rfmodulator
New Around Here
Experience Level: Dangerous
Router: Asus RT-AC56R
Firmware: Merlin 384.6
Other: Single NAT on LAN (modem is in pass-through mode), All tunnels are OpenVPN
I've configured my router as a client of a well known public VPN service which supports port forwarding. This works.
I've configured a private OpenVPN server on my router and enabled the proper port to be forwarded in my public VPN account. This works.
I've installed the OpenVPN client on my laptop and my phone. I am able to connect to my private VPN from either device remotely, and in any combination of single or nested VPN tunnels on either end of the connection.
My current goal:
I want to ensure no leaks are present in the public VPN tunnel without my prior knowledge and consent. Part of this is to enable "Block routed clients if tunnel goes down" (i.e. the "kill switch"). To get this ability, I have to configure Redirect Internet traffic to use Policy Rules. (But why though? I know, different forum...)
My current issue:
Using Policy Rules, and rules that I believe to be correct, I am unable to get the router to use the public VPN for its own internet access, and therefore the router does not listen for incoming connections through the public VPN forwarded port.
To put it another way, if I set up Policy Rules the router still listens on and connects to the internet via my ISP's WAN interface.
Using Policy Rules, all internal network clients are routed properly through the public VPN tunnel for internet access.
…all of this is true for Policy Rules and Policy Rules (strict).
Additionally, if I choose either No or All, the router listens on and connects to the internet via my public VPN tunnel, and I am able to reach my private VPN through the public VPN forwarded port.
The All option makes sense, send everything through the tunnel, beautiful.
How or why this works with the No option seems completely counterintuitive to me. I would expect selecting No would prevent all internet traffic from being redirected through the tunnel. This is not what I want, but what I expect, and in fact it does work like I want it to, not like I expect it to. I expect No to be the exact opposite of All.
...I'm sure all of that is about as clear as mud, so here's a demonstration:
Oops... over limit... see replies.
This makes it seem so simple:
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
...but instead of Router via WAN Iface, I expected to select the VPN Iface and be good. Actually, I expected the 0/24 would handle the Router as well without an explicit rule. By good, I mean all LAN and Router internet traffic routes through the VPN tunnel, and the "Block routed clients..." option is available.
I've attempted to search for a solution (for a few days now), but the keywords are tricky and nothing I've found seems to match my situation.
I'll be happy to test any settings and post any other output that is relevant and helpful to solving the problem.
At this point I really want to know how to solve this as described for my own curiosity, but if something about this proves to be simply impossible to do with Policy Rules, can I stick with the RIT All option, and implement a kill switch in a different way?
Thank you!
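The symptom in the post (LAN clients go through the tunnel under Policy Rules, the router itself does not) is what plain Linux policy routing produces when only the LAN subnet has an `ip rule` entry: router-originated packets have no source address bound when the rule lookup runs, so a `from 192.168.1.0/24` rule never matches them and they fall through to the main table, whose default route is still the WAN. The script below is an added example, not code from the post or from the Asuswrt-Merlin firmware. It models that lookup offline against constructed `ip rule show` / `ip route show table <name>` output; the table name ovpnc1, the device tun11 (OpenVPN client 1), the 192.168.1.0/24 LAN and 203.0.113.0/24 WAN addresses, and the exact contents of the tables are assumptions.

```shell
#!/bin/sh
# Added example; not from the original post or from the Asuswrt-Merlin project.
# Offline model of how Linux picks an egress interface for a given source:
# the first matching "ip rule" entry selects a routing table, then that table's
# most specific route to an internet destination selects the device.
# All data below is CONSTRUCTED, shaped like "ip rule show" and "ip route show
# table <name>" output. Table ovpnc1, device tun11 and the LAN/WAN addresses
# are assumptions; only simple "from X lookup T" rules are parsed.

# Policy Rules: the LAN subnet gets a rule, the router's own traffic does not.
RULES_POLICY='0:      from all lookup local
10001:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# No policy rules: everything falls to main.
RULES_PLAIN='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# VPN table: default route points at the tunnel.
ROUTES_OVPNC1='default via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2'

# main table holding only the ISP default route.
ROUTES_MAIN_WAN='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

# main table after an accepted "redirect-gateway def1" push: the two /1 routes
# are more specific than the WAN default, so they win for every internet address.
ROUTES_MAIN_TUN='0.0.0.0/1 via 10.8.0.1 dev tun11
default via 203.0.113.1 dev eth0
128.0.0.0/1 via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR: true when ADDR is inside CIDR ("all" matches anything).
in_cidr() {
    [ "$2" = "all" ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# lookup_table SRC "RULES": table chosen by the first rule whose "from" covers
# SRC. The local table only holds the box's own addresses, so it is skipped.
lookup_table() {
    printf '%s\n' "$2" | while read -r _prio _from cidr _lookup table; do
        [ "$table" = "local" ] && continue
        if in_cidr "$1" "$cidr"; then
            echo "$table"
            break
        fi
    done
}

# dev_of_prefix PREFIX "ROUTES": "dev" field of the route with that prefix.
dev_of_prefix() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# egress_dev_in_table "ROUTES": device used for an internet destination such
# as 1.1.1.1; a redirect-gateway 0.0.0.0/1 route beats a plain default.
egress_dev_in_table() {
    dev=$(dev_of_prefix "0.0.0.0/1" "$1")
    [ -n "$dev" ] || dev=$(dev_of_prefix "default" "$1")
    echo "$dev"
}

# egress_dev SRC "RULES" "MAIN_ROUTES": rule lookup, then route lookup.
egress_dev() {
    case "$(lookup_table "$1" "$2")" in
        ovpnc1) egress_dev_in_table "$ROUTES_OVPNC1" ;;
        *)      egress_dev_in_table "$3" ;;
    esac
}

# leak_check LABEL "RULES" "MAIN_ROUTES": a LAN client and the router itself.
# Router-originated packets have no source bound at rule-lookup time, so they
# are modelled as 0.0.0.0: only "from all" rules can match them.
leak_check() {
    client=$(egress_dev 192.168.1.50 "$2" "$3")
    router=$(egress_dev 0.0.0.0 "$2" "$3")
    printf '%-24s LAN client -> %-5s  router -> %s\n' "$1" "$client" "$router"
    [ "$client" = tun11 ] && [ "$router" = tun11 ]
}

leak_check "Policy Rules" "$RULES_POLICY" "$ROUTES_MAIN_WAN" || echo "  router's own traffic leaves via WAN"
leak_check "redirect-gateway in main" "$RULES_PLAIN" "$ROUTES_MAIN_TUN" && echo "  both use the tunnel"
```

To compare the model with a real box, run `ip rule show`, `ip route show table main` and `ip route show table ovpnc1` (table name assumed) on the router, and then `ip route get 1.1.1.1` for the router's own egress versus `ip route get 1.1.1.1 from 192.168.1.50 iif br0` for a LAN client; the `dev` in each answer is the interface that traffic actually leaves on, which is the leak check that matters before relying on any kill switch.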