VPN Setup issues

[mallzero]

Hi! I have read up on several guides for setting up a VPN on mu ASUSMerlin router. But im still having the issue that not my whole network goes threw the vpn only my computer and not the phone and everything else connected to the network.

- Basically I want it to be setup as my superb editing skills of the photo below (pun) Could anyone guide me to the right direction.

I have the .ovpn file correctly setup via VPN Client within the router. But as I said is now encrypting every device just some.

Thanks in advance for a stupid question

 

[octopus]

Hi! I have read up on several guides for setting up a VPN on mu ASUSMerlin router. But im still having the issue that not my whole network goes threw the vpn only my computer and not the phone and everything else connected to the network.

- Basically I want it to be setup as my superb editing skills of the photo below (pun) Could anyone guide me to the right direction.

I have the .ovpn file correctly setup via VPN Client within the router. But as I said is now encrypting every device just some.

Thanks in advance for a stupid question

Have you read the wiki? There is a nice guide
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing

 

[mallzero]

Have you read the wiki? There is a nice guide
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing

Ohh, okey. So what i need to do is using the Rules for routing client traffic through the tunnel and adding the devices to that protocol?

Thanks for the respone

 

[GSpock]

Hi! I have read up on several guides for setting up a VPN on mu ASUSMerlin router. But im still having the issue that not my whole network goes threw the vpn only my computer and not the phone and everything else connected to the network.

- Basically I want it to be setup as my superb editing skills of the photo below (pun) Could anyone guide me to the right direction.

I have the .ovpn file correctly setup via VPN Client within the router. But as I said is now encrypting every device just some.

Thanks in advance for a stupid question

could you attach a picture of your openvpn client settings

 

[mallzero]

could you attach a picture of your openvpn client settings

 

[GSpock]

So, only the 5 devices listed will go thru VPN, all others will go to WAN .... this is the normal behavior ...

 

[mallzero]

Okey, its not possible that every devices that is connected to goes threw the vpn without me having to config that device?

 

[GSpock]

Okey, its not possible that every devices that is connected to goes threw the vpn without me having to config that device?

yes it is possible, I think (but to be checked) you should simply have one line : 192.168.1.0/24 => VPN

 

[eibgrad]

If the OP wants *everything* routed through the VPN, do NOT use PBR (policy based routing). Just specify Yes for the "Force internet traffic through tunnel" option.

By default, any commercial OpenVPN provider will force all your traffic through his OpenVPN server, and by specifying Yes for that option, the router basically does nothing and let's that happen. But if you use PBR and add 192.168.1.0/24, yes, it will work, but it will also have the side effect of having the router itself OFF the VPN! IOW, anything the router does is over the WAN, and so it becomes a source of leaks, perhaps even DNS leaks. That's one of the undesirable side effects of using PBR, esp. when the router is providing other services you want secured (e.g., transmission). But sometimes you have to use PBR because you only want *some* clients to use the VPN and not others. But again, if you end up sending everything over the VPN anyway, PBR makes no sense.

 

[GSpock]

If the OP wants *everything* routed through the VPN, do NOT use PBR (policy based routing). Just specify Yes for the "Force internet traffic through tunnel" option.
... But if you use PBR and add 192.168.1.0/24, yes, it will work, but it will also have the side effect of having the router itself OFF the VPN! IOW, anything the router does is over the WAN, and so it becomes a source of leaks, perhaps even DNS leaks. That's one of the undesirable side effects of using PBR, esp. when the router is providing other services you want secured (e.g., transmission). But sometimes you have to use PBR because you only want *some* clients to use the VPN and not others. But again, if you end up sending everything over the VPN anyway, PBR makes no sense.

So, if I got you well, keeping in mind what he wants to achieve, what about this at "Rules for routing client traffic through the tunnel"
1. 192.168.1.1 ==> WAN
2. 192.168.1.0/24 => VPN

would this work then ?

 

[eibgrad]

So, if I got you well, keeping in mind what he wants to achieve, what about his this at client access:

1. 192.168.1.1 ==> WAN

2. 192.168.1.0/24 => VPN

would this work then ?

Your suggestion is *still* using PBR. What I'm saying is to NOT use PBR at all. The default behavior when NOT using PBR is to route everything over the VPN, *including* the router itself and all its internet bound services. If you use PBR as you've described above, that takes the router off the VPN. And since all the router's internet-based services are bound to the WAN (not the LAN, i.e., 192.168.1.1), that rule is basically useless. In order to be effective, you would have to *rebind* those services to the LAN rather than the WAN so PBR was effective wrt the router itself. But that's just complicating matters. Better to just not use PBR at all.

