about information I or others might request from various linux commands for posting on this website, what you want to avoid is posting anything that uniquely identifies YOU, such as your public IP on the WAN (or perhaps a static public IP provided to you by your VPN provider). Anything that's common to most users AND unroutable over the internet (e.g., the private IP space, 192.168.x.x, 10.x.x.x, 172.16.x.x) is considered safe. No one can actually do anything w/ that information other than help you diagnose problems.

 

[Bitrudeuk]

Presumably when you're using the Windscribe OpenVPN client at the other property, THAT becomes your default gateway for all your clients at that location (assuming you do NOT use the VPN Director to be selective in your routing). At that point, it would make sense to *only* use the OpenVPN server at home for access to resources located there, NOT internet access. So you would NOT configure that particular OpenVPN client as your internet gateway.

Yes, the router would have the VPN as the default gateway for all clients. The home server is currently set up for internet access too. The main reason being that I would be in a different country and this allows me to trick my ISP TV to think it is still at home, so I can watch all the sports abroad! This was why I was going to use the VPN Director to take the Firestick off of the Router VPN and configure the Firestick itself, to access my home server. I thought I could add my home server to the router at the other house and just access that via the Firestick and the rest of the traffic would use the Windscribe VPN tunnel already on the router?

My understanding is that if I had the router set up for a UK VPN server, if I then set the Firestick to an NL server, the layering could create conflicts? A tunnel within a tunnel doesn't seem like it would work properly?

Hopefully that makes sense?

 

[eibgrad]

A tunnel inside is tunnel certainly isn't ideal. And now that i think about it, you will encounter this problem unless you use the VPN Director for *both* OpenVPN clients.

By using the VPN Director for both clients, it prevents the router itself from being bound to either VPN. All references to the OpenVPN server's IP in either case is routed through the WAN, never the other OpenVPN server.

Since your own OpenVPN home server would be using the VPN Director, the pull-filter isn't necessary. You could just add the Firestick's IP to the VPN Director.

192.168.1.100 OVPN1 # assumes OVPN1 = OpenVPN home server

For the case of Windscribe, you could route the entire network (or be selective if you prefer) through it w/ the following rule.

192.168.1.0/24 OVPN2 # assumes OVPN2 = Windscribe

Beware, I specifically placed your OpenVPN home server on the first OpenVPN client (#1) because the VPN clients have a priority, from highest (#1) to lowest (#5). So even though the entire network is routed through OVPN2, OPVN1 take precedence in the case of the Firestick (or any references to your home IP network).

That's the trick is avoiding nested tunnels; you *must* use the VPN Director for any and all your concurrently active OpenVPN clients!

 

[Bitrudeuk]

ifconfig
ip route
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers

Apologies for the delay in getting the info, wifey stopped me "tinkering"

So, here goes; https://pastebin.com/yFQPVHY3

This is of course without the VPN Director being on.

And I also managed to check the DNS using your clever tool, hopefully i've done both of these things right?



Cheers

 

[Bitrudeuk]

Hi @eibgrad I've now moved onto the latest Merlin Firmware, 386.7_2.

Assuming everything is how it should be and the other problems we were discussing have gone away, the following should work correctly right?

Just to take the firestick off the VPN client, but everything else goes through the VPN client?



As an extra question. When I switch on my home VPN server and switch off the VPN client, do I need to switch off/un-enable the VPN Director Rules too, or as the Client is not switched on, they won't effect the Home Server?

Many thanks

D

 

[eibgrad]

As an extra question. When I switch on my home VPN server and switch off the VPN client, do I need to switch off/un-enable the VPN Director Rules too, or as the Client is not switched on, they won't effect the Home Server?

The VPN Director has nothing to do w/ the OpenVPN server in any way. You can leave your rules enabled.

 

[Bitrudeuk]

Thanks for confirming! I'll give the VPN Director another go tonight, with the settings above! Fingers crossed it doesn't lock me out again...

