Example of working config on ASUS MERLIN firmware
Its a good idea to start with wan option enabled, though this of course is optional.
The Accept DNS option is best set to exclusive. If you want to change it you should know what the effect is. It defaults to disabled and other settings are less secure, which may be the source of DNS leak reports with this firmware.
Redirect Internet Traffic is set to “Policy Rules (strict)”. This option lets you direct by IP address (or by subnet) which boxes on your network direct traffic through the VPN. You should, of course, set the DHCP Server to give these boxes a fixed ip address. It is also possible to specify exceptions by destination.
Policy rules should be set to strict, though if you have static routing it can cause problems in which case you can use the less secure “policy rules” setup. You can also, of course, choose to divert all internet access through the VPN which is far less flexible.
Finally, there is the option to block internet access from any device routed through the VPN if the tunnel goes down.