VPN management with Asuswrt-Merlin
The Asuswrt-Merlin firmware includes VPN servers (OpenVPN and IPsec) as well as several advanced VPN clients, including an OpenVPN client. One of its most important features is that it can route all the traffic of a given LAN client through an OpenVPN tunnel that we set up. The Asuswrt-Merlin developer has now carried out a full overhaul of OpenVPN routing, which serves as the basis for the new VPN Director functionality; it is coming soon and is currently in beta for testing.
Starting with the new version 386.3, all OpenVPN routing will be handled directly by the firmware, rather than by the OpenVPN client we configure and the firmware later modifies. The internal routing will be cleaner, and it will no longer be necessary to remove unwanted routes pushed by the OpenVPN server. Thanks to this overhaul, the option to “redirect Internet traffic” will behave much better, because the remote server will no longer silently override it; in addition, we can choose whether or not to accept certain routes pushed by the OpenVPN server (when we act as a client). There will no longer be a “policy” and a “strict policy” mode as before in the Asuswrt-Merlin firmware; there will simply be a single policy mode.
Another feature that has changed is the operation of the so-called Kill-Switch, a function that blocks traffic that is not going through the remote OpenVPN server, with the aim of protecting us from tunnel drops and information leaks. The Kill-Switch will now not activate if we manually stop the VPN tunnel, either through the graphical user interface or via SSH commands. The Kill-Switch now works in these cases:
- If the VPN client is configured to connect at router startup and the Kill-Switch is enabled, all traffic will be blocked until the OpenVPN client connects.
- If the VPN client connection terminates abruptly, the Kill-Switch will also work.
In addition, the Kill-Switch also works when a policy of “redirect all traffic through a VPN client” is configured.
What is VPN Director?
VPN Director replaces the policy-based and strict policy-based routing modes we had until now. All rules will now be configured in a centralized location that manages all VPN client connections (OpenVPN protocol only), which makes them easier for users to configure. The new menu is in the “Advanced / VPN Settings” section, as shown below:
This new functionality lets us configure all the policies we want in detail, up to 199 rules in total, and assign which VPN tunnel a specific LAN client should use. In this way we can easily send certain clients to the Internet through different VPN services, or directly through the WAN interface if we select it. In this menu we can also start the different VPN clients, see whether the Kill-Switch is enabled, and much more.
A very important detail is the order of precedence that VPN Director will follow:
- OpenVPN clients configured to redirect all traffic have the highest priority.
- WAN rules also have high priority, but below full traffic redirection.
- OpenVPN client 1 rules take precedence over OpenVPN client 5 rules.
- Rules can be easily enabled and disabled by clicking the “Enable” field of each rule.
Another important aspect is that rules can target specific IP addresses, or whole subnets using CIDR notation.
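To make the precedence order above concrete, here is a small Python model of how a LAN client's source address is matched against a VPN Director rule table. It is an added illustration, not code from the Asuswrt-Merlin firmware, and it assumes a few things the article does not state: unmatched clients use the WAN by default, when several OpenVPN clients are set to redirect all traffic the lowest-numbered one wins, and the interface names WAN and OVPN1..OVPN5, the Rule class and the function names are invented for the example.

```python
"""Model of VPN Director rule precedence (added example, not firmware code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN = "WAN"                       # interface names are assumptions for this example
OVPN_CLIENTS = ("OVPN1", "OVPN2", "OVPN3", "OVPN4", "OVPN5")
MAX_RULES = 199                   # limit stated in the article


@dataclass(frozen=True)
class Rule:
    description: str
    source: str      # single IP ("192.168.1.10") or CIDR subnet ("192.168.1.0/24")
    iface: str       # WAN or one of OVPN_CLIENTS
    enabled: bool = True


def validate_rules(rules):
    """Reject tables the UI would not accept: too many rules, bad addresses, bad interfaces."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"VPN Director allows at most {MAX_RULES} rules, got {len(rules)}")
    for r in rules:
        ip_network(r.source, strict=False)   # raises ValueError on a malformed IP/CIDR
        if r.iface != WAN and r.iface not in OVPN_CLIENTS:
            raise ValueError(f"unknown interface {r.iface!r} in rule {r.description!r}")
    return True


def _rank(rule):
    """Lower rank wins: WAN rules beat OpenVPN rules, and OpenVPN 1 beats OpenVPN 5."""
    return 0 if rule.iface == WAN else OVPN_CLIENTS.index(rule.iface) + 1


def resolve(client_ip, rules, redirect_all=()):
    """Return the interface a LAN client's traffic leaves through.

    redirect_all: OpenVPN clients configured to 'redirect all traffic'; these
    override every rule. Assumption: with several, the lowest-numbered wins.
    """
    if redirect_all:
        return min(redirect_all, key=OVPN_CLIENTS.index)
    addr = ip_address(client_ip)
    matches = [r for r in rules
               if r.enabled and addr in ip_network(r.source, strict=False)]
    if not matches:
        return WAN        # assumption: unmatched clients use the normal WAN route
    return min(matches, key=_rank).iface


def sample_rules():
    """Constructed rule table; addresses are example values, not real hosts."""
    return [
        Rule("NAS stays on WAN", "192.168.1.10", WAN),
        Rule("Whole LAN via VPN client 5", "192.168.1.0/24", "OVPN5"),
        Rule("Laptop via VPN client 1", "192.168.1.20/32", "OVPN1"),
        Rule("Disabled rule for printer", "192.168.1.30", "OVPN2", enabled=False),
    ]


if __name__ == "__main__":
    table = sample_rules()
    validate_rules(table)
    for ip in ("192.168.1.10", "192.168.1.20", "192.168.1.30", "10.0.0.5"):
        print(ip, "->", resolve(ip, table))
    print("192.168.1.10 with OVPN3 redirecting all ->",
          resolve("192.168.1.10", table, redirect_all={"OVPN3"}))
```

Note that the winner is chosen by interface rank, not by position in the table: the NAS matches both its own WAN rule and the /24 rule for VPN client 5, and WAN wins; the laptop matches the /24 rule and its own /32 rule for client 1, and client 1 wins. The disabled printer rule is skipped entirely, so the printer falls back to the subnet rule, which is the kind of silent fallback worth checking after toggling the “Enable” field.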
As you have seen, for users who use the OpenVPN client with VPN services such as Surfshark, PureVPN, NordVPN and many others, this new functionality is ideal because all the rules are visible in a single menu. All these rules will be stored in JFFS (internal flash memory) rather than in NVRAM, in order to save space and be able to store up to 199 rules in total. We recommend you visit the VPN Director beta thread, where you will find all the details.