Asus Merlin openvpn both server and client


torleif

Occasional Visitor
Hi
I have installed the great Merlin firmware.
I have an openvpn server running on it and I wish to also use the client to connect to PIA.
I managed to set up the client, but when connecting to PIA my openvpn server disconnects.

I wish to use the openvpn server to access my lan securely from work etc. and I wish to connect my NAS to the vpn client (pia) for downloads.

Is it possible to run both vpn client and server at the same time and only route my NAS traffic through the client?

Thanks :)
 

Until the .53 firmware is released (see http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-15#post-177236), the main Selective Routing thread has all the answers ...so try the following

http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-13#post-166336

and simply replace 192.168.1.105 with the I/P address of your NAS.

NOTE: About the next firmware .53: RMerlin has recently exposed the failings of the '-t mangle' table tagging technique (particularly when using the TrendMicro DPI enabled firmware) and the more robust method is to exploit the Kernel Routing Policy directive

Code:
ip rule add from xxx.xxx.xxx.xxx lookup $MY_VPNTAB

which should be preferred over the original 'iptables -t mangle' command.
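As an added example (not code from the thread, nor from Asuswrt-Merlin itself), the policy-routing approach the post above recommends, written as a small sh script: one catch-all "from host" rule for the NAS, the exception rules that keep its replies to the LAN and to OpenVPN server users in the main table, and a per-flow fwmark variant for the port/destination case mentioned later in the thread. Table number 111, the 10.0.5.0/24 LAN and the 10.8.0.0/24 tunnel are constructed assumptions; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: builds the
# policy-routing rules that send one LAN host (the NAS) through the router's
# VPN client while its replies to the LAN and to OpenVPN server users keep
# using the main table. Assumed, constructed values: table 111 is the VPN
# client table, 10.0.5.0/24 is the LAN, 10.8.0.0/24 is the OpenVPN server
# tunnel. DRY_RUN=1 (the default) prints each command instead of running it.
MY_VPNTAB="${MY_VPNTAB:-111}"
LAN_NET="${LAN_NET:-10.0.5.0/24}"
OVPN_SERVER_NET="${OVPN_SERVER_NET:-10.8.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# All traffic from host $1 uses the VPN table, except traffic for the LAN and
# for the OpenVPN server tunnel: rules are tried in priority order, so the
# two main-table exceptions (prio 990/991) win over the catch-all (prio 1000).
route_host_via_vpn() {
    host="$1"
    run ip rule add from "$host" to "$LAN_NET" lookup main prio 990
    run ip rule add from "$host" to "$OVPN_SERVER_NET" lookup main prio 991
    run ip rule add from "$host" lookup "$MY_VPNTAB" prio 1000
}

# Only one flow from host $1 (destination $2, TCP port $3) uses the VPN: the
# packet is marked in the mangle table and an fwmark rule picks the table.
# This is the tagging technique the post above calls less robust; use it
# only when a per-host rule is too coarse.
route_flow_via_vpn() {
    host="$1"; dst="$2"; port="$3"; mark="${4:-0x1000}"
    run iptables -t mangle -A PREROUTING -s "$host" -d "$dst" \
        -p tcp --dport "$port" -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" lookup "$MY_VPNTAB" prio 1001
}

# Rule changes only take effect for new lookups once the cache is flushed.
flush_route_cache() {
    run ip route flush cache
}
```

Run it on the router with DRY_RUN=0 once the printed commands look right for your subnets and table number.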
 
Thanks
It worked but when my NAS is connected to the VPN client (PIA) I cannot reach my NAS from outside, not even when connected to my VPN server using the LAN address. I have both client and server running on my Asus RT-AC87.
 

Computers eh? they only do what you tell them to do; rarely what you meant them to do! ;)

So clearly having forced ALL NAS services via the encrypted PIA VPN to mask the torrent downloads etc., you really meant to only obfuscate certain NAS activities whilst still allowing a teeny bit of access from the LAN or remotely from work via the RT-AC87 Openvpn server WAN?

So I assume you have tried to access the NAS remotely via the PIA VPN I/P address, although I suspect PIA may not allow unsolicited inbound access from the WAN to your client PIA VPN address.

If you have a Synology (v5.0+) NAS then you can set up the NAS to create/establish its own PIA Client VPN connection (Openvpn/PPTP/L2TP), however, the split-tunnelling requirement may still be broken, although there is online evidence of tweaking the Synology NAS Advanced Network settings to allow WAN/LAN access to the NAS admin GUI whilst the NAS itself is concurrently connected to the VPN - but this may be more by luck than by design? (NAT/VPN loopback anyone?)

I know that having an always on (low power) device such as the RT-AC87 or NAS reduces the need to have a dedicated small laptop/PC performing the torrent downloads, but this may be the easiest option so that the NAS remains fully visible to your local LAN whilst still allowing the VPN connected torrent laptop/PC to dump its encrypted/secure payload to the NAS.

Alternatively, you may need to selectively route your NAS traffic based on port/destination criteria

e.g. if your NAS torrent download uses port 12345 to destination 123.456.789.1 then tag only this traffic via the RT-AC87 VPN client rather than everything from the NAS I/P address.

Good luck.
 

Thanks again :)
I'm not an expert on networking (clearly :p )
My main server is a mac mini running Arch linux and I have qbittorrent running.
I also have a synology dsm 5, but replaced it with my server setup with connected usb 3 drives.
So I thought the easiest way was to use the NAS to do all the downloading rather than directing all torrent downloads from my main server through the VPN.
I have tried to connect the synology directly to Pia and I have tried going through my router. Both resulting in not reachable outside my lan.
The strange thing is that I can reach my synology from lan, but not when connected through the vpn server on my Asus router with "Push Lan to Client"

Regarding your last line: How can I find out what port downloadstation is using and can I modify the script you made (VPN_Select.sh) to only direct downloadstation through Asus vpn client?
The best thing would be to not use my NAS at all and rather direct all qbittorrent traffic from my main server, but I guess I would lose access to the qbittorrent web interface from outside then?
 
I have tried to connect the synology directly to Pia and I have tried going through my router. Both resulting in not reachable outside my lan.
The strange thing is that I can reach my synology from lan, but not when connected through the vpn server on my Asus router with "Push Lan to Client"!

This sounds like a firewall issue on the NAS?

To prove this, temporarily set up the PPTP server on the RT-AC87 with a very strong password - 20 characters!

Then when the NAS is connected to PIA VPN, you should still be able to access the NAS from the local LAN - correct?

Now connect remotely using PPTP and since PPTP will assign a local LAN I/P address you should have unrestricted access to the NAS from the WAN.

When connecting via the Openvpn, you will probably get I/P address (check the RT-AC87 VPN server config) 10.0.8.xxx assigned and that will not match the local LAN subnet so the firewall on the NAS will reject it.

However, if PPTP doesn't work, then I think you may need to spoof the NAS network settings...

Basically on the NAS Network Settings General Tab, set the Gateway address to the PIA VPN address, then under Advanced Settings tick both 'Reply to ARP....' and 'Enable Multiple Gateways'...which should implement the split tunnelling...if not then I'm sure the Synology forum can assist!
 


You are correct!
I tried with PPTP and it worked.
It must be the NAS firewall. (I have not set up any firewall rules in DSM)
My lan is 192.168.2.xxx and openvpn is 10.8.0.xxx
Can I set openvpn to use 192.168.2.xxx? Or will it conflict with my local lan?

I use openvpn because of security, I read that PPTP is both slower and less secure than openvpn.
 

Openvpn soaks up more CPU cycles on the router but the latest ARM routers (according to RMerlin) are about 3-10 times quicker than a Mipsel router such as RT-N66U etc. For the Asus VPN Client1, RMerlin dedicates one of the CPUs to increase performance, but L2TP is slower than PPTP but it all really depends on other factors such as your VPN provider etc.

I recommend that anyone who wishes to access their LAN remotely ONLY uses Openvpn given PPTP is an easier target to password hackers...but is a useful tool (as proven in your case) to diagnose remote connectivity issues.

Also, I suggest you don't use 192.168.xxx.xxx for your local LAN; change it to 10.xxx.xxx.xxx (but not 10.0.8.xxx as the Asus router will use this for the Openvpn Server) ...i.e. what are the chances that you won't encounter 192.168.2.xxx externally? e.g. if you are at a location where they give out free Wifi (Starbucks etc.) you will probably never get a remote connection to your LAN resources as the I/P addresses will/could conflict with say Starbuck's local LAN.

Hopefully dedicating the NAS to VPN torrent duties is more efficient (as you won't need to run the VPN client on the router) but if the NAS CPU is saturated you may have to get a faster NAS! :D
 

Thank you very much for all your help! I am learning a lot :)
I have been reading a little about lan addresses.
I will change my lan.
I have under 10 machines inside my lan. Should I choose something like 10.333.555.1 for my lan? And what will the subnet mask be? Just like before, 255.255.255.0?
 

Here is a list of valid Private subnets

http://en.wikipedia.org/wiki/Private_network

and clearly values such as octet values 333 and 555 are invalid.

For home use, applying subnet mask 255.255.255.0 is recommended.
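As an added example (not from the thread), a POSIX sh checker for the address advice in this exchange: it rejects addresses with octets outside 0-255 (so 10.333.555.1 fails), tests whether an address falls in an RFC 1918 private range, and reports whether a planned LAN such as 10.0.5.0/24 overlaps the OpenVPN tunnel or a remote hotspot's subnet. All sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Validates dotted-quad IPv4
# addresses, checks RFC 1918 membership and detects overlapping subnets,
# the three questions behind "which private range should my LAN use?".
# The addresses used in the checks below are constructed sample values.

# Print the address as a 32-bit integer; return 1 if it is not a valid IPv4
# (wrong number of octets, non-digits, leading zeros, or an octet above 255).
ipv4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# Network mask for a prefix length, as an integer (24 -> 0xffffff00).
prefix_to_mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Return 0 if the two CIDR networks share any address, 1 if they are
# disjoint, 2 if either address is invalid.
subnets_overlap() {
    a=$(ipv4_to_int "${1%/*}") || return 2
    b=$(ipv4_to_int "${2%/*}") || return 2
    ma=$(prefix_to_mask "${1#*/}"); mb=$(prefix_to_mask "${2#*/}")
    # two networks overlap iff the shorter (numerically smaller) mask
    # maps both network addresses onto the same prefix
    if [ "$ma" -lt "$mb" ]; then m=$ma; else m=$mb; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Return 0 if the address lies in 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_private() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        subnets_overlap "$1/32" "$net" && return 0
    done
    return 1
}
```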
 
and clearly values such as octet values 333 and 555 are invalid.

Except in Hollywood ;)

I always cringe when I see a movie/TV show showing what looks like IPv5 or something :p
 

..but how many could nowadays instantly verify a valid IPv6 address during the couple of seconds it appears on screen? :p

Perhaps an apocryphal tale, but the BBC TV series Spooks actually showed a valid I/P address that was in the story supposedly being used by a terrorist group, only for the BBC to be informed that the address was actually assigned to NASA in real life! :D
 

I have set up a network 10.0.5.1/255.255.255.0
I can now reach my network when connected to my asus openvpn server :D
Thanks a lot !! :D
 
Can anyone tell me if, in 380.65_4, it is still possible to run both OpenVPN Server and Client at the same time? Currently I run PIA Client and PPTP Server; however, I want to change to OpenVPN server.
 
Yes, you can run OpenVPN Client and Server at the same time.
 
