Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

[Xentrk]

Yes NordVPN push their DNS server through and it has the same IP as the main server but only when there are no exceptions to the basic rule which is:
All traffic 10.4.0.0/28 0.0.0.0 VPN

As soon as I introduce any exceptions such as:-
ntp Sydney 10.4.0.2 203.35.xx.xx WAN
then the DNS becomes that set on the WAN of the router for that device (10.4.0.2)

I notice that other devices on the network are not affected by this as long as they don't have any exceptions to the basic rule.

This is contrary to what is said here by Merlin himself:-
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

DNS behaviour
For best results it's recommended to configure "Accept DNS configuration" to Exclusive. When combined with Policy based routing, this means that all clients that are configured to go through the VPN will use the DNS servers provided by the VPN tunnel, but those configured to go through the WAN will keep using the ISP's DNS.

Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS. This is because the router has no way of knowing if the DNS query is related to a specific destination. Therefore, the safest behaviour gets used, and all the queries done by that client will use the VPN server's DNS.

I note that there are others who have asked about this also and have been stumped...

I don't understand the concern. I don't see where it contradicts with the Wiki you quoted. If a client is defined to use the WAN interface, then it will use the DNS specified on the WAN page, or the ISP if a DNS was not specified, rather than the DNS of the VPN tunnel.

I have never tested with specifying all of my lan clients using CIDR notation. With my use case, I have to list each client separately. I wrote a script to automate the process so I don't have to key them into the web gui page.

There are priorities in the routing rules.

Is the ntp Sydney 10.4.0.2 203.35.xx.xx WAN entry listed above the 10.4.0.0/28 0.0.0.0 VPN entry in the web gui?

What are the results of the ip rule command from SSH session? The lower the priority number in the first column, the higher the priority.

You can try a test. Here is my theory.

If 10.4.0.0/28 0.0.0.0 VPN entry has a lower prior number than the ntp Sydney 10.4.0.2 203.35.xx.xx WAN entry, it has a higher priority. In theory, 10.4.0.2 will first match the 10.4.0.0/28 rule, which will prevent 10.4.0.2 from traveling to the WAN interface.

 

[Argonaut]

Thanks Xentrk for sticking with me on this...

I haven't checked the ip rule from SSH session but here are the entries as they appear in order in the web gui...

All Traffic 10.4.0.0/28 0.0.0.0 VPN
PC general 10.4.0.2 0.0.0.0 VPN
ntp Syd 10.4.0.2 203.35.xx.xx WAN

I added the second line to test your theory and to demonstrate more clearly that what is said in the Wiki is in fact contradictory...

It says:- "Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS."

This is clearly inaccurate in my example because the client (10.4.9.2) does in fact have two rules, a general one for all traffic going to the VPN and a specific one for connecting with a NTP server going to the WAN.

And yet a DNS leak test shows that all name resolution on the client (a Windows 10 PC) is going through the WAN, not the VPN as stated in the quotation above...

Are you suggesting that I should totally invert the rules in the gui and try that?

 

[Argonaut]

Here are the results of the corresponding "IP rule" lookup:-

0: from all lookup local
10001: from 10.4.0.2 to 203.35.xx.xxx lookup main
10101: from 10.4.0.0/28 lookup ovpnc1
10102: from 10.4.0.2 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

Does this confirm your theory?

 

[Martineau]

Are you suggesting that I should totally invert the rules in the gui and try that?

The physical order of GUI entries in the Routing Policy table is ONLY meaningful within the two categories i.e. VPN or WAN for each individual VPN Client.

e.g. RPDB GUI sequence

All Traffic 10.4.0.0/28 0.0.0.0      VPN
PC general  10.4.0.2    0.0.0.0      VPN
ntp Syd     10.4.0.2    203.35.xx.xx WAN

is the same as your three rules

ntp Syd     10.4.0.2    203.35.xx.xx WAN
All Traffic 10.4.0.0/28 0.0.0.0      VPN
PC general  10.4.0.2    0.0.0.0      VPN

ip rule

10001: from 10.4.0.2 to 203.35.xxx.xxx lookup main
10101: from 10.4.0.0/28 lookup ovpnc1
10102: from 10.4.0.2 lookup ovpnc1

but RPDB GUI sequence (although preferred)

