Two concurrent VPN clients advice needed

[galanga]

Some background: (I’ve read quite a lot about how to do it, but still have a few questions – please see at the end…)

If it would work well, I would like to use 2 VPN clients (from 2 different VPN providers,
I’ve read doing it that way shouldn’t cause a conflict with routes or ports), so that torrenting by one
LAN client doesn’t affect the bandwidth of other LAN clients.
(which it currently does at times when using just one VPN client, and the wife isn’t pleased
when it affects her streaming service… )

I’m in Thailand, and want to both stream from US providers, as well
as have privacy and bypass any censorship, so I want *everything* going
thru a VPN – have been doing that fine so far with just one client - ExpressVPN
on my router), no issues with anything going thru the WAN.

I’ll be getting an AX88U, so I’m assuming there won’t be much overhead to actually using
2 clients due to hardware encryption, and that since the combination of both, even with both running at full “VPN speed”
won’t saturate my ISP bandwidth. Besides, bandwidth from Thailand to the US
is limited anyway…

Only one IP (Laptop) will be doing torrenting, so I assume that one should be put in
the 1st client spot, and the 2nd client spot would have every IP listed? i.e.

client 1:
Laptop 192.168.1.249 VPN
Router 192.168.1.1 WAN

Client 2:
All 192.168.1.0/24 VPN

Questions:

1. Is putting only ALL in the 2nd client correct? I assume Laptop should go thru the 1st client due to the order of client rules with client 1 having priority,
   and that client 2 would then handle *ONLY* everything not listed in client 1?
   Or… do I need to put every IP (ranges) into Client 2 -other than- the Laptop IP? Or some other configuration entirely?

1. Is putting the Router/WAN in Client 1 (and only in client 1?) correct? Is it required - why? I see it recommended, but I'm not sure exactly what it does...
   What implications for security (if any) does adding the Router to the WAN interface have?
   Could that allow something over the WAN that shouldn’t go?

1. Should the kill-switch be set for both clients? only client 1? only 2?
   I just want the normally expected behavior, so NO LAN client goes thru the WAN if a tunnel drops.
   (if for example, the Laptop should go thru Client 2 if client 1 goes down, that’s fine as long as it
   goes thru the VPN in client 2 and never thru the WAN…)
   
   
2. Will both VPN clients only go thru only one CPU? Or 2? If only one, any way to change that behavior?
   
   
3. One of my VPN providers (NordVPN) has 2 DNS servers, but when I use “Exclusive”, Doing a leak test,
   I do get a DNS server that is in the same NYC network that the VPN is exiting at, so it seems
   the DNS is going thru the VPN tunnel, but it’s not one of the 2 IP's that they gave me as their DNS servers…
   Is that ok? or is that still considered a “leak” ?
   I suspect those 2 servers they gave me are just for WAN clients, not the VPN, but I’m not sure…
   

Thanks!

 

[Martineau]

Is putting the Router/WAN in Client 1 (and only in client 1?) correct? Is it required - why? I see it recommended, but I'm not sure exactly what it does...

If the VPN is DOWN i.e. during the boot process before any VPN tunnel is established, how will the router retrieve the time (or access the DNS servers etc.) if it isn't allowed to use the WAN interface?

So it is probably best to also ensure the router is defined to use the WAN in VPN Client 2 given the 192.168.0.1/24 VPN rule.

Should the kill-switch be set for both clients? only client 1? only 2?
I just want the normally expected behavior, so NO LAN client goes thru the WAN if a tunnel drops.
(if for example, the Laptop should go thru Client 2 if client 1 goes down, that’s fine as long as it
goes thru the VPN in client 2 and never thru the WAN…)

KILL-Switch should only be enabled on VPN Client 2

Will both VPN clients only go thru only one CPU? Or 2? If only one, any way to change that behavior?

VPN Client CPU affinity is odd/even so in a dual-CPU router, VPN Clients 1,3 and 5 would use say CPU 0, and VPN Clients 2 and 4 would use CPU 1.

 

[eibgrad]

I don't understand the point of placing the router's *LAN* ip in PBR (policy based routing).

You can't treat the router like it was just another LAN device when it comes to PBR. The router is only using the LAN's network interface for the purposes of communicating w/ the LAN. For anything else that requires internet access, all the action occurs on the WAN's network interface! And when you use PBR, by definition, the router is taken off the OpenVPN client, and therefore always uses the WAN. That's the price you pay for using PBR!

Now if you decide you don't like this situation, say you have transmission running on the router and still want it routed over the VPN, despite PBR being active, then you would have to bind the transmission process (via its config file) to the *LAN* rather than (what is presumably the default) the WAN. NOW you can add the router's LAN ip to PBR because at least in this one respect, it *is* like any other LAN device on the network. Same would hold true for any other router processes similarly reconfigured.

 

[eibgrad]

If the VPN is DOWN i.e. during the boot process before any VPN tunnel is established, how will the router retrieve the time (or access the DNS servers etc.) if it isn't allowed to use the WAN interface?

So it is probably best to also ensure the router is defined to use the WAN in VPN Client 2 given the 192.168.0.1/24 VPN rule.

The router isn't using the LAN network interface to gain internet access. So the fact its LAN ip is in PBR is meaningless. It's only going to affect processes that are bound to the LAN side, which typically isn't going to be anything that requires internet access. That's the point I'm making in my prior post.

 

[galanga]

The router isn't using the LAN network interface to gain internet access. So the fact its LAN ip is in PBR is meaningless. It's only going to affect processes that are bound to the LAN side, which typically isn't going to be anything that requires internet access. That's the point I'm making in my prior post.

Thank you for that explanation!
Based on using a single client for a couple of years with just 192.168.1.0/24 (and no router listed) and DNS Exclusive, Kill-Switch On and start-on-boot, and never having a problem with the VPN not coming up / having internet access after either a hard/cold reboot, It make sense that the Router wouldn't need to be listed - unless it had something else to do with there being more than one client (which is where I'd seen people mention it...) but I didn't see a good explanation for it so I wasn't sure...