Solved Access modem Web UI on WAN port in OpenVPN Server


abcxyz

Occasional Visitor

I followed this article and now I can access the ISP modem web UI on the LAN, but when I use the OpenVPN server, I can’t access the ISP modem web UI (with the IPsec VPN server, I can access the ISP modem normally).

I’m using AX56U router with 386.3_2 Merlin firmware.

Please help me. Thanks a lot!
 

eibgrad

Very Senior Member
What have you specified for "Client will use VPN to access" on the OpenVPN server? You'll need either Internet Only or Both. If you have LAN Only, it will only allow access to the private network (e.g., 192.168.1.0/24).

P.S. I suppose you could use LAN Only, as long as you added a firewall rule exception for the modem's IP network.

Code:
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -j ACCEPT

I'm just assuming the OpenVPN server is using the default IP network of 10.8.0.0/24. If you've changed it, adjust accordingly.
 

abcxyz

Occasional Visitor
> What have you specified for "Client will use VPN to access" on the OpenVPN server? You'll need either Internet Only or Both. If you have LAN Only, it will only allow access to the private network (e.g., 192.168.1.0/24).

I’ve chosen “Both” already but it didn’t work. I restored to the latest stock fw and chose “Both” and everything was ok. I don’t know why.
 

eibgrad

Very Senior Member
Another possibility. Unless you configured the OpenVPN client to use the OpenVPN server as its default gateway, it won't know that the 192.168.0.0/24 network is accessible over the VPN. You need to push that route from the server to the client in the OpenVPN server custom config field.

Code:
push "route 192.168.0.0 255.255.255.0"
 

abcxyz

Occasional Visitor
> What have you specified for "Client will use VPN to access" on the OpenVPN server? You'll need either Internet Only or Both. If you have LAN Only, it will only allow access to the private network (e.g., 192.168.1.0/24).
>
> P.S. I suppose you could use LAN Only, as long as you added a firewall rule exception for the modem's IP network.
>
> Code:
> iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.0.0/24 -j ACCEPT
>
> I'm just assuming the OpenVPN server is using the default IP network of 10.8.0.0/24. If you've changed it, adjust accordingly.

Thanks for your help. This solution works fine. Is there any way to add this rule to the router via the Web UI instead of SSH-ing and adding it to the firewall-start file?
 

eibgrad

Very Senior Member
> Thanks for your help. This solution works fine. Is there any way to add this rule to the router via the Web UI instead of SSH-ing and adding it to the firewall-start file?

The only way to make it permanent is via the firewall-start script.
 

abcxyz

Occasional Visitor
> Another possibility. Unless you configured the OpenVPN client to use the OpenVPN server as its default gateway, it won't know that the 192.168.0.0/24 network is accessible over the VPN. You need to push that route from the server to the client in the OpenVPN server custom config field.
>
> Code:
> push "route 192.168.0.0 255.255.255.0"

I wrote your script to:

Code:
iptables -I FORWARD -s tun+ -d eth0 -j ACCEPT

And the script didn't work. I wrote the script like that because I don't want to change firewall-start if I change the IP of the ISP modem or OpenVPN server.
 

eibgrad

Very Senior Member
If you decide to use network interfaces in the firewall rule, then you need to change the options from -s and -d to -i for input-interface and -o for output-interface.

Code:
iptables -I FORWARD -i tun+ -o eth0 -j ACCEPT

Note: You may need to use vlan2 rather than eth0.
 

abcxyz

Occasional Visitor
> If you decide to use network interfaces in the firewall rule, then you need to change the options from -s and -d to -i for input-interface and -o for output-interface.
>
> Code:
> iptables -I FORWARD -i tun+ -o eth0 -j ACCEPT
>
> Note: You may need to use vlan2 rather than eth0.

What is the vlan2 interface? I tried to use vlan2 but the command didn't work. Eth0 is okay.
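
Added example, not part of any post in this thread: a sketch of a firewall-start script for the exception discussed above. It combines the interface match (-i/-o) with the network match (-s/-d), so the exception covers only VPN clients reaching the modem's network rather than everything arriving on a tun interface and leaving via the WAN port, and it checks for an existing rule before inserting. The /jffs/scripts/firewall-start location, the IPT override and the function names are assumptions; the networks and interfaces are the thread's values.

```shell
#!/bin/sh
# Added example, e.g. saved as /jffs/scripts/firewall-start (assumed path).
# Values are the ones used in the thread; adjust them to your setup.
IPT="${IPT:-iptables}"        # overridable so the logic can be exercised off-router
VPN_IF="tun+"                 # any tun interface (OpenVPN)
WAN_IF="eth0"                 # WAN port facing the modem (vlan2 on some models)
VPN_NET="10.8.0.0/24"         # OpenVPN server default network
MODEM_NET="192.168.0.0/24"    # modem's IP network

# Insert a rule only if an identical one is not already present.
# -C tests for an existing rule (assumes the router's iptables supports -C),
# so running the script again does not stack duplicate rules.
ensure_rule() {
    $IPT -C "$@" 2>/dev/null || $IPT -I "$@"
}

# Interfaces are matched with -i/-o, networks with -s/-d.
# Using both keeps the exception as narrow as the traffic it is meant for.
allow_modem_access() {
    ensure_rule FORWARD -i "$VPN_IF" -o "$WAN_IF" \
        -s "$VPN_NET" -d "$MODEM_NET" -j ACCEPT
}

# Apply on the router; skipped on hosts where iptables is not installed.
if command -v "$IPT" >/dev/null 2>&1; then
    allow_modem_access || echo "firewall-start: could not add modem rule" >&2
fi
```

After a firewall restart, `iptables -L FORWARD -v -n` shows whether the rule is present and whether its packet counter increases when a VPN client opens the modem UI.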
 
