VPN for rule for all traffic in MerlinVPN Director

glitchd

Occasional Visitor
It seems like this is simple, as there's nothing on the net about it, but I just can't seem to make it work.

I'm trying to route all my AX86's internet traffic through the VPN (Proton) aside from the IoT devices that won't connect from behind it (although if there's a way to do that it would be better, but I don't think there is).

From my noobish perspective, it was rough to figure out the rule to catch all traffic and send it through the VPN. I swapped out an AX68U that first got glitchy on 5 GHz (common, it seems, but the Merlin 386.7 update seems to have curbed it), then stopped putting things behind the VPN after a week or so of finally working properly. I had saved the config, so I didn't look at my hard-won rule before factory resetting it. Of course the new router won't load the config, or even the one I just saved from it itself. Says invalid file.

I'm pretty sure the rule was just client 1 (the VPN) and remote IP: 0.0.0.0
But that isn't working now; when active it doesn't allow internet access. Only the IoT devices with individual rules directing them to be sent over WAN work.

On the AX68U I remember it was glitchy: I had to put the 0.0.0.0 rule in last, and then toggle it off and on for it to finally work, also do a little dance, but that's not cutting it this time...
 
I'm having a hard time following your actions.

Regardless, if you want ALL your devices routed over the OpenVPN client, you don't need the VPN Director at all. Just choose All for the routing policy. If you want to be selective in your routing (i.e., some devices use the VPN, others continue to use the WAN), set the routing policy to the VPN Director and create your rules. In most cases, it's just a matter of choosing the source IP (e.g., 192.168.1.100) or network (e.g., 192.168.1.0/24) you want routed in the local-ip field, and choosing the network interface (i.e., the VPN or the WAN).
 
I'm having a hard time following your actions.

Regardless, if you want ALL your devices routed over the OpenVPN client, you don't need the VPN Director at all. Just choose All for the routing policy. If you want to be selective in your routing (i.e., some devices use the VPN, others continue to use the WAN), set the routing policy to the VPN Director and create your rules. In most cases, it's just a matter of choosing the source IP (e.g., 192.168.1.100) or network (e.g., 192.168.1.0/24) you want routed in the local-ip field, and choosing the network interface (i.e., the VPN or the WAN).
So I want everything over VPN except the IoT devices. Each IoT device has a WAN rule; their IPs were in the drop-down list. I need one rule to send everything else over VPN.

Is 192.168.1.0/24 everything else? I read something about 192.168.1.50/.. (I forget) from DHCP
 
If your local IP network is 192.168.1.x, then yes, you need a rule for 192.168.1.0/24 that binds it to the VPN. All your IoT devices with rules for the WAN will have precedence over that rule for 192.168.1.0/24.
 
If your local IP network is 192.168.1.x, then yes, you need a rule for 192.168.1.0/24 that binds it to the VPN. All your IoT devices with rules for the WAN will have precedence over that rule for 192.168.1.0/24.
Excellent, thank you!
 
If your local IP network is 192.168.1.x, then yes, you need a rule for 192.168.1.0/24 that binds it to the VPN. All your IoT devices with rules for the WAN will have precedence over that rule for 192.168.1.0/24.
I checked the IPs of the devices in the drop-down list; they're all 192.168.xx.xx, so I just used that ending in .0/24. Nothing is behind the VPN, but now I'm no longer able to access router.asus.com; every other IP and device has full internet access.. I confuse
 
..so I just used that ending in .0/24. Nothing is behind the VPN, but now I'm no longer able to access router.asus.com; every other IP and device has full internet access.. I confuse

I don't understand what you mean. Show me exactly how you configured the VPN Director. Post a snapshot.
 
I can't get back in, lol. It won't let me access the router page. All I did was add the rule: use client 1, local IP 192.168.50.0/24. All the local IPs in the drop-down list are 192.168.50.xxx, so I figure that must be the network IP? I'll have to factory reset it, but I'd rather wait till I know what went wrong.
 
Don't use router.asus.com, just use the explicit IP (e.g., 192.168.50.1). It's possible you've configured the OpenVPN client w/ Exclusive for "Accept DNS configuration", which then *bypasses* DNSMasq for DNS in favor of the VPN server's DNS. It's DNSMasq that resolves router.asus.com to 192.168.50.1. The VPN DNS servers know nothing about router.asus.com.
 
Oh, you're right, I set the DNS to Exclusive! Thanks man, yet the connected devices still aren't behind the VPN? Unless that's not the network IP.. I'll check the computer for it soon.
 
Don't use router.asus.com, just use the explicit IP (e.g., 192.168.50.1). It's possible you've configured the OpenVPN client w/ Exclusive for "Accept DNS configuration", which then *bypasses* DNSMasq for DNS in favor of the VPN server's DNS. It's DNSMasq that resolves router.asus.com to 192.168.50.1. The VPN DNS servers know nothing about router.asus.com.
So I can access the router again, but the damn thing loses internet functionality and has to be factory reset constantly. I went back to the AX68U, but I can't get the VPN Director "catch all else" rule working again. It's not local 192.168.50.0, with or without the /24. If I do just remote 0.0.0.0 there's no internet regardless of the DNS setting (the IoT devices with "use over WAN" rules still get internet). And it says the saved config file is invalid, like the other router.
 
When configuring the VPN Director rules, and you want ALL destination IPs to be affected by that rule, you simply leave the remote-ip field blank! Blank = ALL. Even if you wanted to be explicit for some reason, it is NOT 0.0.0.0, but 0.0.0.0/0 that means ALL.

P.S. I think part of the problem here is you're over-thinking it. You're going beyond what is necessary to get the rules installed and working, and in the process, creating additional problems.
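As an added illustration, not code from this thread or from the Asuswrt-Merlin firmware, the Python model below encodes the three points made in the replies above: a blank remote field means all destinations, a bare 0.0.0.0 is a single host whereas 0.0.0.0/0 is everything, and a WAN rule for a specific IoT address takes precedence over a subnet rule that sends 192.168.50.0/24 to the VPN. The rule set, the device addresses, the `lint_rule` heuristics and the WAN-then-OVPN1..5 tie-break ordering are constructed assumptions for the model; traffic no rule claims is treated as WAN, as a later reply in the thread describes the default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Precedence as stated in the thread: WAN rules win over VPN rules.
# Assumption for this model: ties are broken in the order WAN, OVPN1 .. OVPN5
# (a hypothetical ordering chosen for illustration, not read from the firmware).
IFACE_ORDER = {"WAN": 0, "OVPN1": 1, "OVPN2": 2, "OVPN3": 3, "OVPN4": 4, "OVPN5": 5}


@dataclass(frozen=True)
class Rule:
    desc: str
    local: str   # source IP or CIDR; "" means any source
    remote: str  # destination IP or CIDR; "" means any destination (blank = ALL)
    iface: str   # "WAN" or "OVPN1".."OVPN5"


def field_matches(field: str, addr: str) -> bool:
    """Blank matches everything. A bare address is one host (/32): '192.168.50.0'
    covers only that single address and '0.0.0.0' covers only 0.0.0.0, while
    '192.168.50.0/24' and '0.0.0.0/0' cover the whole range."""
    if field == "":
        return True
    return ip_address(addr) in ip_network(field, strict=False)


def lint_rule(rule: Rule) -> Optional[str]:
    """Flag the two mistakes discussed in the thread (heuristic, constructed here)."""
    if rule.remote == "0.0.0.0":
        return (f"{rule.desc}: remote 0.0.0.0 matches one host only; "
                "leave remote blank or use 0.0.0.0/0 for all destinations")
    if rule.local and "/" not in rule.local and rule.local.endswith(".0"):
        return f"{rule.desc}: local {rule.local} is a single host; a subnet needs a prefix such as /24"
    return None


def select_interface(rules: Iterable[Rule], src: str, dst: str) -> str:
    """Interface chosen for src -> dst; WAN when no rule matches."""
    candidates = [r for r in rules
                  if field_matches(r.local, src) and field_matches(r.remote, dst)]
    if not candidates:
        return "WAN"
    return min(candidates, key=lambda r: IFACE_ORDER[r.iface]).iface


# Constructed rule set mirroring the setup in the thread: two IoT devices pinned
# to the WAN, everything else on 192.168.50.0/24 sent over OpenVPN client 1.
RULES = [
    Rule("iot-plug", "192.168.50.20", "", "WAN"),
    Rule("iot-cam", "192.168.50.21", "", "WAN"),
    Rule("everything-else", "192.168.50.0/24", "", "OVPN1"),
]

# The two attempts from the thread that do not behave as intended.
NO_PREFIX_RULES = [Rule("catch-all", "192.168.50.0", "", "OVPN1")]
BARE_ZERO_RULES = [Rule("catch-all", "", "0.0.0.0", "OVPN1")]

if __name__ == "__main__":
    dst = "93.184.216.34"  # any public destination (constructed example)
    for src in ("192.168.50.100", "192.168.50.20"):
        print(src, "->", select_interface(RULES, src, dst))
    print("local without /24:", select_interface(NO_PREFIX_RULES, "192.168.50.100", dst))
    print("remote 0.0.0.0:", select_interface(BARE_ZERO_RULES, "192.168.50.100", dst))
    for r in NO_PREFIX_RULES + BARE_ZERO_RULES:
        print(lint_rule(r))
```

Running it shows the laptop at .100 landing on OVPN1 while the pinned IoT device at .20 stays on WAN, and both of the failed attempts (no /24 on the local field, or a bare 0.0.0.0 in the remote field) matching nothing at all, which is why neither puts any device behind the VPN.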
 
Lol, I wish, I'm underthinking it! I should have gone to class when I was "studying" networking.
So I tried the rule these different ways (all having selected client 1 (ovpn1)):
- local: 192.168.50.0/24, remote: blank
- local: 192.168.50.0, remote: blank
- local: blank, remote: 0.0.0.0
- combining the above rules separately and in the same single rule. I've tried with the DNS setting in each available setting.
It either doesn't put anything behind the VPN, or with 0.0.0.0 it stops all internet traffic for everything that doesn't have a WAN rule or isn't on ethernet.

I don't get it.
 
Then maybe it's time to dump the underlying data structures and make sure all is normal and as expected.

Code:
ifconfig
ip route show table main
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers
cat /tmp/etc/openvpn/client1/config.ovpn
cat /tmp/etc/openvpn/client2/config.ovpn
cat /tmp/etc/openvpn/client3/config.ovpn
cat /tmp/etc/openvpn/client4/config.ovpn
cat /tmp/etc/openvpn/client5/config.ovpn
cat /jffs/openvpn/vpndirector_rulelist

I know that's a lot, but then I don't know where the problem lies, so let's get it all. You can safely obscure your public IP where applicable, but just do so consistently.
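The post asks for the public IP to be obscured consistently across all of those dumps, so that routes, rules and NAT counters still line up after redaction. The following Python helper is an added example (not from the thread or the firmware) that does exactly that for IPv4: every globally routable address is replaced by a stable placeholder, while LAN (192.168.x.x), tunnel (10.x.x.x) and other non-global addresses are left untouched. The sample text is constructed to resemble `ifconfig` / `ip route` output; the addresses in it are illustrative, not captured from a real router.

```python
import re
from ipaddress import ip_address
from typing import Dict, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_public_ips(text: str, label: str = "PUBLIC_IP") -> Tuple[str, Dict[str, str]]:
    """Replace each globally routable IPv4 address with a stable placeholder.
    Returns the redacted text and the address -> placeholder mapping so the
    author can keep the key privately. IPv6 is not handled here."""
    mapping: Dict[str, str] = {}

    def substitute(m: "re.Match[str]") -> str:
        token = m.group(0)
        try:
            addr = ip_address(token)
        except ValueError:          # e.g. 999.1.1.1 embedded in some other string
            return token
        if not addr.is_global:      # RFC 1918, loopback, link-local, 0.0.0.0, masks ...
            return token
        if token not in mapping:    # same address -> same placeholder, every time
            mapping[token] = f"{label}_{len(mapping) + 1}"
        return mapping[token]

    return IPV4_RE.sub(substitute, text), mapping


# Constructed sample resembling the ifconfig / ip route lines the post asks for.
SAMPLE = """\
eth0      inet addr:93.184.216.34  Mask:255.255.255.0
default via 93.184.216.1 dev eth0
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    redacted, seen = redact_public_ips(SAMPLE)
    print(redacted)
    print("redacted addresses:", seen)
```

To use it on the router dumps, save the combined output to a file on the PC, feed its contents to `redact_public_ips`, and post the redacted text; the WAN address, its gateway and any public DNS server each get their own placeholder, so a reader can still tell which routes point at the same next hop.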
 
I have the opposite situation. I want all traffic to go through WAN unless I have a rule that routes it through the VPN.
So I set up my VPN client to use the VPN director. And I have rules to route specific devices through the VPN (that I can turn off and on when necessary). But, what rule should I set up for routing "all other non specified traffic" through WAN?
If I set up a WAN rule for 10.2.01 (my router), the non specified devices seem to bypass the VPN (which is what I want), but setting up a WAN rule for my router seemed not quite right to me.
My router acts as the DHCP and DNS points for all clients. DNS is then set up in "Internet Connection" tab of the WAN screens. My VPN Client is set to "Accept DNS Configuration: Strict"
Any help, or confirmation that my "router WAN rule" is OK would be appreciated
 
I have the opposite situation. I want all traffic to go through WAN unless I have a rule that routes it through the VPN.
So I set up my VPN client to use the VPN director. And I have rules to route specific devices through the VPN (that I can turn off and on when necessary). But, what rule should I set up for routing "all other non specified traffic" through WAN?
If I set up a WAN rule for 10.2.01 (my router), the non specified devices seem to bypass the VPN (which is what I want), but setting up a WAN rule for my router seemed not quite right to me.
My router acts as the DHCP and DNS points for all clients. DNS is then set up in "Internet Connection" tab of the WAN screens. My VPN Client is set to "Accept DNS Configuration: Strict"
Any help, or confirmation that my "router WAN rule" is OK would be appreciated
You don't need a rule to route things over WAN; everything uses that by default unless a VPN Director rule contradicts it.
 
Then maybe it's time to dump the underlying data structures and make sure all is normal and as expected.

Code:
ifconfig
ip route show table main
ip route show table ovpnc1
ip route show table ovpnc2
ip route show table ovpnc3
ip route show table ovpnc4
ip route show table ovpnc5
ip rule
iptables -t nat -vnL --line-numbers
iptables -vnL --line-numbers
cat /tmp/etc/openvpn/client1/config.ovpn
cat /tmp/etc/openvpn/client2/config.ovpn
cat /tmp/etc/openvpn/client3/config.ovpn
cat /tmp/etc/openvpn/client4/config.ovpn
cat /tmp/etc/openvpn/client5/config.ovpn
cat /jffs/openvpn/vpndirector_rulelist

I know that's a lot, but then I don't know where the problem lies, so let's get it all. You can safely obscure your public IP where applicable, but just do so consistently.
I don't know where I'd even enter those commands, does the router have a command console? Or is it what's described here https://mycyberuniverse.com/linux/full-controling-the-asus-router-via-command-line.html
 
You don't need a rule to route things over WAN; everything uses that by default unless a VPN Director rule contradicts it.
That's not been my experience. Without the router WAN rule, nothing seems to get out to the internet.
 
I don't know where I'd even enter those commands, does the router have a command console? Or is it what's described here https://mycyberuniverse.com/linux/full-controling-the-asus-router-via-command-line.html

Most don't allow telnet access anymore.

You need to enable the SSH server on the router (Administration > System > Service > Enable SSH), then use an ssh client (e.g., PuTTY, although most platforms these days typically have a built-in ssh client already) and connect to the router. Then copy/paste the command into terminal window.
 
That's not been my experience. Without the router WAN rule, nothing seems to get out to the internet.
Not even over the VPN, just no internet access? That's what happens to me when I try a catch-all rule to send everything else over VPN.. most of the time; I did get it to work for a couple of weeks once.
 