access to LAN devices through VPN client on router


johna45

New Around Here
Good evening everyone,

I'm new here, so please don't kill me for asking dumb questions...

I'm trying to remote access a NAS on my LAN, while my router is connected as client to a VPN server.

Here is my config:

LAN0: internet provider's modem
192.168.11.0/24 255.255.255.0

LAN1: ASUS RT-AC66U B1
Asuswrt-Merlin 384.18
connected to LAN0 in router mode (ASUS router LAN0 IP: 192.168.11.2)
192.168.12.0/24 255.255.255.0

NAS: connected to LAN1 (192.168.12.10)

What's working so far:
_ I've done port forwarding on both modem and router, so I can access my NAS remotely when NOT using VPN
_ when OpenVPN client set on ASUS router, all LAN1 devices access WAN through VPN (got dedicated IP from VPN provider)
_ when OpenVPN is set directly on the NAS (synology), I can access it remotely through VPN tunnel (using the dedicated IP)

What's NOT working:
When OpenVPN tunnel is set on the ASUS router, I can't access my NAS remotely anymore.

I don't know what to do, especially since I've reached my networking knowledge limits...

Do I need to set a route in VPN client conf? If yes, which one?

I've read a few threads on similar issues, but never identical. Despite many attempts, nothing worked.

Any help would be greatly appreciated.

Thanks!
 

Hi eibgrad,
Thank you for the link, but I'm not sure this would solve my issue, as I'm trying to do something slightly different (don't have VPN server running).
I'd like to access my NAS through a VPN client connection (calling my VPN dedicated IP), so PBR is not going to help that (that would only make my NAS avoid the VPN if I'm correct). And this is already working when VPN client is set on the NAS itself, but not with the router. In that case, only the NAS would benefit from the VPN tunnel, so not a solution I want...
That's also why I think VPN server settings are fine, but VPN client settings on my router need some adjustments...

I might be wrong, as I'm no expert.

I've noticed on my router's log this line:
/sbin/route add -net 77.77.77.77 (VPN server's IP) netmask 255.255.255.255 gw 192.168.11.1 (which is my ISP's modem IP on LAN0, while VPN connection is set on ASUS router, ie LAN1...)

then I have those lines:
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 77.77.77.1 (probably VPN server gateway?)
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 77.77.77.1

Could that be part of the issue ?
 
The link I provided is a specific example of a more general problem. IOW, the problem you're experiencing is NOT limited to a concurrent OpenVPN server, but *any* service you need to access over the WAN when either the router or any LAN devices beyond it are bound to the router's OpenVPN client.

I've noticed on my router's log this line:
/sbin/route add -net 77.77.77.77 (VPN server's IP) netmask 255.255.255.255 gw 192.168.11.1 (which is my ISP's modem IP on LAN0, while VPN connection is set on ASUS router, ie LAN1...)

That is the OpenVPN client binding the public IP address of the OpenVPN server to the WAN/ISP so that it doesn't mistakenly get routed over the VPN tunnel (due the following routes). This is normal and expected.

then I have those lines:
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 77.77.77.1 (probably VPN server gateway?)
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 77.77.77.1

These routes override the default gateway (which normally points to the WAN/ISP) and force all traffic (router and LAN devices behind it) over the VPN. Once again, this is normal and expected.

As I said, this setup will *always* present a problem to anyone attempting to access services over the WAN because the replies end up getting routed over the VPN rather than back over the WAN/ISP! The link I provided suggests ways to deal with it. There are others, but those are the most common.
 
Hi,
I've been busy lately, so sorry for the delay since my last message.
Thanks eibgrad for the explanations about the few lines I didn't understand.
So what could be the solution?
The link you've sent is suggesting routing my NAS' traffic around the VPN, which is exactly what I don't wish, as I want my NAS to use the secure connection my VPN is providing...
So any ideas? Anyone?
What should I set in ASUSwrt-Merlin to make it work?
Thank you!
 
Assuming those other options are not viable, then what you need is a very specific kind of PBR (policy based routing), something the Merlin firmware doesn't support. The kind of PBR that can route based not just on source IP, but a specific port, such as the ssh port (22). I assume that's the service you need to access on the NAS.


I can't personally vouch for the above code, but it's definitely the kind of PBR I'm referring to. I have my own PBR script that works similarly and has been written specifically for FT (freshtomato), and probably could be adapted for use w/ Merlin (for all I know, it might work as-is, given FT and Merlin are both tomato variants, and are thus very similar).


But you might first try to browse that thread and see if it provides a workable solution.
 
Hi,

To anyone interested, I've found a solution to my issue (port forwarding over VPN when Asuswrt-Merlin router is VPN client), after a few months standing by and eventually getting help from someone understanding networking and linux quite well (not my case).

Diagnosis is simple: Asuswrt-Merlin doesn't forward ports over VPN when connected as a VPN client. Web UI only offers to forward ports over WAN, and all settings you could do would stop working as soon as you connect your router to a VPN as client.

Solution is quite simple, once you know it. You have to connect via ssh in a terminal and execute this:

Code:
iptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT -j DNAT --to-destination IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT -j DNAT --to-destination IP_ADDRESS
replacing PORT with the actual port number, and IP_ADDRESS with the LAN IP address of the device you want to access from outside.

Full solution is well explained here: https://www.ovpn.com/en/faq/miscellaneous/port-forwarding-in-asuswrt-merlin

Only downside is that you will have to redo it every time you restart your router.

Solution is then to create a script like this one:

Script: /jffs/scripts/nat-start
Code:
#!/bin/sh
# Forward PORT arriving on the VPN tunnel (tun+) to the LAN device at IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT -j DNAT --to-destination IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT -j DNAT --to-destination IP_ADDRESS

That way you won't have to deal with it anymore, even after a router reboot.
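An added example, not from the thread or from the Merlin firmware: a fuller version of the nat-start idea above that validates each forward and checks with iptables -C before appending, so the rules are not stacked in duplicate every time the firmware re-runs the script. The protocol/port/IP entries and the DRY_RUN variable are constructed assumptions; substitute your own LAN addresses.

```shell
#!/bin/sh
# Hypothetical /jffs/scripts/nat-start: DNAT traffic arriving on the VPN tunnel to LAN hosts.
# Asuswrt-Merlin runs nat-start whenever the NAT table is rebuilt, so each rule is
# added only if it is not already present (a plain "-A" would append a duplicate
# rule on every run). The FORWARDS entries are constructed examples: "proto:port:lan_ip".
FORWARDS="
tcp:22:192.168.12.10
tcp:5001:192.168.12.10
udp:1194:192.168.12.10
"

# Return 0 if $1 is a port number in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Print the rule body (everything after -A/-C) for one forward.
dnat_rule() {
  echo "PREROUTING -i tun+ -p $1 --dport $2 -j DNAT --to-destination $3:$2"
}

# Validate every FORWARDS entry and add only the rules that are missing.
# With DRY_RUN=1 the iptables commands are printed instead of executed.
apply_forwards() {
  echo "$FORWARDS" | while IFS=: read -r proto port ip; do
    [ -n "$proto" ] || continue
    if ! { [ "$proto" = tcp ] || [ "$proto" = udp ]; } \
       || ! valid_port "$port" || ! valid_ipv4 "$ip"; then
      echo "nat-start: skipping invalid entry '$proto:$port:$ip'" >&2; continue
    fi
    rule=$(dnat_rule "$proto" "$port" "$ip")
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables -t nat -A $rule"; continue; fi
    iptables -t nat -C $rule 2>/dev/null \
      || iptables -t nat -A $rule || echo "nat-start: failed to add: $rule" >&2
  done
}

# Fall back to a dry run when iptables is unavailable (e.g. checking the script on a PC).
command -v iptables >/dev/null 2>&1 || DRY_RUN=1
apply_forwards
```

Note that DNAT only rewrites the destination; the forwarded service is then reachable by anyone who can send traffic to your VPN-assigned IP, so keep the list to the ports you actually need exposed.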
 