Release Asuswrt-Merlin 386.3 is now available

[shabbs]

So in 386.3 I now have to manually enter the ip address of each device in order to not have a dns leak? whereas before on 386.2 I could just set my whole network to go through the vpn with no dns leaks and whitelist a few devices to go to wan.

Not sure if you actually do, just sharing my observation with my setup which also included DNSFilter and two Pi-Hole's with a DHCP-based handout for DNS entries. Not everyone does that.

What is your DNS setup on your router? LAN/WAN/DHCP etc...?

 

[RMerlin]

Me too, but my leak is with DNA set to strict. Not exclusive.

DNS Strict cannot guarantee that only your VPN DNS servers will be used. It only determines in which order the servers get queried.

 

[miniterror]

So, apparently the OnePlus phone's camera does not pick up the QR code for joining wifi. Had an alarm technician in the house yesterday and he asked to join the wifi. Thought it was the perfect time for them to try our my custom made "join our guest wifi" picture frame. Had him point his camera to it. Nothing. Very odd. Works like a charm with Samsung and Apple devices.

I have a oneplus myself.
When going to WiFi you can choose to manually add a network or scan a QR code.
So its there in the settings, not in the main camera.


Edit: sorry, didnt see this was posted a page further

 

[Tim Storey]

Did you properly configure "Redirect Internet traffic"?

Something, something "Doh!" something, etc.

 

[RMerlin]

Is the latter aspect of the above not indicative of a glitch in VPN Director? VPN Director shows the redirecting all traffic, and states WAN rules will have priority, but setting single WAN bypass fails.

Currently, Redirect "Yes" has a higher priority than WAN rules. I need to give it more thought, unsure if it would be better to have WAN exceptions have a higher priority (which would be counter-intuitive as that setting says "All"), or leave it as it is, and have people use VPN Director instead whenever they want to use a WAN exception rule. So far I'm inclined to leave things as they are, as it more accurately reflects what the webui shows. VPN Director is intended to be the method that gives end-user control, over the all-or-nothing of the "No" and "Yes (All)" routing modes.

 

[stamzrat10]

DNS Strict cannot guarantee that only your VPN DNS servers will be used. It only determines in which order the servers get queried.

thanks for explaining this

 

[Lynx]

Currently, Redirect "Yes" has a higher priority than WAN rules. I need to give it more thought, unsure if it would be better to have WAN exceptions have a higher priority (which would be counter-intuitive as that setting says "All"), or leave it as it is, and have people use VPN Director instead whenever they want to use a WAN exception rule. So far I'm inclined to leave things as they are, as it more accurately reflects what the webui shows. VPN Director is intended to be the method that gives end-user control, over the all-or-nothing of the "No" and "Yes (All)" routing modes.

Thanks for this. Is there at present a way to have all traffic including router default to VPN and then to create one or more exceptions to go through WAN? If so, how is this effected?

 

[JacquesR]

I have a oneplus myself.
When going to WiFi you can choose to manually add a network or scan a QR code.
So its there in the settings, not in the main camera.


Edit: sorry, didnt see this was posted a page further

The camera can do it too, at least on my OnePlus 7t. If you have the Google Lens button just to the left of the shutter button, that works to scan QR codes.

 

[jeden]

Can you see if the issue still exists in newer stock firmware? If it was fixed upstream since 42095, then we just have to wait for a new GPL release for me to merge in.

I'm not 100% sure because it was months ago, but I believe the latest stock firmware (43129) contains the bug also.
Is there any way to report a bug that ends up with an actual engineer reading the bug report?

 

[Spud]

Currently, Redirect "Yes" has a higher priority than WAN rules. I need to give it more thought, unsure if it would be better to have WAN exceptions have a higher priority (which would be counter-intuitive as that setting says "All"), or leave it as it is, and have people use VPN Director instead whenever they want to use a WAN exception rule. So far I'm inclined to leave things as they are, as it more accurately reflects what the webui shows. VPN Director is intended to be the method that gives end-user control, over the all-or-nothing of the "No" and "Yes (All)" routing modes.

I run two VPN clients concurrently, both with VPN Director rules.

I want to allocate one of the VPN clients to single device with a kill switch, and create a route to WAN for a single port on the device.

It’s the scenario described in Example 2:

Policy based Port routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Is there any way to achieve this at present? As far as I can see, VPN Director defaults to “Policy rules (strict)” and blocks port routing.

 

[miniterror]

The camera can do it too, at least on my OnePlus 7t. If you have the Google Lens button just to the left of the shutter button, that works to scan QR codes.

Ok good to hear, i have a older 6 and there it can only be done in the WiFi settings.

 

[kernol]

I run two VPN clients concurrently, both with VPN Director rules.

I want to allocate one of the VPN clients to single device with a kill switch, and create a route to WAN for a single port on the device.

It’s the scenario described in Example 2:

Policy based Port routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Is there any way to achieve this at present? As far as I can see, VPN Director defaults to “Policy rules (strict)” and blocks port routing.

That WiKi section predates VPN Director included with Merlin 386.3 - so sadly not likely to work in the current implementation of VPN Director.
You would have to revert to Merlin 386.2_6 and then follow the @Xentrk notes you refer to [maybe also need x3mRouting ?].

 

[Spud]

That WiKi section predates VPN Director included with Merlin 386.3 - so sadly not likely to work in the current implementation of VPN Director.
You would have to revert to Merlin 386.2_6 and then follow the @Xentrk notes you refer to [maybe also need x3mRouting ?].

