RT-AC86U refuses to connect to internet (384.7_2) with more than 1 client VPN

[redcat]

Hi all,

If I define more than 1 VPN client RT-AC86U refuses to connect to internet (384.7_2). If I only define 1 it works. The VPN provider used is nordvpn

Client 1 (all confi. are in default except the following)
Automatic start at boot time: Yes
Service state: ON
Description: UK_VPN_UDP
Accept DNS Configuration: Strict
Username/Password Authentication: Yes
Username: XXX
Password: XXX
Username / Password Auth. Only No
Redirect Internet traffic: Policy rules (strict)
Block routed clients if tunnel goes down: Yes

Rules for routing client traffic:
Description: ALL
Source IP: 192.168.1.0/24
Iface: VPN


The other clients will have similar confi. expect the following:

Client 2
Automatic start at boot time: No
Service state: OFF
Description: FR_VPN_UDP

How can I solve this issue any help would be apreciated.

 

[Martineau]

Hi all,

If I define more than 1 VPN client RT-AC86U refuses to connect to internet (384.7_2). If I only define 1 it works. The VPN provider used is nordvpn

Client 1 (all confi. are in default except the following)
Automatic start at boot time: Yes
Service state: ON
Description: UK_VPN_UDP
Accept DNS Configuration: Strict
Username/Password Authentication: Yes
Username: XXX
Password: XXX
Username / Password Auth. Only No
Redirect Internet traffic: Policy rules (strict)
Block routed clients if tunnel goes down: Yes

Rules for routing client traffic:
Description: ALL
Source IP: 192.168.1.0/24
Iface: VPN


The other clients will have similar confi. expect the following:

Client 2
Automatic start at boot time: No
Service state: OFF
Description: FR_VPN_UDP

How can I solve this issue any help would be apreciated.

asus merlin - vpn - only first client instance works

 

[redcat]

Thanks for the help. The first VPN client is a software version restriction? or will never be possible?

Would be possible to do something like this using the router:

Let say that I have 5 VPN clients I simply want that the router jump from 1 client to another after a time interval. And if the tunnel goes down it apply the kill switch. This is a basic function performed by some VPN software like ipvanish. Would this be possible to do in the router?

 

[Martineau]

Thanks for the help. The first VPN client is a software version restriction? or will never be possible?

Would be possible to do something like this using the router:

Let say that I have 5 VPN clients I simply want that the router jump from 1 client to another after a time interval. And if the tunnel goes down it apply the kill switch. This is a basic function performed by some VPN software like ipvanish. Would this be possible to do in the router?

If you read the solution description link, it will tell you how to achieve what you want via the GUI.

However, if you want to only have the kill switch applied when the ACTIVE VPN Client goes DOWN then you will need to use an openvpn-event trigger script see Wiki e.g. User script openvpn-event

 

[redcat]

Martineau thank you for the help but I still dont understand what to do. I am newby regarding routers.

Where is description link? Is the one int he previous post? If so I read it but still dont understand what to do.

 

[Martineau]

Martineau thank you for the help but I still dont understand what to do. I am newby regarding routers.

Where is description link? Is the one int he previous post?

Yes

​

so I read it but still dont understand what to do.

So you don't understand this post?
Confused as to how to make the kill switch work

 

[redcat]

Can you just confirm if this is ok (if so other users may also be interested)?
Config for NordVPN and assuming that LAN prefix is 192.168.1

For what I understand what I need to do is this.
In this case the following options (at red and particularly those at blue) of the client’s are correct?

