VPN Policy - use only guest network for VPN (3.100)

hi,

I am aiming for a fairly simple setup: some devices I want to connect to VPN (streamers etc.) and the rest connect to WAN directly.

I guess I can create a rule per MAC or subnet, but as I was looking at the settings I noticed the “Use VPN for guest network”.
am I correct in assuming that if I leave this option enabled and disable the “Use VPN for all processes on the router” then effectively what will happen is that any client connected to Guest will go through VPN and everything else (including LAN and Wifi clients) will go through WAN?

follow up -
I have created the following setup:

  1. created and connected to an openvpn site (nordvpn)
  2. enabled vpn policies and selected “use vpn for guest”
  3. disabled “use vpn for all processes on the router”
  4. created a policy of type “only allow the following use vpn” for the subnet of the guest network

now when I connect to the main wifi I end up going directly to WAN,
and when connecting to the guest network I go through VPN.
all this is cool but…

when connected to the non-guest wifi (direct to WAN), I am connected but at a ridiculous rate, to the point where the connection is unusable (sites like youtube barely load and do not play videos).
and when connected to the guest wifi (VPN), everything works fast but obviously via VPN.

ideas?

Thank you for this brilliant idea, as it gives me some ideas for a slightly different setup.

I’ll look into it and if I come across something that might benefit you or solve your issues, I’ll let you know.

Could you check if, with your initial setup, the test at speed.io runs through from a PC not on the guest network.

Mine always stalls, when trying to split tunnel.

@ThH -
as with other browsing, it takes a loooooong time for it to find an appropriate speed-test server, and when it finally does and I initiate the test it yields ridiculously low speeds.
now, if I do the same from a PC on the guest network (VPN) everything works quickly and fine.

I am curious though -
am I (and @ThH) the only one interested in having a “mixed environment” split based on the 2 wifi networks which would enable streamers and such to “be abroad” and the rest just work as usual?
my guess is that if there is enough interest in it, it might motivate the developers to take a look and possibly recommend (or fix) something.

IMO firewall rules impact very badly on this type of setup.
I’m interested too in a dual VPN setup for my clients, and the ideal setup would be “use vpn for” and “do not use vpn for” at the same time.
I asked @alzhao about this functionality but he answered that it’s too hard to implement…

not that you didn’t do this, but when playing with different configurations it’s best to perform a reboot before running test scenarios. not that it needs it, but it can’t hurt.

try not to use the same client machine for testing; use two separate machines.

let me throw some ideas and see if one hits.

what hardware were you using?

did (direct to wan) mean ethernet WAN-connected or wireless repeater connected to WAN? (just making sure) assuming the first.

if you were using WWAN, did you have a dual-band router where wireless clients connect to the router on 2.4G and the WWAN link from the router to another router is on 5G?

did you try an ethernet client for LAN networks?

you can configure it two ways, where the WAN is your VPN clients and your guest is your local internet access clients

were you using DNS over TLS (Cloudflare) or dnscrypt-proxy? if so, disable it for the test
were you overriding DNS for all clients? if so, disable it for the test

Do you use bridging?

no. just direct ethernet (DHCP) WAN access from my ISP’s router (as far as the 750 is concerned it is getting unlimited WAN access)

@rp201rp -
you seem to have mentioned some potential culprits. I will test thoroughly and report back in the next couple of days (my baby is having her 3rd birthday this week so I am busy with “fun” errands LOL)

Only the main network can create such a policy. are you creating an IP policy or a MAC policy?

had time to do some testing based on @rp201rp’s ideas:

  1. tried using either and both ethernet and wireless (repeater) for WAN - didn’t make a difference
  2. disabled and enabled DoT and/or “override dns for all clients” - didn’t make a difference
  3. tried using either wireless or ethernet for my lan connection - didn’t make a difference
  4. warm reboots between each and every configuration change

on a separate note -
I would like to re-iterate the (simple) desired behavior:
when traveling, we usually carry our “work tools” (laptop, phone) and our “entertainment tools”.
the idea is to have some devices go through VPN and the others directly to WAN.

I have tried almost every conceivable combination (with or without using guest wifi) and it seems like the VPN policies simply don’t make any difference with that.
it might be that VPN policies work fine for dealing with destinations, but they do nothing for policing the clients/origins.
it is important to note that VPN policies for my use-case become useless if they only offer the ability to police destinations. trying to keep track of which addresses/URLs are used by streaming services etc. is not simple and is time-consuming.

all we need is a SIMPLE way to set a “policy” that can decide if a certain internal subnet/ip/mac can exit to vpn and default all others to wan, OR vice versa - default is vpn and specified is to wan.

either what exists now is really really broken, OR it works but in an improperly documented and/or counter-intuitive way.

I am willing to put time and effort in helping test it but I want to first understand if what I am trying to do is in fact included in the designs.

My understanding from reading these forums is that GL.iNet policy routing by MAC address is source-based routing, while domain/IP is destination-based.
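To make the source-based versus destination-based distinction concrete, and to show the two modes asked for earlier (“only the listed subnet exits via VPN, everything else via WAN” and the reverse), here is an added example in POSIX sh. It is not part of this thread, the GL.iNet firmware, or LuCI; it models the per-client decision and renders the plain `ip rule` / `ip route` commands that implement it on an OpenWrt-style router. Every name in it (the guest subnet 192.168.9.0/24, `tun0`, `eth0`, the gateway 192.168.1.1, table 100, priority 1000, and the `POLICY_MODE` switch) is an assumption chosen for illustration, not a value taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, GL.iNet firmware or LuCI): source-based
# policy routing for an OpenWrt-style router, modelled and rendered in sh.
# All values below are assumptions for illustration:
#   POLICY_NET    client subnet the policy applies to (a guest network here)
#   POLICY_MODE   "only"   -> POLICY_NET exits via the VPN, everyone else via WAN
#                 "except" -> POLICY_NET exits via WAN, everyone else via the VPN
#   VPN_IF        tunnel interface
#   WAN_IF/WAN_GW upstream interface and its gateway
#   POLICY_TABLE / RULE_PRIO  extra routing table number and ip-rule priority
POLICY_NET="${POLICY_NET:-192.168.9.0/24}"
POLICY_MODE="${POLICY_MODE:-only}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-192.168.1.1}"
POLICY_TABLE="${POLICY_TABLE:-100}"
RULE_PRIO="${RULE_PRIO:-1000}"

# Dotted-quad IPv4 address -> unsigned integer (needs 64-bit shell arithmetic,
# which dash and bash provide).
ip_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# ip_in_cidr <ip> <net/bits>: exit 0 when <ip> lies inside the prefix.
ip_in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# egress_for <client-ip>: prints "vpn" or "wan". Only the packet's SOURCE
# address is consulted; the destination never enters into it, which is what
# separates a MAC/subnet (source) policy from a domain/IP (destination) one.
egress_for() {
    if ip_in_cidr "$1" "$POLICY_NET"; then
        [ "$POLICY_MODE" = only ] && echo vpn || echo wan
    else
        [ "$POLICY_MODE" = only ] && echo wan || echo vpn
    fi
}

# render_rules: print the ip(8) commands for the chosen mode.
#  "only":   main table keeps its normal WAN default; POLICY_NET alone is sent
#            to a table whose default route is the tunnel.
#  "except": main table's default is assumed to already be the tunnel (as an
#            OpenVPN redirect-gateway does); POLICY_NET is diverted to a table
#            whose default route is the WAN gateway.
render_rules() {
    if [ "$POLICY_MODE" = only ]; then
        echo "ip route replace default dev $VPN_IF table $POLICY_TABLE"
    else
        echo "ip route replace default via $WAN_GW dev $WAN_IF table $POLICY_TABLE"
    fi
    echo "ip rule add from $POLICY_NET lookup $POLICY_TABLE priority $RULE_PRIO"
}

# Usage:  sh policy-route.sh          # print the commands for review
#         sh policy-route.sh apply    # run them (as root, on the router)
if [ "${1:-}" = apply ]; then
    render_rules | sh -e
else
    render_rules
fi
```

Two caveats worth checking before applying rules like these on a real router: the policy table holds only a default route, so routes to other local subnets (the main LAN, for instance) must be copied into it or excluded with a higher-priority `ip rule`, otherwise guest clients lose reachability to those subnets; and `ip rule add` is not idempotent, so re-running it stacks duplicate rules that must be cleaned up with `ip rule del`. If guest clients must never fall back to plain WAN when the tunnel is down, a firewall rule that drops POLICY_NET traffic leaving via WAN_IF is still needed on top of the routing rules.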

this is what I have observed too, but it simply doesn’t work.
I hope one of their support people will stumble on this post and clear things up (or pass it along to the developers for a fix).

I have an AR750 that works fine under those policy settings on v3.1.

@rp201rp - did you manually configure it in LuCI / ssh or did you use GL-iNet’s web interface?

for routing, VPN and wireless I stay away from LuCI and leave it up to the GL-iNet web admin for those.

@AnonyOne As the GL gui didn’t do what I wanted it to do, I tried my luck with split tunneling in LuCI.
I guess your solution could be found there.

See how I solved it in my thread: Wireguard with split tunnel - #16 by ThH

If you are still interested, I would be happy to try it out with you.
