access to LAN devices through VPN client on router


johna45

New Around Here
Good evening everyone,

I'm new here, so please don't kill me for asking dumb questions...

I'm trying to remotely access a NAS on my LAN, while my router is connected as a client to a VPN server.

Here is my config:

LAN0: internet provider's modem
192.168.11.0/24 255.255.255.0

LAN1: ASUS RT-AC66U B1
Asuswrt-Merlin 384.18
connected to LAN0 in router mode (ASUS router LAN0 IP: 192.168.11.2)
192.168.12.0/24 255.255.255.0

NAS: connected to LAN1 (192.168.12.10)

What's working so far:
_ I've done port forwarding on both modem and router, so I can access my NAS remotely when NOT using VPN
_ when OpenVPN client set on ASUS router, all LAN1 devices access WAN through VPN (got dedicated IP from VPN provider)
_ when OpenVPN is set directly on the NAS (synology), I can access it remotely through VPN tunnel (using the dedicated IP)

What's NOT working:
When OpenVPN tunnel is set on the ASUS router, I can't access my NAS remotely anymore.

I don't know what to do, especially as I've reached my networking knowledge limits...

Do I need to set a route in VPN client conf? If yes, which one?

I've read a few threads on similar issues, but never identical. Despite many attempts, nothing worked.

Any help would be greatly appreciated.

Thanks!
 

johna45

New Around Here
Hi eibgrad,
Thank you for the link, but I'm not sure this would solve my issue, as I'm trying to do something slightly different (don't have VPN server running).
I'd like to access my NAS through a VPN client connection (calling my VPN dedicated IP), so PBR is not going to help that (that would only make my NAS avoid the VPN if I'm correct). And this is already working when VPN client is set on the NAS itself, but not with the router. In that case, only the NAS would benefit from the VPN tunnel, so not a solution I want...
That's also why I think VPN server settings are fine, but VPN client settings on my router need some adjustments...

I might be wrong, as I'm no expert.

I've noticed on my router's log this line:
/sbin/route add -net 77.77.77.77 (VPN server's IP) netmask 255.255.255.255 gw 192.168.11.1 (which is my ISP's modem IP on LAN0, while VPN connection is set on ASUS router, ie LAN1...)

then I have those lines:
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 77.77.77.1 (probably VPN server gateway?)
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 77.77.77.1

Could that be part of the issue?
 

eibgrad

Very Senior Member
The link I provided is a specific example of a more general problem. IOW, the problem you're experiencing is NOT limited to a concurrent OpenVPN server, but *any* service you need to access over the WAN when either the router or any LAN devices beyond it are bound to the router's OpenVPN client.

I've noticed on my router's log this line:
/sbin/route add -net 77.77.77.77 (VPN server's IP) netmask 255.255.255.255 gw 192.168.11.1 (which is my ISP's modem IP on LAN0, while VPN connection is set on ASUS router, ie LAN1...)
That is the OpenVPN client binding the public IP address of the OpenVPN server to the WAN/ISP so that it doesn't mistakenly get routed over the VPN tunnel (due to the following routes). This is normal and expected.

then I have those lines:
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 77.77.77.1 (probably VPN server gateway?)
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 77.77.77.1
These routes override the default gateway (which normally points to the WAN/ISP) and force all traffic (router and LAN devices behind it) over the VPN. Once again, this is normal and expected.

As I said, this setup will *always* present a problem to anyone attempting to access services over the WAN because the replies end up getting routed over the VPN rather than back over the WAN/ISP! The link I provided suggests ways to deal with it. There are others, but those are the most common.
 

johna45

New Around Here
Hi,
I've been busy lately, so sorry for the delay since my last message.
Thanks eibgrad for the explanations about the few lines I didn't understand.
So what could be the solution?
The link you've sent is suggesting routing my NAS' traffic around the VPN, which is exactly what I don't wish, as I want my NAS to use the secure connection my VPN is providing...
So any ideas? Anyone?
What should I set in ASUSwrt-Merlin to make it work?
Thank you!
 

eibgrad

Very Senior Member
Assuming those other options are not viable, then what you need is a very specific kind of PBR (policy based routing), something the Merlin firmware doesn't support. The kind of PBR that can route based not just on source IP, but a specific port, such as the ssh port (22). I assume that's the service you need to access on the NAS.


I can't personally vouch for the above code, but it's definitely the kind of PBR I'm referring to. I have my own PBR script that works similarly and has been written specifically for FT (freshtomato), and probably could be adapted for use w/ Merlin (for all I know, it might work as-is, given FT and Merlin are both tomato variants, and are thus very similar).


But you might first try to browse that thread and see if it provides a workable solution.
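The routing fix both of eibgrad's replies describe (replies to connections that arrive on the WAN must leave via the WAN even though the tunnel's 0.0.0.0/1 and 128.0.0.0/1 routes own the default path, and the selection must key on the service port, not just the NAS address) can be expressed with a connection mark plus a second routing table. This is an added illustration, not a script from the thread or from the Merlin/freshtomato projects; the interface names (eth0, br0), the mark value, and table id 100 are assumptions, and the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: policy-based routing so that replies to inbound WAN connections
# for one NAS service go back out the ISP gateway instead of the OpenVPN tunnel.
# Assumed values: WAN interface eth0, LAN bridge br0, table id 100, mark 0x1.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-br0}
WAN_GW=${WAN_GW:-192.168.11.1}      # ISP modem, the router's gateway on LAN0
NAS_IP=${NAS_IP:-192.168.12.10}     # NAS on LAN1
NAS_PORT=${NAS_PORT:-22}            # the forwarded service port (ssh here)
TABLE=100
MARK=0x1
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands; 0 = execute them (root on the router)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

pbr_apply() {
  # Loose reverse-path filtering on WAN: with the tunnel holding the default route,
  # strict rp_filter would drop inbound WAN packets whose return path is the tunnel.
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
  # A separate table whose default route is the ISP gateway, bypassing the tunnel.
  run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
  # Marked packets consult that table before the main table (priority < 32766).
  run ip rule add fwmark "$MARK" table "$TABLE" priority 100
  # New connections arriving on WAN for the NAS service: mark the connection.
  run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp --dport "$NAS_PORT" \
      -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
  # Replies from the NAS: copy the connection mark onto the packet so the rule matches.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$NAS_IP" -p tcp --sport "$NAS_PORT" \
      -j CONNMARK --restore-mark
  run ip route flush cache
}

pbr_apply
```

Connections the NAS opens itself (or any other LAN traffic) carry no mark and still follow the tunnel routes; only replies to sessions that entered on the WAN port are steered back to the ISP gateway.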
 
