Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[Xentrk]

Sorry if this has been answered before but I have been researching for some time now without finding an answer that I can understand

I have an Asus RT-AC68U set up behind an Asus DSL-AC68U to use for VPN and I have the latest (384.6) Merlin firmware installed on it.

When I configure an OpenVPN client and get to the bottom of the config there is an option "redirect Internet traffic" which most setup guides advise to set to "No"

I do not understand this setting at all as I would have thought that this is the whole point of a VPN???

Don't I want all my devices (phone, iPad, Desktop PC) connecting to the Router to connect to the internet through the VPN tunnel that is created?

Other options are "All" and "Policy Rules (Strict)"

I've been variously setting it to either "All" or "Policy Rules Strict" and then defining the whole network to go through it (10.4.4.0/27 in my case)

Why would the guides be saying to set it to "No" ???

Thank-you for any advice given.

These references should answer your questions:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

If you still have questions after reading the links, let me know and I'll try to help.

 

[Argonaut]

These references should answer your questions:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

If you still have questions after reading the links, let me know and I'll try to help.

Thank-you Xentrk (Doug) for you reply. I have read the documents you supplied and they are quite comprehensive in their coverage, particularly your own excellent guide. Well done!

I think I understand more than I did before and I can see that there is a great deal of configuration that can be had.

I am still perplexed however that PIA in one of their own guides found here: https://www.privateinternetaccess.com/helpdesk/guides/routers/merlin/merlin-firmware-openvpn-setup
would suggest setting "Redirect Internet Traffic" to a default of No??
Why bother setting up a VPN if the default setting puts none of your traffic through the tunnel?

And that guide doesn't go on to explain how to put either all or selected devices through the tunnel either. Is it just a poorly written guide?

I have read at least one other guide in the last 48 hours which suggested the same thing, although I can't locate it right now...

 

[Argonaut]

And now to add to the confusion, I have set this to "No" as an experiment and yet the traffic from my PC is going to the PIA server and a check on dnsleaktest.com says that my IP is that of Total Server Solutions (PIA) and my DNS provider is also Total Server Solutions?

Also a speedtest with Ookla shows a reduction in speed consistent with traffic going through the VPN. We are on a 100/40 plan and we normally get 88/33 with a speed test. Now it's 33/25.

So I don't understand how this setting is changing things (scratches head)?

 

[Argonaut]

I found another guide which recommends setting this to "No" also...

https://torguard.net/knowledgebase.php?action=displayarticle&id=216

And a couple of other threads basically asking the same question that I am asking-
https://www.snbforums.com/threads/r...etting-in-openvpn-client-configuration.25269/
https://www.snbforums.com/threads/having-trouble-running-custom-scripts.24374/page-2

From what I can gather the "No" option is there to ensure backwards compatibility?

I understand better now the Policy Rules Strict setting, allowing you to do split tunneling, sending some devices through the tunnel and others through the normal WAN etc.

But I don't see any practical difference between the "All" and "No" settings as both appear to send all traffic through the tunnel?

And when it says "redirect internet traffic" are we talking about outbound, inbound or both? Maybe this is where I am misunderstanding?

 

[Xentrk]

Also a speedtest with Ookla shows a reduction in speed consistent with traffic going through the VPN. We are on a 100/40 plan and we normally get 88/33 with a speed test. Now it's 33/25.

So I don't understand how this setting is changing things (scratches head)?

The speed results you are experiencing is normal for the CPU in the router you have. See OpenVPN Performance. The AC86U is the recommended Asus model that for those wanting to achieve best performance over the vpn tunnel due to the CPU architecture.

 

[Vince]

Simply paste the following in your system configuration.
pull-filter ignore "auth-token"

thank you very much, very stable now!

 

[pusb87]

Speed test with VPN

For those who use 100mb/s or faster you will find that disabling NAT may give a bit better performance but you will get somewhere around 30mb/s when you speed test your service.

