VPN and remote access


ARKASHA

Not sure this is the right section to post in. I have a home setup including my provider's router, an Asus RT-68 connected to the WAN port of the provider's router and operating in DMZ, and a NAS (Asustor 3102T) connected to the Asus router and connected to the internet via an ExpressVPN setup file. I want to access the NAS remotely. I read a lot of posts about setting up the VPN (done!), port forwarding (done), static IP (got), but I still can't access my NAS remotely. So my question is whether an alternate setup could be better: connecting the NAS to a LAN port of the provider's router and setting up the VPN on the NAS, hopefully maintaining access to the NAS from my LAN.
 
Yes, sure, I have the DHCP server, Wi-Fi, UPnP, DLNA, file sharing and firewall all disabled on the provider's router and all traffic DMZed to the Asus router.
 
Cool, you definitely want your NAS behind your Asus (firewall’d+VPN’d+port forwarded).

Do you have connectivity issues? Why are you looking for an alternative setup?
 
Yes, sure, I have the DHCP server, Wi-Fi, UPnP, DLNA, file sharing and firewall all disabled on the provider's router and all traffic DMZed to the Asus router.
That isn't bridge mode. That's just router mode with stuff turned off.
 
That isn't bridge mode. That's just router mode with stuff turned off.

Oh, I'm sorry, to me that was bridge mode. I have an FTTS-type connection to my provider via an Askey RTV1907vW-D228. I'm looking to connect to my NAS, which I use mainly as a download station, from outside my network for file download and Plex media server.
 
This is actually a well-known problem. And I've discussed it many times on the dd-wrt forums (with regard to dd-wrt, of course).

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1129398

Many of the proposed solutions discussed in the above link apply just as well to other firmware. In the case of my own dd-wrt scripts, I have equivalent scripts for Tomato routers, which may work for Merlin as well (IIRC, Merlin is a Tomato variant).

What's more important about the above link is understanding the source of the problem. At that point, you can then better decide the solution that works best for you, because there is no single perfect solution. Just depends on your needs.
 
Ok, thank you, I'll keep studying :)
 
Hello friends...

I think i have a similar problem :(

My System:
A modem from my ISP in bridge mode.
Behind it I use the ASUS RT-RC68U with Merlin 384.6

I have successfully created an OpenVPN connection.
With the "Policy Rules" I can now specify which devices are running via VPN and which are not.
I have even managed to have the router do the DDNS update over the WAN IP, so I always get the correct IP update.

Great - it all works like a charm...

But now the problem is that once a device is connected via the router's VPN, I cannot access it remotely.
This is driving me nuts!!!!!!!!!!!!! I spent hours of time and research.

Without a VPN client, I can access externally as normal, for example my NAS on 192.168.1.6
But as soon as I tell the router that all traffic from 192.168.0.6 should go through the VPN tunnel, I cannot access my NAS anymore from outside?


Please can someone help me to understand this issue?!?
 
I provided a link in a previous post explaining the problem, and the possible solutions.

https://www.snbforums.com/threads/vpn-and-remote-access.47917/#post-419729

The reason you can't access the target of remote access over the WAN while that same device is being routed over the VPN is because of the firewall and RPF (reverse path filtering)! The routing system is perfectly fine with having reply packets from remote access over the WAN sent back over the VPN because it is **stateless**. It doesn't care. All the routing system cares about is what is the best/fastest route to reach the given destination IP.

However, the firewall is **stateful**. It **does** care. The firewall in conjunction with RPF says that for any given logical connection being actively tracked, the incoming and outgoing packets must use the **same** network interface! The purpose is to prevent spoofed packets. In other words, someone attempting to circumvent the firewall by creating bogus reply packets that have no corresponding originating packets.

Most people never notice this type of firewall checking is taking place because 99.44% of the time you're only working with a single internet-accessible network interface, specifically the WAN. But now you've created an alternate internet-accessible network interface (the VPN), and created situations where different network interfaces are now being used for the incoming and outgoing packets on the same logical connection. So now you have to take an active role in making sure you don't violate the firewall rules and RPF. I explain in my link how to do this (there are multiple solutions).
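
One concrete way to keep WAN-initiated connections on the WAN, as an added example for this thread (my own code, not eibgrad's dd-wrt/Tomato scripts and not from any post above): connections whose first packet enters on the WAN interface get a conntrack mark, the mark is restored onto the LAN host's reply packets, and marked packets are routed through a table whose only route is the WAN default gateway, so conntrack sees the same interface in both directions even though the host's own outbound traffic is policy-routed into the tunnel. The interface name, gateway, mark value, table id and rule priority are placeholders I chose; the rule priority is assumed to be numerically lower than the firmware's VPN policy rules so it is consulted first (check with `ip rule show`). On Merlin these commands would normally live in the firewall-start user script.

```shell
#!/bin/sh
# Added example for this thread (my code, not eibgrad's dd-wrt/tomato scripts).
# Goal: a LAN host whose outbound traffic is policy-routed into the VPN client
# tunnel must still answer connections that arrived on the WAN via the WAN.
# Mechanism: conntrack-mark connections that enter on the WAN interface,
# restore that mark onto the reply packets, and route marked packets through
# a table that only knows the WAN default gateway.
#
# Placeholders (assumptions, adjust for your router):
MARK=0x80                 # an fwmark bit not used by the firmware
TABLE=100                 # a routing table id not used by the firmware
RULE_PRIO=100             # must be numerically lower than the VPN policy rules
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_wan_return_rules WAN_IF WAN_GATEWAY
# Emits/executes exactly four commands; returns 1 if an argument is missing.
install_wan_return_rules() {
    wan_if="$1"
    wan_gw="$2"
    [ -n "$wan_if" ] && [ -n "$wan_gw" ] || return 1

    # 1. Tag every NEW connection whose first packet arrives on the WAN.
    run iptables -t mangle -A PREROUTING -i "$wan_if" \
        -m conntrack --ctstate NEW \
        -j CONNMARK --set-xmark "$MARK/$MARK"

    # 2. Copy the connection mark back onto packets of those connections that
    #    enter from any other interface (the LAN host's replies).
    run iptables -t mangle -A PREROUTING ! -i "$wan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --nfmask "$MARK" --ctmask "$MARK"

    # 3. A table whose only route is the WAN default gateway.
    run ip route replace default via "$wan_gw" dev "$wan_if" table "$TABLE"

    # 4. Marked packets consult that table before the VPN policy rules.
    run ip rule add fwmark "$MARK/$MARK" table "$TABLE" priority "$RULE_PRIO"
}

# Stand-alone use: sh wan-return.sh eth0 203.0.113.1
# (eth0 is the WAN interface on many Asus models; 203.0.113.1 is a
# documentation address standing in for your real gateway)
if [ "$#" -ge 2 ]; then
    install_wan_return_rules "$1" "$2"
fi
```

With DRY_RUN=1 (the default) the script only prints the four commands, which is the safe way to review them before running with DRY_RUN=0 on the router. Merlin re-runs firewall-start whenever the firewall is rebuilt, so a real deployment should test for an existing rule (`iptables -C ...`) before appending it, otherwise the mangle chain fills with duplicates.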
 
Thank you eibgrad for participating in my problem...

I have read your other posts and understand the problem a little more. Thank you for your time and for the help...

I am interested to use and try one of your sh scripts, but I don't really know how to do that on a Merlin system.
As you told me, the scripts should work on Merlin as well as on Tomato.

Maybe you could just give a short hint how to use them... And I will google the rest..
Learning by "trial and error"

I do not have any complicated settings on my Asus router, so if anything goes wrong, I just flash Merlin again and do a factory reset (or the other way round).


And last question: is it possible to let my Asus do the DDNS update... and your script will check the IP in my DDNS...
and (as you told in your script description) when a change occurs, it installs a static route for the public IP assigned to that DDNS domain name that points to the WAN.

So the router does the DDNS update and your script checks the IP and installs the static route.


Is this possible?


Anyway - thank you so much for telling me all that stuff and explaining that for me.

Kami


PS: what about the configuration in the LAN section under the ROUTE tab...
Could I set my WAN IP here? And how to do that?

 
@Kamikaze01

I assume based on your response you're interested in the following option.

https://pastebin.com/gnxtZuqg

This has nothing to do with configuring DDNS on the router. What you are doing is establishing a DDNS domain name with some provider (e.g., www.duckdns.org), then as you remotely roam with your laptop, smartphone, whatever, you update that DDNS domain name from that same device. Meanwhile, thanks to the script, your router is monitoring that DDNS domain name for changes. And when it sees a change, it creates a static route over the WAN to the public IP currently assigned to that DDNS domain name.

In other words, this DDNS domain name is doing the *opposite* of what your router would do with DDNS. Normally your router is making it possible for your remote laptop, smartphone, etc., to find your home router. But the purpose of this script is to make it possible for your home router to find your remote laptop, smartphone, etc.!

The script is generic enough that it should work with Merlin, not just dd-wrt. I just tested it myself by adding it as a services-start script under /jffs/scripts and it seemed to work.

I assume you know how to add firewall scripts to Merlin?

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
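
A minimal version of the DDNS-watching approach eibgrad describes, as an added example written for this page (my own code, not his pastebin script): the remote client keeps a DDNS name updated with its current public IP; the router polls that name and, whenever the address changes, pins that single address so it is looked up in the main routing table, which under policy-based VPN routing still holds the WAN default route. I implement the pin as an `ip rule ... to <ip>/32 lookup main` rather than a plain static route, on the assumption that the firmware's "from <NAS>" policy rule is consulted before the main table and its VPN table has its own default route, so a route added only to main would never be reached; verify the rule order with `ip rule show`. The DDNS name client.example.net is hypothetical, the nslookup parsing assumes BusyBox or glibc output with a "Name:" line before the answer, and the state-file path, rule priority and poll interval are my placeholders.

```shell
#!/bin/sh
# Added example for this thread (my code, not eibgrad's pastebin script).
# The *remote* client updates a DDNS name with its own public IP; this script
# runs on the router, polls that name, and whenever the address changes it pins
# that single address to the main routing table (whose default is the WAN),
# so replies to that client never get pulled into the VPN tunnel.
#
# Placeholders (assumptions): state-file path, rule priority, poll interval,
# and the hypothetical DDNS name client.example.net used in the usage line.
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands, 0 = execute (root)
STATE_FILE="${STATE_FILE:-/tmp/remote_client.ip}"  # last IP we pinned
RULE_PRIO="${RULE_PRIO:-90}"                       # must beat the VPN policy rules
INTERVAL="${INTERVAL:-30}"                         # seconds between polls

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# resolve_host NAME -> first IPv4 answer, empty if none.
# Assumes BusyBox/glibc nslookup output, where the answer section starts at "Name:".
resolve_host() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { answer = 1 }
        answer && /^Address/ {
            ip = $NF
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print ip; exit }
        }'
}

# sync_remote_route NAME
# Returns 0 and (re)installs the pin when the IP changed, 1 otherwise
# (unresolved name, malformed answer, or same IP as last time).
sync_remote_route() {
    name="$1"
    new_ip="$(resolve_host "$name")"
    case "$new_ip" in
        "" | *[!0-9.]*) return 1 ;;        # unresolved or not a plain IPv4
    esac
    old_ip="$(cat "$STATE_FILE" 2>/dev/null)"
    [ "$new_ip" != "$old_ip" ] || return 1

    # Remove the stale pin first so only the current client IP bypasses the VPN.
    if [ -n "$old_ip" ]; then
        run ip rule del to "$old_ip/32" lookup main priority "$RULE_PRIO"
    fi
    run ip rule add to "$new_ip/32" lookup main priority "$RULE_PRIO"
    printf '%s\n' "$new_ip" > "$STATE_FILE"
}

# Stand-alone use: sh ddns-pin.sh client.example.net   (polls forever)
if [ "$#" -ge 1 ]; then
    while :; do
        sync_remote_route "$1" || true
        sleep "$INTERVAL"
    done
fi
```

The trade-off eibgrad points out still applies: before every remote session the client must push its current IP to the DDNS name, and until the next poll completes the router will still answer via the VPN. Keeping the poll interval short and the DDNS TTL low (assumed to be settable at the provider) narrows that window but does not remove it.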
 
Ahh...
Okay... Now I understand!!!
The script will check the IP of my domain and write in a static route of THAT IP.

So every time I want to remotely access e.g. my NAS with my smartphone, I first have to update my DDNS from the smartphone (via their homepage, or via link,...), so that my domain gets the IP of my smartphone...

Meanwhile your script checks this domain every few seconds for a new IP and writes in the static route of THAT IP (in this case my smartphone).
(NOT the WAN IP of the router)

And THEN I should be able to connect to the NAS in my LAN via my smartphone.


Hmm... So every time I want to connect, there are some extra steps necessary...


When I put the VPN directly in my NAS, I have no problem at all... So maybe that could be an alternative


Anyway... I will think of it and hopefully get it sorted in a comfortable way


Thank you soooooo much for all your friendly help
You're my man...


Kami
 
Hmm... So every time I want to connect, there are some extra steps necessary...

Yep. That's why I provided several other options beyond that particular script.

Alternatively, you could use the following tomato script instead. Once installed and configured properly, you're done.

https://pastebin.com/GMUbEtGj

Doesn't even require any special rules. However, because that particular script disables RPF (some people don't mind, some do), and doesn't work with certain other features enabled at the same time (e.g., QoS), it's not for everyone.

There is no perfect, one size fits all solution. Each solution has advantages and disadvantages. It's why I keep stressing that YOU have to decide the solution that works best for your situation.
 
@eibgrad

Thanks for the help and the possible alternatives.

I have downloaded both scripts and I will consider which solution is the best for me.
Since I only need remote access to my NAS at the moment, I think I will put the VPN directly on it.

On the router I will set the NAS as an exception, routed over the WAN.
All other devices, such as laptops, smartphones, smart TVs, Android boxes, ..., go over the VPN.

I think I can live well with this kind of solution.

Nevertheless, I am interested in the second script and will take a closer look some time ...

Thank you very very much for the information, the help, the quick answers and the education in this topic.

I have downloaded both scripts and the pages that have to do with it are saved as a favorite.

Topic is clear so far
happy again ;-)

Kami
 
I've got a similar problem, but it's weirder... Wondering if you could suggest a solution @eibgrad.

Running an RT-AC88U firmware 384.7:

  • Have VPN Server running (subnet 10.xx.xx.0).
    • TUN/UDP
      • tun21
    • VPN Subnet / Netmask: [10.xx.xx.0]/[255.255.255.0]
    • Advertise DNS to clients: [NO]
  • Have VPN Client running and policy rules to:
    • Route to VPN:
      • 192.xxx.x.0/24
      • 10.xx.xx.0/24
    • Route to WAN:
      • Windows PC (192.xxx.x.106)
      • Printer (192.xxx.x.101)
      • NAS (192.xxx.x.100)
      • Router (192.xxx.x.1)
  • Have firewall-start policies in place to allow subnet traffic from VPN server to follow aforementioned VPN client policy rules.

When I login to the VPN server from abroad on Windows laptop
  • I can:
    • RDP into Windows PC (192.xxx.x.106)
    • Login to router via browser (192.xxx.x.1)
    • Login to printer via browser (192.xxx.x.101)
    • ping the NAS (192.xxx.x.100)
  • I cannot:
    • Login to NAS via browser (192.xxx.x.100), or access it in any other way.
      • Says "Forbidden. You don't have permission to access/on this server"

I have tried:
  • Shutting down VPN Client entirely, then rebooting router (with VPN Client still off), then rebooting NAS, then trying to log in.
  • Turning all network share settings for Windows laptop (machine accessing VPN server) to [ON]
  • Appending router iptables:
    • iptables -A FORWARD -i tun2+ -s 10.xx.xx.0/24 -d 192.xxx.x.0/24 -j ACCEPT
    • iptables -A FORWARD -o tun2+ -s 192.xxx.x.0/24 -d 10.xx.xx.0/24 -j ACCEPT
    • [EDIT: 16 October @ 0411EST]
      • iptables -A FORWARD -i tun2+ -s [VPN server client's real IP address] -d 192.xxx.x.0/24 -j ACCEPT
      • iptables -A FORWARD -i tun2+ -s 192.xxx.x.0/24 -d [VPN server client's real IP address] -j ACCEPT
  • Sh!tting bricks

Any explanation as to why this is occurring would be greatly appreciated. I know it has something to do with the firewall settings, but am limited on knowledge to go further. I read over your post on DD-WRT forums, but am not fully understanding the "WAN in -> WAN out..... allowed" table you referred to.

Do iptables need to be appended such that the source is the real IP address, and not the virtual one? it's 2018 damnit...
 
I cannot:
  • Login to NAS via browser (192.xxx.x.100), or access it in any other way.
    • Says "Forbidden. You don't have permission to access/on this server"

That error indicates this has nothing to do with the VPN, since you are actively being denied access by the NAS. Chances are the NAS firewall rejects the connection from a non-LAN IP.
 
That error indicates this has nothing to do with the VPN, since you are actively being denied access by the NAS. Chances are the NAS firewall rejects the connection from a non-LAN IP.

If this is the case... then I have a pro tip for everyone who comes to this thread!

If your wife buys you a Western Digital My Cloud EX2 Ultra, return that shirt.... buy something else, and make her believe that what you purchased is what she bought you. Don't "live with it"..... venting complete.

Thank you for the tip. I'll look into that and get back to you. Hopefully it will help someone else out who's having the same issues as me.
 
I searched a little last night on the issue and many people report having it, but not a lot of solutions. One person reported that his fix was to use the router IP address in the network share directive, e.g. //192.168.1.1/networkshare_name
 
