RT-AC66U two openvpn servers. Don't work port forwarding when LAN only


tymchyshyn90

Occasional Visitor
Hello!
My router is RT-AC66U_B1 (FW Merlin AC68U 384.14_2)

Two OpenVPN servers are running on it:
1. TAP. My private computer connects and works well. It receives IP 192.168.0.11 and has access to all LAN resources. In the web interface I set "Client will use VPN to access: LAN only".
2. TUN (10.16.0.0). I connect with my iPhone (TAP is not supported), and sometimes my friends connect too. Clients use VPN to access LAN and Internet (set to Both).

I used only one server (TUN) before. Clients used LAN and Internet over OpenVPN. The most important reason I use VPN is remote control of a PC via an RD client. I installed an OpenVPN client on my PC, which has a non-public IP. Then I made a port forward to the OpenVPN client. For example, I can connect to my remote PC like this: DDNSname:port. The advantage is that it doesn't need the client's public IP. It's very simple and easy.

But a few days ago I decided to run another server (TAP), because this is better for LAN resource access. And I don't want the remote PC to use my Internet, so I set LAN only access on my router. Then I saw a problem: my method with port forwarding doesn't work anymore. I tried connecting my iPhone to the TUN server, and there was another problem: I can't connect to 192.168.0.11 (the PC over TAP), but from the LAN this IP pings OK. I found out that the two VPN networks have a route to the LAN, but not between each other.
I solved this problem: in the TAP server configuration, in the Allowed Clients fields, I put 10.16.0.0 255.255.255.0. After that I can connect to 192.168.0.11 when I am connected to TUN.

But the first problem is not solved, and I need your help. I found out that I can't connect with port forwarding only when LAN only is set in the server configuration. When I set Both (LAN+Internet) everything works fine, as I wish. But I don't want the client to use the Internet over VPN. How can I do that?

Thank You!
 
Are you running any of the scripts along with Merlin, i.e. Diversion, Skynet or FreshJR's QoS? I believe one of Jack Yaz's might be of use to you... installing @thelonelycoder's amtm will get you off to the races there, but the first place to start is to upgrade Merlin to 384.15.

EDIT: This is the one I was thinking of. Apologies to @Xentrk
https://www.snbforums.com/threads/x3mrouting-selective-routing-for-asuswrt-merlin-firmware.57793/
x3mRouting is great, but not for me. This add-on can route selected LAN clients to a selected OpenVPN client or the WAN. But there are no OpenVPN clients on my router, only two servers.
 
The gist of what I'm getting is you're trying to use a DDNS (public IP) address to connect to what is essentially a local client through a VPN, and its rules are set to LAN only...

If the VPN client is set to LAN only... how is it supposed to access the Internet to look up the DDNS address? And why use port forwarding/DDNS address at all? If you're connecting via VPN you can access clients using their local DHCP address without having to forward ports.
 
If I am connected to the VPN, no problem, I can connect to the local IP. But I want to connect to the PC without OpenVPN on my mobile or any other device; I want a direct connection.
 
You say you have the PC as a VPN client... what's it connecting to? Not back to the VPN server on the same router it gets its local DHCP from?
 
[attached image: upload_2020-3-4_21-20-8.png]

PC1 is located in my second house, where my parents live. It is very important for it to be in the TAP tunnel, for easy access to all resources. But usually torrents are downloading on PC1, and I don't want to share my Internet with it.
When I want to remote control PC2, I take any remote terminal client and enter the DDNS name of my router and the port, and the router's port forwarding connects me successfully. This is convenient; I don't have to install and configure an OpenVPN client on remote terminal devices.
And I want to do the same for access to PC1. Now I can only connect over OpenVPN and the local IP.
 
OP edited post...
 
So I guess I'm still confused: do you have a TUN and a TAP server running on the router, and the PC uses a VPN client to connect back and gets IP 192.168.0.11?

If so... VPNs are for traffic over the Internet, not the local LAN.

Sorry if I have that mistaken.

It should read normally

Clients (smartphone/tablet etc) --> VPN Tunnel --> Router --> Router clients

Not

Clients --> router --> vpn tunnel --> vpn clients on router
TAP and TUN servers are running on the router. 192.168.0.11 is obtained from DHCP. But PC1 has LAN access only.
I don't want to use an OpenVPN tunnel on clients. I want a direct connection with port forwarding to the router.
 
Making more sense now. PC1 (VPN client) will need access to the Internet, otherwise it can't get past the router to the client (iPhone/tablet) on the Internet connecting through DDNS. Port forwards won't help any.

Your VPN tunnel is linking your two remote connections, PC1 and Router, but your VPN rules (LAN only) are preventing the messages getting back out to your clients on the Internet connected to the router. As far as your Router is concerned, clients from the Internet can send messages, but it's set up to not let traffic out from TAP VPN clients, i.e. PC1 (LAN only rule).

With the way you have it set up, I don't think you can have what you want.

I think your only option...

Set up TUN clients on your devices (tablet/iPhone etc) and connect to your TUN server over the Internet, and they should (I'm pretty sure anyway) be able to connect to 'LAN only' TAP clients, i.e. PC1, assuming you have client-client routing enabled on your TAP server.

i.e. iPhone/tablet VPN client --> router TUN server --> mapped to TAP server
PC1 won't have Internet access, but your TUN VPN clients should be able to access PC1 over the Internet.
 
Yes, you got it right! And it still works if I connect the iPhone/tablet over TUN to the router, after adding the route in the TAP server configuration.
My question is whether it is possible to configure the server configuration file (not necessarily through the WebUI) so as to split the TAP traffic to the client. I mean, the remote control traffic must go through the router to the Internet, and the router must allow it, while all other traffic goes separately, in LAN only mode.
 
There is nothing in ASUS/RMerlin firmware for customizing OpenVPN server traffic (policy routing) short of the allow/disallow client-client.

You should be able to use iptables to create rules blocking the VPN LAN IP (PC1, 192.168.0.11) to anywhere destined for the Internet.

You could in theory revert to TAP allow Internet, use a port forward to 192.168.0.11, then iptables to allow established connections and then drop the rest of the traffic from 192.168.0.11. Then you could DDNS w/port forward to your VPN client from the Internet to your PC1 and drop its Internet traffic on the VPN... I think... this was a 30-second pondering...

Other people here might have other suggestions/ideas...

I think this may work

Code:
iptables -I FORWARD -s 192.168.0.11 -j DROP  # drops all other forwarded traffic from PC1, including traffic to the Internet
iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT  # inserted above the DROP: lets PC1 answer connections that reached it through the port forward
 
Where must I set the iptables rules?
I tried to make a script with those iptables rules, but the Internet on the TAP client PC doesn't fully work after that.
 
Firstly, does your remote PC1 always get IP 192.168.0.11 from the VPN/router, do you know? If it ever disconnects and reconnects and gets a different IP, this will be broken...

If that's your only TAP client, on your TAP server you can set the IP pool range to have just that one IP in it.

Option 1, for testing ONLY: iptables rules will disappear on reboots/WAN state change etc.
1) Enable SSH in the router admin page (LAN only!)
2) SSH into the router (use the free PuTTY program)
3) type 'iptables -L INPUT -n' and look at what it returns, just keep that in mind (don't type the ' quotes)
4) type in one line at a time in this order
Code:
iptables -I FORWARD -s 192.168.0.11 -j DROP 
iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT
5) type 'iptables -L INPUT -n' again and look, it should have the details of those two lines at the top; the established rule will come first, then the drop rule second

Then you can test it out, if it works to your needs, use the permanent solution below

Option 2, permanent

1) Enable SSH in the router admin page (LAN only!) (should already be done if you tested)
2) SSH into the router (use the free PuTTY program)
3) type 'cd /jffs/scripts'
4) type 'nano firewall-start'
5) enter this into that file
Code:
#!/bin/sh

iptables -I FORWARD -s 192.168.0.11 -j DROP  # drops all other forwarded traffic from PC1, including traffic to the Internet
iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT  # inserted above the DROP: lets PC1 answer connections that reached it through the port forward
6) hit Ctrl+X to exit nano, Y to save
7) type 'chmod a+rx firewall-start'
8) type 'service restart_firewall'
9) type 'iptables -L INPUT -n' and you should see these two rules at the top
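An added example, not code from any post in this thread: a version of the firewall-start script above that drops only PC1 traffic heading out of the WAN interface (so PC1 still reaches LAN hosts and the TUN clients), avoids stacking duplicate rules each time the firewall restarts, and checks that the ACCEPT for established flows sits above the DROP. It assumes PC1 keeps 192.168.0.11 and that Asuswrt-Merlin passes the WAN interface name to firewall-start as $1 (eth0 is only a fallback assumption); the listing it checks comes from 'iptables -S FORWARD', the chain these rules are in.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent /jffs/scripts/firewall-start
# for the PC1 rules. Assumes PC1 keeps 192.168.0.11 and that Asuswrt-Merlin
# passes the WAN interface name as $1; eth0 is only a fallback assumption.
PC1_IP="${PC1_IP:-192.168.0.11}"
WAN_IF="${1:-eth0}"

# Match only traffic leaving via WAN (-o), so PC1 keeps reaching LAN hosts and
# the TUN clients. Replies belonging to a session that reached PC1 through the
# port forward are ESTABLISHED/RELATED and must be accepted above the DROP.
ACCEPT_RULE="-s $PC1_IP -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
DROP_RULE="-s $PC1_IP -o $WAN_IF -j DROP"

# Insert a rule only if an identical one is not already present (iptables -C).
# firewall-start runs on every firewall restart; a plain -I would stack copies.
ensure_rule() {
  iptables -C FORWARD $1 2>/dev/null || iptables -I FORWARD $1
}

apply_rules() {
  ensure_rule "$DROP_RULE"
  ensure_rule "$ACCEPT_RULE"   # inserted last, so it lands above the DROP
}

# Check an "iptables -S FORWARD" listing read from stdin: the first ACCEPT for
# established PC1 traffic must precede the first PC1 DROP, otherwise replies
# to the forwarded RD session are dropped too. Exit 0 if ordered, 1 if not.
rules_ordered() {
  awk -v ip="$1" '
    index($0, "-s " ip) && /ESTABLISHED/ && /-j ACCEPT/ && !a { a = NR }
    index($0, "-s " ip) && /-j DROP/ && !d { d = NR }
    END { exit !(a && d && a < d) }'
}

# Only touch iptables when actually installed and run as firewall-start.
case "$0" in
  */firewall-start)
    apply_rules
    iptables -S FORWARD | rules_ordered "$PC1_IP" ||
      logger -t firewall-start "PC1 rules missing or misordered"
    ;;
esac
```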
 
Rereading through all of this and taking more than 60 secs to think about it:

You don't even need any of the iptables rules on the router. All you need to do is reconfigure the VPN client PC1 to ignore the pushed Internet gateway. Then you should have the setup you wanted.

Sorry for the run-around.
 
Thank you for the support!
I just tried --pull-filter ignore redirect-gateway. On the router the server is set to Both (LAN + Internet). The client connected and doesn't use my gateway, as if everything is OK. But remote access still does not work with port forwarding...
 
Just to be sure, the option needs to go in PC1's VPN client config... not the server's...

If that's how you set it, did the client have Internet through its own connection? You can google 'my ip' to see what Internet connection it's using. Or was it just that the port forward didn't work?

This could be more complicated; I may have to sit this one out, short of trying to replicate your setup myself. It's definitely out of the norm for 95% of users.

On the assumption you had the option on the client and the Internet was working with its own connection on PC1:

I think the issue could be that your router is passing your client's public IP (port forward), e.g. 1.2.3.4, as the source address for the RD connection; your client sent the request to your router's public IP address, e.g. 6.7.8.9, which doesn't match the source address of the reply, because PC1 is using its own Internet, e.g. 5.6.7.8, and it's dropping the mismatched connection.

Client sends packet from 1.2.3.4 (RD) to 6.7.8.9... PC1 saw the connection from 1.2.3.4, but its reply was sent from 5.6.7.8... not 6.7.8.9.
 
