Redirect all traffic of OpenVPN Server connected client to OpenVPN client


mancio

Hi All,
I have bought a new RT-AC66U_B1 router.
I have already installed the 384.6 Merlin firmware for the RT-AC68U (I read in some topic in this forum that the RT-AC66U_B1 is also compatible with the RT-AC68U Merlin firmware).

I have already established an OpenVPN Server tunnel successfully. All external clients connected to the OpenVPN Server created on the Asus router exit to the internet with my ISP IP.

I also have a VPN Client tunnel established between the ASUS router and a private VPN provider.

I would like to redirect all the traffic of the external clients connected to the Asus OpenVPN Server through the private VPN provider. Is it possible?
If yes, which configuration do I have to use?

This is an example of the configuration I would like to achieve:

[image: diagram of the desired configuration (not available)]

Thanks in advance.
 


See Openvpn server and client pass-thru;
 

Hi Martineau,
thank you so much for your reply.

I have read your interesting post about iptables. I have enabled (manually), as you suggested, pass-thru from the OpenVPN Server (the network is the default one: 10.8.0.0/24) to the specific OpenVPN Client chain tun11:

Code:
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

Unfortunately, when I look for the IP of the OpenVPN Server connected client in the Selective Routing GUI, I can't find it. And my client exits with the ISP IP and not with the private VPN provider's, as I would wish.

I don't know if there is any issue in the OpenVPN Server config, or if the specific Merlin firmware version I'm using doesn't offer specific options that cover my requirements.
I have only these config options:

[screenshots of the OpenVPN Server and Selective Routing configuration pages (not available)]

Thank you in advance for your help.
 
I don't know if there is any issue in the OpenVPN Server config, or if the specific Merlin firmware version I'm using doesn't offer specific options that cover my requirements.

I have only these config options:

See this post openvpn server and client question to correctly configure the VPN Client :rolleyes:
 

Hi Martineau,
Thank you so much. It works! I believed there was a specific client entry in the source IP select, but I had to insert it manually.

I have another 2 questions...

1) Even before I had configured the Selective Routing GUI for the OpenVPN client, I wasn't able to ping any clients in my LAN, except for the router itself. In the OpenVPN Server configuration, I have set Client will use VPN to access: Both. Do I have to set another set of configurations to enable it?

2) I have created 2 scripts, as you suggested in your post, in /jffs/scripts/: one to enable pass-thru and one to disable it. The names of these scripts are vpnserver1-up and vpnserver1-down. If I run both manually, they achieve their purpose, so they enable and disable the firewall rules respectively, but when I try to set up and tear down the OpenVPN Server from the GUI, it seems no scripts are executed. Are the scripts' names written properly?

Thank you so much.
Best Regards.
 
Ok, for the 2nd question I have solved the problem myself.

I have written a single script, openvpn-event, with this code:

Code:
#!/bin/sh
# Called by the firmware for every OpenVPN instance event; the firmware sets
# $script_type (up/down) and $dev (the tunnel interface) in the environment.

logger "openvpn-event called ..."
logger "Type: ${script_type}, Interface: ${dev}"

# OpenVPN Server #1 is tun21: masquerade its clients out through VPN Client #1 (tun11)
if [ "$script_type" = "up" ] && [ "$dev" = "tun21" ]; then
        logger "pass-thru enabled ..."
        iptables -I POSTROUTING -t nat -s "$(nvram get vpn_server1_sn)/24" -o tun11 -j MASQUERADE
fi

if [ "$script_type" = "down" ] && [ "$dev" = "tun21" ]; then
        logger "pass-thru disabled ..."
        iptables -D POSTROUTING -t nat -s "$(nvram get vpn_server1_sn)/24" -o tun11 -j MASQUERADE
fi
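As an added example (not the poster's script and not the firmware's own openvpn-event handler), here is the same idea made idempotent: it checks with iptables -C before inserting, so a repeated "up" event cannot stack duplicate MASQUERADE rules, and it removes every copy on "down". It assumes, as on this page, that OpenVPN Server #1 is tun21 with its subnet in nvram vpn_server1_sn and that VPN Client #1 is tun11; the vpn_server2_sn name for Server #2 is an assumption.

```shell
#!/bin/sh
# Added example, not the thread poster's script: idempotent pass-thru handler for
# /jffs/scripts/openvpn-event. The firmware calls it with $script_type (up/down)
# and $dev (tunXX) set in the environment.

# Map a server tunnel interface to its subnet (the nvram name for server #2 is an
# assumption; the page only shows vpn_server1_sn for tun21).
server_subnet_for_dev() {
    case "$1" in
        tun21) nvram get vpn_server1_sn ;;
        tun22) nvram get vpn_server2_sn ;;
        *) return 1 ;;
    esac
}

# Build the rule body once so check, insert and delete use identical arguments.
# $1 = server tunnel (tun2X), $2 = VPN client tunnel to exit through (tun1X)
passthru_rule() {
    subnet=$(server_subnet_for_dev "$1") || return 1
    echo "POSTROUTING -t nat -s ${subnet}/24 -o $2 -j MASQUERADE"
}

# Handle one event. $1 = script_type, $2 = dev, $3 = VPN client tunnel.
# Events for interfaces we do not manage (e.g. the VPN client's own tun11) are ignored.
passthru_event() {
    rule=$(passthru_rule "$2" "$3") || return 0
    case "$1" in
        up)
            # $rule is intentionally unquoted: it is a list of iptables arguments
            if iptables -C $rule 2>/dev/null; then
                logger "pass-thru already present: $2 -> $3"
            else
                iptables -I $rule && logger "pass-thru enabled: $2 -> $3"
            fi ;;
        down)
            # delete every copy, in case an earlier run stacked duplicates
            while iptables -D $rule 2>/dev/null; do :; done
            logger "pass-thru disabled: $2 -> $3" ;;
    esac
}

# When invoked by the firmware, dispatch on the environment it provides.
if [ -n "$script_type" ]; then
    passthru_event "$script_type" "$dev" tun11
fi
```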
 
1) Even before I had configured the Selective Routing GUI for the OpenVPN client, I wasn't able to ping any clients in my LAN, except for the router itself. In the OpenVPN Server configuration, I have set Client will use VPN to access: Both.

Do I have to set another set of configurations to enable it?

No, but you should check if the OVPN iptables is set correctly:
Code:
iptables --line -t filter -nvL OVPN

2) I have created 2 scripts, as you suggested in your post, in /jffs/scripts/: one to enable pass-thru and one to disable it. The names of these scripts are vpnserver1-up and vpnserver1-down. If I run both manually, they achieve their purpose, so they enable and disable the firewall rules respectively, but when I try to set up and tear down the OpenVPN Server from the GUI, it seems no scripts are executed. Are the scripts' names written properly?

See the RMerlin Wiki, e.g. openvpn-event, but @john9527 provides a recommended template script:
@john9527's openvpn-event script template
 

Hi Martineau,
thank you for your reply, and I'm sorry for the delay in my answer.

These are my OVPN iptables rules:

Code:
iptables --line -t filter -nvL OVPN
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
2      316 81501 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0

Is there something wrong?
 

No, the OVPN table shows no inbound restrictions for your local LAN from either of the OpenVPN Servers (although only OpenVPN Server #2 appears ACTIVE?).

If you are trying to PING Windows clients on the LAN, then check the Windows firewall on the clients.
However, for LAN devices such as IP Cameras/printers etc., you may need to add iptables logging rules to track which rule is blocking the PINGs.

 

I'm using an Android client connected to my OpenVPN Server. I'm not able to access any devices except the ASUS router; not only ping, I'm not able to access any web server (I have a NAS and a Raspberry) or other application with my browser.

On Stack Overflow some users advised enabling Static Route in the LAN configuration, but when I do this, all my clients, even those connected directly to my LAN, can't access the internet anymore.
 

EDIT:
I have solved the problem by adding a new firewall rule:

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Could this be a firmware issue?

Thank you so much for your support.

Alessandro
 
I just tested it here, and I was able to successfully connect to a Remote Desktop session using my smartphone over OpenVPN, with no special firewall configuration on the router.

Make sure your client properly enables the routes to your LAN subnet. In Windows' case, it means you have to make sure you run the client with administrator privileges. For Android nothing particular should be needed.

You also need to make sure your target devices do not firewall the 10.x.y.z subnet.
 

Hmmm, strange indeed....

I have both OpenVPN servers configured.

Access to my LAN devices (primarily IP Cameras via my Android phone) via OpenVPN Server #1 is unrestricted.

However, OpenVPN Server #2 assigns a unique static address to the connecting clients and the clients are therefore subject to ACL restrictions,
Code:
RT-AC68U daemon.notice ovpn-server2[7452]: xxx.xxx.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:xxx.xxx.xxx.xxx:36811
RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 v4.80 VPN Server 2 Client user 'SGA5' CCD configuration starting.... [/tmp/openvpn_cc_732ba27906fc5816.tmp]
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Processing Client_username file '/jffs/configs/openvpn/ccd2/client_SGA5'
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'staticip' will assign I/P address 10.16.0.22 to Client user 'SGA5'
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'restrictperiod' is being enforced.....
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 'IPGroup' CAMERAS
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.120 (CAM-W-JPT3815W.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.121 (CAM-L-F18918W.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.122 (CAM-W-JPT3815W.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.123 (CAM-L-IP2M841B.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.125 (CAM-W-IP2M841B.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.148 (RaspberryPiB.Martineau.lan)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'forcedns' (8.8.4.4) will be applied to I/P 10.16.0.22
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'wol' (ether-wake) will be applied to MAC=xx:xx:xx:xx:xx:xx (10.88.8.197) DS-416.Martineau.lan
RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'wol' (ether-wake) will be applied to MAC=xx:xx:xx:xx:xx:xx (10.88.8.195) DS-110J.Martineau.lan
RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client I/P xxx.xxx.xxx.xxx address is not on BLOCKED ACL list
RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client I/P xxx.xxx.xxx.xxx address is not PERIOD restricted(00:59-05:00)
RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client user 'SGA5' CCD config: ifconfig-push 10.16.0.22 255.255.255.0
RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client CCD configuration ended.
RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_732ba27906fc5816.tmp
RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI: Learn: 10.16.0.22 -> client/xxx.xxx.xxx.xxx
RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI: primary virtual IP for client/xxx.xxx.xxx.xxx: 10.16.0.22
i.e. the following shows that the Android phone (10.16.0.22) connected to OpenVPN Server #2 and the ACL rules will only allow access to specific devices, namely the IP Cameras:
Code:
iptables  --line -t filter -nvL OVPN
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
2       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.148
3       35  2100 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.125
4       36  2160 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.123
5       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.122
6       30  1800 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.121
7       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.120
8        0     0 RETURN     all  --  tun22  br0     10.16.0.22           10.88.8.0/24
9      112 25091 RETURN     all  --  tun22  eth0    10.16.0.22           0.0.0.0/0
10    2886  190K ACCEPT     all  --  tun21  *       0.0.0.0/0            10.88.8.0/24
11     188 11280 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
12       0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
and all LAN IP camera feeds were correctly viewable on the Android phone.

Here is my -t nat POSTROUTING table:
Code:
iptables  --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 83 packets, 5864 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      tun13   10.88.8.0/24         0.0.0.0/0
2        0     0 MASQUERADE  all  --  *      tun13   10.88.8.0/24         0.0.0.0/0
3     434K   39M PUPNP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
4     132K   20M MASQUERADE  all  --  *      eth0   !xxx.xxx.xxx.xxx      0.0.0.0/0
5     4795  581K MASQUERADE  all  --  *      br0     10.88.8.0/24         10.88.8.0/24
6        0     0 MASQUERADE  all  --  *      tun13   10.8.0.0/24          0.0.0.0/0
and clearly my POSTROUTING table is missing your proposed SNAT rule:
Code:
0        0     0 SNAT       all  --  *      br0     10.8.0.0/24          0.0.0.0/0            to:10.88.8.1
yet everything works? o_O

In summary, I personally don't believe it is a bug in the firmware.
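As an added example (not from the thread), here is a small audit of an OVPN chain listing like the ones pasted above: for each OpenVPN Server tunnel it reports the catch-all rule that decides the default for that server's clients, and which client addresses have ACL rules ahead of it, which is how the tun22 restrictions show up. It runs on Martineau's listing above as its embedded sample input; a tunnel with no catch-all (tun21 here) is reported as default=none.

```shell
#!/bin/sh
# Added example, not from the thread: audit an "iptables --line -t filter -nvL OVPN"
# listing (as pasted in this thread) and report, per OpenVPN Server tunnel (tun2X),
# the catch-all rule that decides the default for its clients and which client
# addresses have their own ACL rules ahead of it. Reads the listing on stdin.
ovpn_chain_audit() {
    awk '
    # listing columns: num pkts bytes target prot opt in out source destination
    $7 ~ /^tun2[0-9]$/ {
        d = $7; seen[d] = 1
        if (d in catchall) next            # rules after the catch-all never match
        if ($9 == "0.0.0.0/0" && $10 == "0.0.0.0/0") {
            catchall[d] = $4 "(rule " $1 ")"
        } else if ($9 != "0.0.0.0/0" && !((d, $9) in client)) {
            client[d, $9] = 1
            acl[d] = acl[d] (acl[d] ? "," : "") $9
        }
    }
    # default=none: no catch-all, unmatched traffic falls through to the caller chain
    END {
        for (d in seen) {
            def = (d in catchall) ? catchall[d] : "none"
            cl = acl[d] ? acl[d] : "-"
            printf "%s default=%s clients_with_acl=%s\n", d, def, cl
        }
    }' | sort
}

# The OVPN chain Martineau posted above (per-client ACL rules for tun22), used as input.
sample_ovpn_listing() {
    cat <<'EOF'
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
2       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.148
3       35  2100 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.125
4       36  2160 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.123
5       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.122
6       30  1800 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.121
7       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.120
8        0     0 RETURN     all  --  tun22  br0     10.16.0.22           10.88.8.0/24
9      112 25091 RETURN     all  --  tun22  eth0    10.16.0.22           0.0.0.0/0
10    2886  190K ACCEPT     all  --  tun21  *       0.0.0.0/0            10.88.8.0/24
11     188 11280 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
12       0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
EOF
}

sample_ovpn_listing | ovpn_chain_audit
```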
 
Unfortunately, also with the latest update, it doesn't work without adding the firewall rule.

Another question:
is it possible to add policy-based routing for a specific client in a bash script?

Thank you in advance!
 
Hi all,
I restored the router configuration and removed the VPN client, to avoid any possible interference. But even if I have set Client will use VPN to access: Both, without the underlying firewall rule I can connect to the internet and to the router but I can't access my Synology NAS web server hosted in my LAN.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

My router model is: RT-AC66U_B1
My firmware version is 384.7_2
 
@Martineau please I need help on this. I did setup the routing and everything is working but I need clients on 10.8.0.x to use my pi-hole server for DNS on 192.168.1.2. Any ideas how to make this work?

Thank you
 

By default, the OpenVPN server(s) will usually push the router as the DNS server to their inbound clients:
Code:
push "dhcp-option DNS $(nvram get lan_ipaddr)"
However, you can add additional DNS servers to be used by the clients by using the following directive in Custom Configuration
e.g.
Code:
push "dhcp-option DNS 192.168.1.2"
If you wish to override the default DNS server, then you will need to exploit the 'openvpnserverX.postconf' script to replace the router's default.

Not sure if this helps/works?
 
@Martineau I pushed the DNS as you say and I can see the pi-hole getting the query, but nothing works on my mobile, the browser spinning forever. However, if I set the pi-hole in WAN DNS everything works, but I see the router making the requests on the pi-hole, not the client.
 
