Policy based routing on Asus RT-AC86U not working as expected

[Icecube93]

Hi Guys,
after reading here all the cool things you can do with merlin I decided to bite the bullet and got myself an Asus AC86U. I received it a couple of days ago and I'm trying to setup multiple VPNs and have different devices connecting to different VPNs.

I managed to set up the VPNs but I'm having issues with the mapping.

I'm connected to the VPNs correctly.

I've setup each VPN in a pretty similar way, here's an example:

I have setup my phone to use connect to Paris but it's not working. Sometimes it connects directly, sometimes it connect to a different VPN, it's the same for any other device and I really can't figure out what's wrong.

I don't have a rule for that device in any other VPN client setting.
The kill switch is enabled for all VPNs.
DSN configutation is set to 'exclusive' for all VPNs.
The traffic rule is set to "Policy Rules (strict)" for all VPNs.

I also set the devices to have a static IP address in the DHCP server page:

I'm really lost here.
According to this: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing
With my setup, if I don't set any specific rule for a device, the device should connect directly, if I specify one the device should go via the VPN.

Feel like I'm missing something obvious. Can anyone help please?


If it's any useful:
- I went from the stock firmware directly to the latest 384.19 version.
- my goal is to be able to have something like this:

Device A	VPN 1
Device B	VPN 2
Device C	VPN 2
Device D	WAN

the next stage would be to rotate the devices around automatically but that's a separate story

 

[GSpock]

... what is strange on your last but before image is that your VPN to Paris shows an unknown public IP address .... it means no client will ever be able to access the internet via this VPN client 4 .... also why have you put a /32 after the IP address of your phone ?

 

[Icecube93]

Yeah I'm not sure why some of the VPNs are showing unknown. However, that's not always the case, I'm pretty sure I've seen the right IP address there. At the moment I've got a client connected to one of them but still no public IP address:

Regarding the /32 I was trying to debug the issue. Thought of giving that a go because for some reason another device was getting connected to a vpn when it shoudln't have been. It's the same even if I remove the /32

 

[GSpock]

My understanding is that if the public ip address is unknown, even if your client connects to this VPN, it will not be able to access the internet ....

 

[Icecube93]

Oh thank you, that's useful to know!
I went on the page of each VPN client with the unknown IP address and clicked on the refresh button manually, that fixed the unknown IP addresses issue. I imagine this is just temporary and could happen again, but I guess this could be caused by the VPN provider I use (Surfshark).

This didn't fix the mapping issue tho

 

[Jack Yaz]

you cant have multiple vpn connections that all provide the same subnet (10.8.8.x in this case) for the "local" IP - the routing breaks. if your vpn provider offers tcp/udp or different ports to connect to, try using those for the different connections

 

[Icecube93]

Ooh thank you very much!
I don't fully understand this part (lack on my technical knowledge).
However, I tried to delete all the VPNs and setup only 2, one on TCP and one on UDP and things are working as expected!

I just bought a yearly membership to surfshark, they only let you pick TCP or UDP but I got in touch with the support team and they said I should be able to pick some alternative ports:

OpenVPN/TCP:* 443, 80, 7070
OpenVPN/UDP:* 8080, 8008, 7777

I tried these and it fails to connect. This is a separate issue now.
Thanks again, it would have taken me ages to find this out myself!

 

[Martineau]

My understanding is that if the public ip address is unknown, even if your client connects to this VPN, it will not be able to access the internet ....

Incorrect.

e.g. I often use the free VPN VPNBook as an alternative quick test VPN provider when my own VPN ISP exhibits issues.

VPNBook never reports a public IP.

 

[RMerlin]

The public Ip address is obtained by querying an STUN server. If all the supported servers are blocked (or the STUN outbound port is blocked), then the router will be unable to determine your public IP address.

 

[GSpock]

Incorrect.

e.g. I often use the free VPN VPNBook as an alternative quick test VPN provider when my own VPN ISP exhibits issues.

VPNBook never reports a public IP.

Thank you for clarifying.

 

[Icecube93]

I tried again setting up additional VPNs using different ports, however, the router fails to connect to the VPN if I use any of the alternative ports (using obviously the right protocol).
I tried to check on my end whether the ports are open, using this website here: http://portquiz.net:7007/

Have you got any idea on what I could do to understand where the issue is exactly (config my end, my modem, my ISP, VPN service.. )?
Thanks!

 

[MaziahBebop]

I have setup my phone to use connect to Paris but it's not working

Just clarifying the meaning of this statement. Do you mean you setup some VPN software on your phone? With policy rules (strict) on the router you wouldn't need to setup anything on the phone. Sorry if I am misunderstood your statement but I think its a point worth clarifying.

 

[Icecube93]

Just clarifying the meaning of this statement. Do you mean you setup some VPN software on your phone? With policy rules (strict) on the router you wouldn't need to setup anything on the phone. Sorry if I am misunderstood your statement but I think its a point worth clarifying.

Hi there, that issue is fixed. What I meant is that I was trying to set one device to use the VPN service I had configured in the router (no VPN software installed on any phone/client). However, like I said, this is all working. I have to VPN connections setup in my router and configured policy rules. I can add/remove devices from the policies and things work as expected.

