
Asus Merlin settings to bypass VPN (Policy based routing and Killswitch)


FallGuy

I've just purchased an Asus RT AC87u and installed the latest Merlin firmware. I've set up the VPN client on the router and I need my IPTV boxes to bypass the VPN. How can I do this?

 

 

--Problem Solved. I played around with some settings.

1- In the router go to VPN,

2- Go to OpenVPN Clients Tab, 

3- Find "Advanced Settings"

4- Set "Redirect Internet Traffic" to Policy Rules

5- Below that you'll see "Rules for routing client traffic through the tunnel". Under Source IP I chose my IPTV box's IP, left the "Destination IP" empty, set the "Iface" to Wan and clicked add and Apply. That's it. Easy.

6- I chose to add all of my IPTV boxes, laptops and smartphones here and chose whichever Iface, WAN or VPN, to suit my needs.

 

There's also a kill switch here if you set "Block routed clients if tunnel goes down" to Yes. I've tested it and it works.

Support

Thanks for reporting back your fix and sorry for the delay, will sticky this :)

 

Best Regards

DFK61

I do the opposite. I have tried multiple servers both close and far and it seems that from 5PM EST to around 11PM EST I just can't get a steady and stable stream to play without it freezing and stopping.

Anders

Fantastic - thanks! So much less hassle than writing to NVRAM etc....:)

 

Sticky this in Gold with bells on it Admins...

stephenj

Nice! Does the Asus router have to be flashed with Merlin or can it be done with the built-in OpenVPN client?

FallGuy

You need Merlin's firmware.

torman

I've just purchased an Asus RT AC87u and installed the latest Merlin firmware. I've set up the VPN client on the router and I need my IPTV boxes to bypass the VPN. How can I do this?

 

 

--Problem Solved. I played around with some settings.

1- In the router go to VPN,

2- Go to OpenVPN Clients Tab, 

3- Find "Advanced Settings"

4- Set "Redirect Internet Traffic" to Policy Rules

5- Below that you'll see "Rules for routing client traffic through the tunnel". Under Source IP I chose my IPTV box's IP, left the "Destination IP" empty, set the "Iface" to Wan and clicked add and Apply. That's it. Easy.

6- I chose to add all of my IPTV boxes, laptops and smartphones here and chose whichever Iface, WAN or VPN, to suit my needs.

 

There's also a kill switch here if you set "Block routed clients if tunnel goes down" to Yes. I've tested it and it works.

 

 

It did not work on my Asus AC68U... If I turn on this option then it shows me my real IP... I don't know why

FallGuy

There can be a few reasons.

 

1. Are you connected? Do you have an ip address in the vpn status page?

 

2. On the PC that you use to check your VPN IP address, is its local IP address listed in the OpenVPN Clients tab at the bottom? And is Iface set to VPN?

torman
1. Are you connected? Do you have an ip address in the vpn status page?

 

 

My VPN status: shows that I'm connected, screenshot: http://uploadpie.com/YyFxE

 

Also "OpenVPN Clients" bright green, Service state "ON" http://uploadpie.com/Qjwy7

 

But when I go to www.dnsleaktest.com, it shows me my real IP address.

 

What I wrote previously is only when I have turned on the options: Redirect Internet traffic (Block routed clients if tunnel goes down)

 

This is my settings with the included option "Redirect Internet traffic": screenshot: http://uploadpie.com/HHcQK 

but as I said, my IP address is real now no matter what, Service state bright green

to check IP I use: www.dnsleaktest.com

 

I do not know, maybe I'm doing something wrong... Now I have this option off because in this case the VPN IP works properly...

FallGuy

The iface needs to be set to VPN and it's currently set to WAN. I would delete the rule and reconfigure it using VPN. If you leave it set to WAN it will always display your wan or isp's ip address when you run a leak test or ipcheck.

 

Also, under Accept Dns configuration, it should be set to "strict".

torman

The iface needs to be set to VPN and it's currently set to WAN. I would delete the rule and reconfigure it using VPN. If you leave it set to WAN it will always display your wan or isp's ip address when you run a leak test or ipcheck.

 

Also, under Accept Dns configuration, it should be set to "strict".

 

Now it is OK :) Thanks @FallGuy for the help

 

:)

FallGuy

You're quite welcome. I'm happy it worked for you.

Bugleboy

Is the Merlin firmware pretty much the same across the various model routers?  I'm thinking of getting an Asus RT-AC3100 and just hoping that this will all be the same for that one.

Support

Is the Merlin firmware pretty much the same across the various model routers?  I'm thinking of getting an Asus RT-AC3100 and just hoping that this will all be the same for that one.

 

Hi bugleboy

 

Yes it’s pretty much the same across all models.

 

Regards

diameter

Your setup works, but by default all clients use WAN and all VPN clients must be added manually through an entry in the table. You do not have to add devices and set them to WAN as that's the default.

 

You can alter this so that all clients are on VPN by default and still keep the killswitch function. To do this, remove all your VPN entries for all clients under the policy rules. Then add a single entry - call it what you want, but ALL is a good name. Then set the IP to the entire range of your IP addresses using CIDR notation. If you are using the Asus default your range is 2 to 254. So add this one single entry

 

All 192.168.1.0/24 0.0.0.0 VPN

 

To verify, just go here http://www.ipconvertertools.com/cidr2ipranges and paste in 192.168.1.0/24 and click calculate. You will see the IP range it covers.

 

Note, your subnet mask must be 255.255.255.0 (the default) for this to work. By adding this single entry, all your devices will tunnel through the VPN by default. Then you can add manual entries for devices you want to bypass the VPN and use the WAN. Since I only have a few devices that need to bypass the VPN (i.e., streaming devices with Netflix and Hulu detect the TG IP and won't work so I need to remove these from the VPN), I personally find it easier to maintain when set up this way. I prefer this setup as when I have guests visiting and they connect to my guest network they are on the VPN by default. Also, all new devices I add to the network are on the VPN by default. I find this a more secure setup as I want all devices to default to the VPN, not the other way around. I find this far easier to maintain than manually adding all new devices to the VPN. This is set up once and forget it.

 

Hope this helps.

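An offline check of the rule table described in the last post, as an added example that is not part of the original thread or of the Merlin firmware: it lists the range a CIDR entry covers and shows which path each client takes with the tunnel up and with it down. The rule names, client addresses and the simplified model (a WAN bypass entry wins over a covering VPN entry, unmatched clients use the WAN, VPN clients fall back to the WAN when the tunnel drops without the block option, destination column ignored) are assumptions based on the posts above.

```python
import ipaddress

# Constructed rule table in the thread's column order: name, source, destination, iface.
RULES = [
    ("All", "192.168.1.0/24", "0.0.0.0", "VPN"),
    ("IPTV-1", "192.168.1.50", "0.0.0.0", "WAN"),  # constructed bypass entry
]

def covered_range(cidr):
    """First and last address a CIDR entry covers (replaces the web calculator)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])

def deciding_rule(rules, client_ip):
    """Return the rule that decides this client, or None when nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    hits = [r for r in rules if ip in ipaddress.ip_network(r[1], strict=False)]
    # Assumption: a WAN bypass entry wins over a covering VPN entry.
    wan = [r for r in hits if r[3].upper() == "WAN"]
    return (wan or hits or [None])[0]

def effective_path(rules, client_ip, tunnel_up, block_when_down):
    """Path a client's traffic takes; the destination column is not modelled."""
    rule = deciding_rule(rules, client_ip)
    if rule is None or rule[3].upper() == "WAN":
        return "WAN"  # unmatched clients use the WAN by default
    if tunnel_up:
        return "VPN"
    # Assumption: without the block option a VPN client falls back to the WAN.
    return "BLOCKED" if block_when_down else "WAN (leak)"

def audit(rules, clients, block_when_down):
    """Map each client to (path with tunnel up, path with tunnel down)."""
    return {c: (effective_path(rules, c, True, block_when_down),
                effective_path(rules, c, False, block_when_down))
            for c in clients}

if __name__ == "__main__":
    print(covered_range("192.168.1.0/24"))
    # Constructed clients: a bypassed IPTV box, a new device, a host outside the /24.
    for ip, paths in audit(RULES, ["192.168.1.50", "192.168.1.200", "192.168.2.10"], True).items():
        print(ip, paths)
```

Any client whose second value reads "WAN (leak)" would expose the ISP address when the tunnel drops, and a host outside the /24 never matches the "All" entry, which is the subnet-mask caveat from the post.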