 

[Vimes]

I have always used PBR to create rules for certain devices to NOT use the VPN. As the OP wishes to use the VPN client for everything to go through the VPN then simply do not use PBR.

Unless I'm missing something here.

 

[mallzero]

Thanks for all the response. Im that tech savy, but my router I had before could use the L2PT protocol directly so it went from Wan-to L2PT then everything was encrypted there under. But from what im reading here this setup will make it that way as well with openvpn client if im not misstaken?

 

[MaziahBebop]

Thanks for all the response. Im that tech savy, but my router I had before could use the L2PT protocol directly so it went from Wan-to L2PT then everything was encrypted there under. But from what im reading here this setup will make it that way as well with openvpn client if im not misstaken?

I think what is being said is.... to achieve this:



Do this:

 

[Martineau]

As the OP wishes to use the VPN client for everything to go through the VPN then simply do not use PBR.

Unless I'm missing something here.

If the OP wants to have all traffic thru' the VPN tunnel, and no traffic via the WAN, he would most likely wish to explicitly have the KILL-Switch enforced, so PBR is mandatory.

 

[eibgrad]

Seems we've found a bug/flaw in the GUI.

The OP never indicated a need for a kill switch. But putting that aside for the moment, the fact the GUI requires PBR in order to have a kill switch makes no sense. It's perfectly valid to use/need a kill switch even in the case of specifying Yes for "Force Internet traffic through tunnel". The only difference between Yes and the PBR options is the former means *everything*, while the latter is *selective*. But in either case, something is required to use the VPN, and so you have just as much reason to use/need a kill switch in either situation. The only time a kill switch doesn't make sense is in the case of No for "Force Internet traffic through tunnel", since by definition you are defaulting to the WAN. And frankly, there's nothing all that difficult about adding a kill switch, esp. when you need to block everything over the WAN.

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT

Having to use PBR just to take advantage of a kill switch is not only a bug/flaw in the GUI, but imo it's too high a price to pay for letting the router itself come off the VPN. Now the router becomes the potential source of data leakage rather than your clients. This is something that apparently a lot of users are unaware of, but need to carefully consider when they choose to use PBR, esp. if the use of the WAN is such a concern that it warrants a kill switch.

 

[Martineau]

The OP never indicated a need for a kill switch.

Never stated that was the the OPs requirement. I was merely replying to @Vimes to clarify that the available GUI options differ based on the setting 'Force Internet traffic through tunnel' providing a flexible configuration.

....in the case of No for "Force Internet traffic through tunnel", since by definition you are defaulting to the WAN.

Does it ? - I believe @RMerlin explained many years ago that this isn't always the case i.e. if 'Force Internet traffic through tunnel=No', the router will actually honour/accept the relevant setting pushed by the OpenVPN server, so in most cases, the default route is via the VPN.

 

[eibgrad]

Does it ? - I believe @RMerlin explained many years ago that this isn't always the case i.e. if 'Force Internet traffic through tunnel=No', the router will actually honour/accept the relevant setting pushed by the OpenVPN server, so in most cases, the default route is via the VPN.

Fair point. Although the use of No certainly suggests at least YOU (the one managing the OpenVPN client) are NOT interested in forcing traffic over the VPN. I suspect many (perhaps most) users have no idea the commercial OpenVPN server is the one forcing traffic over the VPN. So logically, it makes more sense for the user to specify Yes if that is their intent, even if in the end, it's superfluous.

But regardless, that wasn't the real point of my comments. You can remove that one statement and the question still remains; why is the kill switch NOT available when set to Yes?

 

[kazak]

And frankly, there's nothing all that difficult about adding a kill switch, esp. when you need to block everything over the WAN.

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT

So to create a kill switch, without using Policy Rules, for the whole router VPN, would I add the code you provided, as is, to the Custom Configurations section? TIA

 

[eibgrad]

So to create a kill switch, without using Policy Rules, for the whole router VPN, would I add the code you provided, as is, to the Custom Configurations section? TIA

As with any firewall rules, you should first test it using a ssh session, and copy/paste them into the ssh window, then verify it works as expected. That way, if by chance they cause some unexpected problem (not likely given the simplicity of this code, but still prudent), you can simply reboot the router and return to normal.

Once verified, you need to add the code to a file called firewall-start and store it in /jffs/scripts. Make sure under Administration->System the JFFS and custom scripts options are enabled.

As a convenience, I've created the following installation script that you can copy/paste into an ssh window. Then reboot.

#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

function create_script(){
cat << "EOF" > $SCRIPT
#!/bin/sh
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

Note, the script will NOT overwrite any existing firewall-start script. In such a case, you would have to manually add the code to the existing firewall-start script.