VPN Director - Asuswrt-Merlin

[Mikey3]

Can someone tell me how to setup a rule in VPN Director to allow all clients to go through the VPN tunnel except one?

Thanks

 

[johndoe85]

Click on Add new rule in VPN director. Choose your VPN client in the interface section and add the clients you want to go through the VPN.
You should be able to set 192.168.50.0/24 as a choice instead of one client per rule. Name that rule "all clients" or something.
Then add a second rule with the client you want to go through the WAN interface

 

[Viktor Jaep]

@Mikey3 And to add just one last tidbit to this... make sure your exception rule is located at the top of your rules list, as rules are processed top-down... So your more global VPN rule should be #2.

 

[kyphos]

A related question about VPN Director:
Is there any way to specify that traffic from all WiFi-connected devices go through a VPN (but devices wired to the LAN continue to go through the WAN interface)? The VPN Director GUI only seems to allow client definition by IP, not by interface.

Thanks.

 

[chongnt]

@Mikey3 And to add just one last tidbit to this... make sure your exception rule is located at the top of your rules list, as rules are processed top-down... So your more global VPN rule should be #2.

WAN has higher priority over VPN client. Regardless of the sequence of rule creation, higher priority rule will always sorted on top in GUI and applied first. There should be no issue for OP requirement.

VPN Director

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[Viktor Jaep]

WAN has higher priority over VPN client. Regardless of the sequence of rule creation, higher priority rule will always sorted on top in GUI and applied first. There should be no issue for OP requirement.

VPN Director

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Thanks for this @chongnt ... but if something starts acting wonky, it's probably best to sort them in order of importance top-down... as a best practice.

 

[chongnt]

A related question about VPN Director:
Is there any way to specify that traffic from all WiFi-connected devices go through a VPN (but devices wired to the LAN continue to go through the WAN interface)? The VPN Director GUI only seems to allow client definition by IP, not by interface.

Thanks.

Yes, it seems there is no straight forward way of doing this. You can split LAN and WiFi to different subnet, say manually assign IP for your LAN devices to say 192.168.50.2 -192.168.50.127 (192.168.50.0/25) and let WiFi devices get their IP from DHCP pool 192.168.50.129 - 192.168.50.254 (192.168.50.128/25). This way you can do it with two rules in VPN Director.
Another option I can think of is use Guest Network with YazFi addons. It has option to route it over VPN.

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

 

[chongnt]

Thanks for this @chongnt ... but if something starts acting wonky, it's probably best to sort them in order of importance top-down... as a best practice.

In 386.9, there is no option to sort it manually. I suppose the same for 388.x? The rules are automatically sorted by Interface priority as we create it.

 

[Viktor Jaep]

In 386.9, there is no option to sort it manually. I suppose the same for 388.x? The rules are automatically sorted by Interface priority as we create it.

Jeez... you're absolutely right. Maybe I was confusing the vpn director with something else where you could change its order. Thank you!

 

[kyphos]

Yes, it seems there is no straight forward way of doing this. You can split LAN and WiFi to different subnet, say manually assign IP for your LAN devices to say 192.168.50.2 -192.168.50.127 (192.168.50.0/25) and let WiFi devices get their IP from DHCP pool 192.168.50.129 - 192.168.50.254 (192.168.50.128/25). This way you can do it with two rules in VPN Director.
Another option I can think of is use Guest Network with YazFi addons. It has option to route it over VPN.

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

@chongnt
I can see how I would narrow the scope of the DHCP server to 192.168.50.2-.127. But don't know how to define another DHCP pool (.129-.254) for WiFi devices.

However, I think your Guest Network idea will work. I'd never set one up, but I just tried it. It's not at all obvious (at least, it's not to me), but doing so creates a new subnet (192.168.101.0/24) and a DHCP server for devices that associate with the guest network. So a VPN Director rule can be created with a rule that assigns the entire subnet to a VPN. Presto - mission accomplished.

That DHCP server for the guest network is well hidden - I can't see it listed on the LAN/DHCP Server page, nor on the Guest Network page.

I will take a look at YazFi. I've never heard of it, and frankly don't know how I would add it to my RT-AC86U. I'm fairly new to Merlin firmware.

Thanks for the tips!!!

 

[Mikey3]

Click on Add new rule in VPN director. Choose your VPN client in the interface section and add the clients you want to go through the VPN.
You should be able to set 192.168.50.0/24 as a choice instead of one client per rule. Name that rule "all clients" or something.
Then add a second rule with the client you want to go through the WAN interface

View attachment 47611

View attachment 47612

Thanks. Much appreciated

 

[Mikey3]

@Mikey3 And to add just one last tidbit to this... make sure your exception rule is located at the top of your rules list, as rules are processed top-down... So your more global VPN rule should be #2.