It looks as if various kinds of custom routing aren't possible with VPN Director. Eventually I'll have to downgrade to have more functionality again.

 

[RMerlin]

Thanks for this. Is there at present a way to have all traffic including router default to VPN and then to create one or more exceptions to go through WAN? If so, how is this effected?

I don't know. Having the router itself go through the VPN isn't as simple as it may seem, since the tunnel traffic cannot go into itself, it has to go through the WAN interface.

I'm not 100% sure because it was months ago, but I believe the latest stock firmware (43129) contains the bug also.
Is there any way to report a bug that ends up with an actual engineer reading the bug report?

The Feedback form reaches the dev team.

I want to allocate one of the VPN clients to single device with a kill switch, and create a route to WAN for a single port on the device.

Port-based routing is not supported.

 

[RMerlin]

It looks as if various kinds of custom routing aren't possible with VPN Director. Eventually I'll have to downgrade to have more functionality again.

Nothing prevents you from manually configuring the RPDB to suit your special needs. VPN Director is designed to make it sample to handle the most common scenario, not to be able to do every single weird configuration through a webui.

 

[Lynx]

I don't know. Having the router itself go through the VPN isn't as simple as it may seem, since the tunnel traffic cannot go into itself, it has to go through the WAN interface.

Understood. I can see from various posts on this forum that I am not the only one looking to set up default to VPN, with one or more exceptions to WAN. This feels like a fairly typical use case, and helps avoid leaks from the router to ISP.

With the option of having VPN Director allow exceptions to the case of redirect traffic: yes, would that simply be a case of changing the order of priority so that the exception is provided after the effecting of redirect to VPN?

Would there be a way to set that up in a script file for those of us who do want to have all directed to VPN with a couple of exceptions?

 

[RMerlin]

I am not the only one looking to set up default to VPN, with one or more exceptions to WAN.

Doing this is very simple: configure a VPN Director rule to redirect the whole subnet, and then add rules for the exceptions.

What is problematic is people also wanting to have VPN routing applied to the router itself, not just to their LAN. And one known bug where if you set a client to Redirect: No, then it will fail to process the other client rules that come after it - this is already fixed on my end and will be included with the next release.

With the option of having VPN Director allow exceptions to the case of redirect traffic: yes, would that simply be a case of changing the order of priority so that the exception is provided after the effecting of redirect to VPN?

An exception cannot be processed AFTER a rule. Once a rule is hit, a routing decision is made, and the rest of the routing tables are no longer processed.

The current implementation works perfectly fine for that scenario. People are mixing up a lot of different things here. One user's complain was that he needed port-based forwarding. Another was that he also needed the router itself redirected through the VPN. These are the special case that cannot be handled by VPN Director.

I don`t understand why some people are so confused. VPN Director was explicitly designed to provide you a very visual representation of all the rules in one single location, in the order they are applied. Just look at the VPN Director table, and read the rule one at a time, starting from the top. Does that rule match? If yes, then use the defined interface, and stop processing. It doesn't match? Then go on the the next rule in the list.

 

[Lynx]

Thanks RMerlin. Sorry to labour this, but to be clear, there is presently no straightforward way to have all traffic including router directed to VPN with one or two WAN exceptions? Would it be possible with redirect: yes and a line or two in a script file? If so, any suggestion as to what lines to add?

I fear several users will use a VPN and not even realise that their DNS requests are not actually going through the VPN, which introduces significant security implications.

For those that use a VPN and PBR, how does everyone else here deal with DNS queries, mindful that, absent special rules for each DNS server used (and there may be several set at the same time with DNS Filter), with the router defaulting to WAN, all DNS requests are sent over WAN? Personally I make use of at least CleanBrowsing Family (default) and also the NordVPN DNS servers (for televisions to keep Prime and Netflix happy). DNS Filter works perfectly for this - my televisions are set up such that DNS requests from their MAC addresses go via NordVPN, else from all other LAN devices DNS requests go via CleanBrowsing Family - fantastic! So one option for me is of course to simply add those specific DNS server IP addresses as exceptions in VPN Director. But I would need to remember to change these with any change of DNS. Happily the NordVPN DNS seems fixed, but I presume for other VPN providers the DNS servers may change, rendering excepting the particular DNS servers impossible.

In terms of traffic from the router defaulting to WAN, is there any other form of traffic to consider, in terms of eliminating leaks?

 

[RMerlin]

Add a VPN Director rule with the remote IP being the IP of the DNS server.

Automatically adding the server used by Exclusive mode is already planned, but if you also use other DNS servers, then you have to manually add rules for them. The automatic handling through Exclusive mode isn't implemented yet because I don't have any good way of doing so without creating multiple routing rules for every single client, which can grow exponentially complex as you start adding more rules.

Actually I just went ahead and did a test. There's no need for additional forced routes to be added. DNS Exclusive Mode gets applied before any routing is done, so the query that was aimed at your router will be properly redirected to the VPN's DNS server. Since the query will be coming from a redirected client, then the connection WILL be routed through the VPN. I tested by running my own DNS server on a remote VPS, and by using that VPS's IP for my VPN DNS. The client's DNS query that was sent to the router was properly sent to the VPS, and netstat showed the inbound connection came from the VPN's IP.

 

[TITAN]

Fresh install on my AC86U, all looking good at this point. Thanks RMerlin!

I did a full factory reset and entered all settings manually and everything is running smoothly. VPN director is working great too!