Can local traffic be sent to my other router and bypass VPN?

hank · 2017-04-16T02:07:51.000Z

I have a GL-AR150 setup for NordVPN and it works great. The GL-AR150 provides a VPN to one computer from behind my existing gateway router. Is there a way that I can add a static route so that traffic intended for my LAN (home network) is NOT routed through the VPN? I want to have access to my NAS file server (which is not on the VPN) from my computer which is on the VPN. Is this possible?

Most of the search results I get when looking for this info is about accessing a home network from the other end of the VPN but that isn’t what I want to do. I want traffic for 192.168.2.x to be forwarded to my other router instead of over the VPN. I have the IP address of my VPN network in the same subnet but strangely, even with the VPN disabled, the local network is not visible to the PC behind the AR150. The only way I can see the local network is if I go into the Physical Settings for the LAN adapter and add the WAN to the LAN/Wireless bridge.

Can you please point me in the right direction?

Thanks!

Hank

hank · 2017-04-16T23:01:25.000Z

More details:

PC1 is connected to the GL-AR150 which is setup as a VPN client to NordVPN (and it works great).

I would like to have PC1 split traffic for the 192.168.2.x network not go through the VPN but instead go to the TP Link so it can access the NAS.

I am assuming I have to:

Turn of DHCP server on AR150 so PC1 pulls IP from the TP Link instead (so they are on the same network)

Turn off NAT (or bridge the LAN to the WAN) on the AR150 so it is transparent to the local network

Setup some kind of static route or otherwise adjust the routing table so traffic for the local network is not sent to the TUN interface

I am not sure about this but from what I have been finding on traffic splitting, this is what I need to do. Does anyone know if this is correct? If not, how should I go about it (or is it even possible)? I would think this is a pretty common situation so I don’t know why I can’t find a guide somewhere.

Thanks for any help.

Hank

alzhao · 2017-04-18T10:16:58.000Z

Actually there should be some way to do it. But I am not quite sure.

If you make the AR150 transparent and your PC1 get IP from your tp-link, then AR150 cannot control the traffic and cannot route it to vpn. You could set up a vpn proxy in AR150 and then set up your PC1 to use the proxy, but I don’t know how to do it now.

So you need to keep the NAT on AR150 on. Your PC1 should be able to access your main network but they are not in the subnet. I am not sure NAS will work.

hansome · 2017-04-19T15:49:10.000Z

You don’t need to turn off NAT and DHCP of AR150, when its wan interface and your NAS server in the same subnet, the iptables should MASQUERADE the traffic of wan interface seperately from openvpn.

Make sure: in openvpn client Settings page, turn Force VPN option off.

When you visit your devices connected to your main router, the data will not go through your vpn. For example if you have a web server in PC2, you can access this web server from PC1. But I don’t know what protocol your NAS is using.

I am trying this in my side and hope to find a way.

hank · 2017-04-19T18:24:23.000Z

Thank you, hansome, for the reply. You are absolutely right, as soon as I unchecked the Force VPN box, I had access to my local network. It is not what I expected the checkbox to do since it is labeled ‘No Internet if VPN not connected’ which IS a feature that I want… if the VPN goes down, I would rather have no Internet than have my real IP exposed. Is there a way I can implement that rule while still having access to my local network?

Strangely, the NAS is still not visible from behind the VPN even though my primary router (the TP-Link) is visible on port 80. The NAS uses SMB protocol, do I have to modify the firewall rules or forward the NetBios/SMB ports? I will try that tonight, after work.

Just out of curiosity, have you ever SSHed into the router to play around with routing tables or other advanced configurations? Another goal for me is going to be to route Netflix traffic to the WAN port rather than the VPN. Not sure if I can use the Static Routes feature to accomplish that.

Thank you again for the reply. I am not very knowledgeable about advanced network setups but if I have the right direction I can usually research and work my way through it.

Hank

hansome · 2017-04-19T19:35:55.000Z

Force VPN means only traffic of TUN inferface is allowed, but ethernet WAN interface traffic is blocked. Although underneath the hood, the TUN traffic is encapsulated by the WAN traffic, they are tackle differently by iptables. You are behind two layers of NAT, I don’t think your real IP could get exposed.

AFAIK, NAS discovery stage will send some UDP broadcast or multicast packet which is only visible in the same subnet. You can try Mapping network drives from Windows resource explorer if you are using MS windows. This way, SMB protocol shold use TCP to initiate connection behind NAT corrrectly.

I’m not familiar with Netflix, how server and client setup?

Basicly, the key point is not about VPN, but NAT traveral.

hank · 2017-04-19T21:21:55.000Z

The VPN computer (Computer 1) is running Windows 7 and it does have the NAS mapped as a network drive but I still cannot access it. I do see similar questions (about accessing an NAS from a different subnet) around on various networking forums so hopefully I will get it around the NAT.

Netflix is a video streaming service but they do not like VPNs, they keep track of VPN IP addresses and will not work if you connect from one. When I am connected to the VPN, Netflix does not work, disconnected from the VPN it works fine. I would like to have the AR-150 forward traffic for Netflix to WAN port instead of TUN port.

Thanks again!

petey · 2017-04-19T23:06:48.000Z

@Hank, looks like you are looking to do split tunneling. I would this this when working from home such that I could utilize local resources (NAS, Printers et al) and VPN connected resources.

The split tunnel is configured on the client side (not the router side) and basically is just a routing table.

Googling a bit relating to my use of PFSense and IPSec; it involves forcing NAT transversal and splitting DNS.

I’ve seen some routers equipped with a button for NAT transversal, some doing it by default and some not doing it at all. (IE: there is some non nonsensical paranoia about using it sometimes).

I haven’t played much with OpenVPN much these days.

hank · 2017-04-20T06:14:05.000Z

Well, I can ping the NAS from the machine on the VPN (not surprising since I can see the other router) and I can access the shares by IP address (\192.168.2.x) but the name resolution doesn’t work. From what I understand, NetBIOS doesn’t route across subnets so my only options are probably WINS server or to set a static Ip on the NAS and just use the address. Does anyone know of a another way that I could still browse by name?

hansome · 2017-04-20T11:04:46.000Z

You could try to configure ‘Network - DHCP and DNS - DNS forwardings’ at AR150 luci, forwarding DNS lookup to your main router.

hank · 2017-04-20T18:10:29.000Z

Thanks hansome, but unfortunately that didn’t work. I guess I will set the NAS to a static IP and create a share based on that rather then the name. If I absolutely MUST have it browsable by name, I can always add an entry to the HOSTS file.

One last question if you would be kind enough… is there a way I can add specific routes to the routing table through the GUI? For instance, if I wanted to route 100.100.x.x/16 to the WAN port instead of the TUN port, can I do that in LuCi or do I need to SSH in and change the table manually?

Thanks

hansome · 2017-04-20T18:44:37.000Z

You are welcome.
ip route add 100.100.0.0/16 via 192.168.2.1