One of the nicest features VPN users discover when upgrading to ASUSWRT-Merlin is the policy routing and killswitch feature. On stock ASUSWRT, all devices will be routed through the VPN tunnel when it’s active.
On Merlin, you can choose which devices you want to use the VPN and which should ignore it. You can even tell the router to use (or skip) the VPN for specific websites.
On top of that, Merlin adds a kill-switch feature, which optionally lets you kill internet access to all VPN-routed devices if the VPN tunnel goes down. This will prevent data or your real IP address from leaking in the event of VPN failure. This is perfect for Kodi/Torrent fans.
This guide will show you how to take advantage of all these powerful new features…
Introduction to Selective Routing
The selective routing/policy routing feature is only available for OpenVPN client connections. So make sure you have a working OpenVPN client connection before starting this tutorial. If you need help, check out our guide to setting up OpenVPN on Merlin firmware.
To turn on selective routing:
Go to the OpenVPN client settings for your VPN connection which is found at: Advanced Settings > VPN > OpenVPN Clients (top tab)
At the very bottom of that page you'll find the 'Redirect Internet Traffic' option. Change it to 'Policy Rules' and a rules table appears beneath it, where you can add individual devices or IP ranges and choose whether each one is routed inside or outside the VPN tunnel.
Setting routing rules
Basically you have two types of choices:
- What to route
  - Individual devices (by IP address)
  - IP ranges (in CIDR notation)
- Where to route it
  - VPN (through the tunnel)
  - WAN (not VPN)
If you want most devices to USE the VPN…
We’ll route ALL traffic through the VPN, then specify individual devices that won’t use the VPN.
To route all local IPs through the VPN, we need to use CIDR notation.
First, make sure you know what subnet your router’s DHCP is using. The easiest way to check this is to go to Advanced Settings > LAN > DHCP Server and look at the IP Pool numbers.
My router is using the 192.168.138.x subnet (my choice) but by default ASUS routers will use 192.168.1.x unless you’ve specified another one.
Once you know your subnet (the third octet of the address), go back to the VPN routing settings.
To route all traffic in that subnet through the VPN, enter the subnet's network address with /24 appended in the 'Source IP' field and choose 'VPN' as the Iface. For the default 192.168.1.x subnet that is 192.168.1.0/24; for my 192.168.138.x subnet it is:
192.168.138.0/24
Then make sure to hit the ‘+’ icon in the Add/Delete column to actually add the rule.
Now you can manually add devices that will skip the VPN tunnel. For example, if you have a Chromecast and you want to be able to access Netflix (which blocks your VPN's IP addresses), then you want the Chromecast not to use the VPN.
So click the arrow dropdown under ‘Source IP’ and your Chromecast will show up in the list as long as it’s currently connected to your router’s network.
Then select ‘WAN’ as the Interface for that device, and click ‘+’ to add.
And now you have all local IPs going through the VPN tunnel, except the Chromecast, which you told to go direct to WAN (bypassing the VPN).
If you want only a few specific devices to use the VPN…
If most devices will bypass the VPN tunnel, then you don’t need to route any IP blocks. Instead, just pick the individual devices you want to use the VPN, and manually add them from the Source IP dropdown. Choose ‘VPN’ as the Iface.
Using the Kill-Switch
Using the kill-switch feature in ASUSWRT-Merlin is simple. On the same OpenVPN client page, just change the following setting to Yes:
Block routed clients if tunnel goes down: Yes
That's it. If the VPN connection drops, none of the devices you routed to the VPN will have internet access until you either:
- Turn the kill-switch off
- Restart the VPN connection (or it reconnects on its own)
Note that 'routed clients' means exactly that: only devices with a VPN rule in the policy table are blocked. Devices routed to WAN, or with no rule at all, are unaffected and keep using your real IP address.
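As an added example (not Merlin's own vpnrouting.sh, and not code from this page), here is a POSIX shell script that emulates how a policy-rule table like the one built above is resolved for a given client, and prints the ip rule / iptables lines such a table roughly corresponds to on the router. The rule table is constructed to mirror the walkthrough: the whole 192.168.138.0/24 LAN to VPN and one Chromecast at an assumed address, 192.168.138.20, to WAN. The routing table name ovpnc1, the WAN interface eth0 and the priority base numbers are assumptions for illustration, not values read from the firmware.

```shell
#!/bin/sh
# Added example: emulates policy-rule resolution and the ip-rule/iptables
# lines it roughly corresponds to. Not Merlin's vpnrouting.sh. Table name
# "ovpnc1", WAN interface "eth0" and the priority bases are assumptions.

# Constructed rule table mirroring the walkthrough: whole LAN -> VPN,
# one Chromecast (assumed address) -> WAN. Format: "<source> <VPN|WAN>".
RULES='192.168.138.0/24 VPN
192.168.138.20 WAN'

# lan_cidr 192.168.138.1 -> 192.168.138.0/24 (assumes the /24 LAN ASUS uses by default)
lan_cidr() {
    printf '%s.0/24\n' "${1%.*}"
}

# ip2int 192.168.138.0 -> 3232270848 (dotted quad as a 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <block> -> true if <ip> lies inside <block>; a bare address
# in the rule table (no "/bits") is treated as a single host, i.e. /32.
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolve <client-ip> -> VPN or WAN. WAN rules are consulted before VPN rules
# (the firmware gives them precedence), so a host-specific WAN exception beats
# a subnet-wide VPN rule. A client matching nothing simply goes out the WAN.
resolve() {
    client=$1
    for want in WAN VPN; do
        hit=$(echo "$RULES" | while read -r src iface; do
            if [ "$iface" = "$want" ] && in_cidr "$client" "$src"; then
                echo "$iface"
                break
            fi
        done)
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
    done
    echo WAN
}

# emit_rules -> the ip rule / iptables lines the table corresponds to.
# WAN rules get lower priority numbers (checked first) than VPN rules.
# The kill switch is a FORWARD REJECT toward the WAN interface for each
# VPN-routed source: while the tunnel is up their traffic leaves via the
# tunnel and never matches; when it drops, the fallback to the WAN is refused.
emit_rules() {
    wan_prio=9990
    vpn_prio=10000
    echo "$RULES" | while read -r src iface; do
        if [ "$iface" = WAN ]; then
            wan_prio=$((wan_prio + 1))
            echo "ip rule add from $src table main priority $wan_prio"
        else
            vpn_prio=$((vpn_prio + 1))
            echo "ip rule add from $src table ovpnc1 priority $vpn_prio"
            echo "iptables -I FORWARD -s $src -o eth0 -j REJECT"
        fi
    done
}

# Stand-alone run: show where each client ends up, then the generated rules.
for c in 192.168.138.20 192.168.138.57 10.0.0.5; do
    echo "$c -> $(resolve "$c")"
done
emit_rules
```

Run it with sh on any Linux box; it needs no router. Three things it makes visible that the GUI table does not: the host-specific WAN exception wins over the subnet-wide VPN rule because WAN rules are consulted first, so the order you add rows in does not matter; a client that matches no rule also ends up on the WAN; and the kill-switch REJECT only exists for sources that have a VPN rule, which is why 'routed clients' is the operative phrase in that setting's name.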
When to use?
So when should you use these different kill-switch and VPN routing options? Here are some simple guidelines…
Route a device through the VPN if:
Any of the following are true:
- You use the device for sensitive transfers or transactions
- You need to bypass geo-restriction locks (such as accessing Netflix)
- You want full-time encryption or IP-address anonymity
Route a device outside the VPN if:
- You need to access a service that blocks VPNs
- You need maximum speed and don’t really need security (such as video streaming/gaming)
- You're comfortable with the device broadcasting your real IP address
- You often switch between VPN/non-VPN connections (instead, install the VPN client directly on the device).
Use the Kill-Switch if:
It’s very important that your VPN-protected devices are never routed insecurely. Torrent/Kodi devices are two types that are frequently used with a kill switch. Also, if you’re accessing a service that may ban you if your IP changes unexpectedly (multiplayer games, online poker) you should definitely use a kill switch.
As you can see, ASUSWRT-Merlin's kill-switch and routing capabilities are incredibly powerful. I consider it well worth the (minimal) effort to upgrade to Merlin and get this (and other) powerful features.
Not only do you get device-level control over VPN usage, but you eliminate the entire second router (and $100-200 worth of cost) you would otherwise need to have separate VPN and non-VPN devices on your home network.
If you have any other selective routing tips, comments, or questions…please share them in the comments below!