OpenVPN policy routing guide?

Hm, good question ...
You could try to set your Network 192.168.1.0/24 to "ips netflix" to VPN.
The killswitch in your case could not work, as the router itself should always be able to connect via WAN.

In my eyes running Transmission on the router is very slow, why do you not use a better solution like a NAS or a rs pi?

Edit: I don't want to use a NAS/RS PI as I didn't want to spend the money and the time.. I am a very low level transmission user so don't need the extended setup and my router seems to be handling the load just fine. Hope this explains that bit.

My question/confusion:
OK I am a bit confused with your response.. I assume you are suggesting I setup a policy rule for 192.168.1.0/24 to VPN (this will bring my transmission on the router at 192.168.1.1 under VPN)?

I could then provide static IP for all my devices I want to be OUTSIDE the VPN and give them IP higher than 192.168.1.25 so as to make sure they stay on WAN and NOT VPN. Would this work?
 
192.168.1.0/24 is your complete network.
Give it a try, if your Router (Transmission) is then using vpn.
 

Thanks! I will do that.. then my question is how do I push my Netflix Roku out of VPN and onto WAN? Adding a policy that says "192.168.1.45" to 0.0.0.0 WAN will do the trick from the GUI?

So basically have 2 rules in the policy table going:

192.168.1.0/24 0.0.0.0 VPN [everything goes under VPN]
192.168.1.45 0.0.0.0 WAN [my roku device goes directly to WAN]
192.168.1.52 0.0.0.0 WAN [my wife's laptop goes directly to WAN]

Is that going to work... ?
 
Try this instead:

Policy Rules
192.168.1.0/24 0.0.0.0 VPN [everything goes under VPN]
0.0.0.0 192.168.1.45 WAN [my roku device goes directly to WAN]
0.0.0.0 192.168.1.52 WAN [my wife's laptop goes directly to WAN]
 
@octopus
that is not the solution for Transmission / VPN.
Question was: [roku to WAN] and [wife's laptop to WAN], no one mentioned Transmission.
If transmission is on router (192.168.1.0) it would take VPN way.
 
Then it's important to use custom config right so you haven't any strange config there.

From readme file:
OpenVPN client policy routing
-----------------------------
When configuring your router to act as an OpenVPN client (for instance
to connect your whole LAN to an OpenVPN tunnel provider), you can
define policies that determine which clients, or which destinations
should be routed through the tunnel, rather than having all of your
traffic automatically routed through it.

On the OpenVPN Clients page, set "Redirect Internet traffic" to
"Policy Rules". A new section will appear below, where you can
add routing rules. The "Source IP" is your local client, while
"Destination" is the remote server on the Internet. The field can be
left empty (or set to 0.0.0.0) to signify "any IP". You can also
specify a whole subnet, in CIDR notation (for example, 74.125.226.112/30).

The Iface field lets you determine if matching traffic should be sent
through the VPN tunnel or through your regular Internet access (WAN).
This allows you to define exceptions (WAN rules being processed
before the VPN rules).

Here are a few examples.

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

Or, to have a computer routed through the tunnel except for requests sent
to your ISP's SMTP server (assuming a fictitious IP of 10.10.10.10 for your
ISP's SMTP server):

PC1 192.168.1.100 0.0.0.0 VPN
PC1-bypass 192.168.1.100 10.10.10.10 WAN


Another setting exposed when enabling Policy routing is to prevent your
routed clients from accessing the Internet if the VPN tunnel goes down.
To do so, enable "Block routed clients if tunnel goes down".
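
Added example (not part of the original post, and not the firmware's own code): a small Python model of the rule evaluation the readme describes, with WAN rules checked before VPN rules, run against the two rule sets proposed earlier in this thread. The function names, the fallback to WAN for unmatched traffic and the behaviour when the tunnel is down are assumptions of this model.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_field(field):
    # Per the readme: 0.0.0.0 means "any IP"; otherwise a host or a CIDR subnet.
    return ANY if field == "0.0.0.0" else ipaddress.ip_network(field, strict=False)

def parse_rules(text):
    # One rule per line: "source destination iface" (description column omitted).
    rules = []
    for line in text.strip().splitlines():
        src, dst, iface = line.split()
        rules.append((parse_field(src), parse_field(dst), iface.upper()))
    return rules

def route(rules, src_ip, dst_ip, tunnel_up=True, block_if_down=False):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # WAN rules are processed before VPN rules, whatever order they were entered in.
    for wanted in ("WAN", "VPN"):
        for r_src, r_dst, iface in rules:
            if iface == wanted and src in r_src and dst in r_dst:
                if iface == "VPN" and not tunnel_up:
                    # Assumption: "Block routed clients if tunnel goes down" drops
                    # the traffic; without it the client falls back to WAN.
                    return "BLOCKED" if block_if_down else "WAN"
                return iface
    return "WAN"  # Assumption: traffic matching no rule uses the regular WAN route.

# Constructed rule sets taken from the thread; 203.0.113.10 is a documentation
# address standing in for an Internet server.
SOURCE_EXCEPTIONS = parse_rules("""
192.168.1.0/24 0.0.0.0 VPN
192.168.1.45   0.0.0.0 WAN
192.168.1.52   0.0.0.0 WAN
""")
DESTINATION_EXCEPTIONS = parse_rules("""
192.168.1.0/24 0.0.0.0 VPN
0.0.0.0 192.168.1.45 WAN
0.0.0.0 192.168.1.52 WAN
""")

if __name__ == "__main__":
    for name, rules in (("source", SOURCE_EXCEPTIONS), ("destination", DESTINATION_EXCEPTIONS)):
        for client in ("192.168.1.45", "192.168.1.60"):
            print(name, client, route(rules, client, "203.0.113.10"))
    print(route(SOURCE_EXCEPTIONS, "192.168.1.60", "203.0.113.10", tunnel_up=False, block_if_down=True))
```

In this model a rule with 192.168.1.45 in the Destination column does not match traffic sent by that device, so its Internet traffic still follows the /24 VPN rule; only the Source-column form takes it to WAN.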
 
One problem is DNS settings when using policy rules and VPN. ALL use the same DNS as you have set in VPN.
To fix that you can use DNS-based Filtering under AiProtection.
 
Don't leave us mere mortals in the dark! What will this do for us? :)

So back in May 2015...

http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-17#post-182286

So now RMerlin's tweak means users no longer have to use say /jffs/scripts/init-start to set the VPN Client table mnemonics as I described here:

http://www.snbforums.com/threads/sp...-wan-routing-failover-mode.29682/#post-230214

Essentially, if you never use RPDB Selective Routing (or have a need to investigate/debug the RPDB rules), then this purely cosmetic change will remain a 'secret'! :p
 
Am I able to simply have 1 fixed LAN IP bypass my VPN tunnel via the GUI? Or do I need to code something?

I have a server with 2 NIC's on the motherboard. I want the 2nd NIC to bypass the VPN so I can access my content remotely via Emby (and maybe use uTorrent remote).

I've manually assigned the 2nd NIC an address of 192.168.1.88 in the GUI. What do I need to do to get that to bypass the VPN tunnel, while everything else on my home network goes through the tunnel?

I've tried to figure this out myself, but a lot of the information seems to be outdated due to firmware changes/additions. Any help would be appreciated!
 
Try this:
Redirect Internet Traffic => Policy Rules
"your device name" 192.168.1.88 0.0.0.0 WAN
"Your net" 192.168.1.0/24 0.0.0.0 VPN
 
Exactly what I needed, thanks! I wasn't sure if that would work since it was my understanding that the 2nd entry is the whole network. Was confused at first because Windows on my server kept defaulting to the 2nd NIC, but I figured out how to fix that by setting the metrics for both NIC's manually.
 
