Excluding specific clients from VPN

paulbates

Regular Contributor
I have an AC88 that connects through a VPN service as a client.

Is it possible to exclude specific clients by MAC or NAT IP address (or other method) from the VPN so that they route through the ISP? If yes, how?

Paul

 
Hi, I have the same router and am looking to do the same exact thing. Under the OpenVPN Client tab you can change the DNS mode to exclusive (vs strict) which I think should allow you to allow certain devices to bypass the VPN, but I don't know where to set the devices.
 
Incorrect...setting the DNS mode does not allow you to specify the selective routing of devices via the VPN or WAN, but it does influence which DNS is used.

Select 'Policy Rules'

[screenshot: 2017-04-03_13-40-33.png, the Policy Rules table]
 
@Martineau If you don't configure a rule for a device, what does it default to? WAN or VPN?

Well the clue is in the name 'Selective routing' and also in the GUI ;)

'Rules for routing client traffic
through the tunnel (Max Limit : 100)'

So if the table is empty then everything by default is routed via the WAN as is the case expected by 99% of users.

e.g. Everything will use the WAN except the Roku
Code:
Roku         192.168.1.xxx    0.0.0.0   VPN

Clearly in my example screenshot, you would think that the two WAN entries are redundant...well technically they are, but for such 'illogical' entries, the firmware (used) to explicitly force the use of the ISP DNS rather than use the VPN DNS?

P.S. for the 1% of users that want the meaning of the table entries to be reversed, i.e. everything goes via the VPN, except for those entries in the table that explicitly have a target WAN destination, they will also need an explicit VPN rule for the LAN otherwise the table is not reversed! :eek:

e.g. Everything will use the VPN except the Roku
Code:
Everything   192.168.1.0/24   0.0.0.0   VPN
Roku         192.168.1.xxx    0.0.0.0   WAN
 
Great info. I got that feeling after rereading the options a few times. lol I understand the concept as well.
 
@yorgi and I have each posted a guide in the VPN forums about configuration for OpenVPN client for all traffic and policy rules that may also be of help to you.
 
Thanks for the responses, this answers the question.
I fired up my new vpn service last night and Netflix (of course) immediately gave me the infamous proxy message. I really prefer to have my router route everything vpn except the roku. I'll exclude it, I can live with that.
 
Thank God my provider is able to circumvent that issue. It makes my life here that much better.
BTW, I used to work for the blue oval in Dearborn for 22 years.
 
It seems uncertain who will stay on or go off the Netflix block list, I went for performance and will exclude bad behavior. My iot all seems to like it, will need a few days to see if that's the case.

Yes, in my 25+ years here, I have a lot of friends and neighbors that work at "Fords". I did a tod there as an IBM/GBS consultant on an IT restructuring initiative.

Ford's corporate footprint continues to grow here now, the block in west Dearborn that Kieran's was on has been razed and Ford offices are going in for ~400 more employees.
 
@Martineau I was able to try this out with PureVPN today and it works great. While I appreciate everyone's help, your explaining and documenting it got me to the end of the job. As it turns out, I am one of the 1% who wants my whole LAN protected except for a few devices that run Netflix.

Thank you.

Paul
 
A related follow up. When using the openvpn client, I did not get a DNS server from my VPN provider on clients.
dnsleak.com showed I was still using comcast DNS, and one of my purposes was to get away from comcast's DNS.

I manually configured.

Paul
 
Set DNS mode to "Exclusive".
 
Hi Merlin..

thanks, I did give that a try for 'accept dns configuration' (as well as the relaxed, strict, ...). That caused the VPN to not connect.

The VPN provider gives a .ovpn file to load and it turns that setting to 'disabled'... and it's curious why... their mobile and desktop apps provide the VPN they want you to use. Their support chat, which has been great, could not explain it.

I could find the DNS addresses for the server I'm currently connected to, but unfortunately that address wanders with the server address when it changes. I manually put in OpenDNS's generic router addresses on the WAN tab.

Paul
 
Importing an ovpn should not affect the DNS configuration, since this is an Asuswrt setting, not an OpenVPN one. Setting it to Exclusive will ensure that VPN clients are forced through the VPN provider's DNS servers. This gets applied only after the tunnel is connected, so there's no reason for it to prevent you from connecting to them either. Make sure your ISP DNS are properly configured.

Also make sure you don't have a DNSFilter configuration enabled for those clients, as it would create a conflict.
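To make the two rule tables Martineau posted above and the Exclusive DNS behaviour Merlin describes here concrete, the following is an added example written for this thread; it is not firmware code and not something either poster wrote. It models how a Policy Rules table resolves to an interface for each LAN client (first matching rule wins, no match falls through to the WAN), why the "everything via VPN except the Roku" table needs the explicit LAN-to-VPN entry, and which resolver a client's DNS ends up at under Exclusive mode. Everything beyond what the thread shows is an assumption: the priority bands WAN_PRIO_BASE and VPN_PRIO_BASE are chosen to agree with the rule ids 10001 and 10101 in the syslog posted later in this thread but are not confirmed by it; the addresses are placeholders (the Roku at 192.168.1.113 as in that log, 10.55.13.1 standing in for the provider's resolver, 198.51.100.53 for the ISP's, 203.0.113.10 for an Internet destination); and any DNS mode other than Exclusive is simply treated as leaving clients on the ISP resolver, which is what Paul observed with his provider's profile, not a description of how Strict or Relaxed actually behave.

```python
"""Model of Asuswrt-Merlin's OpenVPN client Policy Rules table and the
"Accept DNS Configuration = Exclusive" setting, per LAN client.
Added example for this thread; not the firmware's own code."""
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    name: str    # Description column
    src: str     # Source IP column: a host address or a CIDR
    dst: str     # Destination IP column: "0.0.0.0" in the GUI means "any"
    iface: str   # "WAN" or "VPN"


# Assumed priority bands. The rule ids 10001 (a WAN entry) and 10101 (a VPN entry)
# in the syslog posted in this thread are consistent with them, but the numbers
# themselves are an assumption of this example, not documented firmware values.
WAN_PRIO_BASE = 10000
VPN_PRIO_BASE = 10100


def _net(cell: str) -> ipaddress.IPv4Network:
    """Turn a GUI cell into a network; "0.0.0.0" becomes the match-anything 0.0.0.0/0."""
    if cell in ("", "0.0.0.0"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(cell, strict=False)


def ip_rules(table: List[Rule]):
    """Expand the GUI table into (priority, src_net, dst_net, target) tuples in the
    order a Linux policy-routing lookup evaluates them: lowest number first.
    Every WAN entry gets a lower number than every VPN entry, so a WAN exception
    beats an overlapping VPN entry no matter where it sits in the table."""
    out = []
    wan_prio, vpn_prio = WAN_PRIO_BASE, VPN_PRIO_BASE
    for r in table:
        if r.iface.upper() == "WAN":
            wan_prio += 1
            out.append((wan_prio, _net(r.src), _net(r.dst), "WAN"))
        elif r.iface.upper() == "VPN":
            vpn_prio += 1
            out.append((vpn_prio, _net(r.src), _net(r.dst), "VPN"))
        else:
            raise ValueError(f"unknown interface {r.iface!r} in rule {r.name!r}")
    return sorted(out, key=lambda t: t[0])


def route_for(client_ip: str, table: List[Rule], dst_ip: str = "203.0.113.10") -> str:
    """'VPN' or 'WAN' for a packet from client_ip to dst_ip (placeholder destination).
    First matching rule wins. With no match the packet uses the main table, which
    sends it out the WAN once the firmware has removed the 0.0.0.0/1 and 128.0.0.0/1
    tunnel routes from it, as the log in this thread shows it doing."""
    src = ipaddress.IPv4Address(client_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for _prio, src_net, dst_net, target in ip_rules(table):
        if src in src_net and dst in dst_net:
            return target
    return "WAN"


def dns_for(client_ip: str, table: List[Rule], dns_mode: str,
            vpn_dns: str = "10.55.13.1", isp_dns: str = "198.51.100.53") -> str:
    """Resolver the client's port-53 traffic reaches. Exclusive mode is modelled as
    redirecting DNS from tunnel-routed clients to the provider's resolver; every
    other client, and every other mode, is modelled as the router's ISP DNS
    (a simplification: that is the leak Paul saw, not how Strict/Relaxed work)."""
    if dns_mode == "Exclusive" and route_for(client_ip, table) == "VPN":
        return vpn_dns
    return isp_dns


def dns_leaks(clients: List[str], table: List[Rule], dns_mode: str,
              vpn_dns: str = "10.55.13.1", isp_dns: str = "198.51.100.53") -> List[str]:
    """Clients whose traffic goes through the tunnel but whose DNS still goes to the ISP."""
    return [c for c in clients
            if route_for(c, table) == "VPN"
            and dns_for(c, table, dns_mode, vpn_dns, isp_dns) == isp_dns]


# Constructed tables mirroring the two examples in the thread; the Roku is placed at
# .113, the WAN-exception address that appears in the posted log.
ROKU = "192.168.1.113"
LAPTOP = "192.168.1.20"
WAN_BY_DEFAULT = [Rule("Roku", ROKU, "0.0.0.0", "VPN")]
VPN_BY_DEFAULT = [Rule("Everything", "192.168.1.0/24", "0.0.0.0", "VPN"),
                  Rule("Roku", ROKU, "0.0.0.0", "WAN")]
NOT_REVERSED = [Rule("Roku", ROKU, "0.0.0.0", "WAN")]   # WAN exception without the LAN VPN rule

if __name__ == "__main__":
    cases = [("empty table", []), ("WAN by default", WAN_BY_DEFAULT),
             ("VPN by default", VPN_BY_DEFAULT), ("WAN exception only", NOT_REVERSED)]
    for label, table in cases:
        print(f"{label:20s} Roku -> {route_for(ROKU, table):3s}  laptop -> {route_for(LAPTOP, table)}")
    print("DNS leaks, Strict:   ", dns_leaks([ROKU, LAPTOP], VPN_BY_DEFAULT, "Strict"))
    print("DNS leaks, Exclusive:", dns_leaks([ROKU, LAPTOP], VPN_BY_DEFAULT, "Exclusive"))
```

Running the file prints the interface each device gets under the four tables; the "WAN exception only" case is the trap Martineau warns about, where a lone WAN entry leaves the whole LAN on the WAN because nothing ever sends it into the tunnel, and the last two lines show the laptop's DNS leaking to the ISP until the mode is Exclusive.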
 
Hey Merlin
Well <censored>!!!... Turned the VPN off, changed it to Exclusive, turned it back on.. now works the way it should. Thank you for hanging in there with me!!

Originally I noticed on the documentation page from the VPN provider that that setting was 'Disabled'.. that's where I think I got the brain fade on this from

Paul
 
Thanks for the write-up on this. I suppose I fall into the 1% of this as well since I prefer all devices to go through the VPN tunnel unless otherwise specified.

Using your recommended settings, I was not successful though. I'm using the AC68U_380.65_4 firmware. Looking through the system log, I can see where the routes were applied without error. However, checking my IP on PIA's website shows that I am not accessing it through their VPN. Any suggestions?
Code:
May 10 13:12:58 openvpn-routing: Configuring policy rules for client 1
May 10 13:12:58 openvpn-routing: Creating VPN routing table
May 10 13:12:59 openvpn-routing: Removing route for 10.55.13.1 to tun11 from main routing table
May 10 13:12:59 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
May 10 13:12:59 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
May 10 13:12:59 openvpn-routing: Removing rule 10001 from routing policy
May 10 13:12:59 openvpn-routing: Removing rule 10101 from routing policy
May 10 13:12:59 openvpn-routing: Adding route for 192.168.1.113 to 0.0.0.0 through WAN
May 10 13:12:59 openvpn-routing: Adding route for 192.168.1.0/24 to 0.0.0.0 through VPN client 1
May 10 13:12:59 openvpn-routing: Tunnel re-established, restoring WAN access to clients
May 10 13:12:59 openvpn-routing: Completed routing policy configuration for client 1

EDIT:
After reading a previous post from @paulbates, it appears that after updating the route, the VPN service needs to be cycled for it to take effect. Doing so, I have confirmed that this does selectively use WAN for those devices specified and VPN for all others.
 