PC general  10.4.0.2    0.0.0.0      VPN
All Traffic 10.4.0.0/28 0.0.0.0      VPN
ntp Syd     10.4.0.2    203.35.xx.xx WAN

isn't the same as

All Traffic 10.4.0.0/28 0.0.0.0      VPN
PC general  10.4.0.2    0.0.0.0      VPN
ntp Syd     10.4.0.2    203.35.xx.xx WAN


ip rule

10001: from 10.4.0.2 to 203.35.xxx.xxx lookup main
10101: from 10.4.0.2 lookup ovpnc1
10102: from 10.4.0.0/28 lookup ovpnc1

Summary: WAN target rules always take priority over VPN target rules within each of the individual VPN Client tables.

NOTE: You should preferably give the firmware a helping hand to ensure that the most specific RPDB GUI entries within a category (VPN or WAN) are entered first and (overlapping) more generic CIDR masks are entered last.

 

[Martineau]

Here are the results of the corresponding "IP rule" lookup:-

0: from all lookup local
10001: from 10.4.0.2 to 203.35.xx.xxx lookup main
10101: from 10.4.0.0/28 lookup ovpnc1
10102: from 10.4.0.2 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

And yet a DNS leak test shows that all name resolution on the client (a Windows 10 PC) is going through the WAN, not the VPN as stated in the quotation above...

Your current ordering of RPDB VPN routing rules are technically valid, with 10.4.0.2 always routed via the WAN when accessing 203.35.xxx.xxx as desired, but all other 10.4.0.2 traffic will be via the VPN ...although clearly rule 10102 will never fire (see post #585)

However, in order to diagnose the DNS redirect problem caused by the 'Accept DNS Configuration=EXCLUSIVE', you can see how the VPN Client DNS redirect rules are implemented by issuing:

iptables --line -t nat -nvL DNSVPN1

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 RETURN     all  --  *      *       10.4.0.2             0.0.0.0/0          
2        0     0 DNAT       all  --  *      *       10.4.0.0/28          0.0.0.0/0            to:xxx.vpn.dns.xxx
3        0     0 DNAT       all  --  *      *       10.4.0.2             0.0.0.0/0            to:xxx.vpn.dns.xxx

and you can see the firmware's rule #1 'WAN rule takes precedence' decree unfortunately (incorrectly) conflicts with rule #3.

You could try a manual fix by issuing:

iptables -t nat -R DNSVPN1 1 -s 10.4.0.2 -d 204.35.xxx.xxx -j RETURN

iptables --line -t nat -nvL DNSVPN1

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 RETURN     all  --  *      *       10.4.0.2             235.35.xxx.xxx          
2        0     0 DNAT       all  --  *      *       10.4.0.0/28          0.0.0.0/0            to:xxx.vpn.dns.xxx
3        0     0 DNAT       all  --  *      *       10.4.0.2             0.0.0.0/0            to:xxx.vpn.dns.xxx

or if you don't need visual confirmation that the RPDB table was applied/processed you can actually delete the problematic rule

iptables -t nat -D DNSVPN1 1

If manually altering the DNSVPN1 chain resolves your WAN DNS leak issue, then you can use the openvpn-event 'vpnclient1-route-up.sh' script to automate the correction.

 

[Argonaut]

Thank-you Martineau for your lengthy reply, much appreciated.

I think I have found a simple solution that works for my purposes and uses your suggested ordering...

The setup:-

ASUS RT-AC86U router with Merlin Firmware 384.6
with WAN DNS servers set to Cloudflare (1.1.1.1 and 1.0.0.1) for testing purposes
and LAN DHCP turned off.