 

[eibgrad]

Lock you out?

 

[Bitrudeuk]

Lock you out?

Yes, last time I tried to use the VPN Director, I was unable to access the router via wireless or ethernet and had to reset it... Internet was working fine though and firestick appeared to be off of VPN, which suggested it was working... I just couldn't access the router anymore

I think that is why you asked for the information above, but I couldn't access it before to give it to you. In theory, this time if I am "locked" out, I should be able to SSH in and get the data to assess what is going wrong?

 

[eibgrad]

Yes, last time I tried to use the VPN Director, I was unable to access the router via wireless or ethernet and had to reset it... Internet was working fine though and firestick appeared to be off of VPN, which suggested it was working... I just couldn't access the router anymore

I think that is why you asked for the information above, but I couldn't access it before to give it to you. In theory, this time if I am "locked" out, I should be able to SSH in and get the data to assess what is going wrong?

Beware, when you configure the OpenVPN client w/ Exclusive for "Accept DNS configuration", this bypasses DNSMasq on the router for local name resolution. And if you're referencing router.asus.com to access the router, it won't work. Only DNSMasq knows anything about that domain name. You need to use the router's explicit IP (e.g., 192.168.1.1).

That's one of the downsides of using Exclusive w/ the VPN Director; while it guarantees against DNS leaks, it does so at the price of losing access to DNSMasq and its various features (local name resolution, local caching, ad blocking, etc.).

You wouldn't be the first person to mistakenly believe you're locked out of the router when in fact it's just an expected consequence of losing access to local name resolution due to Exclusive.

 

[Bitrudeuk]

That would explain it then, I was trying to access via "https://router.asus.com:*****/Main_Login.asp" I shall try just with the IP

I was looking at trying to get access via the actual DDNS page on another thread prior to playing around with the VPN Director. Would the below work with this set up, or am I just better off accessing via the IP all the time?

If you just want to access your router via your FQDN e.g. your chosen DDNS name, which does have a valid SSL Certificate (you can disable https://router.asus.com within your router's GUI pages) say from a device that's located on your own router's LAN and via https in your browser e.g. https://ddns-mydomain.tld then THIS POST will tell you how to do it. This does assume that you have NOT enabled "Enable Web Access from WAN" which is the normal recommendation made by most router users on here for security reasons. If you must access / control your router remotely, then you could / should do this via very secure VPN and/or via very secure SSH - If you still want to minimise the chances of a hack or other unsavoury remote visits to your router too.

 

[eibgrad]

When located inside the LAN, using the explicit LAN ip of the router will *always* work. The same can't be said for router.asus.com.

The issue of DDNS is for another purpose. Sometimes users have a device (e.g., smartphone) from which they access the router (or more likely, a port forward'd device) both on the LAN and remotely. But they don't want to keep switching the configuration on that device from the local reference (e.g., router.asus.com) to the public reference (myhostname.myddnsprovider.com) as they move back and forth between the two environments. They just want to reference the latter all the time. And that requires the router to support NAT loopback (aka, hairpinning), which it does. But in either situation, this assumes the relevant domain name is resolvable. If it ever is NOT, for whatever reasons, the private/private IP is still available.

 

[Bitrudeuk]

I only ever access my router via the LAN or via my home OpenVPN Server. The reason for me trying to have a formal access page, via (myhostname.myddnsprovider.com), was to finally have the HTTPS accepted, without it always warning me it's "unsafe".

I know the warning doesn't matter, as I am only ever accessing inside the network, I just want it to be less cumbersome to access it. Even access via the router IP comes up with the warning annoyingly, but I guess that will never change until the certificate is accepted, and that is logged against (myhostname.myddnsprovider.com) of course.. Grrr

 

[Bitrudeuk]

@eibgrad Many thanks for all your help, VPN Director is up and running correctly and access to router is also possible!