@yorgi

can you elaborate on which settings you mean when you say "disabling NAT may give a bit better performance"
I can find 3 instances which refer to NAT in the current 384.6 firmware
Can you advise how these 3 settings should be
LAN > Switch Control [NAT acceleration]
WAN > Internet Connection [Enable NAT]
VPN > VPN Client [Create NAT on tunnel]

 

[Xentrk]

@yorgi

can you elaborate on which settings you mean when you say "disabling NAT may give a bit better performance"
I can find 3 instances which refer to NAT in the current 384.6 firmware
Can you advise how these 3 settings should be
LAN > Switch Control [NAT acceleration]
WAN > Internet Connection [Enable NAT]
VPN > VPN Client [Create NAT on tunnel]
View attachment 14000 View attachment 14001 View attachment 14002

I'm sure he meant the NAT Acceleration setting on the first screen print you posted.
https://routerguide.net/nat-acceleration-on-or-off/

 

[pusb87]

I'm sure he meant the NAT Acceleration setting on the first screen print you posted.
https://routerguide.net/nat-acceleration-on-or-off/

@Xentrk
Thanks for getting back. I had allready looked at that reference and that is what i thought @yorgi meant and have set as well and do seem to get a slight improvement in d/l speed using the VPN with NAT acceleration disabled ( approx 5-10%better)

I have a 200Mbps connection and the two references more or less align except for when disabling NAT cuts in for benefit, or am I or someone getting mb/s and Mbps mixed up

from @yorgi
Speed test with VPN

For those who use 100mb/s or faster you will find that disabling NAT may give a bit better performance but you will get somewhere around 30mb/s when you speed test your service.
In the real world you are getting about 60mb/s so don't judge a speed test to be real world numbers. Try a really fast torrent and you will see speeds in the 5 MB/if you have a faster cpu you should get over 60 mb/s
Better cpu will give always give you faster VPN speeds

from RouterGuide >>
When You Should Use or Enable NAT Acceleration
You should typically enable NAT acceleration or Cut-Through Forwarding when you have internet speed above 100 mb/sec. You will typically only see a difference for speed above 200 mb/s.

You should generally set the option as Auto or ON, unless you need to use features that directly conflict with NAT acceleration.

 

[HowIFix]

I can find 3 instances which refer to NAT in the current 384.6 firmware
LAN -> Switch Control [NAT acceleration]
WAN -> Internet Connection [Enable NAT]
VPN -> VPN Client [Create NAT on tunnel]

There is also another NAT option in:

• Tools -> Other Settings -> Disable Asusnat tunnel: Yes (Set this to "Yes")

Disable this option to get a better performance, because it eats a fair amount of CPU and RAM.

Only enable Asusnat tunnel if you use IFTTT or Alexa or ASUS application on cell phones.
(I recommend that you do not use any of that)

 

[HowIFix]

@RMerlin please add popup to help explain the option Asusnat tunnel on the router, I had to use google to understand what it was for. (I hope I'm not wrong)

 

[RMerlin]

@RMerlin please add information in Asusnat tunnel option on the router, I had to use google to understand what it was for. (I hope I'm not wrong)

I can't, as I don't know the details as to what this service does exactly.

 

[HowIFix]

@RMerlin This is what I have searched:

• I have asked ASUS to clarify the function of ASUSNat Tunnel (The answer of ASUS support)
• Disable Asusnat tunnel IFTTT: People having issues with it
• I think it's also used by Asus's AiHome product
• if you don't use IFTTT or Alexa then you can disable
• turning on this setting "Disable Asusnat tunnel" Seems the crashing has stopped
• Changelog 382.1 (12-Nov-2017) (find: Asus NAT)

 

[RMerlin]

@RMerlin This is what I have searched:

• I have asked ASUS to clarify the function of ASUSNat Tunnel (The answer of ASUS support)
• Disable Asusnat tunnel IFTTT: People having issues with it
• I think it's also used by Asus's AiHome product
• if you don't use IFTTT or Alexa then you can disable
• turning on this setting "Disable Asusnat tunnel" Seems the crashing has stopped
• Changelog 382.1 (12-Nov-2017) (find: Asus NAT)

And a lot of this is actually based on my own partial suspicions and speculations. Nothing definitive as to what all the related services (mastiff, natnl) do exactly. It seems to have ties to AiHome and IFTTT, but since those services were added before even these new features appeared, I'm still unsure as to what they do specifically.

