Using Multiple OpenVPN Clients

Discussion in 'VPN' started by TonyK132, May 15, 2019.

  1. TonyK132

    Is there a tutorial somewhere that talks about configuring Merlin for handling multiple OpenVPN clients? I have Client 1 running PIA and Client 2 running ExpressVPN. I would like all of my traffic to go to Client 1 except for a small range of IP addresses to use Client 2. Can I configure the Policy Rules for doing this?
     
  2. Butterfly Bones

  3. TonyK132

    I did see that post, and I reviewed again after your post. I believe it does not address the 2 client situation. Still, I experimented a bit and I think what works is:

    1. In Client 1, you leave the range of IP addresses undefined that you want to use in Client 2. This will cause that client to view those addresses as going through the WAN.
    2. In Client 2, you declare the addresses you want to go through that client as part of the undefined addresses from Client 1.

    What does NOT work is defining the address range in both Client 1 and Client 2 hoping that Client 2 will prevail since it follows Client 1 in the order of execution. I guess it does not work that way.
     
  4. CaptainSTX

    So I can tell exactly what is happening when using 2-3 VPN clients, I do the following:

    1. For all devices that regularly connect to this router I assign static IPs.
    2. I use policy routing or strict policy routing on all VPN clients.
    3. In the lowest numbered client I select all devices that I want to use VPN Tunnel 1.
    4. In the lowest numbered client I also select all devices that I want to use the WAN and assign them to the WAN. Some people recommend assigning the router's LAN IP to the WAN also. In my experience it doesn't seem to make a difference. I prefer to include the WAN connections so I know exactly where a device is connecting and you don't have to make an assumption.
    5. On the second VPN Tunnel 2, assign the IPs you want to use this tunnel. As you found out, IPs can't be listed under policy routing in more than one tunnel.
    6. Be careful if you select block routed clients if the tunnel goes down. In my case I feel it is more important to keep certain IoT clients connected as long as I have a viable Internet connection. Not much of an issue for me as my ISP connection is rock solid as is Merlin's 384.9 -11, so if one of my tunnels goes down it is a very rare occurrence.
    7. I do have all my VPN clients set to start with the WAN.

    FYI: It is possible to have more than one VPN client from PIA running on your router at the same time. If you are interested, search my posts on this forum for information on how to do so. Very simple.
     
  5. Martineau

    Presumably you have now created the following Selective Routing GUI tables?

    e.g. For ExpressVPN (VPN Client 1)
    Code:
    Express1      192.168.1.111    0.0.0.0   VPN
    Express2      192.168.1.123    0.0.0.0   VPN
    e.g. For PIA (VPN Client 2) - Everything else
    Code:
    ALL_LAN_PIA   192.168.1.0/24   0.0.0.0   VPN
    Router        192.168.1.1      0.0.0.0   WAN
    NOTE: You don't have to use the GUI to statically define the Selective Routing of the devices, you can always exploit the openvpn-event triggers to rebuild the RPDB table to enforce your requirements.

    Optionally, you may wish to enable the KILL switch for VPN Client 1, then that should ensure that ExpressVPN devices .111/.123 do not leak via VPN Client 2 or the WAN.
     
  6. TonyK132

    Thanks for your reply. Yes, that is basically the configs that I have, although I found that when I had PIA as Client 1 with 192.168.1.0/24 VPN then tried to do 192.168.1.123 on the WAN for ExpressVPN on Client 2, that it did not work. I need to put the .123 device to a range that was not declared in Client 1, say .250, then put .250 on the VPN in Client 2.

    For the Kill Switch, I'll need to research how to do that. I'll also have to research about the openvpn-event triggers.
     
  7. Martineau

    Thanks for the feedback. I'm glad you got it sorted, and hopefully my example configuration proves the exception to the myth "IPs can't be listed under policy routing in more than one tunnel".

    i.e. 192.168.1.111 and 192.168.1.123 appear in both VPN Client 1 and VPN Client 2 (implicitly), yet this doesn't cause any undesired Selective Routing issues for your user case where .111/.123 will prefer VPN Client 1 if it is UP, otherwise they will use VPN Client 2.

    NOTE: If you would rather 192.168.1.123 should use the WAN if VPN Client 1 is DOWN, then you need to simply explicitly add the following to VPN Client 2:
    Code:
    ExpressVPN2   192.168.1.123   0.0.0.0   WAN
     
    Last edited: May 16, 2019
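Added example (not part of any post above, and not Merlin's own code): a simplified model of why the order of rules across clients decides the outcomes discussed in this thread. It assumes Linux policy rules are tried in ascending priority and that a down client's table is skipped; the rule priorities and the `ovpnc1`/`ovpnc2` table names are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified first-match model of Linux policy rules (RPDB).
# Priorities and the ovpnc1/ovpnc2 table names are constructed sample values.

# Layout from post 5: specific hosts in Client 1, the whole LAN in Client 2.
SPECIFIC_FIRST='10101: from 192.168.1.111 lookup ovpnc1
10102: from 192.168.1.123 lookup ovpnc1
10201: from 192.168.1.1 lookup main
10301: from 192.168.1.0/24 lookup ovpnc2
32766: from all lookup main'

# Reversed layout: the whole LAN in Client 1, one host in Client 2.
BROAD_FIRST='10101: from 192.168.1.0/24 lookup ovpnc1
10301: from 192.168.1.123 lookup ovpnc2
32766: from all lookup main'

# route_for RULES SRC_IP [DOWN_TABLES]
# Prints the table chosen for SRC_IP: rules are tried in ascending priority,
# and a table named in DOWN_TABLES (space separated) is skipped, modelling a
# lookup that finds no route and falls through to the next rule.
route_for() {
    printf '%s\n' "$1" | sort -n | awk -v src="$2" -v down=" $3 " '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function matches(sel,    p, bits, size) {
        if (sel == "all") return 1
        split(sel, p, "/")
        bits = (p[2] == "") ? 32 : p[2]
        size = 2 ^ (32 - bits)
        return int(ip2int(src) / size) == int(ip2int(p[1]) / size)
    }
    matches($3) && index(down, " " $5 " ") == 0 { print $5; exit }
    '
}

for ip in 192.168.1.123 192.168.1.50 192.168.1.1; do
    echo "specific-first $ip -> $(route_for "$SPECIFIC_FIRST" "$ip")"
done
echo "specific-first .123, Client 1 down -> $(route_for "$SPECIFIC_FIRST" 192.168.1.123 ovpnc1)"
echo "broad-first    .123 -> $(route_for "$BROAD_FIRST" 192.168.1.123)"
```

The "Client 1 down" case is the fall-through to Client 2 that the kill switch mentioned in post 5 is meant to prevent.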