Client 1 (all confi. are in default except the following)
Service state: YES
Automatic start at boot time: Yes
Description: UK1_VPN_UDP
Accept DNS Configuration: Strict
Username/Password Authentication: Yes
Username: XXX
Password: XXX
Username / Password Auth. Only No (apply to NordVPN but others might be different)
Redirect Internet traffic: Policy rules (strict)
Block routed clients if tunnel goes down: NO
Rules for routing client traffic:
Description: Router Source IP: 192.168.1.1 Iface: wan
Description: ALL Source IP: 192.168.1.0/24 Iface: VPN


Clients 2 to 4
Service state: YES
Automatic start at boot time: NO
Description: UK2_VPN_UDP _ UK4_VPN_UDP
Accept DNS Configuration: Strict
Username/Password Authentication: Yes
Username: XXX
Password: XXX
Username / Password Auth. Only No (apply to NordVPN but others might be different)
Redirect Internet traffic: Policy Rules (strict)
Block routed clients if tunnel goes down: NO
Rules for routing client traffic:
Description: Router Source IP: 192.168.1.1 Iface: wan
Description: ALL Source IP: 192.168.1.0/24 Iface: VPN


Client 5
Service state: YES
Automatic start at boot time: NO
Description: UK5_VPN_UDP
Accept DNS Configuration: Strict
Username/Password Authentication: Yes
Username: XXX
Password: XXX
Username / Password Auth. Only No (apply to NordVPN but others might be different)
Redirect Internet traffic: Policy Rules (strict)
Block routed clients if tunnel goes down: YES
Rules for routing client traffic:
Description: Router Source IP: 192.168.1.1 Iface: wan
Description: ALL Source IP: 192.168.1.0/24 Iface: VPN

Questions
1) Any Aditionall setting should be set?

2) Those at red and blue are correct?

3) Can I put the Service state to NO (OFF) and it will work anyway? this is important because of this:
Let say that I have 3 licenses to use in 3 devices from a VPN provider. I will be able to define 5 clients in the router? That is each client accounts needs a license or only 1 license independent of the number of clients defined?

 

[wesbez]

Try this. Instead of policy rules being strict. Just change it to policy rules. Enter your details provided to you by your vpn service. Check if they have OPENVPN file you can upload via the webUI. Here is a really good tutorial for selective routing through the vpn. Read it.

I don’t know why you need it to change vpn servers if one goes down. This just doesn’t happen with decent VPN servers. What is your use case? Read the other links you’ve been provided for what you’re trying to achieve. (The link below doesn’t include that)

https://www.vpnuniversity.com/routers/use-selectivepolicy-routing-kill-switch-asuswrt-merlin

 

[redcat]

Thanks wesbez but what is in that site is the same as here (here is in more detail). And for what I have read is better to use policy rules strict insted only policy rules.

 

[wesbez]

That’s why I said the other links that were provided to you will give you the info you need. I wanted to know your use case.

 

[Martineau]

I don’t know why you need it to change vpn servers if one goes down. This just doesn’t happen with decent VPN servers. What is your use case?

Back in Jan. 2016 I posted a script and .bat file for an OP who observed VPN server throughput/performance degradation.

As you state, modern VPN endpoints rarely fail, but everyone knows that finding a VPN server that isn't oversubscribed can be a challenge, and a follow-the-sun strategy can sometimes work i.e. if using say US East coast VPN servers, then as everyone wakes up in NY, then switch to West coast LA servers etc.

 

[redcat]

Martineau, can you please comment regarding the questions in post 7?

 

[Martineau]

Martineau, can you please comment regarding the questions in post 7?

@redcat
Did you try the solution?

 

[redcat]

Yes I try and it seems to be working I just have those doubts (questions)...

I dont know how to test the system in case the tunnel goes down...

I also get a message regarding VPN password. I supposed it was because I was using more clients than licences.

Assuming that each cliente use one VPN licence is that true? Or the five clientes only use one licence (one at a time when they jump from one to other cliente)?

 

[CaptainSTX]

Yes I try and it seems to be working I just have those doubts (questions)...

I dont know how to test the system in case the tunnel goes down...

I also get a message regarding VPN password. I supposed it was because I was using more clients than licences.

Assuming that each cliente use one VPN licence is that true? Or the five clientes only use one licence (one at a time when they jump from one to other cliente)?

While you can have multiple clients active with many VPN providers if your plan permits this, the catch is you can only have one VPN client active on your router unless your VPN provider also makes it possible to use different ports. Some VPN providers offer options for different ports however each port usually has different encryption, auth hash and Root CA. Not all of these options will be started using your router's firmware.