Port Forward TUN to LAN on RT-AC68U setup openVPN and connecting to router webGUI or server

bfrank

New Around Here
This is my first question here on this forum. Hope it's not a noob one, but I really can use some help here.

I have an Asus RT-AC68U with Asuswrt-merlin v380.59 running perfectly and without problems. Connected to the router I have some cams and a mineOS server running. All is running without problems and can be accessed from the internet. I can also connect to the router's webGUI from the internet.

Now I want to run the OpenVPN client on the router so that my whole network is behind the VPN connection. I have a VPN subscription at AirVPN and setting up the VPN connection is no problem at all.

So far so good.

Connecting to the server and webGUI on the local (internal) side is no problem, but now I want to connect to the router's WebGUI or MineOS server or webcams from the internet side. I know my new VPN IP or DDNS from AirVPN. I can even do port forwarding on the AirVPN side. But whatever I try, I'm unable to reach the server and/or router WebUI.

I have searched a lot but have been unable to find any answer yet.

Is what I want possible?
If yes, how is the setup then on the router side?


Thanks !!
 
If I read your question correctly, you currently have some cameras and a mineOS server running on your LAN and are accessing them via the internet site (presumably by port forwarding?)
Now you want to remove the port forwarding and access your LAN via VPN?
The best way to achieve this is to set up a VPN SERVER on your router and not a VPN client to an external VPN service. You will then be able to access your LAN from outside in the WAN via your external IP address (assuming you have a static IP) or via a DDNS service.
I'm no expert but I have set up such a VPN and can access my LAN from outside in the WAN successfully. I used Open VPN.
 
Thanks for your reply.
You are correct, I want to be able to access the LAN side or the router's webGui via a VPN connection. But I don't want to use my own IP address. I want to use the IP address from the VPN service. When I turn off the VPN connection I can connect to the router webGui. As soon as I turn on the OpenVPN connection and forward the router's webGui port at the VPN service side, I'm unable to connect to the router's webGui with my new VPN IP address. I have the feeling it is something very simple. But I cannot find the solution.
 
Sorry, I'm not sure how you would achieve that. Are you running a VPN server or client on your router?
Surely a DDNS service giving you a URL that points to your WAN interface as it changes isp address with a VPN server on your router and client on your external devices will give you what you want. And no need to forward any ports so more secure.
I use a DDNS address from asuscom.com as it's free with my router and does everything I want it to.
 
After looking and reading a lot on the net I finally found that what I need is to forward the ports from the VPN TUN to LAN.
And not the standard port forwarding GUI on the router, because that will forward from WAN to LAN.

(see https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables/)
I know it's for tomato but it's the same for ASUS-merlin

Now, this means that I have to manually put the changes in the iptables.
Or can I put these rules in the "Custom Configuration" area of the OpenVPN-client page on the router?
Or ... is there a more simple GUI way?

Thanks.
 
I am also configuring my RT AC-68U to run behind my AirVPN service. My issue is very similar to yours. I am hosting my own web server and am having many failed attempts to port forward my MacMini server. I am also using OpenVPN and Merlin 380.62_1.

Yes, we need to forward ports from TUN to LAN. I am also using iptables. I could not get my ports to forward. Materials on the internet are plentiful but none are specific to my needs. Have you used SSH or Telnet to get into your router and created a nat-start or a similar configuration file? My issue lies somewhere in the firewall (router settings), resolving my DNS or my web server settings. Thanks!
 
Sorry for the late reply.

Yes, I have done it all. I'm pulling my hair out with this. Creating a nat-start or firewall-start script. Turning all port forwarding off, even resetting the router to its basic state and then creating the script for iptables. Until now it's a no go. I'm unable to forward the right ports from a VPN TUN connection to the LAN side.

I'm a bit surprised that this is so difficult.

It would be really nice if there is anyone who could tell how this can be done.

Thanks.
 
So this technique definitely doesn't work?

Code:
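#!/bin/sh
# Forward one TCP port arriving on the OpenVPN client tunnel to a LAN host.

TUNID=1               # OpenVPN client instance; client 1 uses tun11
LANIP="192.168.x.x"   # placeholder: LAN address of the target host
PORT=54321

# Allow traffic between the LAN bridge (br0) and the tunnel in both directions,
# and masquerade LAN traffic leaving through the tunnel.
iptables -I FORWARD -i br0 -o "tun1$TUNID" -j ACCEPT
iptables -I FORWARD -i "tun1$TUNID" -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o "tun1$TUNID" -j MASQUERADE

# Accept the forwarded port and rewrite its destination to the LAN host.
iptables -I FORWARD -i "tun1$TUNID" -p tcp -d "$LANIP" --dport "$PORT" -j ACCEPT
iptables -t nat -I PREROUTING -i "tun1$TUNID" -p tcp --dport "$PORT" -j DNAT --to-destination "$LANIP:$PORT"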

My current VPN Client provider (seemingly) doesn't allow unsolicited inbound VPN connections (so I am unable to test), but I may consider switching to AirVPN if this feature was available and working.
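
An added example, not part of any post in this thread: a narrower variant of the rules posted above, generated by a small POSIX shell helper. It leaves out the blanket tun-to-br0 ACCEPT so that only one port on one LAN host is reachable from the tunnel, and it deletes each rule before inserting it so a re-run nat-start script does not stack duplicates. The 192.168.0.0/16 LAN range, the tun11 to tun15 interface names and the sample host 192.168.1.50 are assumptions.

```shell
#!/bin/sh
# Added example: emit narrowly scoped TUN-to-LAN forwarding rules.
# tun11, br0, the LAN address and the port are assumed/constructed values.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_lan_ip() { # dotted quad inside 192.168.0.0/16
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ]
}

# build_rules TUN_IF LAN_IP PORT [PROTO]
# Prints the iptables commands instead of running them, so they can be reviewed.
build_rules() {
    tun=$1 ip=$2 port=$3 proto=${4:-tcp}
    case "$tun" in tun1[1-5]) ;; *) echo "bad tunnel: $tun" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    valid_lan_ip "$ip" || { echo "bad LAN IP: $ip" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }

    nat="PREROUTING -i $tun -p $proto --dport $port -j DNAT --to-destination $ip:$port"
    fwd="FORWARD -i $tun -o br0 -p $proto -d $ip --dport $port -j ACCEPT"
    # Delete any earlier copy first so repeated runs do not stack duplicates.
    echo "iptables -t nat -D $nat 2>/dev/null"
    echo "iptables -t nat -I $nat"
    echo "iptables -D $fwd 2>/dev/null"
    echo "iptables -I $fwd"
}

# Constructed sample: forward TCP 54321 arriving on VPN client 1 to one LAN host.
build_rules tun11 192.168.1.50 54321 tcp
```

The function only prints commands; on the router the reviewed output would be piped to sh from a nat-start script.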
 
Finally I managed to get it working over the weekend ... It took me a while to find out why my port forwarding was not successful. My issue was with my web server (Macmini) configuration. I did not assign those ports that I have port forwarded in the AirVPN Client Area. Let me know where you are having issues; I may be able to provide some helpful hints .....
 
I have AirVPN and they allow port forwarding. Have to say that AirVPN is really stable. They use OpenVPN and nothing else. It's working on my phone without problems. So I only have to get it working on the router side. Was traveling a lot the last weeks. Will try it again the upcoming week. Let's see if I get it to work. Updated the AC68U to the latest Merlin.

Regards,
 