
Split tunnelling on RT AC86U 386.2.2 Merlin


So if I simply set policy rules ON, all traffic goes to the WAN, ignoring the VPN completely. Then I just have to explicitly send stuff down the VPN, address by address. Is that correct?
No other config required?

And Tech 9's configuration?

The simplest configuration:
Network 192.168.1.1/24 0.0.0.0 VPN - all devices through VPN
Router 192.168.1.1 0.0.0.0 WAN - exclude router from VPN
My_PC 192.168.1.x 0.0.0.0 WAN - device X through WAN

This will also work? Sorry to be such a pain, but I'm still not sure I understand...

Cheers Now....
Graham.
 
One more question. I notice Merlin is using OpenVpn 2.5. I spoke to Express, who currently only support 2.4. Is 2.5 backward compatible? I read what I could find, it looks like there may be problems running 2.5 against 2.3, but it IS compatible with 2.4. Is that correct? Anyone have any experience of this?
2.5 is fully backward compatible with even 2.3 (and possibly older). It works fine with NordVPN, it's actually the VPN provider I use for my VPN client testing. The NordVPN client on my development RT-AC66U_B1 has been connected since the last router reboot 3 days ago.
 
Hi RMerlin. Now we're off on another thread. I recently upgraded from an RT-N66U to an RT-AC86U, on advice from NordVPN support, because it didn't support 2.4 and would not connect to a lot of their UK servers which they were upgrading to 2.4, and when it DID connect, VPN was slow, 4-5 Mbps, and they told me that was because it had no hardware support for the latest decrypting. That was on stock Asus firmware. Is that correct? If I'd booted up from Merlin, would it have been better?

Cheers Now....
Graham.
 
Then I just have to explicitly send stuff down the VPN, address by address. Is that correct?

Only if you like your keyboard too much. Please, read @Xentrk's explanation. I had never seen the Asuswrt-Merlin VPN implementation before and made it work in a few minutes. If you have only a few clients using the VPN, list them one by one. If you have only a few clients using the WAN, push the entire network to the VPN first and exclude the WAN clients one by one afterwards. Here is another good explanation by @RMerlin, he made it so easy:

 

Well, I gotta be honest, I found pretty much every explanation here confusing in one way or another, very much like the actual Merlin configuration page. You all obviously understand it easily and very well, so it must be me.
I can see the logic in pointing a complete subnet at the vpn, and then pointing various exceptions towards the WAN, as in your example, but why, when the RMerlin article states

"The "Iface" field (short for Interface) lets you determine if matching traffic should be sent through the VPN tunnel or through your regular Internet access (WAN). This allows you to define exceptions (WAN rules being processed before the VPN rules).

By default, all traffic will go through the WAN. What you define there with a VPN iface will be routed through the VPN. Use the WAN Iface to configure exceptions to configured VPN rules (for instance, if you configure a /24 to be routed through the VPN, but want one IP within that /24 to be routed through the WAN instead)."

So if all traffic goes through the WAN by default, why point the whole subnet at the vpn then point some addresses back towards the WAN? Why not just point the addresses you want to vpn at the vpn interface?
All that said, you've convinced me it must work, so I'll maybe give it another go.
 
Make sure your other firmware settings don't interfere with what you are trying to do. The router I have is used for tests only and it's always "fresh", original Asuswrt or Asuswrt-Merlin. I'm under the impression many folks around start with an underlying issue and run into problems afterwards.
 
Why not just point the addresses you want to vpn at the vpn interface?
It depends on how many addresses you want to go through the VPN, whether the addresses are contiguous and how easy it is to represent them (e.g. 192.168.1.224/27). Sometimes it's simpler (i.e. fewer rules) to do it one way rather than the other. It depends on each person's use case.
 
VPN was slow, 4-5mbps, and they told told me that was because it had no hardware support for the latest decrypting.
If you use any AES-based cipher, then they're incorrect, it does have hardware AES support (and even if it didn't, that CPU can handle around 50-70 Mbps without too much trouble).

Such a low rate indicates a problem somewhere. Disable QoS if you had that enabled, and test with a local server.
 
The 4-5Mbps statement was against an N66, so probably pretty close in the real world.
Gotcha, I thought he was referring to the RT-AC86U.

I vaguely remember getting around 20-22 Mbps on the RT-N66U back then, after I had done extensive optimizations to both OpenSSL and OpenVPN. Most of these optimizations should also be included in the stock firmware now (a huge one was when I backported the ASM optimizations from 1.0.2 on top of the version Asus were using back then). So I'd expect all of these firmwares (stock/Merlin/John) to have nearly identical OpenVPN performance.

That was however with AES-128-CBC. 256-bit or stronger HMAC would have a significant performance impact on that.
 
Here are my actual test results that I had stored in Onenote.

Code:
=== 3.0.0.4.270.24:
AES-128-CBC [152]    0.0-30.0 sec  69.9 MBytes  19.5 Mbits/sec
=== 3.0.0.4.270.25 (with openvpn + openssl + lzo optim):
AES-128-CBC [152]  0.0-30.0 sec  79.5 MBytes  22.2 Mbits/sec

=== 3.0.0.4.374_32:
AES-128-CBC             0.0-30.0 sec  84.8 MBytes  23.7 Mbits/sec
=== 3.0.0.4.374.33_Alpha2 (with mips32r2)
AES-128-CBC             0.0-30.1 sec  93.8 MBytes  26.1 Mbits/sec
 
I did a full "factory" reset on my RT-AC68U and cannot get the VPN to show me the "policy rules" on "Force Internet traffic through tunnel". I reloaded the RT-AC68U_386.2_2 and did another factory reset. Same thing. The VPN connects fine but I only have the option of "on" or "off" for internet redirect. I only want my media machines to use the VPN.
 
You must be using a TUN interface to have Policy Rules.
 
It depends on how many addresses you want to go through the VPN, whether the addresses are contiguous and how easy it is to represent them (e.g. 192.168.1.224/27). Sometimes it's simpler (i.e. fewer rules) to do it one way rather than the other. It depends on each person's use case.
So, one way or another, I got split tunnelling working, I think. If I set the whole subnet to use the VPN, can I simply point individual IP addresses at the WAN (i.e. 192.168.1.100)? Yes?
I've still had to go back to stock Asus firmware, as I found that although split tunnelling was working, i.e. my address was in the UK, my DNS was exposed when set to "Relaxed". If I set it to "Strict" or "Explicit", DNS was hidden but devices on the LAN complained of no internet connection. This seemed more apparent with ExpressVPN than with Nord. Is this a known issue? Is there a way around it?
 
@Grommit

I have 3 VPN tunnels setup on an AC86U and it is very reliable.

To use split tunnel with Asuswrt-Merlin and to avoid DNS leaks, you should select the following for each VPN client configuration:

- Set option "Accept DNS Configuration" to "Exclusive"
- Set option "Force Internet traffic through tunnel" to "Policy rules (strict)"
- Set option "Block routed clients if tunnel goes down" to "Yes"
- Add clients you want to be routed through the tunnel.
- Set "Destination IP" to 0.0.0.0 for each client.

DNS provided by the VPN server is used for all clients you select to be routed through the specific VPN client connection.
 
Hi Alfsu. Thanks for the reply. The clients I want to add to be routed through the tunnel: can I just use a simple IP address, i.e. 192.168.1.10 etc.? Or must it be in CIDR format? I ask because I'm fairly sure I tried the config you're suggesting, but I can't be sure because I've tried so many.
 
One IP address per client, yes, that is the most used approach.
You could also, however, use CIDR as long as you are grouping the IP addresses of the devices you want tunnelled (via DHCP static assignments). Adding one tunnel client with IP address 192.168.1.64/26 to the list will route any device having its IP address in that range (192.168.1.64 - 127).
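The rule-ordering semantics quoted from RMerlin's article (WAN rules are processed before VPN rules, and unmatched traffic stays on the WAN), RMerlin's point about contiguous address blocks a few posts up, and the 192.168.1.64/26 example just above can all be checked with a small model. The following Python is an added example, not firmware code from Asuswrt-Merlin: it evaluates a rule list the way the thread describes, counts how many rule-table entries each approach needs for the same set of clients, and shows the range a CIDR entry covers. The LAN addresses, rule labels and helper function names are constructed for illustration; the firmware itself implements this with routing tables, not with this code.

```python
# Added example (not Asuswrt-Merlin code): a model of the policy-rule
# semantics described in this thread, used to compare the two approaches.
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Rule(NamedTuple):
    desc: str                        # free-text label, as in the router's rule table
    source: ipaddress.IPv4Network    # one client (/32) or a CIDR block
    iface: str                       # "WAN" or "VPN"


def make_rule(desc: str, source: str, iface: str) -> Rule:
    # strict=False so an entry written host-style, e.g. "192.168.1.1/24",
    # is taken as the whole /24 instead of being rejected.
    return Rule(desc, ipaddress.ip_network(source, strict=False), iface.upper())


def resolve_iface(rules: Iterable[Rule], client_ip: str) -> str:
    """Return the interface a client's Internet traffic would take.

    Modelled behaviour: WAN rules are processed before VPN rules, so a WAN
    exception wins regardless of its position in the list, and a client
    matched by no rule stays on the WAN.
    """
    ip = ipaddress.ip_address(client_ip)
    for wanted in ("WAN", "VPN"):
        for rule in rules:
            if rule.iface == wanted and ip in rule.source:
                return wanted
    return "WAN"


def cidr_host_range(cidr: str) -> Tuple[str, str]:
    """First and last address a CIDR entry covers, e.g. 192.168.1.64/26."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def lan_hosts_except(lan: str, *excluded: str) -> List[str]:
    """All usable host addresses of a LAN except the ones given (constructed helper)."""
    return [str(a) for a in ipaddress.ip_network(lan, strict=False).hosts()
            if str(a) not in excluded]


def vpn_only_rules(vpn_hosts: Iterable[str]) -> List[Rule]:
    """Approach A: list the VPN clients, merged into the fewest CIDR entries."""
    nets = [ipaddress.ip_network(h) for h in vpn_hosts]
    return [Rule(f"vpn {n}", n, "VPN") for n in ipaddress.collapse_addresses(nets)]


def vpn_with_wan_exceptions(lan: str, vpn_hosts: Iterable[str]) -> List[Rule]:
    """Approach B: whole LAN to the VPN, then WAN exceptions for everything else."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    on_vpn = {ipaddress.ip_address(h) for h in vpn_hosts}
    wan_nets = [ipaddress.ip_network(str(a)) for a in lan_net.hosts() if a not in on_vpn]
    rules = [Rule("Network", lan_net, "VPN")]
    rules += [Rule(f"wan {n}", n, "WAN") for n in ipaddress.collapse_addresses(wan_nets)]
    return rules


def rule_counts(lan: str, vpn_hosts: Iterable[str]) -> Dict[str, int]:
    """How many rule-table entries each approach needs for the same outcome."""
    hosts = list(vpn_hosts)
    return {
        "vpn_only": len(vpn_only_rules(hosts)),
        "vpn_plus_wan_exceptions": len(vpn_with_wan_exceptions(lan, hosts)),
    }


def demo() -> None:
    # Constructed LAN: everything but the router and one PC should use the tunnel.
    lan, router, my_pc = "192.168.1.0/24", "192.168.1.1", "192.168.1.50"
    simplest = [  # the three-line configuration quoted in the thread
        make_rule("Network", "192.168.1.1/24", "VPN"),
        make_rule("Router", router, "WAN"),
        make_rule("My_PC", my_pc, "WAN"),
    ]
    for ip in (router, my_pc, "192.168.1.77"):
        print(f"{ip:15} -> {resolve_iface(simplest, ip)}")
    print("almost everyone on VPN:", rule_counts(lan, lan_hosts_except(lan, router, my_pc)))
    # The opposite case: only two media boxes on the tunnel.
    print("two media boxes on VPN:", rule_counts(lan, ["192.168.1.10", "192.168.1.11"]))
    print("192.168.1.64/26 covers", cidr_host_range("192.168.1.64/26"))


if __name__ == "__main__":
    demo()
```

Running it shows the trade-off RMerlin describes: with the router and one PC excluded, "whole LAN to VPN plus WAN exceptions" needs 3 entries while listing the VPN clients directly needs 17 even after CIDR merging; with only two adjacent media boxes on the tunnel, a single 192.168.1.10/31 VPN entry does the job and the exception approach needs 16.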
 
The clients I want to add to be routed through the tunnel: I can just use simple ip address ie 192.168.1.10 etc?

Seems like you completely ignored RMerlin instructions and Xentrk examples. If you can't follow instructions no one can help you. :confused:
 
Not the case at all. I tried ALL ways. Nothing works. I configured as per RMerlin and Xentrk examples, and followed YOUR advice (Although I still don't understand it, if ALL traffic is routed through the WAN by default and WAN rules are actioned first, as per the documentation you say I'm unable to follow....)

The simplest configuration:
Network 192.168.1.1/24 0.0.0.0 VPN - all devices through VPN
Router 192.168.1.1 0.0.0.0 WAN - exclude router from VPN
My_PC 192.168.1.x 0.0.0.0 WAN - device X through WAN

the results were that the VPN DID segregate the traffic but my DNS leaked, and when I tried to stop the DNS leak by changing "Relaxed" to "Strict" or "Explicit", that was successful in stopping the DNS leak but LAN-side equipment reported no internet connection. I configured it lots of other ways too, nothing worked correctly. I rebooted the router lots of times, I defaulted to factory settings lots of times.
 
Alfsu, excellent. Your config works perfectly. Does exactly what it says on the tin, and it's logical, which is what I wanted. Thanks.
 
