
Access LAN through OpenVPN server only when OpenVPN client is disconnected??

Discussion in 'Asuswrt-Merlin' started by Rene1978, Feb 22, 2019.

  1. Rene1978

    Rene1978 New Around Here

    Joined:
    Mar 7, 2018
    Messages:
    8
    Hello all,

    I cannot find a similar topic using the search. I have a RT-86U running Merlin 384.9. I use NordVPN and have configured that connection in the openVPN client section in accordance with the NordVPN manual. I have configured an OpenVPN server which I use to access my LAN devices from any location outside of my own LAN. The NordVPN client uses a 10.8.8.0/255.255.255.0 IP mask, the internal LAN is 10.1.0.0/255.255.255.0, the openVPN server uses 10.16.0.0/255.255.255.0.

    The issue described:
    1. In all situations I can connect to my openVPN server using my phone on 4G;
    2. In all situations I can connect to my RT-86U through SSH (10.1.0.254) when on the openVPN server;
    3. I cannot access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected to NordVPN. The LAN device I try to connect should use the NordVPN VPN always (configured in the openVPN client strict policy);
    4. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is disconnected from NordVPN.
      • In this situation the LAN device I try to connect should always use the NordVPN VPN (configured in the openVPN client strict policy);
    5. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected from NordVPN.
      • In this situation the LAN device I try to connect should allways connect using the WAN connection (configured in the openVPN client strict policy);
    Looking in the openVPN log on my phone, it reveals that the openVPN server adds a route 10.1.0.0/24 when connected, so that seems to be OK. Furthermore, I use IP addresses to connect to my LAN devices, so it is unlikely a DNS issue. The LAN devices I try to connect to have been

    I think it is somewhere in the routing where the response from my LAN devices gets redirected through the NordVPN connection to my phone based on the openVPN client strict policy. The routing table in the GUI currently looks like this (the blurred part is my ISP external IP address):

    [image: screenshot of the routing table page in the router GUI]

    I am not savvy enough to find my way to a solution in the command line where I guess I need to put in place a rule somewhere that makes sure that all replies from LAN (10.1.0.X) devices to clients connected to the openVPN server (10.16.0.X) always get redirected through the WAN connection instead of the NordVPN...?? Would this be the solution or is there a better way? Need some help from experts here. Thanks!
     
    Last edited: Feb 22, 2019
  2. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,616
    Policy Rules (strict) will cause this. Use normal Policy Rules and see if this helps
     
  3. Rene1978

    Rene1978 New Around Here

    Joined:
    Mar 7, 2018
    Messages:
    8
    Ok, this does fix the issue and makes sense since the LAN device is (apparently) no longer forced to use the NordVPN tunnel. However, this does raise a question on what the exact difference between Policy Rules (Strict) and Policy Rules is. In more detail, can I assume (want to be sure) that when I use Policy Rules my LAN devices will always use the NordVPN tunnel for Internet access?
     
  4. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,616
    I think the main difference is the routes that are added to the routing table. In Strict, only the LAN subnet route is added to the VPN client's routing table. In non-strict, all subnets (including the VPN server) are added.

    You can compare
    Code:
    ip route show table ovpnc1
    
    in both modes to compare the VPN client's routing table
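As an added example (not code from the thread or from Asuswrt-Merlin itself), a small POSIX shell check that applies the comparison described above to the output of `ip route show table ovpnc1`: it reports whether the OpenVPN server subnet has an entry in the VPN client's policy table, and therefore whether replies from a LAN device bound to that table stay local or fall through to the tunnel. The two table dumps are constructed to mirror the thread's addressing (10.1.0.0/24 LAN, 10.16.0.0/24 server, 10.8.8.0/24 NordVPN); the interface names and exact route lines are assumptions.

```shell
#!/bin/sh
# Constructed samples of `ip route show table ovpnc1` in the two policy modes.
# Interface names (tun11 = VPN client, tun21 = VPN server, br0 = LAN) and the
# route lines are assumptions for illustration, not output from a real router.
STRICT_TABLE='10.1.0.0/24 dev br0 proto kernel scope link src 10.1.0.254
10.8.8.0/24 dev tun11 proto kernel scope link src 10.8.8.5
0.0.0.0/1 via 10.8.8.1 dev tun11
128.0.0.0/1 via 10.8.8.1 dev tun11'

NORMAL_TABLE='10.1.0.0/24 dev br0 proto kernel scope link src 10.1.0.254
10.16.0.0/24 dev tun21 proto kernel scope link src 10.16.0.1
10.8.8.0/24 dev tun11 proto kernel scope link src 10.8.8.5
0.0.0.0/1 via 10.8.8.1 dev tun11
128.0.0.0/1 via 10.8.8.1 dev tun11'

# route_exists TABLE_TEXT PREFIX: succeeds when the table has an entry whose
# destination is exactly PREFIX (the first field of an `ip route` line).
route_exists() {
    printf '%s\n' "$1" | {
        while read -r dst rest; do
            [ "$dst" = "$2" ] && exit 0
        done
        exit 1
    }
}

# missing_routes TABLE_TEXT "PFX1 PFX2 ...": prints each prefix that has no
# entry in the table, one per line; empty output means all are present.
missing_routes() {
    for p in $2; do
        route_exists "$1" "$p" || echo "$p"
    done
}

# return_path TABLE_TEXT SERVER_SUBNET: "local" when replies from a LAN device
# bound to this table have a direct route to OpenVPN server clients;
# "tunnelled" when no such entry exists, so they match the 0.0.0.0/1 and
# 128.0.0.0/1 halves instead and leave through the VPN client tunnel.
return_path() {
    if route_exists "$1" "$2"; then echo local; else echo tunnelled; fi
}

# On the router itself, replace the constructed text with the live table:
#   return_path "$(ip route show table ovpnc1)" 10.16.0.0/24
return_path "$STRICT_TABLE" 10.16.0.0/24   # prints: tunnelled
return_path "$NORMAL_TABLE" 10.16.0.0/24   # prints: local
```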
     
  5. Rene1978

    Rene1978 New Around Here

    Joined:
    Mar 7, 2018
    Messages:
    8
    Thanks, the routing tables are indeed very different. The table in Strict mode does not contain the openVPN server, the one in normal mode does. It also shows that traffic to the internet gets directed through the NordVPN tunnel. Thanks. The routing table in the GUI is not as complete BTW..... ;)