That option is not available if you select “All”.
If you prefer to route all LAN traffic through the VPN, selecting “Policy Rules” or “Policy Rules (Strict)” also displays the “Block routed clients if tunnel goes down” option. Enabling it blocks LAN traffic from traversing to the WAN interface if the VPN tunnel goes down, so the routed clients lose connectivity rather than silently falling back to the unencrypted WAN connection.
To enable the Policy Rules feature in Asuswrt-Merlin firmware, set “Redirect Internet traffic” to “Policy Rules” or “Policy Rules (Strict)” in the OpenVPN Client screen.
Policy Rules (Strict) mode takes additional steps to ensure there aren’t any extra routes that could bypass the VPN tunnel: it only allows routes that specifically target the VPN tunnel’s network interface into the client’s routing table. Policy Rules (Strict) is the preferred setting.
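To make the difference between the two modes concrete, here is an added example (written for this guide, not Asuswrt-Merlin’s own vpnrouting script) that models how the main routing table is copied into a VPN client’s table. The interface name tun11 (OpenVPN client 1), the tunnel gateway 10.8.0.5, the WAN device eth0 and the sample `ip route` lines are constructed assumptions for the demo. In non-strict mode a static route that points at the WAN device is copied along with everything else, so traffic to that prefix bypasses the tunnel; in strict mode only routes on the tunnel interface survive.

```python
"""Illustration of Policy Rules vs. Policy Rules (Strict) route filtering.

Added example, not Asuswrt-Merlin code. Interface names, gateway and the
sample routing table below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip route show` on the router's main table (assumed).
# 198.51.100.0/24 is a static route out the WAN device that would let traffic
# to that prefix bypass the tunnel if it were copied into the VPN table.
SAMPLE_MAIN_TABLE = """\
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
198.51.100.0/24 via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
"""


@dataclass(frozen=True)
class Route:
    dst: str                  # "default" or a CIDR prefix
    dev: str                  # outgoing interface
    via: Optional[str] = None  # gateway, if the route has one

    def __str__(self) -> str:
        via = f" via {self.via}" if self.via else ""
        return f"{self.dst}{via} dev {self.dev}"


def parse_ip_route(output: str) -> List[Route]:
    """Pull dst, via and dev out of each `ip route show` line."""
    routes = []
    for line in output.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(fields[0], dev, via))
    return routes


def build_vpn_table(main_routes: List[Route], tun_if: str, tun_gw: str,
                    strict: bool) -> List[Route]:
    """Build the per-client VPN routing table from the main table.

    Non-strict: copy every route except the WAN default, then add a default
    route through the tunnel. Strict: copy only routes whose outgoing
    interface is the tunnel itself, then add the tunnel default route.
    """
    table = []
    for r in main_routes:
        if r.dst == "default":
            continue  # the WAN default is replaced by the tunnel default
        if strict and r.dev != tun_if:
            continue  # strict: drop anything not on the tunnel interface
        table.append(r)
    table.append(Route("default", tun_if, tun_gw))
    return table


def bypass_routes(table: List[Route], wan_if: str) -> List[Route]:
    """Routes in a VPN table that would send traffic out the WAN device."""
    return [r for r in table if r.dev == wan_if]


if __name__ == "__main__":
    main = parse_ip_route(SAMPLE_MAIN_TABLE)
    for mode in (False, True):
        table = build_vpn_table(main, "tun11", "10.8.0.5", strict=mode)
        print("Policy Rules (Strict)" if mode else "Policy Rules")
        for r in table:
            print("  ", r)
        print("   WAN bypass routes:", [str(r) for r in bypass_routes(table, "eth0")])
```

Running it shows the non-strict table still carrying the 198.51.100.0/24 and 203.0.113.0/24 routes via eth0, while the strict table contains only the tunnel subnet and the tunnel default route. On a real router, `ip route show table ovpnc1` (after enabling the client) is the place to look for any route whose `dev` is not the tunnel interface.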
Once you enable Policy Rules, a new section appears below where you can add routing rules. “Source IP” is a local LAN client device, such as a laptop or mobile phone. “Destination” is a remote server on the Internet; the field can be left empty, or set to 0.0.0.0, to signify any IP address. You can also specify a whole subnet in CIDR notation, for example 74.125.226.112/30.
A common configuration where you want your entire LAN to go through the VPN, but not the router itself:
Code:
LAN_IPs 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN
“Accept DNS Configuration” set to “Disabled”
The disadvantage of setting “Accept DNS configuration” to “Exclusive” is that DNSMASQ is bypassed: clients’ DNS queries go exclusively to the VPN provider’s DNS servers. The popular Diversion ad blocker, written for the Asuswrt-Merlin firmware, therefore does not work in this mode, since Diversion requires the features of DNSMASQ. Diversion does work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet traffic” to “All”.
My preferred setting is to set “Accept DNS Configuration” to “Disabled” and install Stubby DNS over TLS. Stubby DNS over TLS will encrypt DNS queries for all devices on the network. This setting also allows the Diversion ad blocker to work over the VPN tunnel.