
connect 2 vpn at the same time?


ewokuk

Regular Contributor
I have an Asus AC68U with 380.67 (380.68 caused huge interface lag for me).

I have 3 openvpn clients set up but can never connect more than one at a time. The errors I get if one is already connected are always that it cannot resolve the host of the server I am trying to connect to. I am guessing it is dns related and that being connected on one vpn is preventing the other vpn being able to resolve the dns of the server it is trying to connect to.

Not sure if this is normal or if I need to change a setting somewhere.

What I am ultimately trying to do is get say 192.168.1.5 to go via vpn 1 and 192.168.1.6 to go via vpn 2. Easy by simply using policy rules to redirect internet traffic but I can't get the second vpn to connect without disconnecting the first one.

I suspect it is not possible and even if it was, I would need to use a different port on each vpn client?
 

Check that your VPN ISP does allow multiple concurrent connections...not all do.

I use HMA and have three concurrent VPN Clients running (although I have actually had all five running concurrently)
Code:
./VPN_Client_Switch.sh status

     VPN Client Status:
          Client 5 Connected via 100.120.38.67 (HMA UK testing)                   VPN tunnel end-point I/P: 5.62.43.53
          Checking for response (5secs) from 'http://ipecho.net/plain' to verify  VPN tunnel end-point I/P: 5.62.43.53
          Client 2 Connected via 100.120.68.114 (HMA Hong Kong)                   VPN tunnel end-point I/P: 119.81.128.216
          Checking for response (5secs) from 'http://ipecho.net/plain' to verify  VPN tunnel end-point I/P: 119.81.128.216
          Client 1 Connected via 100.120.82.118 (HMA New York)                    VPN tunnel end-point I/P: 77.234.46.191
          Checking for response (5secs) from 'http://ipecho.net/plain' to verify  VPN tunnel end-point I/P: 77.234.46.191

All three VPN Clients are configured 'Accept DNS Configuration=Exclusive', but as shown below, each client connection uses a different DNS server:
Code:
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.210

Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.2.2           0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  br2    *       10.88.102.0/24       0.0.0.0/0            to:208.67.222.222

Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.5.5           0.0.0.0/0            to:100.120.0.1

If you believe that you have a DNS issue, then rather than use the VPN ISP DNS servers for both connections (since using your WAN ISP DNS servers is deemed inappropriate for your traffic) you should temporarily change one of the VPN Clients to use a third party DNS server.

Due to experiencing weird issues with pushed HMA DNS servers, see their 'support' article

HMA advice to fix their DNS issues and DNS leak prevention

I have consequently written (for freedom of choice/performance etc.) an openvpnclientX.postconf script that recognises my pseudo OpenVPN Client GUI directive 'dns=' and dynamically translates it into the appropriate DNS server directive by adding the 'dhcp-option DNS' statement to the config.

e.g. I have specified 'dns=opendns' in the VPN client 2 GUI:
Code:
# These are my pseudo DNS config commands (see openvpnclientX.postconf)
#dns=opennic
#dns=dyn
#dns=comodo
dns=opendns
#dns=anycast
#dns=freedns
#dns=newyork
#dns=randomus

and it has resulted in VPN Client 2 using the following DNS directive:
Code:
#Explicitly Override HMA DNS with OpenVPN DNS servers
dhcp-option DNS 208.67.222.222
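
The translation step described in the post above, as an added example that is not part of the original post and is not Martineau's script. The function names, the return codes and the `comodo` table entry are assumptions; only `opendns` and 208.67.222.222 come from the thread, and the config path is assumed to arrive as `$1`.

```shell
#!/bin/sh
# Added example, not Martineau's script: translate a pseudo 'dns=<name>' line
# in an OpenVPN client config into a real 'dhcp-option DNS <ip>' directive.

# Name -> resolver table. Only 'opendns' (208.67.222.222) appears in the
# thread; 'comodo' is an assumed entry added for illustration.
resolver_for() {
    case "$1" in
        opendns) echo 208.67.222.222 ;;
        comodo)  echo 8.26.56.26 ;;
        *)       return 1 ;;
    esac
}

# translate_dns CONFIG: rewrite CONFIG in place.
# Returns 0 when translated or when no active dns= line exists, 1 if CONFIG
# is missing, 2 for an unknown name, 3 for more than one active dns= line.
# On 2 and 3 the file is left untouched.
translate_dns() {
    conf=$1
    [ -f "$conf" ] || return 1
    # Active lines only: '#dns=...' alternatives stay as comments.
    names=$(sed -n 's/^[[:space:]]*dns=//p' "$conf" | tr -d ' \t\r')
    [ -n "$names" ] || return 0
    [ "$(printf '%s\n' "$names" | wc -l)" -eq 1 ] || return 3
    ip=$(resolver_for "$names") || return 2
    tmp="$conf.tmp.$$"
    # OpenVPN would reject the pseudo directive, so it must not survive.
    awk -v name="$names" -v ip="$ip" '
        $0 ~ "^[ \t]*dns=" name "[ \t\r]*$" {
            print "# dns=" name " (translated)"
            print "dhcp-option DNS " ip
            next
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Dry run on a constructed sample config; prints the rewritten file.
demo() {
    t=$(mktemp) || return 1
    printf '%s\n' 'client' '#dns=opennic' 'dns=opendns' '#dns=comodo' > "$t"
    translate_dns "$t" && cat "$t"
    rm -f "$t"
}

# When installed as a postconf script, the config path is taken from $1.
if [ "$#" -ge 1 ]; then translate_dns "$1"; fi
```

An unknown or duplicated `dns=` name leaves the file unchanged and returns non-zero, so a typo is not silently turned into a working config that uses some other resolver.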
 
Cool thanks, I think I have managed to get it all working now :D

Main reason for this is I want to have one vpn connected to a US server that can unblock US netflix, and one connected to a local UK server for general use. Then I can just redirect certain devices to each vpn depending on whether they are for streaming netflix or not :D

Really good being able to do all this stuff with this router thanks to merlin firmware. I will be scared of getting a new router now that I couldn't put Merlin on for fear of losing all this stuff (but I would like a new one with much more powerful processor so I can get full 220mb 256bit vpn on it instead of the 49mb I can get on my overclocked AC68U, but I doubt such a thing exists still on a consumer router).
 
Martineau, excellent script, now I know this can be done. Question; it is possible to use two concurrent openvpn tunnels using only the GUI on my AC3200, v380.68_4? Two non-concurrent openvpn clients are configurable at present. Our VPN providers' network generally uses 10.10.10.10 for customers to enter in the router for his network. However, as they permit several concurrent sessions at once, I can find the alternative internal addresses they use for different servers. They're very close lipped about it, especially where the limited provision for Netflix is concerned. I've tried to make this work on my own, but after many efforts, don't know if copying and pasting script is doable. I can no longer keyboard, and one hand with a thumb and finger, ie, 1 click-1 character. Voice recognition and manual editing has made manual scripting difficult compared to the way it used to be. Many thanks.
 
Martineau, excellent script, now I know this can be done. Question; it is possible to use two concurrent openvpn tunnels using only the GUI on my AC3200, v80.68_4? Two non-concurrent openvpn clients are configurable at present. Our VPN providers' network generally uses 10.10.10.10 for customers to enter in the router for his network. However, as they permit several concurrent sessions at once, I can find the alternative internal addresses they use for different servers. They're very close lipped about it, especially where the limited provision for Netflix is concerned. I've tried to make this work on my own, but after many efforts, don't know it will work for me without being able to work with scripts. Not whining, I have limited use of one hand to work a trackball with thumb and finger, (ie, 1 click to 1 character), not a preferred method for key entry. I can generate a dialogue for a letter or email with voice recognition and that takes manual editing to clean before it's good enough to copy and paste it in a window to post. I tried voice entry for coding / scripting for Winscp, and have resigned myself to the fact this task requires more multi-tasking ability than my golden-oldy brain is capable of maintaining. Thank you.

Selective routing of devices/CIDR ranges via multiple VPN Clients is definitely possible simply via the GUI, and in most cases importing the appropriate OpenVPN configs usually will suffice.

However, if the VPN ISP provider does not truly allow separate VPN routes, then you will probably experience the 'Error - Routing Conflict' message.
NOTE: If your VPN ISP charges you for their service then I would expect them to be a little more forthcoming regarding their service configuration - if not then it is probably time to switch VPN provider?

Creating/maintaining scripts is challenging at the best of times, and I do commiserate with your personal circumstances but fortunately custom scripts/commands are only required in advanced Selective routing scenarios e.g. for Ports,domains,MACs etc.

Hopefully your requirements can be met without resorting to tedious coding.
 
Martineau, no commiserating necessary, understanding is all I hope for. I've lurked and searched various sites for months. I found a mention on the forum that multiple openvpn tunnels work *only if provided by different providers, so to learn I was wrong by reading your post above re scripting; it made me optimistic since I suspected *that information was an error. Routers route, regardless of brand, depending on how advanced the user and their needs. Our providers' DNS gateway is 10.10.10.10 but all tunnels show an internal DNS resolver after connected. I didn't intend to denigrate the provider. Few providers still provide streaming services to US domestic customers. Most no longer post their internal setups in a blog. The main VPN has always provided 3-5 concurrent openvpn tunnels/configs and are working to expand the client count allowed per home. Unless a home is running a separate openvpn tunnel on each of several mobile devices at once, most private customers won't need more than 3 or 4 configs on the router if the FW provides for it. I was mistaken that the reduction to two openvpn tunnels/configs in the latest FW, was to avoid over-loading the 3200's CPU. Our PfSense box, an i5 660 with 8 GB of ram handles 4 concurrent tunnels without any issues compared to the 1 ghz dual-core AC3200, and it always seems to handle two since it isn't bogged down with other chores. Always grateful for all pointers.
 
Martineau, not half an hour after replying, I found the resource I've searched for endlessly, applied the second config and done; two openvpn tunnels with the GUI and the router hums along. Coding isn't tedious if brain and hands work, which once was, but isn't now in the cards for me. Reminded me of bewildering all the Windows 1 newbies of that time with DOS. Thank you.
 

Usually (having experienced an external confidence boosting insight/confirmation), a tenacious/focused session of stubborn/determined research can win the day in solving a "Computer Science" conundrum, but invariably a little luck/serendipity may play a part before the solution reveals itself.;)

So does this prove that "Computer Science" is a misnomer?:p

"The devil is in the detail" - glad you got your issue sorted.
 
The post I found wasn't a guide, ie, turn config 1 off, save, load tunnel 2 config, save, turn it on, verify it runs, then turn tunnel 1 on again, etc. Usually a subsequent post confirms previous theories or statements but not this time. I always believed two tunnels would run, but after several different attempts failed, it didn't work until last night. I've never bricked an Asus router or motherboard in hundreds of tests; when I reloaded the second config, turned them on, they ran and are still running/encrypting with video streaming and full bandwidth.

I suspected something would change later, which happened last night after a reboot and again this morning after the systems were up. After three or four minutes, the logs and routing table appeared normal. On the client/server status page, I saw the first openvpn client indicated 'green/on' and running, but not the second openvpn client, even though it -is- running. Likewise, the server indicates 'green' when on, and off when not. The second config shows 'green/on' -only- when openvpn client 2 page is selected from the drop-down menu. Does this represent an error?

The members are generous with explanations, sharing knowledge and experience; sometimes an URL to point the way is all that's needed when there's time; thanks for your reply.
 
"What I am ultimately trying to do is get say 192.168.1.5 to go via vpn 1 and 192.168.1.6 to go via vpn 2. Easy by simply using policy rules to redirect internet traffic but I can't get the second vpn to connect without disconnecting the first one."

I would like to do this too - and have been trying for years - but keep being confronted by the same issue.

Let's keep it simple: I use Astrill but I can also use TorGuard - both well known - both allow multiple logins.

I want two VPN Clients connected 24x7

Maybe the secret is using Exclusive DNS. For testing purposes, I am willing to limit the test to just one device (per tunnel).

Do I need to use a script or can Merlin 380.68 handle that from the GUI using Policy Routing?
 

Multiple concurrent VPN Clients with selective routing of devices does work simply using the GUI.

I don't use Astrill or Torguard so not sure if these are causing your issue.

When using your current VPN ISP for both clients, then you could try ensuring they are using different protocols/Ports and endpoint servers.

VPN Client 1
Protocol=UDP
Port=xx (as recommended for UDP by your VPN ISP)
Accept DNS Configuration=EXCLUSIVE

VPN Client 2
Protocol=TCP
Port=xxxx (as recommended for TCP by your VPN ISP)
Accept DNS Configuration=EXCLUSIVE

Alternatively you could try configuring your current VPN ISP for your VPN Client 1 connection and try the FREE VPN provided by vpnbook https://www.vpnbook.com/freevpn for your VPN Client 2 connection.

This test config may assist in proving that your current VPN ISP does not truly allow multiple concurrent VPN Client connections.

NOTE: If both VPN clients initialise correctly concurrently but say the desired vpnbook Selective routing fails with DNS resolution issues, then you can override the pushed vpnbook DNS with say the OpenDNS DNS server 208.67.222.222.

 
I have three VPN clients running on my AC1900P. Three different providers, Astrill, Strong and PIA. All use open vpn with different ports. Policy based routing, and with certain static IPs assigned to each VPN client.

All done using latest Merlin firmware through GUI. Occasionally I have a problem with the PIA client not reauthorizing but otherwise works well. Not a high volume of traffic on any of the VPN clients as this router is used for IoT devices. Primary network router is double NATed behind this router with its own VPN run on a VPN appliance.
 


Thanks, I'm going to try it. I can select which port I connect on - but I need UDP for all tunnels.
 
CaptainSTX, The latest Merlin on our RT-AC3200 is v380.68_4, and shows only two openvpn configs available, per the screen grab enclosed. Please post your guide and/or illustration how you were able to set up three concurrent openvpn clients on your router with the GUI, which as post #11 would be helpful to everyone. I can wrap my brain around it your third or even fourth openvpn clients run on the second router behind the first, regardless of the number of providers you use. Per below, both of my clients do use UDP, see screengrab.

Martineau, re #11, both openvpn clients from my provider are running well again today, but since they both use UDP protocol, are contrary to your excellent illustration in #11, which by the way, I'd have paid a dollar for last week:). Thankfully, our AC3200 never received the memo, but I'm not changing it again for now. Each config is addressed/ruled properly to different provider endpoints/locations. With all respect, the configs are separate, and nothing in either config points to the other since they're to two separate addresses/locations, yet are in conflict with #11. If you can help resolve this, I'm grateful. *Please see attached png of the client status page, both openvpn configs are on/green, both UDP. Both configs have excellent speed for all devices, with no errors in the log; good response to all tests. I also finally received a reply from a friend I wrote to a couple of weeks ago. He has two openvpn tunnels running on his Asus AC3200, one UDP, the other TCP, which matches #11. He didn't send me a screengrab or his method, so I wrote him back to see if he'll provide details/shots of the server/address range. He's either mistaken or is using a different/non-conflicting address, or I'm missing something that post #11 states clearly. Cheers.
 

Attachment: 2ovnudp tun.png
Martineau, re #11, both openvpn clients from my provider are running well again today, but since they both use UDP protocol, are contrary to your excellent illustration in #11.....I'm missing something that post #11 states clearly

My post #11 was intended as a method to assist in debugging potential conflicts in the network stack.

Basically the aim is to ensure that each VPN Client connection cannot physically be confused with its siblings.

So as per What is a TCP/IP Socket you have (now?) ensured that whilst both of your VPN Clients are indeed using UDP, they are using different ports so their sockets are unique.

So with four concurrent VPN Clients active on my router, there isn't a physical conflict given there are three different providers and unique sockets all using UDP, so I don't need to resort to changing one of the connections to TCP as it all just simply works.

Code:
OpenVPN HMA New York - Connected (ny.us.hma.rocks udp:553)
OpenVPN HMA Hong Kong - Connected (hk.hma.rocks udp:1194)
OpenVPN VPNBOOK USA1  - Connected (us1.vpnbook.com udp:53)
OpenVPN Client 4  - Connected (Glenmorangie udp:1194)

NOTE: Switching to TCP, usually the VPN ISP will force a port change from the one used by UDP.

Apologies if my post #11 didn't make this clear.
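
The uniqueness check described in the post above, as an added example that is not part of the original post. It goes slightly beyond the post by reading the `remote`, `port` and `proto` directives from client config files; the function names are hypothetical and the sample configs are constructed from the four connections listed above.

```shell
#!/bin/sh
# Added example, not from the thread: report OpenVPN client configs that
# share the same remote endpoint (protocol, host, port).

# endpoints FILE...: print "proto host port file" per 'remote' directive.
endpoints() {
    for f in "$@"; do
        awk -v file="$f" '
            { sub(/[#;].*/, "") }                  # drop OpenVPN comments
            $1 == "proto"  { proto = $2 }
            $1 == "port"   { port = $2 }
            $1 == "remote" { n++; h[n] = tolower($2); p[n] = $3; t[n] = $4 }
            END {
                if (proto == "") proto = "udp"     # OpenVPN defaults
                if (port == "")  port = 1194
                for (i = 1; i <= n; i++) {
                    pr = (t[i] != "") ? t[i] : proto
                    po = (p[i] != "") ? p[i] : port
                    # udp4, udp6, tcp-client and so on collapse to udp or tcp
                    print substr(pr, 1, 3), h[i], po, file
                }
            }' "$f"
    done
}

# conflicts FILE...: print every endpoint line whose (proto, host, port)
# is used by more than one config.
conflicts() {
    endpoints "$@" | sort -u | awk '
        { key = $1 " " $2 " " $3 }
        key == prev { if (!shown) print prevline; print; shown = 1 }
        key != prev { shown = 0 }
        { prev = key; prevline = $0 }'
}

# check_unique FILE...: succeed only when no endpoint is shared.
check_unique() {
    out=$(conflicts "$@")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Constructed configs modelled on the four connections listed in the post.
demo() {
    d=$(mktemp -d) || return 1
    printf 'proto udp\nremote ny.us.hma.rocks 553\n'      > "$d/client1.ovpn"
    printf 'remote hk.hma.rocks 1194 udp\n'               > "$d/client2.ovpn"
    printf 'proto udp\nport 53\nremote us1.vpnbook.com\n' > "$d/client3.ovpn"
    printf 'remote Glenmorangie 1194\n'                   > "$d/client4.ovpn"
    check_unique "$d"/client?.ovpn; rc=$?
    rm -rf "$d"
    return $rc
}

if [ "$#" -gt 0 ]; then check_unique "$@"; fi
```

Two of the sample clients share udp:1194 yet pass the check, because the host differs; only an identical protocol, host and port triple is reported.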
 
AC3200 only supports 2 VPN clients, limitation of the device itself.
 
Martineau, much appreciated, thank you. Seriously, your clarification always provides enlightenment. I always pick up valuable insight from your posts. Your writing is clear and concise which few others can equal. When you post an URL, it usually solves a question.

Historically, any consumer grade router with limited RAM which isn't managed appropriately tends to crash. I'd be grateful for actual references to URLs, user reports, statics, or any anecdotal evidence that supports Jack's position on the AC3200. Succinct clarification would justify this tangent, making it relevant to my query to CaptainSTX.

I asked CaptainSTX if he could provide data or illustrate how he accomplished running multiple OpenVPN clients in his AC1900P router. If he has time to post something similar to Martineau's illustration, with or without photos, it would be a great help to me and anyone else with a similar setup.
 
Hello yet again, Very Senior Member Mr. Yaz. You misunderstood my query to CaptainSTX. I regret that my phrasing was in error; I'm aware of the differences between the AC1900 and AC3200.
Apologies, it was the phrasing to which I interpreted as a "how to have more than 2 clients available in the GUI".
 
Thanks, No problemo, I just have to keep laughing at myself, to get by most days:) The machine reads my posts back to me and they never sound like I wrote or intend them to sound/mean.
 
For those of you that asked, here are screen shots of the three VPN configurations I have running on my AC1900P

Some of the custom settings may not be showing so if you are using that VPN provider and you need to see exactly what is in the box let me know and I will post that.

Merlin_3VPN.png
Astrill_Open.png
Strong_VPN.png
PIA_VPN.png
 