Windows 10 machine with the following manually assigned Ethernet adapter settings:-

IPv4 Address 10.4.0.2
Subnet Mask 255.255.255.240
Default Gateway 10.4.0.1
IPv4 DNS Server 1 10.4.0.1
IPv4 DNS Server 2 blank

OpenVPN Client Settings:-

NordVPN server address and port – 144.48.xx.xx
Accept DNS Configuration – Exclusive
Redirect Internet traffic - Policy Rules (strict)

Rules for routing client traffic through the tunnel

ntp Sydney 0.0.0.0 203.35.xx.xx WAN

ntp Melbourne 0.0.0.0 203.35.xx.xx WAN

All other traffic 10.4.0.0/28 0.0.0.0 VPN

This leaves most traffic going through the VPN and using the VPN provider’s DNS servers and any (non-client specific) traffic intended for the WAN able to do so without introducing a DNS Leak.

Now when I set the Ethernet adapter DNS server(s) to that of the router (10.4.0.1) or other DNS providers (9.9.9.9 or OpenDNS), the list of DNS servers returned on dnsleaktest.com is that of the VPN provider (NordVPN).

This is desired behavior for me but YMMV depending on your intended setup.

Conclusions from all of this:-
1) If you configure exceptions on a device by device basis to use the WAN interface, then that device will no longer be forced by the rule “Accept DNS Configuration – Exclusive” to use a specific VPN DNS but rather the default setting which is that of the WAN DNS.

2) If you want a whole device to go through the WAN or the VPN then that is easily achieved but if you want some traffic from a device to go to the VPN and other traffic from the same device to go through the WAN then it seems that level of granularity is not able to prevent DNS leaks?

 

[Martineau]

Conclusions from all of this:-
<snip>

2) If you want a whole device to go through the WAN or the VPN then that is easily achieved but if you want some traffic from a device to go to the VPN and other traffic from the same device to go through the WAN then it seems that level of granularity is not able to prevent DNS leaks?

The decision to link the selective routing of a target IP from a specific device together with altering the device's DNS server does seem inappropriate.

@john9527's LTS Fork firmware sensibly ensures the user must explicitly tick the separate GUI option to enforce the WAN DNS change:

So in lieu of the separate VPN Client GUI check box in v38x.xx I'm not sure if the following

Spoiler: Patch to updown.sh

  for ENTRY in $VPN_IP_LIST
    do
        if [ "$ENTRY" = "" ]
        then
            continue
        fi
        VPN_IP=$(echo $ENTRY | cut -d ">" -f 2)
        if [ "$VPN_IP" != "0.0.0.0" ]
        then
            TARGET_ROUTE=$(echo $ENTRY | cut -d ">" -f 4)
            if [ "$TARGET_ROUTE" = "VPN" ]
            then
                echo /usr/sbin/iptables -t nat -A DNSVPN$instance -s $VPN_IP -j DNAT --to-destination $server >> $dnsscript
                /usr/bin/logger -t "openvpn-updown" "Forcing $VPN_IP to use DNS server $server"
            else
                ########################################################################################## Martineau Hack 2 of 2
                #echo /usr/sbin/iptables -t nat -I DNSVPN$instance -s $VPN_IP -j RETURN >> $dnsscript
                #/usr/bin/logger -t "openvpn-updown" "Excluding $VPN_IP from forced DNS routing"
                DEST_IP=$(echo $ENTRY | cut -d ">" -f 3)
                if [ "$DEST_IP" != "127.0.0.1" ];then
                    logger -t "openvpn-updown" "Selective routing" $VPN_IP "to" $DEST_IP "via" $TARGET_ROUTE "excluded from forced WAN DNS routing"
                else
                    echo /usr/sbin/iptables -t nat -I DNSVPN$instance -s $VPN_IP -j RETURN >> $dnsscript
                    logger -t "openvpn-updown" "Excluding $VPN_IP from forced DNS routing"
                fi
                ################################################################################################################
            fi
        fi
    done

is acceptable for all use cases, but it would mean for your use case that simply using:

PC general  10.4.0.2     205.35.xxx.xxx  WAN
LAN subnet  10.4.0.0/28  0.0.0.0         VPN

means only traffic from 10.4.0.2 to 205.35.xxx.xxx (rather than your compromise to redirect ALL LAN traffic to 205.35.xxx.xxx) is correctly routed via the WAN without changing 10.4.0.2 from using the expected VPN DNS to the WAN DNS.