 

[Argonaut]

These references should answer your questions:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

If you still have questions after reading the links, let me know and I'll try to help.

Thanks again Xentrk for your help.

In the document you quoted from github there is a line towards the end which has me puzzled...

It says:-
A common configuration setup where you want your whole LAN to go through the VPN, but not the router itself:

LAN 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN

Why would I not want the Router itself to go through the tunnel? An example or two would be really helpful?

 

[Xentrk]

Thanks again Xentrk for your help.

In the document you quoted from github there is a line towards the end which has me puzzled...

It says:-
A common configuration setup where you want your whole LAN to go through the VPN, but not the router itself:

LAN 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN

Why would I not want the Router itself to go through the tunnel? An example or two would be really helpful?

From https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

A common configuration setup where you want your whole LAN to go through the VPN, but not the router itself:

LAN 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN

A VPN is an encrypted tunnel thru the internet or WAN. The router needs access to the WAN in order to create the tunnel.

You can try it without entering the Router entry and see what happens. I last tested this several months ago. Without the router entry in OVPNC1, I would get routing issues, system would hang and I could not connect to web sites. I used three VPN tunnels concurrently with Policy Rules in my testing. You can use two tunnels in yours. By design, OVPNC1 is higher priority than OVPNC2. OVPNC2 is higher priority than OVPNC3 and so on. My recommendation is to put the router entry in the OVPNC with the higher priority. So, if you use OVPNC3 and OVPNC5, put the router entry in OVPNC3.

 

[Argonaut]

Thanks Xentrk for your prompt reply!

I thought of a scenario where excluding the router itself from the tunnel makes sense...

I have the router configured to take time from a local time server on the next higher up network. i.e the WAN of the router is set to a LAN address of the higher up network.

Without excluding the router itself from the tunnel, this would be impossible would it not?

 

[Argonaut]

I am getting unpredictable DNS behavior when creating Policy Based Rules in setting up a VPN.

The setup:-

ASUS RT-AC86U router with Merlin Firmware 384.6
with DNS servers set to Cloudflare (1.1.1.1 and 1.0.0.1)

Windows 10 machine with the following Ethernet LAN adapter settings:-

IPv4 Address 10.4.0.2
Subnet Mask 255.255.255.240
Default Gateway 10.4.0.1
IPv4 DNS Servers 8.8.8.8
8.8.4.4

OpenVPN Client Settings:-

NordVPN server address and port – 144.48.xx.xx

Accept DNS Configuration – Exclusive

Redirect Internet traffic - Policy Rules (strict)

Rules for routing client traffic through the tunnel

All traffic 10.4.0.0/28 0.0.0.0 VPN

ntp Sydney 10.4.0.2 203.35.xx.xx WAN

When checking for DNS leak on dnsleaktest.com I find that if I set the DNS servers to Google (8.8.8.8 and 8.8.4.4) on the Windows Machine Ethernet LAN settings, then the list of DNS servers returned is that of NordVPN.

If however, I set the Ethernet adapter DNS servers to that of the router (10.4.0.1) then the list of DNS servers returned on dnsleaktest.com is that of the router (Cloudflare).

How to explain this (unintended) behavior?

 

[Xentrk]

I am getting unpredictable DNS behavior when creating Policy Based Rules in setting up a VPN.

The setup:-

ASUS RT-AC86U router with Merlin Firmware 384.6
with DNS servers set to Cloudflare (1.1.1.1 and 1.0.0.1)

Windows 10 machine with the following Ethernet LAN adapter settings:-

IPv4 Address 10.4.0.2
Subnet Mask 255.255.255.240
Default Gateway 10.4.0.1
IPv4 DNS Servers 8.8.8.8
8.8.4.4

OpenVPN Client Settings:-

NordVPN server address and port – 144.48.xx.xx

Accept DNS Configuration – Exclusive

Redirect Internet traffic - Policy Rules (strict)

Rules for routing client traffic through the tunnel

All traffic 10.4.0.0/28 0.0.0.0 VPN

ntp Sydney 10.4.0.2 203.35.xx.xx WAN

When checking for DNS leak on dnsleaktest.com I find that if I set the DNS servers to Google (8.8.8.8 and 8.8.4.4) on the Windows Machine Ethernet LAN settings, then the list of DNS servers returned is that of NordVPN.