The issue at the moment is that I only have 2 VPNs setup, one on TCP and one un UDP. I'd like to have another 2 connections however it seems that I can't use the same protocol&port combination. I tried using a different port but the router fails to connect to the VPN server.
I'm not sure how to find out where the issue is, whether that's on my side, the ISP side, the VPN provider or else..

 

[MaziahBebop]

you cant have multiple vpn connections that all provide the same subnet (10.8.8.x in this case) for the "local" IP - the routing breaks.

OP should set something like VPN 1 10.8.8.x, VPN 2 10.8.7.x, VPN 3 10.8.6.x, VPN 4 10.8.5.x? Is that possible to configure client side, or comes pre-configured from the VPN provider? Maybe request from provider, different sub-nets.

 

[Icecube93]

OP should set something like VPN 1 10.8.8.x, VPN 2 10.8.7.x, VPN 3 10.8.6.x, VPN 4 10.8.5.x? Is that possible to configure client side, or comes pre-configured from the VPN provider?

I had a look. So in the ovpn file provided by the VPN provider there's nothing regarding 10.8... Even when you import the ovpn file I can't see anywhere to change that value to something else. Maybe I need to go somewhere else in the settings page, not sure.

 

[MaziahBebop]

I had a look. So in the ovpn file provided by the VPN provider there's nothing regarding 10.8... Even when you import the ovpn file I can't see anywhere to change that value to something else. Maybe I need to go somewhere else in the settings page, not sure.

Pretty sure this is a server config only (can't be set client side).

 

[Icecube93]

Pretty sure this is a server config only (can't be set client side).

Does that mean that the only way for me to have more than 2 VPNs would be to subscribe with another VPN service provider and hope that they use different ports?

 

[MaziahBebop]

Does that mean that the only way for me to have more than 2 VPNs would be to subscribe with another VPN service provider and hope that they use different ports?

If Jack Yaz's statement is true "you can't have multiple vpn connections that all provide the same subnet (10.8.8.x in this case)". A few options might exist though:

• Try another provider that issues multiple subnets
• Request multiple subnets from existing provider
• Ask on the forums if there's a hack you can apply locally to work-around the issue...

 

[eibgrad]

Does that mean that the only way for me to have more than 2 VPNs would be to subscribe with another VPN service provider and hope that they use different ports?

The issue is NOT ports. It's IP addressing.

A fundamental principle of the IP protocol is that every device must have a unique IP, and therefore no two networks can share the same IP network/subnet. If that ever happens, you've created a routing conflict. The routing system is left w/ more than one path to a given device/network, so what is it supposed to do at that point?

IOW, for any given device/network, there *must* be one and only one path to it in the routing table. But anytime you're dealing w/ multiple, concurrent OpenVPN connections (same or different OpenVPN provider), you risk the possibility of having each connection attempting to use the same IP network over the tunnel. And then you have a routing conflict. Yaz was suggesting that you use different protocols (tcp vs. udp) when dealing w/ the same OpenVPN provider in the *hope* they happen to use different IP networks for each protocol. But that's not necessarily the case. That's just getting lucky if it happens to be true.

And there's no way around the problem. No special hacks. If it was your *own* OpenVPN servers, you'd obviously make sure to not let this happen. But when dealing w/ commercial OpenVPN providers and *their* servers, you don't have any such control, so this always remains a risk. That's why supporting multiple, concurrent OpenVPN connections using the router can be tricky. Things get considerably more complicated under such circumstances. You can't just blindly assume it will all work. YOU have to take the trouble to make sure this doesn't happen!

 

[JoeBee]

The issue is NOT ports. It's IP addressing.

A fundamental principle of the IP protocol is that every device must have a unique IP, and therefore no two networks can share the same IP network/subnet. If that ever happens, you've created a routing conflict. The routing system is left w/ more than one path to a given device/network, so what is it supposed to do at that point?

IOW, for any given device/network, there *must* be one and only one path to it in the routing table. But anytime you're dealing w/ multiple, concurrent OpenVPN connections (same or different OpenVPN provider), you risk the possibility of having each connection attempting to use the same IP network over the tunnel. And then you have a routing conflict. Yaz was suggesting that you use different protocols (tcp vs. udp) when dealing w/ the same OpenVPN provider in the *hope* they happen to use different IP networks for each protocol. But that's not necessarily the case. That's just getting lucky if it happens to be true.

And there's no way around the problem. No special hacks. If it was your *own* OpenVPN servers, you'd obviously make sure to not let this happen. But when dealing w/ commercial OpenVPN providers and *their* servers, you don't have any such control, so this always remains a risk. That's why supporting multiple, concurrent OpenVPN connections using the router can be tricky. Things get considerably more complicated under such circumstances. You can't just blindly assume it will all work. YOU have to take the trouble to make sure this doesn't happen!

Hi thanks for your reply, I was just curious rather then start a new thread with a similar issue I just wanted to confirm using 2 commercial VPN providers on the Asus router (86u) basically is not going to work right ?

Just like ts I had issues with running 2 commercial VPN providers (Express/Nord) my Asus router would jam up and freeze after 1-2 days time requiring a reboot, I do have the alternative option of just making things easier and install the VPN app on the device I require so I can use the 2nd VPN provider and just have Clearnet run on it via policy routing to obtain fuller speeds though, but just wished to double check this.