
OpenVPN preferential routing/access


GGavan

Regular Contributor
I'm using the OpenVPN client on an ASUS router connected to my office.
My issue is that all devices connected to the LAN have access through that VPN, like me.
I would like only a limited list of devices to be able to use that VPN, and the others to go normally to the internet. I'm thinking of routes based on MAC / LAN IPs... but I don't have a clear idea.
I searched the forum but without success.
Can anybody help me with an idea or a link?
Thx in advance!
 
Use policy-based routing to choose what goes where. You must use TUN to get it to work.
VPN=> OpenVPN Client Settings => OpenVPN Clients => Rules for routing client traffic through the tunnel.
Redirect Internet Traffic => Policy rules
From merlin-readme file:
Here are a few examples.

To have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

Or, to have a computer routed through the tunnel except for requests sent
to your ISP's SMTP server (assuming a fictitious IP of 10.10.10.10 for your
ISP's SMTP server):

PC1 192.168.1.100 0.0.0.0 VPN
PC1-bypass 192.168.1.100 10.10.10.10 WAN

Another setting exposed when enabling Policy routing is to prevent your
routed clients from accessing the Internet if the VPN tunnel goes down.
To do so, enable "Block routed clients if tunnel goes down".
 
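The rule table from the readme excerpt above, modelled as an added example (not part of the original posts and not Asuswrt-Merlin's own code): it parses `name source destination interface` lines and lists LAN hosts that would enter the tunnel without being on the allow list. The precedence used (a matching WAN rule beats a VPN rule, unmatched traffic leaves by the WAN), the sample addresses and all function names are assumptions.

```python
import ipaddress

# Constructed rule table in the readme's "name source destination iface" layout.
# 0.0.0.0 means "any", as in the readme examples. Addresses are sample values.
RULES = """\
Laptop     192.168.1.100  0.0.0.0      VPN
WorkPC     192.168.1.101  0.0.0.0      VPN
Laptop-ISP 192.168.1.100  10.10.10.10  WAN
"""

def _net(field):
    # Treat 0.0.0.0 as a wildcard; otherwise accept a host or a CIDR block.
    return ipaddress.ip_network("0.0.0.0/0" if field == "0.0.0.0" else field, strict=False)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, src, dst, iface = line.split()
        if iface not in ("VPN", "WAN"):
            raise ValueError(f"{name}: interface must be VPN or WAN, got {iface!r}")
        rules.append((name, _net(src), _net(dst), iface))
    return rules

def egress(rules, src, dst):
    """Return 'VPN' or 'WAN' for one flow under the assumed precedence."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = {iface for _, s, d, iface in rules if src in s and dst in d}
    # Assumption: a matching WAN rule wins over a VPN rule (the bypass
    # example), and traffic that matches nothing leaves by the WAN.
    return "VPN" if hits == {"VPN"} else "WAN"

def audit(rules, lan_hosts, allowed, probe_dst):
    """List LAN hosts that reach probe_dst through the tunnel but should not."""
    return [h for h in lan_hosts
            if egress(rules, h, probe_dst) == "VPN" and h not in allowed]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    lan = [f"192.168.1.{n}" for n in range(100, 110)]   # ten constructed clients
    # 172.16.0.5 stands in for an office server (constructed address).
    print(audit(rules, lan, {"192.168.1.100", "192.168.1.101"}, "172.16.0.5"))
```

An empty list means only the allowed hosts are routed into the tunnel; a source of 0.0.0.0 or a whole subnet in a VPN rule shows up here as every unlisted client.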
I'm sorry, but it's still not clear. Let me put it in other words.
I have 10 devices/users connected to the LAN.
Now all of them can go to the internet or through the VPN.
I would like to have 2 of them working like now, internet + VPN, and the other 8 to go normally to the internet but not through the VPN at all.
The idea is to limit the people that can go through the VPN. The VPN connection is to my office and I don't want to have all users going to my office LAN through that VPN.
Is it possible to do something from the router web interface? I'm not good with Linux.
 
Is it possible to do something from the router web interface? I'm not good with Linux.

Yes, at that side I showed you in my post. Then you can choose which goes where. E.g. only one PC through VPN.
No need for Linux skills, just some GUI clicking. :)
 
It took me some minutes to find that "Policy rules" :) but it's working. Thx!
 
Unfortunately it seems that after this setting on "Policy rules" the VPN DNS is not used, even though I have set "Accept DNS Configuration" to "Strict".
As a consequence, the computer allowed to go through the VPN can't find the office servers by name, only by IP.
Before setting "Policy rules" I could use names from VPN and internet.
Any idea how to solve this DNS issue as well? I can ping servers on the internet by name but not servers on the VPN.
I need to have my computer look first at the DNS from the VPN and then at the DNS from the ISP (given by their DHCP).
Is it possible?
 
First try to set Accept DNS Configuration to "Exclusive".
Then your VPN server must push DNS to clients for it to work.

If that is not working, you can use AiProtection => DNS-based Filtering => DNS-based Filtering
and set which DNS to use with your client.

Code:
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
               and you enable policy-based routing, then those policies
               will also determine which DNS to use (the tunnel's or
               the ISP's).  This is based on DNSFilter's technology.
               You no longer need to use DNSFilter to control
               the DNS used by your OpenVPN clients.
 
The combination "Exclusive" with "Policy Rules" is working. Thx!
 
