[AsusWrt Merlin][RT-AC68U] DDNS Multiple-NAT Issue

W1nks

Occasional Visitor
Hi,

I am trying to set up OpenVPN on my ASUS RT-AC68U. To do that I was going to enable DDNS but this message comes up:

The wireless router currently uses a private WAN IP address.
This router may be in the multiple-NAT environment and DDNS service cannot work in this environment.

The reason this is happening is that there are two routers on my network, because I share the internet with my upstairs neighbor. His router is plugged into the modem and has the IP of 192.168.1.1 and my router plugs into that and has the IP 192.168.2.1. The WAN IP on my router is pointing back to his router (WAN IP 192.168.1.2).

I have Merlin's firmware installed.

Is there a way I can still make DDNS and OpenVPN with this type of setup?

Thanks for your help!
 
You will need to use a custom DDNS service, and also to forward the OpenVPN server port in your router that's fronting your Internet connection (ahead of your RT-AC68U).
 
You will need to use a custom DDNS service, and also to forward the OpenVPN server port in your router that's fronting your Internet connection (ahead of your RT-AC68U).

Thanks, I think I got it working by using NO-IP.

Is there any workaround I can do to have my NO-IP service running on my router and getting our external IP and not 192.168.1.1? Also, when connecting it says "This profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?" message. Should I have a client certificate? Is it more secure?
 
Is there any workaround I can do to have my NO-IP service running on my router and getting our external IP and not 192.168.1.1?

You will have to see if NO-IP offers a REST API to update through a web query. If they do, you will have to implement it in a ddns custom script - see the Wiki for more info on how to use them.

Also, when connecting it says "This profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?" message. Should I have a client certificate? Is it more secure?

When connecting how?
 
You will have to see if NO-IP offers a REST API to update through a web query. If they do, you will have to implement it in a ddns custom script - see the Wiki for more info on how to use them.

Ok, it looks like they offer it here. I may be way over my head but I found this script here that seems like it should do it. My first question is what would I put in for
:local inetinterface "your_external_interface"?

When connecting how?

It was just saying that when I was connecting through the OpenVPN client on Android. I'm guessing it's looking for a certificate file also? I was able to continue still and it works but I just wanted to make sure I have everything as secure as I can.
 
My first question is what would I put in for
:local inetinterface "your_external_interface"?

Those scripts won't work as-is. They are designed for cases where your router's WAN interface has your public IP, not the double NAT'ed IP.

Someone posted an example on the Wiki on how to retrieve your public IP while in a double NAT situation. This could be used as a starting point, replacing the curl command with any REST URL provided by no-ip:

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS#double-nat---external-ip-example

It was just saying that when I was connecting through the OpenVPN client on Android. I'm guessing it's looking for a certificate file also? I was able to continue still and it works but I just wanted to make sure I have everything as secure as I can.

Sounds like an incomplete or incorrect configuration then. Typically, you just need to enable the OpenVPN server, export the config .ovpn file, and import that file on your mobile device (edit it to change the remote server name if it doesn't fully match your DDNS name).

By default, Asuswrt does not use certificate-based authentication but username/password authentication.
 
Those scripts won't work as-is. They are designed for cases where your router's WAN interface has your public IP, not the double NAT'ed IP.

Someone posted an example on the Wiki on how to retrieve your public IP while in a double NAT situation. This could be used as a starting point, replacing the curl command with any REST URL provided by no-ip:

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-DDNS#double-nat---external-ip-example

Ok, I've been reading over a bunch of forum threads today trying to figure this out. If I build off the one you sent I got something like this:

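#!/bin/sh
USER="YourUsername"
PASS="YourPassword"
HOST="yourhost.ddns.net"

# Should be no need to modify anything beyond this point
# Ask an external service for the public IP (the WAN interface only holds the private double-NAT address)
IP=$(wget -O - -q http://myip.dnsomatic.com/)
logger "Retrieved External IP: $IP"

# Send the update over HTTPS so the account password is not sent in cleartext;
# certificate checking stays on (no -k)
RESULT=$(/usr/sbin/curl --silent "https://$USER:$PASS@dynupdate.no-ip.com/nic/update?hostname=$HOST&myip=$IP")

logger "Results: $RESULT"

# "good" (record changed) and "nochg" (record already current) both mean the hostname is correct
case "$RESULT" in
    good*|nochg*) /sbin/ddns_custom_updated 1 ;;
    *)            /sbin/ddns_custom_updated 0 ;;
esac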

A couple of things with this. Is there a way for it to somehow check what my current IP is set to and compare if it needs to send it? When I go to http://username:password@dynupdate.no-ip.com/nic/update?hostname=mytest.testdomain.com (with my info entered) it will tell me "nochg X.X.X.X". I was just going to do a cron job that I found in another thread where it runs every other hour but I read you can get banned for updating that often.

/usr/sbin/cru a ScheduledDDNS "5 1,3,5,7,9,11,13,15,17,19,21,23 * * * /jffs/scripts/up.sh"

Thanks for your patience! I am interested in learning about all of this and am new to the Linux world.

Sounds like an incomplete or incorrect configuration then. Typically, you just need to enable the OpenVPN server, export the config .ovpn file, and import that file on your mobile device (edit it to change the remote server name if it doesn't fully match your DDNS name).

By default, Asuswrt does not use certificate-based authentication but username/password authentication.

That makes sense. It was asking me for a username/password so I think everything is good with that.
 
A couple of things with this. Is there a way for it to somehow check what my current IP is set to and compare if it needs to send it? When I go to http://username:password@dynupdate.no-ip.com/nic/update?hostname=mytest.testdomain.com (with my info entered) it will tell me "nochg X.X.X.X". I was just going to do a cron job that I found in another thread where it runs every other hour but I read you can get banned for updating that often.

It's certainly possible, but I wouldn't know off the top of my head how to do it, I'd have to do some research.
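
One way to do the compare-before-sending check asked about above, as an added example that is not part of the thread, the wiki or the firmware. It keeps the last successfully sent address in a cache file and rejects lookup results that are not a public IPv4 address; the cache path, the `update` argument and the HTTPS form of the No-IP URL are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: skip the No-IP request when the public IP is unchanged.
# CACHE path and the "update" argument are assumptions, not firmware features.
USER="YourUsername"; PASS="YourPassword"; HOST="yourhost.ddns.net"
CACHE="${CACHE:-/tmp/ddns_last_ip}"

# Accept only a dotted-quad IPv4 address outside private, loopback and
# link-local ranges, so an error page is never forwarded as "myip".
is_public_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|127.*|0.*|192.168|169.254) return 1 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
    esac
    return 0
}

# Succeeds when $1 differs from the address stored after the last good update.
needs_update() {
    [ -r "$CACHE" ] || return 0
    [ "$(cat "$CACHE")" != "$1" ]
}

# No-IP answers "good <ip>" or "nochg <ip>" on success.
update_ok() {
    case "$1" in good*|nochg*) return 0 ;; *) return 1 ;; esac
}

main() {
    ip=$(wget -O - -q http://myip.dnsomatic.com/)
    is_public_ipv4 "$ip" || { logger "DDNS: unusable IP lookup result"; return 1; }
    needs_update "$ip" || return 0      # unchanged: nothing is sent to No-IP
    result=$(/usr/sbin/curl --silent \
        "https://$USER:$PASS@dynupdate.no-ip.com/nic/update?hostname=$HOST&myip=$ip")
    logger "DDNS: $result"
    if update_ok "$result"; then
        echo "$ip" > "$CACHE"           # remember only addresses No-IP accepted
        /sbin/ddns_custom_updated 1
    else
        /sbin/ddns_custom_updated 0
    fi
}

if [ "${1:-}" = "update" ]; then main; fi
```

Because the cache lives in /tmp, it is lost on reboot and the first run afterwards sends one update, which No-IP answers with "nochg" if nothing changed.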
 
It's certainly possible, but I wouldn't know off the top of my head how to do it, I'd have to do some research.

I ended up going a different route and tried using Duck DNS' service since they seem to be ok with people running the update every 5 minutes. I created the script /jffs/scripts/duckdns.sh with this in it (from your wiki):

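#!/bin/sh

# register a subdomain at https://www.duckdns.org/ to get your token
SUBDOMAIN="yoursubdomain"
TOKEN="your-token"

# no modification below needed
# An empty ip= lets Duck DNS use the address the request arrives from (the public IP, even behind double NAT)
RESULT=$(curl --silent "https://www.duckdns.org/update?domains=$SUBDOMAIN&token=$TOKEN&ip=")
# Duck DNS replies "OK" on success and "KO" on failure (e.g. a wrong token),
# so check the response body, not just curl's exit code
if [ "$RESULT" = "OK" ]
then
    /sbin/ddns_custom_updated 1
else
    /sbin/ddns_custom_updated 0
fi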

I ran the duckdns.sh and it worked as it should. I then created /jffs/scripts/init-start with this in it:

#!/bin/sh
cru a duckdns "*/15 * * * * /jffs/scripts/duckdns.sh"

This runs it every 15 minutes and it seems to be working great!
 
Hi All,

I am a complete noob in Linux, can someone help me to get a script to run on noip.com as my router is double NATed...

Please help me.

Regards
Pankaj
 
