Access to VPN Server over the internet, while Open VPN client is active

mister

Regular Contributor
Dear all,
I am using the Asus rt-68u with the actual beta2 of Merlin Firmware behind a Fritz Box 7490.
I have an openvpn client and a pptp vpn server running.

I installed the port forwarding in the 7490 and the access over the internet via vpn works as long as the openvpn client is not active.

But every time I activate the openvpn client (it doesn't depend on the vpn service provider - I tested three different ones), the vpn connection over the internet couldn't be established, neither over pptp nor over openvpn.

If I check the log files of the openvpn app of my smartphone, the public IP address of my router (7490) is resolved correctly and the ports fit.
But I don't get a response of the asus router back to the smartphone app. After a while, a time out error occurs....


As I said, it works if the vpn client in my asus router is deactivated.

Any hints for solving the problem?

Thanks a lot for your support.
 
I have the same problem.
I googled for: "openvpn client and server same time asus" and then you get lots of answers.

The reason why it does not work is that if you try to connect using the "real" internet IP address from your phone, the traffic ("all the answers") is not going back where it came from, but it is routed through the openvpn client to your other IP address on your router. The connection is thus not made, so you get time-outs.

I know that people fixed it by making scripts, but I could not figure out how to create one myself.
If you find out please inform everyone here, so others can fix it too.

Good luck :)
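
An added illustration of the routing behaviour described in the post above (not code from the thread or from the firmware): a small longest-prefix-match model of the router's tables, and of a source-based policy rule of the kind Linux policy routing offers. The phone and provider addresses are constructed, the two /1 routes assume the VPN client uses OpenVPN's `redirect-gateway def1`, and the reply is assumed to leave with the Asus WAN address as its source.

```python
import ipaddress

WAN_IP = "192.168.0.2"           # Asus WAN address, from the thread
PHONE = "203.0.113.7"            # constructed: phone's public address
VPN_PROVIDER = "198.51.100.10"   # constructed: provider's VPN server

# Main routing table without the VPN client: (prefix, outgoing device).
MAIN_CLIENT_OFF = [
    ("0.0.0.0/0", "wan"),        # default route via the Fritz!Box
    ("192.168.0.0/24", "wan"),
    ("192.168.1.0/24", "lan"),
]
# Assumed effect of "redirect-gateway def1": two /1 routes into the tunnel
# plus a host route that keeps the tunnel's own packets on the WAN.
MAIN_CLIENT_ON = MAIN_CLIENT_OFF + [
    ("0.0.0.0/1", "tun"),
    ("128.0.0.0/1", "tun"),
    (VPN_PROVIDER + "/32", "wan"),
]
# Extra table that only knows the WAN path; selected by source address.
WAN_ONLY = [("0.0.0.0/0", "wan"), ("192.168.0.0/24", "wan")]

DEFAULT_RULES = [("0.0.0.0/0", "main")]
FIXED_RULES = [(WAN_IP + "/32", "wan_only")] + DEFAULT_RULES


def lookup(table, dst):
    """Longest-prefix match: device of the most specific covering route."""
    dst = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), dev) for p, dev in table]
    hits = [(net, dev) for net, dev in nets if dst in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def egress(rules, tables, src, dst):
    """Walk the policy rules in order; the first matching table with a route wins."""
    src = ipaddress.ip_address(src)
    for selector, name in rules:
        if src in ipaddress.ip_network(selector):
            dev = lookup(tables[name], dst)
            if dev is not None:
                return dev
    return None


def reply_device(main_table, rules):
    """Device the server's reply (WAN_IP -> PHONE) leaves through."""
    tables = {"main": main_table, "wan_only": WAN_ONLY}
    return egress(rules, tables, WAN_IP, PHONE)


if __name__ == "__main__":
    print("client off:         ", reply_device(MAIN_CLIENT_OFF, DEFAULT_RULES))
    print("client on:          ", reply_device(MAIN_CLIENT_ON, DEFAULT_RULES))
    print("client on + rule:   ", reply_device(MAIN_CLIENT_ON, FIXED_RULES))
```

With the client on, the reply matches `128.0.0.0/1` and leaves through the tunnel, which is the time-out seen from the phone; the source rule sends it back out the WAN while LAN traffic still uses the tunnel.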
 
Thanks for the link martinr.
I cannot remember if I looked at that one, but I gave up a while ago.
Maybe I can find the energy to try again looking for solutions. I was just trying to inform "mister"

Hope he can use your link.
 
Thanks a lot for the hints and advice.
It seems to be very complicated and I do not have the knowledge to program or to use scripts. I do not know if my vpn provider has the ability for port forwarding. I don't think so...
The only way to solve it would be to route the incoming vpn server connection not over the vpn client. But that would be less secure...
A workaround is to establish a connection to the primary router (7490) and then access over the WAN port 8443.
But my original intention was to be able to control the router from outside via the Asus app, e.g. switch wifi on or off.
One thing I am missing on my new Asus router compared to the Fritz Box: on my 7490 I have the possibility to leave the wifi on as long as a client is active. Here the wifi is switched off strictly according to the timetable. And so I have to turn it on manually, preferably via the Asus app, because it is simple. But for this reason I need the vpn server access to the asus router via internet.....

Yes, it is a very special problem, I know ☺️
 
Do you really need both client and server running simultaneously? When you are at a remote location, would there be anyone using the vpn client? If not, you could either turn vpn client off before leaving home or SSH into the router remotely (changing the default port 22 to some obscure port number and allowing WAN access in the Admin tab, if you’re happy with that) and then, having accessed the webui via SSH remotely, turn off the vpn client and turn on the vpn server. Or do what you want to do via SSH anyway; I think they used to call SSH the poor man’s vpn.
 
Yes, I need the remote access because my family uses the client too and they are more technical newbies than I am.

Because I can establish a vpn connection with my fritzbox, the asus is reachable over the wan port as you said. It seems to me that this is the only way in this context.
 
Because I can establish a vpn connection with my fritzbox...

From your first post I thought the OpenVPN Client and PPTP Server were both on the RT-AC68U, behind the FritzBox. Have I misunderstood the setup?
 
You understood it right. That is what I tried to do, because I degraded the fritzbox to only a modem and telephone box.
So everything with the network is managed by the Asus router. That is why I want to access it via the vpn server from remote while the openvpn client is active. But as I know now, that is not possible. So my workaround is to access the fritzbox via vpn and, over the fritzbox, the wan interface on port 8443 of my asus. Not a very elegant way, but better than nothing.....
But I thought that perhaps one of you knows a better or direct solution....
 
Three questions

1) Is the Fritzbox set in bridged mode (modem only), so your ASUS picks up a public IP address and not a private LAN address from the FRITZ box subnet?
2) If the answer to question #1 is yes, then there is no need for a port forward on the Fritzbox to access the ASUS. That leads to question 3.
3) As the others stated above, what port is the VPN server on and the client on? I would assume the VPN client service is using 1194, the default port, and your server by default is set to the same. You need to change the VPN server port # and regenerate a new OVPN file for the remote user to connect to the server. Then you will be able to run the VPN client service and the VPN server at the same time.
 
Hi, regarding your questions:
1) No, the fritzbox has the dhcp server active (192.168.0.1) and my asus router has a wan ip from the subnet of the fritzbox, not a public IP: 192.168.0.2. I don't know how to configure the fritzbox alternatively.
The asus itself is configured as a DHCP router (192.168.1.1).

2) As far as I know, you need port forwarding in that configuration.

3) I had similar thoughts about possibly interfering ports (without having knowledge), and so I used an openvpn connection as vpn client in the asus and pptp for the asus vpn server.
Alternatively I tested the openvpn server function, but it didn't work either. So if I understand you right, I have to modify the openvpn file.
I edited that file in the past and changed the internal private IP to the dyndns service of my fritzbox, e.g. testmyasusrouter.homelinux.org
I see the public IP is resolved correctly and my smartphone is trying to connect at the ports I had forwarded in the fritzbox to the asus router.
What changes do I have to make in detail in the openvpn client file exported by my asus router?

Thanks a lot for your assistance.
 
So there are a few ways to solve this. But I have some questions first. Once you answer what your intended usage is, I can provide better steps on how to configure both the FritzBox and the Asus router to work better.

1) Is your Fritz!Box 7490 also serving up your phones? Looking at the manual online, it's a VDSL Modem/Gateway.
2) How are you wanting to set this up? My proposals
  1. Proposal 1
    1. Internet > Fritz!Box [handles telephone and all devices plugged into LAN and WLAN (Wifi) just go over ISP network normally] > to WAN port on VPN Router [WLAN (Wifi) devices and all LAN devices go over VPN client service like PIA, NordVPN etc and includes Open VPN server for outside devices to connect back to Home Network] This option would give you ability to flip devices between normal local country ISP or the VPN client network so you can surf privately or access other country content via VPN service. So you would manually switch your tablet/phone between the 2 wireless networks one from the FritzBox! or one from the Asus router depending on what you were trying to do.
  2. Proposal 2
    1. Internet > Fritz!Box [handles telephone only use Asus as your primary network. disable wifi and only 1 LAN cable goes to VPN router] > to WAN port on VPN router [all devices LAN wise like PC's etc or mobile phones/tablets WLAN (Wifi) use the Asus] VPN client can be turned on or off to send all traffic over the VPN service for privacy and still includes VPN server for outside access to the Home network.
 
You are right. I want to use the 2nd proposal but with a continuously active vpn client.

I used that German tutorial:
https://vpn-anbieter-vergleich-test.de/tipp-vpn-am-heimrouter-verwenden/

The only thing I need would be direct remote access to the asus router

OK, makes sense. Here is what I would do.

  1. On the FritzBox change the following:
    1. Run a cable from FritzBox LAN port 1 to the WAN port on the Asus
    2. Change your LAN subnet from the default of 192.168.0.1 (example only: change it to 192.168.50.1)
    3. Set a DHCP reserved IP (example 192.168.50.2) for the ASUS on the FritzBox dhcp lan settings page (example your FritzBox LAN IP is 192.168.50.1 and your ASUS should get a WAN IP of 192.168.50.2)
    4. Disable Wireless on the FritzBox
    5. Set a static route for subnet 192.168.51.0 to point to gateway 192.168.50.2 (will explain on the Asus settings later) Metric set to 1 if there is this option
    6. Port forward port 1195 to LAN IP 192.168.50.2 (it's the WAN IP for the Asus)
    7. Set up DDNS on the FritzBox to get your domain to point to the public IP of your home network.
  2. On the Asus change the following
    1. Set the WAN IP to DHCP. It should get the IP that was reserved on the FritzBox DHCP page of 192.168.50.2 (remember the IP range is just example)
    2. All LAN devices should plug into ports 1-4 or plug a network switch into Port 1 on the Asus LAN and all other devices plug into a network switch.
    3. Set up your Wifi settings and connect all your wireless devices to the Asus
    4. Disable Asus Firewall (allows all incoming traffic) Firewall will be handled by the FritzBox
    5. In the OpenVPN Server (do not use PPTP): turn it on, then click the General drop-down and change to Advanced settings (change the port number from the default of 1194 to the new port of 1195). Set all your other settings, like Push LAN to client, and apply. Export the OpenVPN .ovpn file (there is a button for that) and import it into the OpenVPN client on the mobile device (both Android and iOS have one). Send it to a PC first and edit the OVPN file: you want to change the IP to the DDNS hostname so you can use a domain to access the home network remotely instead of an IP. Save and then export to your mobile devices (recommended: do not send via email; import via USB OTG or something, or grab it from the local network via an app)
    6. In the Open VPN client use the settings/ovpn file by your VPN provider (set to start with WAN and redirect all traffic for internet so everything goes over the VPN client)
Your VPN client and server should run at the same time now because in step 5 you changed the port of the OpenVPN server (the client service uses the default 1194 and you can't run both at the same time). And you can now access the home network remotely because you port forwarded 1195 to the Asus WAN IP.

Hope this helps.
 
Thanks a lot for your explanation. I will test your setup .
May I ask some questions before I try:
1. Why is it important to disable the Asus firewall? Wouldn't it decrease the overall security? Is there a possibility to avoid that?

2. Will the clients on the asus server get an ip 192.168.1.x or 192.168.50.x?

3. What exactly is static routing and why is it important? Sorry, I am a total newbie...

4. Will the fritzbox still be accessible via 192.168.50.1 if I make a static route? (point 1.5.)

5. Why do I have to change the subnet of the fritzbox from 192.168.0.1 to another, e.g. your proposed 192.168.50.1? What is the sense behind that action?

Thanks a lot for your support
 
Set a static route for subnet 192.168.51.0 to point to gateway 192.168.50.2 (will explain on the Asus settings later) Metric set to 1 if there is this option

I looked at your instructions, but I am confused about that point and I want to be clear before I do something stupid:

a) My fritzbox will have the private IP 192.168.50.1 and the wan port of my asus will have the 192.168.50.2, understood.

b) But the IP of the Asus DHCP will remain 192.168.1.1 and all clients connected to the asus router will have an IP 192.168.1.X, correct? Or should I change the subnet of the asus router as well?

c) In the static routing settings I have 3 fields to fill out: IP network with 4 numbers, Subnet with 4 numbers and gateway with 4 numbers.
To be clear:
Gateway is the IP of the asus router (WAN port)
Subnet is 255.255.255.0, but I am totally confused with the first field "ip network" - 192.168.51.0 ?? or 192.168.1.0 or 192.168.50.1? What do I have to put in?

d) Regarding my last reply: Would it be possible to leave the Fritzbox network at 192.168.0.1? Otherwise I will have to change all the clients with a manual IP (because for some of them the IP wasn't given by DHCP) and the VPN configuration of my fritzbox...
Could you explain it a little more, please?


A very big thank you for all your support.
 
a) My fritzbox will have the Private IP 192.168.50.1 and the wan port of my asus will have the 192.168.50.2 , understood..
That is correct. It is getting a WAN IP from your Fritz instead of a public IP.

b) But the IP of the Asus DHCP will remain 192.168.1.1 and all clients connected to the asus router will have an Ip 192.168.1.X , correct? Or should I change the subnet of the asus router as well?
No, you will want to change it as well. Change it to something like 192.168.51.1. It must be different from the Fritz subnet, and I change from the default so there is no interference when I am traveling from any remote subnet being the same.

c) In the static routing settings I have 3 fields to fill out: IP network with 4 numbers, Subnet with 4 numbers and gateway with 4 numbers.
To be clear:
Gateway is the IP of asus router (WAN port)
Subnet is 255.255.255.0 but I am totally confused with the first field "ip network" - 192.168.51.0 ?? or 192.168.1.0 or 192.168.50.1? What I have to put in?
After you update the Asus LAN from the default 192.168.1.1 to the 192.168.51.0, you will want to use the .51 subnet instead of .1. So it should be 192.168.51.0, as you are specifying any IP on that subnet range, not a specific one.

d) Regarding to my last reply: Would it be possible to leave the Fritzbox network at 192.168.0.1? Otherwise I will have to change all the clients with a manual IP (because at some of them the IP wasn't given by DHCP) and the VPN configuration of my fritzbox...
Could you explain it a little more, please?
You can keep it the same if you want. But I always change it so it doesn't interfere with any other subnets when I travel or with any other device's defaults.
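
The addressing plan from the setup steps and the answers above, worked through as an added example (not code from the thread): it derives the three static-route fields from the Asus LAN address and checks the plan for the mistakes discussed, such as overlapping subnets or a port forward that misses the Asus WAN IP. The dictionary keys and function names are hypothetical; the addresses and port 1195 are the thread's example values.

```python
import ipaddress

# Example values from the thread's proposed setup.
THREAD_PLAN = {
    "fritz_lan_ip": "192.168.50.1",
    "asus_wan_ip": "192.168.50.2",     # DHCP reservation on the Fritz!Box
    "asus_lan_ip": "192.168.51.1",
    "mask": "255.255.255.0",
    "forward_port": 1195,              # Fritz!Box port forward
    "forward_target": "192.168.50.2",
    "server_port": 1195,               # OpenVPN server port on the Asus
}


def static_route_fields(asus_lan_ip, mask, asus_wan_ip):
    """Values for the Fritz!Box form: IP network, subnet mask, gateway."""
    lan = ipaddress.ip_interface(f"{asus_lan_ip}/{mask}").network
    return {
        "network": str(lan.network_address),  # the subnet, not a host address
        "mask": str(lan.netmask),
        "gateway": asus_wan_ip,               # Asus WAN port
    }


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    fritz = ipaddress.ip_interface(
        f"{plan['fritz_lan_ip']}/{plan['mask']}").network
    asus = ipaddress.ip_interface(
        f"{plan['asus_lan_ip']}/{plan['mask']}").network
    wan = ipaddress.ip_address(plan["asus_wan_ip"])
    if fritz.overlaps(asus):
        problems.append("Fritz!Box LAN and Asus LAN overlap")
    if wan not in fritz:
        problems.append("Asus WAN IP is not on the Fritz!Box LAN")
    if plan["forward_target"] != plan["asus_wan_ip"]:
        problems.append("port forward does not point at the Asus WAN IP")
    if plan["forward_port"] != plan["server_port"]:
        problems.append("forwarded port differs from the OpenVPN server port")
    return problems


if __name__ == "__main__":
    print(static_route_fields(THREAD_PLAN["asus_lan_ip"],
                              THREAD_PLAN["mask"],
                              THREAD_PLAN["asus_wan_ip"]))
    print(check_plan(THREAD_PLAN) or "plan is consistent")
```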
 
