Valid Name
New Around Here
Hi all,
I have recently installed ASUS Merlin on my AC68U router and have a few questions. This is my first ever exposure to this firmware and router configuration in general and have never previously done any router configuration at this level so please bear with me if I have missed something.
I am using a VPN provider and have configured the OpenVPN (client instance 3) as per below screenshot:
Custom Configuration section has the below settings:
I have a device with static IP on the network and I want to avoid VPN connection to this device only for certain external IPs so I have created the following rules for OpenVPN Client instance 3:
The contents of /tmp/etc/openvpn/fw/client3-dns.sh are
Where 10.x.x.x is my VPN provider's DNS server
Below are the contents of /jffs/scripts/nat-start
Basically, the two mobile devices already have a proprietary OpenVPN client application installed and I want to bypass the OpenVPN connection on my router completely as I think it is not needed and there might even be a performance overhead(?).
What I've noticed is that if edit the below line in nat-start file
and change it to
The mobile devices are unable to access Internet at all if I leave the protocol option to all. Even when I have tcp protocol selected and access dnsleaktest.com, my VPN provider's IP configured in the router is shown on the page indicating that traffic is still getting routed through the VPN provider configured in the router. The OpenVPN client on the mobile is using a different VPN IP to the OpenVPN client on the router so I expected the IP of mobile's OpenVPN client will be shown here instead. Is my assumption correct? How can I completely bypass the OpenVPN client on my router just for two specific mac addresses and ensure that there are no DNS leaks through my router?
Another question:
I also have to use a VPN connection (through FortiClient VPN client) on Mac/Windows computers to connect to my work network. I have noticed that when I am connected to my work network form home using my router's internet connection, I get a DNS leak. Is DNS leak avoidable at all when connected to my work VPN through my router?
There are only a few resources I access when connected to work VPN so I am happy to access them using IP address directly instead of their NETBIOS or FQDN hostnames. If someone has any ideas/workarounds to avoid DNS leak while connected to my work VPN, please let me know.
Lastly, I also have Skynet blocking lists configured on a 4 GB USB Drive with a 256 MB swap file. Is 256 MB a good swap size, should I increase it for any reasons such as performance
Thanks in advance.
Regards,
I have recently installed ASUS Merlin on my AC68U router and have a few questions. This is my first ever exposure to this firmware and router configuration in general and have never previously done any router configuration at this level so please bear with me if I have missed something.
I am using a VPN provider and have configured the OpenVPN (client instance 3) as per below screenshot:
Custom Configuration section has the below settings:
Code:
remote-random
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
remote-cert-tls server
pull
fast-io
The contents of /tmp/etc/openvpn/fw/client3-dns.sh are
Code:
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN3
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -I DNSVPN3 -s 192.168.1.200 -j RETURN
/usr/sbin/iptables -t nat -A DNSVPN3 -s 192.168.1.0/24 -j DNAT --to-destination 10.X.X.X
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN3
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN3
Where 10.x.x.x is my VPN provider's DNS server
Below are the contents of /jffs/scripts/nat-start
Code:
#!/bin/sh
sleep 10 # During the boot process nat-start may run multiple times so this is required
# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
ip rule del prio 999$VPN_ID 2>/dev/null
done
# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN 3 fwmark
# Allow mobile mac addresses to bypass the VPN Client
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000
Basically, the two mobile devices already have a proprietary OpenVPN client application installed and I want to bypass the OpenVPN connection on my router completely as I think it is not needed and there might even be a performance overhead(?).
What I've noticed is that if edit the below line in nat-start file
Code:
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -j MARK --set-mark 0x8000/0x8000
Code:
iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source XX:XX:XX:XX:XX:XX -p all -j MARK --set-mark 0x8000/0x8000
The mobile devices are unable to access Internet at all if I leave the protocol option to all. Even when I have tcp protocol selected and access dnsleaktest.com, my VPN provider's IP configured in the router is shown on the page indicating that traffic is still getting routed through the VPN provider configured in the router. The OpenVPN client on the mobile is using a different VPN IP to the OpenVPN client on the router so I expected the IP of mobile's OpenVPN client will be shown here instead. Is my assumption correct? How can I completely bypass the OpenVPN client on my router just for two specific mac addresses and ensure that there are no DNS leaks through my router?
Another question:
I also have to use a VPN connection (through FortiClient VPN client) on Mac/Windows computers to connect to my work network. I have noticed that when I am connected to my work network form home using my router's internet connection, I get a DNS leak. Is DNS leak avoidable at all when connected to my work VPN through my router?
There are only a few resources I access when connected to work VPN so I am happy to access them using IP address directly instead of their NETBIOS or FQDN hostnames. If someone has any ideas/workarounds to avoid DNS leak while connected to my work VPN, please let me know.
Lastly, I also have Skynet blocking lists configured on a 4 GB USB Drive with a 256 MB swap file. Is 256 MB a good swap size, should I increase it for any reasons such as performance
Thanks in advance.
Regards,