Hi All,
My goal is to maintain on the router a VPN tunnel to my VPN provider (PIA). I only need this tunnel for certain sites; the rest of the traffic should bypass the tunnel.
I tried to use the built-in VPN Policies feature for this purpose, but unfortunately it is not usable for me. With the following settings:
- Enable VPN Policy = On
- Policy = Domain/IP
- Rules = Only allow the following use VPN
- Use VPN for = “some-vpnsite”
and the OpenVPN configuration file from my VPN provider, the VPN tunnel is successfully established. The traffic to “some-vpnsite” is indeed routed via the tunnel and the rest of the traffic bypasses the tunnel, but everything works extremely slowly. Whenever I try speedtest.net, the download test starts but never completes: I get a socket error.
Turning off the VPN brings things back to normal speed. I have never been able to get the VPN Policies feature to work at normal speed: the same behavior exists in firmware 3.104 as well.
After I gave up on VPN Policies, I tried to configure selective VPN routing by means of the OpenVPN client configuration file. I do the following:
- Add “pull-filter ignore redirect-gateway” to the client configuration file. This prevents the OpenVPN client from adding the redirection rules to the routing table.
- Add “route hostname default default”. This instructs the OpenVPN client to add a route to “hostname” via the established tunnel. The OpenVPN client should manage hostname resolution and the adding/removing of the rules on tunnel up/down on its own.
Unfortunately this approach still does not work, because of the following:
- Although the OpenVPN client does not add any redirecting rules, those rules seem to be added by the /etc/vpn.user script, which is run upon tunnel creation (see the ovpn_main() function).
- Even if I comment out the rule adding in the vpn.user script, I only have access to the “vpnsite” routed via the tunnel. Access to all other sites remains blocked (presumably by firewall rules adjusted on tunnel creation). An attempt to traceroute to a “non-vpn” site gives the following:
Tracing route to google.com
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms [ar750s-router]
2 [ar750s-router] reports: Destination protocol unreachable.
Things get back to normal if I turn the VPN off.
So my question is: is it possible to completely switch off the built-in VPN Policies feature and configure the router so that
- it won’t add any redirect rules apart from those that are managed by the OpenVPN client, and
- the firewall won’t drop packets targeted at sites for which the VPN tunnel should not be used?
Alternatively, I would be glad to use the built-in VPN Policies feature if only its performance were fixed. (Though I doubt that is possible unless the implementation approach is completely changed.)
Thank you in advance for any insights into these problems.
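As an added illustration of the client-side split-tunnel approach described in the post (this is example configuration written for this page, not the original poster's file, the provider's file, or GL.iNet's own code), the fragment below shows the two OpenVPN client directives involved with their exact syntax. The hostname `some-vpnsite.example` and the address `203.0.113.10` are hypothetical placeholders; `vpn_gateway` and `net_gateway` are OpenVPN's own keywords for the `route` gateway argument.

```conf
# Added example (not from the original post): OpenVPN client config fragment
# that sends only selected destinations through the tunnel.
# Hostnames/addresses below are hypothetical placeholders.

# Keep the provider's other pushed options but drop any pushed
# "redirect-gateway ..." line, so the default route is NOT replaced.
# pull-filter matches on the option prefix; quote it so the whole
# pushed line "redirect-gateway def1 ..." is caught.
pull-filter ignore "redirect-gateway"

# Stricter alternative: accept no pushed routes/options at all and rely
# only on the routes stated here. Use this OR the pull-filter above.
# route-nopull

# Destinations that should use the tunnel.
# "route <host>" defaults to netmask 255.255.255.255 and gateway
# vpn_gateway, so the short form "route some-vpnsite.example" is
# equivalent to the explicit line below. OpenVPN resolves the hostname
# itself when it installs the route on tunnel up and removes it on down.
route some-vpnsite.example 255.255.255.255 vpn_gateway
route 203.0.113.10       255.255.255.255 vpn_gateway

# Anything that must explicitly stay on the real uplink can be pinned
# to the pre-existing default gateway with net_gateway:
# route 198.51.100.0 255.255.255.0 net_gateway
```

After the tunnel comes up, `ip route` should show only the per-host routes via the tun interface and an unchanged default route; if additional `0.0.0.0/1` and `128.0.0.0/1` routes appear, something other than the OpenVPN client (such as the router's own up-script) is still installing them. This fragment addresses routing only; whether the firewall forwards the non-tunnelled traffic is a separate matter, as the traceroute in the post shows.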