
Access to Fritzbox on WAN port via OpenVPN


Rooby

Regular Contributor
Hello

I have a Fritzbox on WAN port of a AC88U router which runs also an OpenVPN server.
I want to access the Fritzbox GUI from a client connected using OpenVPN.
Config is

Fritzbox: 10.10.10.1
Router WAN: 10.10.10.10
Router LAN: 10.10.1.0/255.255.255.0
Router OpenVPN subnet 10.10.0.0/255.255.255.0
OpenVPN client Router LAN 10.10.2.0/255.255.255.0

Currently I have access to the Fritzbox GUI from clients on the router LAN port, but it seems OpenVPN does not route it to the clients. I push 10.10.10.0 to the client:
push "route 10.10.10.0 255.255.255.0"
additionally I also add the command:
route 10.10.10.0 255.255.255.0
but this gives a failure in the log:
Ignore conflicted routing rule: 10.10.10.0 255.255.255.0

I need to route the Fritzbox at 10.10.10.1 to the clients.
Any help?
 
From the router's point of view the Fritzbox is on the public internet.
Are you allowing VPN clients internet access?


 
No they should have their own internet connection.
But if I push "route 10.10.10.0 255.255.255.0" to the clients then the Fritzbox IP (10.10.10.1) should be routed at least to the OpenVPN server (router where the Fritzbox is connected on the WAN).
But I guess on the server it may not be routed further.
At least on the LAN of the server/router the Fritzbox is accessible.
 
That’s my point, push the route AND set the router to allow WAN/internet access for VPN clients. I suspect the router is not allowing traffic from VPN>WAN


 
To be clear, this needs to be set to both...
(screenshot attached)



 
Ok thanks, I changed it and allowed WAN access to the clients. Now the Fritzbox is accessible, but it looks like all internet traffic on the clients is now also routed over the VPN, which I do not want. Only the traffic for 10.10.10.0/255.255.255.0 shall be routed via VPN to the server WAN port.
 
Ok thanks, I changed it and allowed WAN access to the clients. Now the Fritzbox is accessible, but it looks like all internet traffic on the clients is now also routed over the VPN, which I do not want. Only the traffic for 10.10.10.0/255.255.255.0 shall be routed via VPN to the server WAN port.
Did you ever figure out how to do this?
 
I figured it out. On the server Asus router, setup the OpenVPN server as LAN only. On the client Asus router, setup the OpenVPN client with Force Internet Traffic thru Tunnel set to "Policy Rules". Then add the following rules:

Rule1Name 0.0.0.0 192.168.xxx.0/24 VPN (The server LAN router subnet)
Rule2Name 0.0.0.0 192.168.yyy.0/24 VPN (The server router WAN subnet)

You can add additional rules for any other subnets that you want to route thru the tunnel.

Another thing you need to pay attention to: If you have a VPN network with multiple Asus router sites, when you setup the OpenVPN servers on each router, make sure that you configure unique subnet addresses for the VPN tunnels so that you don't end up with address conflicts if you have multiple OpenVPN client connections to server routers active at the same time from a single Asus client router.
 
Unfortunately this does not work for me.
I guess if the server is set to "LAN only" it will not route traffic to the WAN interface.
Any other ideas?
I guess we need a route from the server TUN interface to WAN.
 
To successfully implement a VPN connection between two Asus Routers to connect the LANs at two separate locations, configure the OpenVPN Server on one Router as follows:
(screenshot attached)

You need to set Username Authentication to YES. The allowed Client Names are the Usernames that you configure in the OpenVPN client. Note the "--username-as-common-name" line in the Custom Configuration. This is essential to make this work. Note: In this example, the OpenVPN server is configured to accept clients from 3 separate routers, each with a different LAN subnet address.

The OpenVPN Client in the other router should be configured as follows:
(screenshot attached)

In the client you need to change Force Internet Traffic thru Tunnel to "Policy Rules" and then configure the subnets on the remote router as shown. In addition, you should set Username Authentication to YES and Create NAT on Tunnel to NO.
 
Thanks for your clarification, but my setup is a bit more complicated.
Maybe this is the reason why I have some trouble.

The idea of my setup is the following:
  • Each client has a router (called a modem from now on) behind the WAN port of the Asus router.
  • Each client should have access to every client's (and the server's) LAN interface and the router behind the WAN port.

The IP addresses should be set to the following (which is easily extendable and easy to keep in mind :))

Server:
DHCP LAN: 10.10.1.0/24
VPN tunnel: 10.0.1.0/24
WAN: 10.10.10.10
Modem: 10.10.10.1

Client x (not client 1):
DHCP LAN: 10.10.x.0/24
VPN tunnel: 10.0.x.0/24
WAN: 10.10.x0.10
Modem: 10.10.x0.1

My setup is shown in the following figure and is working well except for the access to the server's modem (WAN port) 10.10.10.1.
https://a.uguu.se/HNaLbxjaeQmS_OpenVPNConfig.pdf
It could be that using the ccd config folder and all these routes, iroutes etc. are not necessary anymore and can be done automatically when setting the correct options in the GUI.
What do you think?
 
My setup is shown in the following figure and is working well except for the access to the server's modem (WAN port) 10.10.10.1.

https://a.uguu.se/HNaLbxjaeQmS_OpenVPNConfig.pdf
Did you add the modem IP to the OPVN chain?
Code:
iptables -t filter -A OVPN -d 10.10.10.1 -i tun2+ -j ACCEPT
It could be that using the ccd config folder and all these routes, iroutes etc. are not necessary anymore and can be done automatically when setting the correct options in the GUI.
It never hurts to be explicit, but the need for explicit ccd config files may no longer be strictly necessary if you use the correct GUI customisation.
 
Thanks for your clarification, but my setup is a bit more complicated.
Maybe this is the reason why I have some trouble.

The idea of my setup is the following:
  • Each client has a router (called a modem from now on) behind the WAN port of the Asus router.
  • Each client should have access to every client's (and the server's) LAN interface and the router behind the WAN port.

The IP addresses should be set to the following (which is easily extendable and easy to keep in mind :))

Server:
DHCP LAN: 10.10.1.0/24
VPN tunnel: 10.0.1.0/24
WAN: 10.10.10.10
Modem: 10.10.10.1

Client x (not client 1):
DHCP LAN: 10.10.x.0/24
VPN tunnel: 10.0.x.0/24
WAN: 10.10.x0.10
Modem: 10.10.x0.1

My setup is shown in the following figure and is working well except for the access to the server's modem (WAN port) 10.10.10.1.
https://a.uguu.se/HNaLbxjaeQmS_OpenVPNConfig.pdf
It could be that using the ccd config folder and all these routes, iroutes etc. are not necessary anymore and can be done automatically when setting the correct options in the GUI.
What do you think?
Are each of the computer icons in your figure ASUS routers? If so, you should be able to setup all of this with the GUI interface on each router. The only Custom Configuration you need is the one "--username-as-common-name" line on the OpenVPN Server configuration. The Clients don't need any Custom Configuration commands.
 
After a lot of unsuccessful testing with the settings mentioned above I found a solution.
The problem is the access of the routers behind the WAN port of the Asus routers for all clients.
A folder at /etc/openvpn/server1/ccd is generated by the GUI, and a file for each client is stored there in which only the local LAN IP range is defined.
But I also need to define the WAN IP range, and additionally I would even like to specify the virtual OpenVPN IP address of the clients. Then OpenVPN knows which IP range belongs to which client.
My client2 file will look like:
iroute 10.10.2.0 255.255.255.0 (for the client LAN IP range)
iroute 10.10.20.0 255.255.255.0 (for the client WAN IP range)
ifconfig-push 10.0.1.20 255.255.255.0 (the client virtual OpenVPN address)
For client3 the file is similar, but 2 and 20 are replaced by 3 and 30, and so on.

Additionally a route must be pushed for all the client LAN and WAN IP ranges, so that the clients know about the other clients' LAN/WAN IP ranges:
push "route 10.10.2.0 255.255.255.0"
push "route 10.10.3.0 255.255.255.0"
push "route 10.10.10.0 255.255.255.0"
push "route 10.10.20.0 255.255.255.0"
push "route 10.10.30.0 255.255.255.0"

...

Additionally a route must be defined so that OpenVPN routes all these LAN/WAN IP ranges:
route 10.10.2.0 255.255.255.0
route 10.10.3.0 255.255.255.0
route 10.10.20.0 255.255.255.0
route 10.10.30.0 255.255.255.0

...

But at this point everything worked well except that I could not access the router behind the WAN interface of the OpenVPN server at 10.10.10.1 from any client.
I then set the server access from "LAN only" to "Both" and it was possible to access the router behind the WAN port. But I do not want internet traffic going through the VPN tunnel at all. But I saw that one entry of the iptables rules for the OpenVPN server had changed (/etc/openvpn/fw/server1-fw.sh):
from iptables -I OVPN -i tun21 -d 10.10.1.0/24 -j ACCEPT to iptables -I OVPN -i tun21 -d 10.10.1.0/24 -j ACCEPT.
Then it was clear I could contact the router but the packets were blocked on the way back.
So I added
iptables -I OVPN -i tun21 -d 10.10.0.0/16 -j ACCEPT
and everything worked well; all clients can see the router behind the WAN port of the server as expected.
Nevertheless I don't think this could be done with GUI settings only....
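The post above spells out the pieces by hand: a ccd file per client with iroute and ifconfig-push, the matching route and push "route" directives on the server, and an OVPN-chain accept rule for the return traffic (the earlier reply suggested the same rule scoped to the single modem host 10.10.10.1). The following script is an added example, not code from the thread or from the Asus firmware. It generates all of those from the client number under the addressing scheme the poster laid out (LAN 10.10.x.0/24, modem/WAN 10.10.x0.0/24, tunnel address 10.0.1.x0). The ccd path and the tun21 interface name are taken from the post; the client-number bound (2..25) is an assumption forced by the 10.0.1.x0 convention, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt): emit the server-side
# OpenVPN configuration for the per-client addressing scheme in the post.
# Assumed scheme: client x -> LAN 10.10.x.0/24, WAN/modem 10.10.x0.0/24,
# tunnel address 10.0.1.x0. CCD_DIR and TUN_IF defaults come from the post.

CCD_DIR="${CCD_DIR:-/etc/openvpn/server1/ccd}"
TUN_IF="${TUN_IF:-tun21}"

# check_client_number X: accept only 2..25. 1 is the server, and for x > 25
# the tunnel address 10.0.1.x0 would exceed 254 (assumption of this example).
check_client_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 25 ]
}

# ccd_entry X: the three lines of the ccd file for client X
ccd_entry() {
    check_client_number "$1" || return 1
    x="$1"
    printf 'iroute 10.10.%s.0 255.255.255.0\n' "$x"          # client LAN
    printf 'iroute 10.10.%s0.0 255.255.255.0\n' "$x"         # client WAN/modem
    printf 'ifconfig-push 10.0.1.%s0 255.255.255.0\n' "$x"   # tunnel address
}

# server_routes X...: "route" directives so the server kernel knows the ranges
server_routes() {
    for x in "$@"; do
        check_client_number "$x" || return 1
        printf 'route 10.10.%s.0 255.255.255.0\n' "$x"
        printf 'route 10.10.%s0.0 255.255.255.0\n' "$x"
    done
}

# pushed_routes X...: routes every client receives; the server-side modem
# subnet 10.10.10.0/24 comes first so clients can reach 10.10.10.1
pushed_routes() {
    printf 'push "route 10.10.10.0 255.255.255.0"\n'
    for x in "$@"; do
        check_client_number "$x" || return 1
        printf 'push "route 10.10.%s.0 255.255.255.0"\n' "$x"
        printf 'push "route 10.10.%s0.0 255.255.255.0"\n' "$x"
    done
}

# ovpn_accept_rule DEST: iptables command accepting tunnel traffic to DEST in
# the OVPN chain. The post opened 10.10.0.0/16; passing one host such as
# 10.10.10.1 keeps the rule no wider than the access actually needed.
ovpn_accept_rule() {
    printf 'iptables -I OVPN -i %s -d %s -j ACCEPT\n' "$TUN_IF" "$1"
}

# write_ccd NAME X: write the ccd file; NAME is the username that
# --username-as-common-name maps onto the file name
write_ccd() {
    mkdir -p "$CCD_DIR" && ccd_entry "$2" > "$CCD_DIR/$1"
}

# Demo for clients 2 and 3: prints everything, writes nothing.
main() {
    for x in 2 3; do
        echo "# ccd/client$x"; ccd_entry "$x"
    done
    echo "# server.conf additions"
    server_routes 2 3
    pushed_routes 2 3
    echo "# firewall"
    ovpn_accept_rule 10.10.10.1
}
if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it with `--demo` to see the generated text for two clients; call `write_ccd client2 2` to actually create a ccd file. Keeping the accept rule per destination host, rather than the whole 10.10.0.0/16, also makes it obvious in `iptables -L OVPN` exactly which WAN-side device the tunnel is allowed to reach.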
 
To successfully implement a VPN connection between two Asus Routers to connect the LANs at two separate locations, configure the OpenVPN Server on one Router as follows:
(screenshot attached)
You need to set Username Authentication to YES. The allowed Client Names are the Usernames that you configure in the OpenVPN client. Note the "--username-as-common-name" line in the Custom Configuration. This is essential to make this work. Note: In this example, the OpenVPN server is configured to accept clients from 3 separate routers, each with a different LAN subnet address.

The OpenVPN Client in the other router should be configured as follows:
(screenshot attached)
In the client you need to change Force Internet Traffic thru Tunnel to "Policy Rules" and then configure the subnets on the remote router as shown. In addition, you should set Username Authentication to YES and Create NAT on Tunnel to NO.
One thing I forgot to mention. On the VPN Server Configuration, you need to set "Client will use VPN to access" = BOTH. With that setting, all connections to LANs that you configure on the VPN Client (except for the VPN Server's own LAN subnet), will be routed by the Server Router thru its WAN interface using NAT. This setting will NOT cause the Internet traffic from the Client Router to use the VPN connection, if the VPN Client's routes are configured properly.
 