NOTE: The patch would still force the LAN device to use the WAN DNS if the following was also explicitly specified:

PC general  10.4.0.2     127.0.0.1  WAN

 

[Argonaut]

Thank-you Martineau for your help and the link to the patch you provided...

Did you compile the patch yourself? If so, well done!

It seems that there is a fair bit of background to this issue that I am just coming in on; late to the party, so to speak.

I am happy with the "compromise" solution that I have in place now as it works as intended for me and is in fact simple and elegant without the hassle of having to (unnecessarily) list out each client in the GUI.

As far as patches are concerned and editing code goes, I would rather just work within the GUI and I think many others would feel the same.

But I would like to see the Wiki article reworded to reflect the current state of play:-

It currently says:- "Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS."

It should say:- "Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the WAN specified DNS."

As I say, I don't know the background to this but I suspect there has been a change in the behavior of the "Accept DNS Settings - Exclusive" setting and it's interplay with the "Redirect Internet Traffic - Policy Rules Strict" settings since that Wiki was written?

Perhaps in response to the many posts about unwanted or unintended DNS behavior in this forum and others?

 

[Lance.dBoyle]

Hi and thanks for the thread. Unfortunately I'm still confused. I'm trying to create a split tunnel on my Linksys E4200 v1 router running AdvancedTomato so my Roku will use the vpn and all other devises, the isp ip.

I have the vpn working and have tried to establish a routing policy so only the Roku ip address will use the vpn, but all of the traffic is still going through the vpn. Can anyone suggest what I'm doing wrong?

Here are some screen shots of the vpn set up on the router.
Basic

Advanced

Keys

Routing Policy

I've also noticed that my internet speed has taken a big hit going from 80 Mbps without the vpn on to 3-4 Mbps with it on (I checked my vpn internet speed as well using Netflix' connection test on my Roku and it showed 1 Mbps!). Is this due to my lack of processing power in my router? Could I turn off the encryption to speed things up? Would that be dangerous to do (I would only have Roku, Netflix and Amazon going through the vpn -- provided I can get it set up properly)? If none of the above, how can I speed it up?

There is a Quality of Service option in the router settings, but I'm wary of fiddling with the set up any more than I have. Can this improve my speeds?

Thanks in advance for any help you can provide, Cheers,

 

[Martineau]

As I say, I don't know the background to this but I suspect there has been a change in the behavior of the "Accept DNS Settings - Exclusive" setting and it's interplay with the "Redirect Internet Traffic - Policy Rules Strict" settings since that Wiki was written?

Yes, sadly the old adage "Poor (in particular out-of-date) documentation is far worse than no documentation." still holds true.

Clearly it is not the intention of programmers/tech writers to deliberately mislead/confuse users, but the Wiki is indeed in need of a review - so too are the relevant sections in posts #1 and #2

NOTE: It appears that the original documentation was correct, but the behaviour has since been altered - possibly as a consequence of this patch:

382.2 Beta (17-Jan-2018)
   - FIXED: DNSFILTER rules would have priority over OPENVPN Client
            rules (when client has DNS set to Exclusive mode).

 

[Maverick44]

Hi-

I am using PIA (OpenVPN) and have an Asus RT-AC68P running Merlin 384.6. I've researched this a bit so I think I know the answer but wanted confirmation.

For my streaming device, I have times I want to turn it on and other times I want it off. I added the streaming device IP to the policy rules and turned the kill switch on. When I did that, the streaming device only works when the VPN is on. If I turn it off, the streaming device no longer works. Other devices in the house do work regardless.

So, I'm thinking that I have to do 1 of 2 things if I want it specific to this device and the ability to turn it on / off:

1. Install PIA directly on the streaming device itself and turn it on / off from there when I want; or
2. When I want it on, go to the VPN router page, add the device to the policy rules, and then turn on the VPN.
a. When I want it off, go back to the VPN router page, turn off VPN, and remove the device from the policy rules.

Can someone confirm if I'm right in my thinking above or provide help on how I can better setup the router to obtain the objective I'm looking for?

Thanks,

Maverick

 

[pusb87]

Hi-

I am using PIA (OpenVPN) and have an Asus RT-AC68P running Merlin 384.6. I've researched this a bit so I think I know the answer but wanted confirmation.

