Connect to OpenVPN from the same LAN

JensM

Occasional Visitor
I've set up OpenVPN on my Asus router running Merlin firmware. I'm able to connect from the internet to my DDNS domain without any issues, but I'm unable to connect to 192.168.1.1 with my client (OpenVPN client for Android). So I assume the OpenVPN server only listens on the WAN interface. Is there a setting so that the OpenVPN server listens on the LAN interface as well? This would let me use "always on" VPN on Android while still using my own Wi-Fi at home.
 
I'd just use Automate or a similar app on Android to enable the VPN when not on your home SSID and disable it when you are.
 
My understanding is the opposite: by default the OpenVPN server binds to all interfaces. The local command in the config can restrict it to listening on the WAN side only (that is, if you put "local <ddns.ip.address>" in the custom config box).

From the 2.4 manual:
Code:
--local host
Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

In any case, I never thought to try it, but if your configuration specifies your remote address as your ddns address, and you are on wifi within your home lan, you can still connect to the openvpn server on the wan side. Just did it now. So your problem is elsewhere.

I'm not following your use case either. I understand it when you are using your phone or laptop over a wifi connection at an insecure site like an airport wifi and visiting an http site; then I connect to my home OpenVPN server, knowing my home ISP can snoop. But if you are using your phone on a cellular connection, connected through your home OpenVPN server to an https site, then you have the https encryption, plus the OpenVPN encrypted tunnel, plus the cellular connection encryption piped only to you, plus being limited by your home ISP's upstream speed.
 
> My understanding is the opposite: by default the OpenVPN server binds to all interfaces. The local command in the config can restrict it to listening on the WAN side only (that is, if you put "local <ddns.ip.address>" in the custom config box).
>
> From the 2.4 manual:
> Code:
> --local host
> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.

Thanks for your detailed answer and for that hint, I will have a look at this.

> In any case, I never thought to try it, but if your configuration specifies your remote address as your ddns address, and you are on wifi within your home lan, you can still connect to the openvpn server on the wan side. Just did it now. So your problem is elsewhere.

Hmm, maybe the issue is something about my double-NAT setup. I have a router from my ISP that I have to use, and my ASUS router's WAN port is on its LAN port.
So there is Internet -> Unsecure Crap Router (192.168.0.X) -> ASUS router (192.168.1.X). I can also reach 192.168.0.x from my ASUS LAN.
I've put the port forwarding rule into the crap router, and this part works so far, since I'm able to connect from the outside world to my ASUS router's OpenVPN server. But maybe it raises another issue that I'm not aware of?

So far I've tried to connect from my ASUS router's wifi to 192.168.1.1 as well as 192.168.0.1 (in the hope that the router would port-forward me back to the ASUS). But I get no connection in either case.

> Not following your use case either. I follow when you are using your phone or laptop over a wifi connection over an insecure site like an airport wifi, and you are visiting an http site. Then I connect to my home ovpn server, knowing my home ISP can snoop. But if you are using your phone on a cellular connection and connected through your home ovpn server and on an https site, then you have the https encryption, plus the ovpn encrypted tunnel, plus the cellular connection encryption piped only to you, plus being limited by your home ISP upstream speed.

I know that I don't have to use VPN when I'm on my Wi-Fi, but in Android there is no option for "always on VPN, except if wifi equals X". It blocks any data packet as long as there is no VPN connection established.
If I were able to connect to 192.168.1.1 I would set up DNS to resolve my DDNS domain to the LAN IP in my network, and OpenVPN should run fine even if I enable a hostname check.
 
No answer to your question, but doesn't the unsecure crap router have a bridge mode which you (or your ISP) can enable? It saves me a lot of hassle, even though I can't put it in bridged mode myself, my ISP has to do it remotely.
 
> I know that I don't have to use VPN when I'm on my Wi-Fi, but in Android there is no option for "always on VPN, except if wifi equals X".

Yes there is, see above!!

And definitely your issue is the double NAT. The crap router will be failing to do loopback NAT properly.
 
> Yes there is, see above!!

Which option do you mean? In Android you have 2 sliders:
  • always/automatically connect to VPN
  • block everything when not connected
Both together make it an "always on" connection.

> And definitely your issue is the double NAT. The crap router will be failing to do loopback NAT properly.

Since an outside-to-in solution is not my preferred solution, I'll first have a look into why there's nothing listening on the OpenVPN port at 192.168.1.1.
 
I'm supposing the first router is already bridged to a modem and has a WAN side routable IP address, and on its LAN side the address scheme is 192.168.0.xx, with its address being 0.1. Then the Asus router on the WAN side either picks up a reserved IP address or is set to 0.2. Then, on Asus router on the LAN side is 192.168.1.1, and handing out IP addresses in the 1.xx range.

Then I think you want the first router to port forward your ovpn port to the same port on 0.2, and the asus ovpn server should be listening there, if the loopback is working. Otherwise, try to set your config when you are on the .1.xx network to reach the port at 0.2. Try that.

Also, @JDB is suggesting this: https://llamalab.com/automate/
 
> Which option do you mean? In Android you have 2 sliders:
>   • always/automatically connect to VPN
>   • block everything when not connected
> Both together make it an "always on" connection.
>
> Since an outside-to-in solution is not my preferred solution, I'll first have a look into why there's nothing listening on the OpenVPN port at 192.168.1.1.

Guess you didn't read this?

> I'd just use Automate or a similar app on Android to enable the VPN when not on your home SSID and disable it when you are.
 
Or "Tasker" is another app likely to be able to do this.
 
> My understanding is the opposite: by default the OpenVPN server binds to all interfaces. The local command in the config can restrict it to listening on the WAN side only (that is, if you put "local <ddns.ip.address>" in the custom config box).

The OpenVPN server is configured to bind only to the WAN address.
 
> The OpenVPN server is configured to bind only to the WAN address.

Do you mean for the OP, or by Asuswrt-Merlin? I don't see it in the config.ovpn files.
 
> Do you mean for the OP, or by Asuswrt-Merlin? I don't see it in the config.ovpn files.

In Asuswrt-Merlin. I must admit that I'm using John's fork rather than the latest Merlin, so it may have changed, but I wouldn't have thought so.
Code:
# netstat -lnp | grep vpn
udp        0      0 82.xxx.yyy.zzz:1194       0.0.0.0:*                           1167/vpnserver1

# cat /etc/openvpn/server1/config.ovpn
# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
local 82.xxx.yyy.zzz
proto udp
port 1194
dev tun21
 
Interesting. My 87U is on 384.5, and this is what I have:
Code:
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 443
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
keepalive 15 60
verb 3
push "route 192.168.0.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
duplicate-cn
push "dhcp-option DNS 192.168.0.1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
verify-client-cert none
username-as-common-name
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 5

# Custom Configuration
local my.ddns.domain
script-security 2
client-connect /jffs/scripts/ovpn-client-connect.sh

So my local command is not auto-generated. While my OpenVPN is 2.4, I think the default binding has been true since at least 2.1.
 
> So my local command is not auto-generated. While my OpenVPN is 2.4, I think the default binding has been true since at least 2.1.

Ah, OK. A mistaken assumption on my part. My guess is it's a change in the firmware rather than the OpenVPN version.
 
If I remember correctly, interface binding behaviour is different for UDP and TCP.
 
Seems to be the same (binds to the WAN IP) for both in John's firmware.
It was a relatively recent change I made... I don't remember if it was a Merlin backport or a change I made for security based on a thread discussion.

EDIT: Went in with V31
 
> Then I think you want the first router to port forward your ovpn port to the same port on 0.2, and the asus ovpn server should be listening there, if the loopback is working. Otherwise, try to set your config when you are on the .1.xx network to reach the port at 0.2. Try that.

Thank you very much. This is working! And it's logical that it does, since 192.168.0.2 goes out to the front router's LAN and then back to the WAN port of the ASUS, while 192.168.1.1 would go to the LAN interface of the ASUS.

The only strange thing I noticed is that my download speed is now limited to my ISP's 10 Mbit upload speed. It's not a big issue on a mobile, but I don't understand the reason, since 192.168.0.2 should never leave the first router and so should only travel over the connection between both routers.

@john9527 is there a setting/configuration for the listen interface?
Edit: I'm also on your fork (V33); my router is, by the way, an AC66U.
 
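The bind behaviour worked out in the posts above (John's fork writes `local <WAN IP>` into config.ovpn, stock Merlin 384.5 leaves the server on all interfaces unless `local` is added in the custom section), the double-NAT advice to target 192.168.0.2 from the LAN, and JensM's plan to resolve the DDNS name to a LAN-reachable address can all be checked with one small script. This is an added example written for this page, not code from the thread, from Asuswrt-Merlin or from John's fork: it reads a config.ovpn from stdin, reports the socket OpenVPN will bind, says whether a client on the Asus LAN can reach a given router address, and, when it cannot, prints the dnsmasq override line for `/jffs/configs/dnsmasq.conf.add` (a file Asuswrt-Merlin appends to its generated dnsmasq.conf) so that the DDNS name resolves to the WAN-side address for LAN clients only. The two embedded configs are constructed to mirror the ones posted above; the name my.ddns.example and the address 192.168.0.2 are placeholders, not the posters' real values.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts, from Asuswrt-Merlin
# or from John's fork. Reads an Asuswrt-style OpenVPN server config.ovpn on
# stdin, works out the socket OpenVPN will bind, tells whether a LAN client
# aiming at a given router address can reach it, and if not prints the dnsmasq
# split-horizon line for /jffs/configs/dnsmasq.conf.add. The configs, the name
# my.ddns.example and the address 192.168.0.2 are constructed placeholders.

# Print "proto addr port" as OpenVPN will bind it. Defaults are OpenVPN's own:
# proto udp, port 1194, and no "local" line means every interface (0.0.0.0).
# A "local" in the "# Custom Configuration" section counts just the same.
ovpn_effective_bind() {
    awk '
        BEGIN { proto = "udp"; port = "1194"; addr = "0.0.0.0" }
        /^[ \t]*#/ || NF == 0 { next }                 # comment or blank line
        $1 == "proto" { proto = $2
                        sub(/-(server|client)$/, "", proto)   # tcp-server -> tcp
                        sub(/[46]$/, "", proto) }             # udp4 -> udp
        $1 == "port" || $1 == "lport" { port = $2 }
        $1 == "local" { addr = $2 }                    # last one wins here
        END { print proto, addr, port }
    '
}

# Exit 0 when a client that targets $2 can reach a server bound to $1: a
# wildcard bind answers on every interface, a specific bind only on that
# address. That is why 192.168.1.1 gets nothing when the bind is the WAN IP.
ovpn_reachable_at() {
    [ "$1" = "0.0.0.0" ] || [ "$1" = "$2" ]
}

# Dotted-quad check, so a hostname in "local" (as in "local my.ddns.domain"
# above) is not mistaken for an address.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# dnsmasq override: make $1 resolve to $2 for LAN clients only. Put the line in
# /jffs/configs/dnsmasq.conf.add and run "service restart_dnsmasq"; the client
# profile keeps "remote $1", so a hostname check on the certificate still passes.
dnsmasq_override() {
    is_ipv4 "$2" || { echo "dnsmasq_override: $2 is not an IPv4 address" >&2; return 1; }
    printf 'address=/%s/%s\n' "$1" "$2"
}

# Constructed config in the shape John's fork generated above: bound to the
# Asus WAN address, which in JensM's double-NAT setup is 192.168.0.2.
wan_bound_config() {
    cat <<'EOF'
# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
local 192.168.0.2
proto udp
port 1194
dev tun21
EOF
}

# Constructed config in the shape Merlin 384.5 generated above: no "local".
any_bound_config() {
    cat <<'EOF'
# Automatically generated configuration
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 443
dev tun21
EOF
}

# $1 = function printing a config, $2 = address the LAN client is trying,
# $3 = the DDNS name used in the client profile.
report() {
    bind="$("$1" | ovpn_effective_bind)"
    addr="${bind#* }"; addr="${addr%% *}"            # middle field of "proto addr port"
    echo "binds: $bind"
    if ovpn_reachable_at "$addr" "$2"; then
        echo "  a LAN client can connect to $2"
    elif is_ipv4 "$addr"; then
        echo "  a LAN client must target $addr, not $2; LAN-only DNS override:"
        echo "  $(dnsmasq_override "$3" "$addr")"
    else
        echo "  bound to a name; resolve $addr on the router to see which interface it is"
    fi
}

report wan_bound_config 192.168.1.1 my.ddns.example
report any_bound_config 192.168.1.1 my.ddns.example
```

On the router itself, feed the live file with `ovpn_effective_bind < /etc/openvpn/server1/config.ovpn` and compare the result with `netstat -lnp | grep vpnserver`, as done above; the local address column of that line is the ground truth. Two caveats: a bind to all interfaces still needs the firewall to accept the port on the LAN bridge, so check `iptables -L INPUT -n` for the port as well; and in a double-NAT setup `local` must name an address the Asus actually owns (its WAN address, 192.168.0.2 here), not the public address the DDNS name points at, or OpenVPN cannot bind at all.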
> If I remember correctly, interface binding behaviour is different for UDP and TCP.

RT-AC68U. Firmware 384.6

If this helps... From inside my LAN, using wifi, I can connect to my router's OpenVPN Server 1 (port 443 TCP), but cannot connect to Server 2 (UDP). (And it's always been like that, i.e. for at least 4 years.)
 
