VPN policy quick guide and feedback

Hi, if you upgrade to beta firmware 3.022 and above, you will find VPN policy settings.

Here is a quick guide.

  1. Enable or Disable VPN policy
  2. If you enable this, all the processes on the router will use the VPN. It means the router’s public IP will be the VPN server’s IP. Your DDNS will point to your VPN server. If you disable this, only the clients connected to the router will go through the VPN.
  3. You can choose a Domain/IP based policy or a MAC based policy. You can only choose one, not a mix of both. We tried to make a mixed policy, but it made the logic hard to understand.
  4. Clicking this, you choose whether you want to bypass a list or forward a list to the VPN. For example, in the picture: use the VPN for all domains/IPs but not 192.168.50.0/24. By using this, I can still access all my services on the 192.168.50.0/24 subnet, for example a local share or printer. Using this option, you can also achieve a scenario like only using the VPN for Facebook, Netflix, etc.
  5. You can use subnet instead of individual IP address.

You have to click APPLY to make this take effect.

You can also set up a MAC address based policy. Using this you will be able to achieve scenarios like “only allow your TV box to use the VPN” or “only the TV box doesn’t use the VPN”.

Please test and report here. Thanks very much!

Hi, I am testing this using an X750 as an OpenVPN client.

I set the policy like this:
[screenshot: XL750 VPN policy]

One issue I noticed is that the IP CIDR address under “Use VPN for” disappeared once. I don’t know if it was when I stopped and started the VPN or what.

If the X750 has a cable connection, the connection between my LAN and the router seems to work (but maybe only because the cable connection is inside the LAN, the same LAN as the VPN server).

However when I unplug the cable and only use the cellular connection, it does not seem to work. The VPN is connected, but I cannot ping the X750 using the VPN IP address. Maybe this helps to diagnose this issue: [blocked from uploading two images in one post–see next post].

Also, I see two new warnings on the VPN Client page:

“If you enabled VPN but the VPN cannot connect to its server, there will be NO Internet.”

This would be bad. I disabled “Use VPN for all processes on the router” to make sure the router does not depend on the VPN. If I deploy the X750 as a primary router for a company, perhaps also providing failover to cellular, I do not want their Internet to go down because I am rebooting my VPN server.

“When you change server while VPN is connected, VPN will not be leaked.”

I’m not sure which server you are referring to? Not the VPN server…

In general, I would suggest avoiding the term “data leakage.” To me that sounds like, “Your device will be hacked because private data is leaking onto the public Internet.” Maybe you want to say (if the Policy is enabled), “Your VPN Policy settings determine which data is sent and received through the Virtual Private Network and which data is routed outside the VPN.”

Here is the route when there is a cellular connection, no wired connection, and VPN is connected:

Trying latest snapshot for 750S (3.022-410):

  1. Under OpenVPN Client I see “VPN Policy Enabled”. If I click on this link I see “Use VPN for all processes on the router. What is this?”,
    a) the “what is this” link doesn’t work (404).
    b) if I turn this off then going back to the OpenVPN menu still shows “VPN Policy Enabled” (i.e. the button doesn’t work).

Fixes and explanation required (i.e. is “Use VPN for all processes on the router” the same as the old “Force VPN”)?

You are right, the link (help) is still not active.

If you turn it off, you need to click Apply first. Otherwise the settings are not saved.

In my first post I explained what is this option:

If you enable this, all the processes on the router will use the VPN. It means the router’s public IP will be the VPN server’s IP. Your DDNS will point to your VPN server. If you disable this, only the clients connected to the router will go through the VPN.

Sorry I cannot understand what you mean.

This is on purpose, to prevent data leakage when using the VPN. So if you want to reboot your VPN server and don’t want your router to drop Internet, it needs another policy.

This is also not related to the “VPN policy” mentioned in this thread. It is for general use of the VPN client.
But you have a good point about data leakage.
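The semantics laid out in the opening guide (one policy mode, Domain/IP or MAC, never mixed; one list that is either forwarded to the VPN or bypassed; the separate “use VPN for all processes on the router” toggle) together with the “no Internet when the VPN cannot connect” behaviour discussed just above, modelled as an added example. This is not GL.iNet firmware code: the class and method names, the assumption that a disabled policy sends every LAN client through the tunnel, and the direct matching of a destination hostname (a real router would match the resolved IPs) are all assumptions made for illustration.

```python
"""Model of a per-client VPN routing policy as described in the thread.
Added example, not firmware code; names and semantics are assumptions."""
import ipaddress

VPN, WAN, DROP = "vpn", "wan", "drop"


def _norm_mac(mac):
    """Compare MACs case-insensitively and accept both ':' and '-' separators."""
    return mac.lower().replace("-", ":")


class VpnPolicy:
    def __init__(self, enabled, mode, action, entries, all_router_processes=False):
        if mode not in ("domain_ip", "mac"):
            raise ValueError("policy mode must be 'domain_ip' or 'mac' (never mixed)")
        if action not in ("use_vpn_for", "bypass"):
            raise ValueError("action must be 'use_vpn_for' (forward list) or 'bypass'")
        self.enabled = enabled
        self.mode = mode
        self.action = action
        self.all_router_processes = all_router_processes   # "Use VPN for all processes"
        self.networks, self.domains, self.macs = [], set(), set()
        for entry in entries:
            entry = entry.strip()
            if mode == "mac":
                self.macs.add(_norm_mac(entry))
                continue
            try:
                # A bare IP becomes a /32 (or /128); a CIDR keeps its prefix,
                # so whole subnets can be listed instead of individual hosts.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                if "*" in entry:
                    raise ValueError("wildcards are not supported in domain entries")
                self.domains.add(entry.lower().rstrip("."))

    def _matches(self, src_mac, dst_ip, dst_host):
        if self.mode == "mac":
            return src_mac is not None and _norm_mac(src_mac) in self.macs
        if dst_host and dst_host.lower().rstrip(".") in self.domains:
            return True
        if dst_ip:
            addr = ipaddress.ip_address(dst_ip)
            return any(addr in net for net in self.networks)
        return False

    def decide(self, *, src_mac=None, dst_ip=None, dst_host=None,
               from_router=False, vpn_up=True):
        """Return VPN, WAN or DROP for one flow."""
        if from_router:
            # Router-originated traffic (DDNS, NTP, ...) ignores the client lists;
            # it follows the tunnel only when the all-processes toggle is on.
            via = VPN if self.all_router_processes else WAN
        elif not self.enabled:
            via = VPN          # assumption: no policy means every client is tunnelled
        else:
            hit = self._matches(src_mac, dst_ip, dst_host)
            if self.action == "use_vpn_for":
                via = VPN if hit else WAN      # only the listed items use the VPN
            else:
                via = WAN if hit else VPN      # everything but the listed items uses the VPN
        # Kill-switch: flows that must use the tunnel are dropped, not leaked,
        # while the tunnel is down.  Bypassed flows still reach the Internet,
        # which is the "another policy" needed to survive a VPN server reboot.
        if via == VPN and not vpn_up:
            return DROP
        return via


if __name__ == "__main__":
    # Constructed sample: the guide's own example, use VPN for all but 192.168.50.0/24.
    lan = VpnPolicy(True, "domain_ip", "bypass", ["192.168.50.0/24"])
    print(lan.decide(src_mac="aa:bb:cc:dd:ee:01", dst_ip="192.168.50.20"))      # wan
    print(lan.decide(src_mac="aa:bb:cc:dd:ee:01", dst_ip="8.8.8.8"))            # vpn
    print(lan.decide(src_mac="aa:bb:cc:dd:ee:01", dst_ip="8.8.8.8", vpn_up=False))  # drop
```

The three lines printed at the bottom show the trade-off the thread is arguing about: with a bypass list, the local subnet keeps working when the tunnel is down, while Internet-bound client traffic is dropped rather than sent out over the plain WAN.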

Not working - please see attached screenshots - first shows “VPN Policy Enabled” and second shows it as “off”.


Regarding option (2), “use VPN for all processes”, I guess I should wait for the link to be fixed for a full explanation!

Sorry I cannot understand what you mean.

Maybe you can duplicate it. I will try to describe the scenario, using X750 as an OpenVPN client:

  1. Enable VPN Policy.

  2. Use VPN for all processes: OFF

  3. Please Choose Policy: Domain/IP Based [note there is a typo in UI “Baesd”]

  4. Use VPN for: add the local LAN only. For example, if your main LAN is 192.168.1.1, add 192.168.1.1/24.

  5. Unplug all cables from X750. Connect through Wi-Fi only (does not serve as WAN).

  6. Insert SIM card for data and Auto-configure to get online. You should be able to ping 8.8.8.8.

  7. Set up an OpenVPN client and connect to the VPN. The VPN screen shows you the IP of the router on the VPN. It seems the default is 10.8.0.6.

  8. Log on to your VPN server. In my case this is a Windows Server 2016 machine. It should have two IP addresses, e.g. 192.168.1.3 and 10.8.0.1.

  9. Open a command/terminal prompt on the VPN server. Ping the router on 10.8.0.6. It should work, but it doesn’t.

What policy does it need? I already set the policy “Use VPN for all processes on the router" = OFF. So the router should not depend on the VPN server to have an Internet connection.

I have a similar problem and I have submitted to development team.

Thanks!

You are right about this. But that message is for the clients.

The word “leak” is always negative in English. Usually it refers to water. If you have a leak, your kitchen will have a flood. It means that something is broken and must be fixed.

As described here, “Data leakage is the unauthorized transmission of data from within an organization to an external destination or recipient.” So when applied to data, it means data is being actively stolen by someone. It is broken and must be fixed.

As I understand, what you mean is that some data may go outside the VPN. But depending on the environment, that is not always bad. For example in my situation, the VPN will only be used for a backup cellular connection between the client and my office. Most customer data should go through their normal Internet connection. But if their main Internet goes down, I want to be able to connect to the router via the cellular VPN so I can make changes if necessary. Cellular is limited to 1 or 2 GB per month (unless you pay a lot more), so I don’t want to use it for the client’s normal Internet connection.

You are right.

We used the words “Data leakage” for data privacy scenarios only. Actually, this term is used by all the VPN service providers who want to use scary words on purpose.

Just to add to what @alzhao wrote, when using the word “leak” in regard to VPN, the data IS leaking, and a potential attacker can see the data. It’s just a matter of someone listening to the traffic or not.

It is a configuration bug and should be fixed, and it is as serious as it sounds when you have the VPN enabled.

When talking about VPNs nowadays, users are expecting full privacy too. So in your example of the office, say that your boss knows there is a VPN on the cellular connection, and the customer decides to send some confidential info via the VPN; if data is leaking and it is not expected, a fellow coworker could be sniffing the private data.

If the VPN is actually not secure in the office, it should be written somewhere that it’s not, so that users are not expecting it to be completely secure. There shouldn’t be a leak for any of the devices routed into the VPN.

@Johnex, I’m not sure I follow your point. How do you want to deploy the VPN?

If you employ a VPN to hide ALL of your communications between the desktop and the VPN server, then yes, it could be considered a “leak” if some data is going outside the VPN. (Of course, even in this scenario, if the VPN server then puts the traffic onto the public Internet, you are subject to sniffing past the VPN server.)

However let’s say you are using the router without VPN at all. You do your browsing, watch Netflix, even online banking (using https sites). Then you have a new requirement to read private documents on the server at a remote location, so you set up a tunnel between your desktop and the server. Since the VPN uses non-routable IP addresses, if the VPN is down, you simply will not have access to the corporate server. There is no “leak” unless the router is misconfigured to send data from inside the VPN to the public side of the non-VPN WAN.

My understanding of the VPN Policy feature is to allow for both purposes: encrypt ALL traffic or only encrypt SOME traffic. It’s not leaking as long as it is doing what you tell it to do.

My point was about the strict terminology, and that a VPN is considered secure.

And I was talking internally. If the VPN is between your boss’s PC and a remote secret location, and the VPN leaks, it will leak data into the internal network, letting other people on the local network see the data. That is also a bad leak, and if the person was expecting the VPN to be fully secure and properly configured, they will have a bad day.

Can I use wildcards in domain names?

No you cannot use wildcard


First of all, I am very happy & impressed with my new AR-750S Slate!!

But I have an issue with VPN policy routing with firmware version openwrt-ar750s-3.022-0329.

I’ve tested many scenarios & I’ve noticed the following:

primary/default LAN network

  • MAC policy works, I can exclude devices from using the WireGuard VPN tunnel & send traffic locally
  • IP policy doesn’t work, whatever I do traffic is always tunneled over the VPN, I cannot use an IP to exclude traffic from the tunnel

guest network

  • neither MAC nor IP policies make any difference, whatever I do traffic is always forced over the WireGuard VPN tunnel

What I would really like to see is the ability to setup 2 wireless LANs (one primary, one guest) & have traffic either tunneled or not tunneled based on what network/ip range the clients are connected to.

I’ve even tried blocking all MAC addresses on default LAN from accessing tunnel - but I couldn’t find a wildcard that worked (00:00:00:00:00:00, FF:FF:FF:FF:FF:FF), & I don’t want to have to add all devices to block list.

Is this a bug or am I doing something wrong?

Thanks