Is this a bug in VPN Director?

Jetblue

Occasional Visitor
I have AsusWrt-Merlin 388.2 set up on the RT-AX88U Pro. Everything is going great, but I may have found a bug here, or I am doing something wrong?

- I have a blanket interface for each Wireguard connection in the rules, I leave the Local IP blank. If I do not have this rule, the VPN will not work and I'll go straight to the public IP (it bypasses). So, this is how I set it up and everything in that regard works fine.

- The problem comes when I want to assign a specific IP to A DIFFERENT Wireguard connection. It's not possible. I've tried various combinations of things.

If I could get this to work, I could have some devices going to VPN 1 and other devices going to VPN 2.

Any ideas?

Thanks.
 
I have this setup working, this is how I did it.

1. Set static IP addresses for the devices on your LAN that you want to route via the VPN
(LAN -> DNS Server -> Manual assignment)
2. Add those static IP addresses to the DNS director rules local IP
3. Reboot the router so those devices get the static IPs and are now routed to wireguard interface in the rules.

[attached screenshot]
 
Read the VPN Director documentation, specifically the section about rule priority. If you have a WGC1 rule to redirect everything, then rules for WGC2 will never be reached. You want any final "redirect all" rule to be the lowest priority, not the highest.
 
Read the VPN Director documentation, specifically the section about rule priority. If you have a WGC1 rule to redirect everything, then rules for WGC2 will never be reached. You want any final "redirect all" rule to be the lowest priority, not the highest.

Yes, I saw that... but the logic does not work:
For any traffic to go through the VPN there must be a rule for the IP, right? (otherwise it will bypass the VPN by default). So, when a VPN is selected as the top priority for all VPN traffic (WGC1), the second VPN (WGC2) becomes nullified. Once nullified nothing can be assigned to it.

[attached screenshot]


So, when looking at this you can see there is no way to move the Toronto device up in priority, because it's not using WGC1. Make sense? Using your logic would mean that I would have to create separate rules (or a group rule) for all the devices except for the Toronto device (192.168.50.41). I must be missing something really obvious?
 
I have this setup working, this is how I did it.

1. Set static IP addresses for the devices on your LAN that you want to route via the VPN
(LAN -> DNS Server -> Manual assignment)
2. Add those static IP addresses to the DNS director rules local IP
3. Reboot the router so those devices get the static IPs and are now routed to wireguard interface in the rules.

[attached screenshot]
Where are your rules for everything else? I have to put a rule for ALL IPs in the rules, or else it will just send them to the public internet and bypass the VPN. That's the actual problem for me, because it's a catch-22... Each time I put an ALL IP rule in, it nullifies everything after it.
 
So, when looking at this you can see there is no way to move the Toronto device up in priority, because it's not using WGC1. Make sense? Using your logic would mean that I would have to create separate rules (or a group rule) for all the devices except for the Toronto device (192.168.50.41). I must be missing something really obvious?
Swap your clients. WGC1 must be the Toronto client that has the more limited scope (i.e. the LAN client set to go through Toronto), and WGC2, the lower priority one, must be Dallas, with its catch-all rule to redirect everyone through it.
 
Where are your rules for everything else? I have to put a rule for ALL IPs in the rules, or else it will just send them to the public internet and bypass the VPN. That's the actual problem for me, because it's a catch-22... Each time I put an ALL IP rule in, it nullifies everything after it.
For me everything else goes out on non-VPN.

Rules are executed from the top to bottom, once a rule is matched no further rules are processed.

So you just need to setup your WG clients as @RMerlin suggests.
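The evaluation order described in this thread (rules processed top to bottom, first match wins, WGC1 rules ahead of WGC2 rules, no match means the traffic leaves via the WAN) can be checked on paper with a small simulation. The following is an added example written for this page, not VPN Director's own code; the interface ordering in IFACE_ORDER and the `Rule` fields are assumptions modelled on the thread, and the three rule sets reproduce the layouts the poster described (Dallas catch-all first, the swap that was advised, and both clients carrying a catch-all).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed evaluation order, taken from the thread: WAN rules first, then lower-numbered
# clients before higher-numbered ones (WGC1 before WGC2), first matching rule wins.
IFACE_ORDER = ["WAN", "WGC1", "WGC2", "WGC3", "WGC4", "WGC5"]


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str
    local: Optional[str] = None    # source IP or CIDR; None means "any"
    remote: Optional[str] = None   # destination IP or CIDR; None means "any"
    enabled: bool = True


def _matches(spec, addr):
    """True when the rule field is blank ("any") or the address falls inside it."""
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def route_for(rules, src, dst="0.0.0.0"):
    """Interface the first matching enabled rule sends src->dst through; WAN if none matches."""
    # sorted() is stable, so the order of rules within one client is preserved
    ordered = sorted(rules, key=lambda r: IFACE_ORDER.index(r.iface))
    for r in ordered:
        if r.enabled and _matches(r.local, src) and _matches(r.remote, dst):
            return r.iface
    return "WAN"


def routing_table(rules, devices):
    """Map each LAN device to the interface its traffic ends up on."""
    return {d: route_for(rules, d) for d in devices}


def disabled(rules, name):
    """Copy of the rule list with the named rule switched off (the 'disable' test from the thread)."""
    return [Rule(r.name, r.iface, r.local, r.remote, enabled=False) if r.name == name else r
            for r in rules]


# Constructed sample devices: the Toronto device from the thread and one other LAN host.
DEVICES = ["192.168.50.41", "192.168.50.20"]

# Original layout: Dallas was WGC1 with a catch-all, Toronto was WGC2 with one device.
ORIGINAL = [
    Rule("All WG to Dallas", "WGC1"),
    Rule("Device for Toronto", "WGC2", local="192.168.50.41"),
]

# Swapped as advised: Toronto becomes WGC1 (narrow rule), Dallas WGC2 with the catch-all.
SWAPPED = [
    Rule("Device for Toronto", "WGC1", local="192.168.50.41"),
    Rule("All WG to Dallas", "WGC2"),
]

# Both clients carrying a catch-all: the higher-priority client swallows everything.
BOTH_CATCH_ALL = [
    Rule("Device for Toronto", "WGC1", local="192.168.50.41"),
    Rule("Remainder of Toronto WG", "WGC1"),
    Rule("All WG to Dallas", "WGC2"),
]

if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("swapped", SWAPPED),
                         ("both catch-all", BOTH_CATCH_ALL),
                         ("remainder disabled", disabled(BOTH_CATCH_ALL, "Remainder of Toronto WG"))]:
        print(f"{label:20s} {routing_table(rules, DEVICES)}")
```

Running it shows the three outcomes the thread walks through: with the Dallas catch-all on WGC1 the Toronto device never reaches its WGC2 rule; after the swap the Toronto device goes to WGC1 and everything else to WGC2; and a second catch-all on WGC1 pulls every device onto Toronto until it is disabled.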
 
Thanks for the response. I see that the priority is actually set in the order of the drop-down box of the VPN Client tab. So, I went there and deleted the original order and put in the correct order, Toronto first. Now Toronto shows up as a priority WGC1. I altered the rules as follows:

[attached screenshot]


So, you can see that Toronto takes precedence for 1 device. Here is the quandary:

1. If I do it this way ALL traffic goes to Toronto and Dallas is ignored. So all devices end up under Toronto.

2. If I disable the "Remainder of Toronto WG", then two things happen:
--- The secluded device (192.168.50.41) set for Toronto cannot get online whatsoever.
--- Everything else goes to Dallas

I'm still hanging in there, not seeing it yet?
 
1. If I do it this way ALL traffic goes to Toronto and Dallas is ignored. So all devices end up under Toronto.
Your logic makes no sense here. How can you redirect all traffic to Toronto and also all traffic to Dallas? It's one or the other, you cannot logically do both.
 
2. If I disable the "Remainder of Toronto WG", then two things happen:
--- The secluded device (192.168.50.41) set for Toronto cannot get online whatsoever.
--- Everything else goes to Dallas
Double check what's happening to 192.168.50.41. My understanding in this situation is that this device should still have internet access through Toronto. Everything else should work in the way you describe.
 
Double check what's happening to 192.168.50.41. My understanding in this situation is that this device should still have internet access through Toronto. Everything else should work in the way you describe.
Yes... So in my above comment... Focusing now on this:

2. If I disable the "Remainder of Toronto WG", then two things happen:
--- The secluded device (192.168.50.41) set for Toronto cannot get online whatsoever.
--- Everything else goes to Dallas

There's only one "ALL" that is going to Dallas (WGC2) after the secluded device rule, which is Toronto (WGC1). I looked at the log and saw that the device did connect to Toronto. I then checked Netstat and saw that after the device was pointed to Toronto it forced the device DNS to DNS servers configured in the Wireguard profiles. So, it seems as if the DNS is hanging up or something else. It is the same DNS server in the Dallas profile and I am positive it works perfectly for all other connections.

I read something about a DNS Exclusive setting in the documentation but could not grasp it. Maybe it has nothing to do with this issue, not sure.
 
secluded? I assume you mean "selected".

Sorry, I don't know how you've configured your DNS settings so I can't comment on that. But it sounds like everything else is working as expected.
 
Maybe there's something wrong with the DNS servers published by the Toronto server. Try either overriding them, or adding Toronto rules for the remote IP used by these DNS servers to also be forced through Toronto.

I would also triple check that you have the correct IP for your LAN device. The fact that it works properly with the catch-all rule makes me suspect that maybe the IP is wrong.
 
Yeah, it seems that it is somehow DNS related. Out of frustration I reviewed the Merlin router log. In there it clearly showed that the device was assigned to Toronto, and it also showed two lines forcing the Toronto DNS for that rule. When reviewing Netstat I did see a destination target for this device with the word "UNREPLIED". If this was DNS related, it is strange because the DNS servers are the exact same as Dallas (which works).

I will be back to my office in a day, I will recheck everything to make sure and post the router log with netstat info as well.
 
I'm guessing you imported the wireguard config file from your VPN provider. If it was typed manually maybe there is a typo in the config?
 
I'm guessing you imported the wireguard config file from your VPN provider. If it was typed manually maybe there is a typo in the config?
Yes, I imported that from Surfshark. It uses a key that I can create which encrypts the user and pwd and I copy and paste that over. I am allowed to create multiple keys and I use this same key with Dallas. Also this same profile is used for the Toronto ALL rule and it works great. I will get back to my laptop and go through all of this a little closer.
 
AFAIK a keypair can only be used on 1 concurrent connection.

e.g. if you import the Dallas key pair into 2 connections it will only work on the 1st connection, then the 2nd and subsequent connections will connect but there will be no internet.

If you want to use the Dallas server twice, you need to generate a unique key-pair for each connection.
 
AFAIK a keypair can only be used on 1 concurrent connection.

e.g. if you import the Dallas key pair into 2 connections it will only work on the 1st connection, then the 2nd and subsequent connections will connect but there will be no internet.

If you want to use the Dallas server twice, you need to generate a unique key-pair for each connecti
Thanks. Yeah, I tried it with no luck. Generated 3 different key pairs... rebooted the router etc... but same result.
I think your idea makes perfect sense though. I might add, however, that you are right about the connection. I can run nslookup and ping commands from the .41 device, but no internet.
 
I wanted to update folks on the log output from this below. Just FYI, client 4 is Dallas, client 1 is Toronto.
Anything look off here?

Aug 5 22:13:58 vpndirector: Routing Device for Toronto from 192.168.50.41 to any through wgc1
Aug 5 22:13:58 wireguard: Forcing 192.168.50.41 to use DNS server 162.252.172.57 for WGC1
Aug 5 22:13:58 wireguard: Forcing 192.168.50.41 to use DNS server 149.154.159.92 for WGC1
Aug 5 22:13:58 WireGuard: Starting client 1.
Aug 5 22:13:58 WireGuard: Other interface use 10.14.0.2 too.
Aug 5 22:13:58 vpndirector: Routing All WG to Dallas from any to any through wgc4
Aug 5 22:13:59 WireGuard: Starting client 4.

I also noticed that the Wireguard profile was using those two DNS servers (above), but they were optional. So, I removed them and still got the same result. Even though the device on WGC1 is unable to connect to the internet, nslookup, ping etc. all do work.
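The syslog excerpt above answers two of the questions raised earlier in the thread (which client each device was actually routed to, and which DNS servers the router forced on the Toronto device), and it also carries a "Other interface use 10.14.0.2 too" line saying two WireGuard clients share the same tunnel address. The script below is an added example, not part of this post or of the firmware: it parses exactly these message formats, summarises routing and forced DNS per device, flags shared tunnel addresses, and checks RMerlin's earlier point that the DNS server a device is forced to must itself be reachable through the same client. The second, clearly constructed excerpt shows the case where a narrow remote-IP rule leaves the forced DNS server uncovered.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sample input: the syslog excerpt posted in the thread, embedded so the script runs offline.
# Client numbering follows the post (wgc1 = Toronto, wgc4 = Dallas).
LOG = """\
Aug 5 22:13:58 vpndirector: Routing Device for Toronto from 192.168.50.41 to any through wgc1
Aug 5 22:13:58 wireguard: Forcing 192.168.50.41 to use DNS server 162.252.172.57 for WGC1
Aug 5 22:13:58 wireguard: Forcing 192.168.50.41 to use DNS server 149.154.159.92 for WGC1
Aug 5 22:13:58 WireGuard: Starting client 1.
Aug 5 22:13:58 WireGuard: Other interface use 10.14.0.2 too.
Aug 5 22:13:58 vpndirector: Routing All WG to Dallas from any to any through wgc4
Aug 5 22:13:59 WireGuard: Starting client 4.
"""

# Constructed excerpt (not from the thread): the Toronto rule only covers one remote subnet,
# so the DNS server the device is forced to use is not routed through wgc1.
CONSTRUCTED_LOG = """\
Aug 5 22:20:00 vpndirector: Routing Toronto web only from 192.168.50.41 to 203.0.113.0/24 through wgc1
Aug 5 22:20:00 wireguard: Forcing 192.168.50.41 to use DNS server 162.252.172.57 for WGC1
Aug 5 22:20:00 vpndirector: Routing All WG to Dallas from any to any through wgc4
"""

ROUTE_RE = re.compile(r"vpndirector: Routing (?P<rule>.+?) from (?P<src>\S+) to (?P<dst>\S+) through (?P<iface>\S+)\s*$")
DNS_RE = re.compile(r"wireguard: Forcing (?P<src>\S+) to use DNS server (?P<dns>\S+) for (?P<iface>\S+)\s*$")
OVERLAP_RE = re.compile(r"WireGuard: Other interface use (?P<addr>\S+) too\.")


def parse_log(text):
    """Extract (routes, forced_dns, overlaps) from the three message formats above."""
    routes = []                 # (rule name, src, dst, iface) in the order logged
    forced = defaultdict(list)  # (device, iface) -> [dns server, ...]
    overlaps = []               # tunnel addresses reported as used by another interface
    for line in text.splitlines():
        if m := ROUTE_RE.search(line):
            routes.append((m["rule"], m["src"], m["dst"], m["iface"].lower()))
        elif m := DNS_RE.search(line):
            forced[(m["src"], m["iface"].lower())].append(m["dns"])
        elif m := OVERLAP_RE.search(line):
            overlaps.append(m["addr"])
    return routes, dict(forced), overlaps


def _covers(field, addr):
    """True when a rule field is 'any' or a network/host containing addr."""
    if field == "any":
        return True
    try:
        return ip_address(addr) in ip_network(field, strict=False)
    except ValueError:
        return field == addr


def uncovered_dns(routes, forced):
    """Forced DNS servers with no route carrying traffic from that device to that server
    over the same interface; each entry is (device, dns server, iface)."""
    missing = []
    for (src, iface), servers in forced.items():
        for dns in servers:
            covered = any(r_iface == iface and _covers(r_src, src) and _covers(r_dst, dns)
                          for _, r_src, r_dst, r_iface in routes)
            if not covered:
                missing.append((src, dns, iface))
    return missing


def triage(text):
    """One-call summary a reader can print for any excerpt in this format."""
    routes, forced, overlaps = parse_log(text)
    return {"routes": routes, "forced_dns": forced, "overlaps": overlaps,
            "uncovered_dns": uncovered_dns(routes, forced)}


if __name__ == "__main__":
    for label, text in [("thread excerpt", LOG), ("constructed excerpt", CONSTRUCTED_LOG)]:
        print(label)
        for k, v in triage(text).items():
            print(f"  {k}: {v}")
```

For the posted excerpt the script reports the .41 device on wgc1 with both forced DNS servers covered by its "to any" rule, everything else on wgc4, and the shared tunnel address 10.14.0.2; the constructed excerpt produces one uncovered DNS entry, which is the situation a remote-IP rule for the DNS server would fix.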
 