Problem using OpenVPN client with "Redirect Internet traffic"

NodCom

Hello!

I have a problem with my Asus RT-N66U router running the latest stable Merlin-build. It is related to the OpenVPN function known as "Redirect Internet Traffic" when it is set to "Policy rules". I want to run my anonymising VPN for all but one computer in the network, my server machine. However, as soon as I apply the "Policy rules" option, the router stops tunneling all VPNs and just directs them all directly to WAN.

I doubt this is the issue, but the "Policy rules" setting called "Iface", it should be set to WAN for the IP I want to be forwarded to WAN, right?
 
By default everything goes through the WAN. In your case, you will need a rule for the whole subnet to go through the VPN, and two rules for the router and that specific computer to route through the WAN.

Make sure you read the documentation on how policy rules work.
 
Thank you for the response! Where would I find the documentation explaining my case? I did a lot of searching the web before coming here, without any results I am afraid. :(
 
It's in the README included with the firmware.
 
For the 192.168.1.1-192.168.1.254 range, do this: all traffic goes to the VPN except for 1 computer, which goes to the WAN (local ISP).
Let's assume your server PC is 192.168.1.50.

Source IP 192.168.1.0/24, destination IP 0.0.0.0, Iface VPN
Source IP 192.168.1.50, destination IP 0.0.0.0, Iface WAN
 
He only needs 2 rules: one for all the traffic to the VPN and one for the specific server PC to go to the WAN.
Can you explain where the 3rd rule kicks in?
 
If you have anything running on your router that uses Internet access. For example if you use Download Master.
 
So how would you set up a rule for download manager to use the VPN?

If you are already routing the whole subnet through it (as my suggestion), then you don't need any additional rule, as your router's IP is within that subnet.
 
I understand, but for people who use a limited subnet, for example 192.168.1.80/28, for VPN, it would be really nice to know how to set up download manager through the VPN only. Is there a way?
Also, is there any way of testing the policy route to make sure that the download manager is actually on the VPN and not on the local ISP?
 
The router is just the same as any other client, with its own IP (typically 192.168.1.1). Just add a rule for 192.168.1.1 then if your VPN subnet doesn't include that IP already.
 
Thank you for all the information. I found the documentation, but I am not sure I understand it. I am not too good at networking.

If I change my question: How would I, step by step, exclude a single IP (or specific ports, if that's doable) from all VPN traffic?

I have my home server running some things such as Mumble, and I need people from the outside of my LAN to be able to connect to it, while the other clients in my LAN are:
A. Routed through the VPN and
B. Can still access the server through the local LAN.
 
You need these rules, assuming router is 192.168.1.1, and server is 192.168.1.100.

Code:
From -> To -> Iface
192.168.1.0/24 -> 0.0.0.0 -> VPN
192.168.1.1    -> 0.0.0.0 -> WAN
192.168.1.100  -> 0.0.0.0 -> WAN

You cannot control it by port, only by IP. Doing so by port requires a lot of manual scripting.
 
Thank you! This seems to have done the trick!

While trying to understand the logic behind these, the first two rules, what do they specifically say? The third is clearly saying to route server to WAN directly, but why are the former two needed for it to work?

Also, I have not worked with subnets before, but I assume the first row is related to that somehow, going by previous posts in this thread?

Thanks again for the help. I appreciate it a lot!
 
When you enable policy-based routing, the default policy is to route everything through the WAN. So, you need this rule to route the whole network through VPN:

Code:
192.168.1.0/24 -> 0.0.0.0 -> VPN

To understand this subnet definition, check Wikipedia or other web resources on CIDR notation. What this says above is to route 192.168.1.1 through 192.168.1.254 through the VPN.

Then, you need exceptions (WAN rules always get applied after VPN rules, which allows them to override the VPN rules).

Keep the router going through WAN (to avoid potential issues):

Code:
192.168.1.1    -> 0.0.0.0 -> WAN

And keep the NAS through WAN as well:

Code:
192.168.1.100  -> 0.0.0.0 -> WAN
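
The rule semantics described in this thread (default WAN, then VPN rules, then WAN rules applied last) can be modelled to predict which hosts bypass the tunnel, including the limited 192.168.1.80/28 case raised earlier. This is an added example, not the firmware's code; it assumes 0.0.0.0 in the destination column means "any destination", and the probe destination and the names used are constructed for illustration.

```python
import ipaddress

# Rule tables in the thread's "From -> To -> Iface" form.
RULES_FULL = [
    ("192.168.1.0/24", "0.0.0.0", "VPN"),
    ("192.168.1.1",    "0.0.0.0", "WAN"),   # router
    ("192.168.1.100",  "0.0.0.0", "WAN"),   # server
]
# Limited-subnet case from the thread: only .80-.95 use the VPN.
RULES_LIMITED = [("192.168.1.80/28", "0.0.0.0", "VPN")]


def _net(spec):
    # Assumption: "0.0.0.0" in a rule column means "any address".
    if spec == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def egress(rules, src, dst="203.0.113.10"):
    """Return "VPN" or "WAN" for traffic from src to dst (dst is a constructed probe)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = "WAN"  # default policy once policy rules are enabled
    # VPN rules are evaluated first and WAN rules last, so a matching
    # WAN rule overrides a matching VPN rule regardless of list order.
    for phase in ("VPN", "WAN"):
        for frm, to, iface in rules:
            if iface == phase and s in _net(frm) and d in _net(to):
                result = phase
    return result


def wan_hosts(rules, hosts):
    """Hosts whose traffic would leave via the ISP instead of the tunnel."""
    return [h for h in hosts if egress(rules, h) == "WAN"]


if __name__ == "__main__":
    lan = ["192.168.1.1", "192.168.1.50", "192.168.1.85", "192.168.1.100"]
    print("full table, via WAN:   ", wan_hosts(RULES_FULL, lan))
    print("limited table, via WAN:", wan_hosts(RULES_LIMITED, lan))
    # Router services (e.g. Download Master) only use the VPN in the
    # limited case once the router's own IP gets a VPN rule.
    fixed = RULES_LIMITED + [("192.168.1.1", "0.0.0.0", "VPN")]
    print("router after fix:      ", egress(fixed, "192.168.1.1"))
```

This only predicts the outcome of a rule table; confirming the live path still means checking the public IP seen from each host.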
 