Great. Thanks

 

[Daarke01]

A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers are that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?

 

[johndoe85]

A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers are that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?

Not sure, but you can add several instances of VPN's. And set up rules for each one, so if one goes down 2nd comes as backup and so forth.

 

[johndoe85]

I wonder though how i can setup rules for priority of the VPN's.

Like using the OpenVPN with the killswithch as a backbone. It would fall through WGC1 then WGC2 and then lastly to OVPN1+killswitch

With this setup the OVPN gets nr.1 in line so this could only work if all VPN clients where OpenVPN clients.
@RMerlin can a priority be added to the VPN director?

 

[Daarke01]

Not sure, but you can add several instances of VPN's. And set up rules for each one, so if one goes down 2nd comes as backup and so forth.

Alright that's a shame, perhaps someone else knows otherwise I will be forced to go with OpenWRT because you can scheduele wireguard-watchdog every few mintues to check. Seems there is no similar feature for Asus if the VPN Client stays disconnected even when the VPN goes back online again.
@RMerlin can a vpn-watchdog be implemented that re-connects the client if it's been disconnected?

 

[Jonnny]

Alright that's a shame, perhaps someone else knows otherwise I will be forced to go with OpenWRT because you can scheduele wireguard-watchdog every few mintues to check. Seems there is no similar feature for Asus if the VPN Client stays disconnected even when the VPN goes back online again.
@RMerlin can a vpn-watchdog be implemented that re-connects the client if it's been disconnected?

I don't know if this is what you are looking for, but when you enable the VPN server, a cron job is created to run this script:

#!/bin/sh
if [ -z "$(pidof vpnserver1)" ]
then
   service restart_vpnserver1
fi

Path: /etc/openvpn/server1/vpn-watchdog1.sh

You can view the cron jobs with the command:

cru l

For any other VPN Client service, it would be enough to copy/adapt the script above to new file (I think).

In my case, I just need the VPN Client services to be restarted every day (1 = 05:30am, 2 = 05:40am), like this:

cru a RestartVPNCliente1 "30 5 * * * service restart_vpnclient1"
cru a RestartVPNCliente2 "40 5 * * * service restart_vpnclient2"

Note: I created the file "services-start" (rwxr-xr-x - 0755) on path: "/jffs/scripts/services-start", for when the router restarts, create the tasks again.

 

[Jonnny]

__________
UPDATE:

I just tested it and it works

Example, for VPN Client 2:

1. I created the file "vpn_client2-watchdog.sh" via SCP. Path: "/jffs/scripts/vpn_client2-watchdog.sh". Permissions: 0755.

#!/bin/sh
if [ -z "$(pidof vpnclient2)" ]
then
   service restart_vpnclient2
fi

2. I added the cron job via SSH (eg. every minute):

cru a CheckVPNClient2 "* * * * * /jffs/scripts/vpn_client2-watchdog.sh"

3. Turn off OpenVPN Client 2 from GUI.

4. Wait up to 1 min and check the log that the service ran automatically.

 

[Viktor Jaep]

A question regarding VPN Director.

Does it automatically re-connect to the VPN after it goes down and comes back on again? Or does it continue to stay disconnected?
I've read that the normal behaviour for Asus routers are that it stays disconnected: https://www.asus.com/en/support/FAQ/1011232/

This is a huge problem for me. I don't need a killswitch, as long as VPN is on 99% of the time I'm fine as I want to have internet connection no matter what. But if it somehow goes down for a while, I would want it to automatically re-connect when the VPN is online again. Does VPN Director achieve this?

It's the whole reason I wrote VPNMON-R2. Let me know if you have any questions... This will make your connection stay up 100% of the time... 99% wasn't good enough for me.

 

[gruffysmallz]

Hello, I made an account and decided to reply to this thread even though it's over a year old because it was the top search result when I was figuring out how to do this

however when I route traffic to WAN via VPN Director, for specific devices, my internet connection is adversly affected, immediately noticeable (it's way worse on my phone than what is shown in the screenshots on my computer)
at first I thought my ISP might be having issues and what I was experiencing was just a coincidence... but then I decided to testing it another way and it turns out that what I was experiencing was indeed because of VPN Director

speedtest with this configuration:

and minutes later with not routing traffic to wan with VPN Director:

is it a bug? either way, I thought it would be a good idea to let people know on what was my top search result