I am aiming for a fairly simple setup: some devices I want to connect to VPN (streamers etc.) and the rest connect to WAN directly.
I guess I can create a rule per MAC or subnet, but as I was looking at the settings I noticed the “Use VPN for guest network”.
Am I correct in assuming that if I leave this option enabled and disable the “Use VPN for all processes on the router” then effectively what will happen is that any client connected to Guest will go through VPN and everything else (including LAN and Wifi clients) will go through WAN?
created and connected to an openvpn site (nordvpn)
enabled vpn policies and selected “use vpn for guest”
disabled “use vpn for all processes on the router”
created a policy of type “only allow the following use vpn” for the subnet of the guest network
now when I connect to the main wifi I end up going directly to WAN,
and when connecting to the guest network I go through VPN.
all this is cool but…
when connected to the non-guest wifi (direct to WAN), I am connected but at a ridiculous rate, to the point where the connection is unusable (sites like youtube barely load and do not play videos).
and when connected to the guest wifi (VPN), everything works fast but obviously via VPN.
@ThH -
as with other browsing, it takes a loooooong time for it to find an appropriate speed-test server, and when it finally does and I initiate the test it yields ridiculously low speeds.
now, if I do the same from a pc on the guest network (VPN) everything works quickly and fine.
I am curious though -
am I (and @ThH) the only one interested in having a “mixed environment” split based on the 2 wifi networks which would enable streamers and such to “be abroad” and the rest just work as usual?
my guess is that if there is enough interest in it, it might motivate the developers to take a look and possibly recommend (or fix) something.
IMO firewall rules impact very badly on this type of setup.
I’m interested too on a dual setup vpn for my clients and the ideal setup would be “use vpn for and do not use vpn for” at the same time.
I asked @alzhao about this functionality but he answered that it’s too hard to implement…
not that you didn’t do this, but when playing with different configurations it’s best to perform a reboot before running test scenarios; not that it needs it, but it can’t hurt.
try not to use the same client machine for testing; use two separate machines.
let me throw some ideas and see if one hits.
what hardware were you using?
did (direct to wan) mean ethernet-WAN-connected or wireless-repeater-connected to WAN? (just making sure) assuming the first.
if you were on WWAN, did you have a dual-band router where wireless clients come into the router on 2G and the WWAN link from the router goes to another router on 5G?
did you try an ethernet client for LAN networks?
you can configure it two ways, where the WAN is your VPN clients and your guest is your local internet access clients
were you using dns over tls cloudflare or dnscrypt-proxy? if so disable on test
were you overriding dns for all clients? if so, disable for test
@rp201rp -
you seem to have mentioned some potential culprits. I will test thoroughly and report back in the next couple of days (my baby is having her 3rd birthday this week so I am busy with “fun” errands LOL)
on a separate note -
I would like to re-iterate the (simple) desired behavior :
when traveling, we usually carry our “work tools” (laptop, phone) and our “entertainment tools”.
the idea is to have some devices go through vpn and the others directly to wan.
I have tried almost every conceivable combination (with or without using guest wifi) and it seems like the VPN policies simply don’t make any difference with that.
it might be that vpn policies work fine for dealing with destinations, but they do nothing about policing the clients/origins.
it is important to note that vpn policies for my use-case become useless if they only offer the ability to police destinations. trying to keep track of which addresses/urls are used by streaming services etc is not simple and time consuming.
all we need is a SIMPLE way to set a “policy” that can decide if a certain internal subnet/ip/mac can exit to vpn and default all others to wan, OR vice versa - default is vpn and specified is to wan.
either what exists now is really really broken, OR it works but in an improperly documented and/or counter-intuitive way.
I am willing to put time and effort in helping test it but I want to first understand if what I am trying to do is in fact included in the designs.
this is what I have observed too, but it simply doesn’t work.
I hope one of their support people will stumble on this post and clear things out (or pass it along to the developers for a fix).
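For readers who want the “subnet/MAC to VPN, default to WAN, or vice versa” behaviour described above without waiting on the VPN policy feature, the following is an added example of how that source-based policy routing is done with the plain Linux tools an OpenWrt-based router already carries (ip rule, ip route, iptables). It is not code from this thread or from GL.iNet’s firmware. Every interface name, subnet, gateway, table id and fwmark in it is an assumption for illustration (the `unreachable` route type and `-m mac` match may need the `ip-full` and `iptables-mod-*` packages on OpenWrt, and the rules are not persistent across a reboot unless you put them in a startup script):

```shell
#!/bin/sh
# Added example, not from the thread or from GL.iNet's firmware.
# All values below are assumptions for illustration; adjust to your router.
GUEST_NET="${GUEST_NET:-192.168.9.0/24}"   # guest wifi subnet (assumed)
VPN_IF="${VPN_IF:-tun0}"                   # OpenVPN tunnel interface (assumed)
WAN_IF="${WAN_IF:-eth0}"                   # WAN interface (assumed)
WAN_GW="${WAN_GW:-192.0.2.1}"              # WAN next hop (assumed; documentation range)
VPN_TABLE="${VPN_TABLE:-100}"              # spare routing table ids (assumed unused)
WAN_TABLE="${WAN_TABLE:-101}"
VPN_MARK="${VPN_MARK:-0x64}"               # fwmark used for per-MAC steering (assumed)

# Print the command instead of executing it when DRY_RUN=1, so the plan can
# be reviewed (and tested) before touching the routing tables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mode A: default exit is WAN (main table); only the guest subnet uses the VPN.
guest_via_vpn() {
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # Fail closed: a worse-metric 'unreachable' default stays in the table
    # when the tunnel route vanishes, so guest traffic does not fall through
    # to the main table and leak out of the WAN while the VPN is down.
    run ip route replace unreachable default table "$VPN_TABLE" metric 1000
    # Packets sourced from the guest subnet consult VPN_TABLE before main.
    run ip rule add from "$GUEST_NET" lookup "$VPN_TABLE" priority 1000
}

# Mode A, per device: steer one client by MAC address through the VPN by
# marking its packets and routing on the mark (table set up by guest_via_vpn).
mac_via_vpn() {
    mac="$1"
    run iptables -t mangle -A PREROUTING -m mac --mac-source "$mac" -j MARK --set-mark "$VPN_MARK"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" priority 1001
}

# Mode B: the router already sends everything through the VPN ("use VPN for
# all processes"); carve one subnet out so it goes straight to the WAN.
subnet_via_wan() {
    net="$1"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
    run ip rule add from "$net" lookup "$WAN_TABLE" priority 900
}

# Check, on the router, which exit a packet from a given client would take.
# The answer names the VPN interface or the WAN interface. The second argument
# is the bridge the client sits on (assumed names: br-guest, br-lan).
trace_exit() {
    run ip route get 1.1.1.1 from "$1" iif "${2:-br-guest}"
}

# Usage: DRY_RUN=1 sh policy.sh plan   (review)   |   sh policy.sh apply
case "${1:-}" in
    plan)  DRY_RUN=1; guest_via_vpn ;;
    apply) guest_via_vpn ;;
esac
```

Two things to keep in mind when applying this on a GL.iNet box: traffic leaving via the tunnel still needs masquerading on the VPN firewall zone (the stock firmware normally handles that), and `trace_exit` is the quick way to confirm the split before reaching for a speed test, since it shows the routing decision without any client involved.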