For my streaming device, I have times I want to turn it on and other times I want it off. I added the streaming device IP to the policy rules and turned the kill switch on. When I did that, the streaming device only works when the VPN is on. If I turn it off, the streaming device no longer works. Other devices in the house do work regardless.

So, I'm thinking that I have to do 1 of 2 things if I want it specific to this device and the ability to turn it on / off:

1. Install PIA directly on the streaming device itself and turn it on / off from there when I want; or
2. When I want it on, go to the VPN router page, add the device to the policy rules, and then turn on the VPN.
a. When I want it off, go back to the VPN router page, turn off VPN, and remove the device from the policy rules.

Can someone confirm if I'm right in my thinking above or provide help on how I can better setup the router to obtain the objective I'm looking for?

Thanks,

Maverick

I have a similar situation and I think the easiest is Option 1.....but you need to add the device ip to the policy rules to run through the WAN

 

[VikingRulez]

Thank you for a great tool to setup an ASUS router. There are many ideas how to utilize the hardware you invested in.

As a total NOOB in this I'm reaching out to get a little help setting up my ASUS AC2900 with Merlin. My issue is more delicate because of this:

I need to run the ASUS with split tunneling for streaming from another country. To be more specific, then the app I need to run thru the VPN is on a Nvidia Shield device. I installed OPENVPN for android on the Nvidia box to make it easier due to the app control. The Nvidia box and the router are connected thru Ethernet cable. I would like all other devices incl xbox, cellphones and a laptop to bypass the vpn except for a few foreign IP addresses which have to go thru the VPN client for streaming the same content as on the Nvidia box.

I'm not this setup will work since both the router and the Nvidia box are running OPENVPN clients for the same vpn service provider?

 

[Rpony]

Trying to get my second router 68u to not be behind vpn on my 86u. They are linked together.
On client one. I specify the ip address but for some reason it's still behind the vpn when connected.
Any ideas how to over come this issue?

Both routers are on the most recent version of merlin.
Any help would be appreciated

 

[CaptainSTX]

Trying to get my second router 68u to not be behind vpn on my 86u. They are linked together.
On client one. I specify the ip address but for some reason it's still behind the vpn when connected.
Any ideas how to over come this issue?

Both routers are on the most recent version of merlin.
Any help would be appreciated

You will need to double NAT the second router behind the first. Then on the first set up policy routing and specify the WAN IP of the second router (this will be an IP in the first router's LAN DHCP ) use the WAN.

 

[hans2150]

hello,
Can somebody please help me? My vpn loose connection after a while.
thank you

 

[Kingp1n]

Great post...i'm currently using PIV VPN and have setup policy rules (strict) to use Kodi and VPN with my firestick. I also have IPV6 enabled under my router as I do a lot of gaming and xbox recommends to enable IPV6 if your provider offers this option which in my case I do. My question is, is there a way disable IPV6 to the firestick only? I have search in google and I don't see how I can disable this feature to both of my firesticks??? Everything else I used doesn't require VPN filtering under strict rules.

 

[wesbez]

@Kingp1n can you see what client app is available for your vpn provider? Look to see if they have a setting in there for the android app for aggressive ipv6 blocking. If they do, side load the app on your fire stick. Doing it on device means you’ll be able to take it anywhere.

 

[frooty]

Hello again all,

I noticed on the PIA website merlin router setup guide that they recommend using the persist-key & persist-tun commands in the custom configuration field:

https://www.privateinternetaccess.com/helpdesk/guides/routers/merlin/merlin-firmware-openvpn-setup

...but it's not used in this guide - so was wondering if it's needed & what those two commands actually do?

Thanks.

 

[CaptainSTX]

Here are the custom settings generated by PIA's configuration utility. This is using Port 1197 which I suppose could have slightly different requirements than their default 1198.

resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ

Here are the settings if you download one of their generic configuration files. I downloaded them in January which uses the default Port 1198.

persist-key
persist-tun
pull-filter ignore "auth-token"
resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ

As you can see they are not consistent but both have been running for days with no issues or droped VPN tunnel.

Try one or both examples your results may vary.