If however, I set the Ethernet adapter DNS servers to that of the router (10.4.0.1) then the list of DNS servers returned on dnsleaktest.com is that of the router (Cloudflare).

How to explain this (unintended) behavior?

Does your VPN provider push a DNS server thru the tunnel? You may have to ask them.
My providers pushes DNS to the tunnel. It is the same IP address as the tunnel, except the last digit is a 1.

In the system log, Merlin reassigns the DNS for VPN tunnels to 10.8.0.1 and 10.9.0.1. I have been meaning to ask him why.

Aug 16 17:46:04 ovpn-client3[13006]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,route 10.24.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.24.0.6 10.24.0.5,peer-id 0,cipher AES-128-GCM'

Here is a write up I did on my blog site that may help explain the of DNS behavior over the VPN tunnel.

Spoiler: DNSmasq and OpenVPN DNS

AB-Solution is the ad blocking solution for Asus routers using Asuswrt-Merin firmware. AB-Solution requires DNSmasq to work properly. With Asuswrt-Merlin firmware, OpenVPN clients use the VPN tunnel’s DNS. As a result, AB-Solution will not work for LAN clients connected to the VPN tunnel when using Policy Rules and Accept DNS Configuration set to Exclusive since DNSmasq is by-passed. AB-Solution will still work for devices connected to the WAN though.

John9547 LTS fork has implemented DNS differently than Asuswrt-Merlin. The DNS rules are reversed. With Accept DNS Configuration set to Exclusive, the VPN clients will use DNSmasq and AB-Solution will work. There is also a check box on how you want to handle the WAN clients. If you leave it unchecked, the WAN clients will also use the VPN DNS servers (but not the tunnel) and they can use AB-Solution. If you check the box, the WAN client requests are sent directly to the WAN DNS servers and AB-Solution will not be available.

To resolve the DNS and routing issues when using Policy Rules with Asuswrt-Merlin, set Accept DNS Configuration to “Strict” and specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command (e.g. dhcp-option DNS 1.1.1.1) in the Custom Configuration section. Without the dhcp-option command, AB-Solution updates will fail, the AB-Solution email function will no longer work and the wget command will not able to resolve the domain name. The downside with these settings is that DNS will leak. Having my DNS leak has not caused me any issues for my use case.

Commands to display DNS routing when using Accept DNS Configuration=Exclusive
iptables -nvL PREROUTING -t nat --line

iptables --line -t nat -nvL DNSVPNX, where X=OpenVPN client number 1, 2, 3, 4 or 5

Merlin FW places DNS rules in the files in the /tmp/etc/openvpn/dns/ directory.

 

[Argonaut]

Does your VPN provider push a DNS server thru the tunnel? You may have to ask them.

Yes NordVPN push their DNS server through and it has the same IP as the main server but only when there are no exceptions to the basic rule which is:
All traffic 10.4.0.0/28 0.0.0.0 VPN

As soon as I introduce any exceptions such as:-
ntp Sydney 10.4.0.2 203.35.xx.xx WAN
then the DNS becomes that set on the WAN of the router for that device (10.4.0.2)

I notice that other devices on the network are not affected by this as long as they don't have any exceptions to the basic rule.

This is contrary to what is said here by Merlin himself:-
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

DNS behaviour
For best results it's recommended to configure "Accept DNS configuration" to Exclusive. When combined with Policy based routing, this means that all clients that are configured to go through the VPN will use the DNS servers provided by the VPN tunnel, but those configured to go through the WAN will keep using the ISP's DNS.

Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS. This is because the router has no way of knowing if the DNS query is related to a specific destination. Therefore, the safest behaviour gets used, and all the queries done by that client will use the VPN server's DNS.

I note that there are others who have asked about this also and have been stumped...