Solved Accessing Guest Network Clients Remotely Using VPN

Sonofdavidsfather

Occasional Visitor
I recently moved my security cameras from my main wireless network to guest network 3. Since then, when I remote in to the OpenVPN server I have running on my router, I am not able to access the security cameras. If I remote in using Asus's Instant Guard, I am able to access the cameras. My router is an AC86U running 386.4. I also have YazFi installed, but I don't think that is where the issue lies as it works with one VPN and not the other.

I assume this is a difference in routing configuration between Asus's Instant Guard implementation and what I have set up for the OpenVPN server. OpenVPN is giving my phone the IP address 10.10.8.1. Instant Guard is giving my phone the IP Address 10.10.10.1. The guest network is 192.168.4.1. So neither VPN is on the same range as the guest network.

Does anyone have any ideas on what that difference is and how I could fix it?
 

eibgrad

Part of the Furniture
Most ppl use YazFi so they can route the guest network(s) over a local OpenVPN client on the router, either in whole or part (using the VPN Director). And there is a known issue w/ running the OpenVPN server and OpenVPN client at the same time when attempting to access a WLAN/LAN device from a remote OpenVPN client of the local OpenVPN server, while that WLAN/LAN client is bound to the local OpenVPN client.


So it's NOT that you're using YazFi, as much as the fact it strongly suggests you're using the OpenVPN server and OpenVPN client at the same time, and the above problems would affect both clients of the private and guest networks similarly.
 

Sonofdavidsfather

Occasional Visitor
Most ppl use YazFi so they can route the guest network(s) over a local OpenVPN client on the router, either in whole or part (using the VPN Director). And there is a known issue w/ running the OpenVPN server and OpenVPN client at the same time when attempting to access a WLAN/LAN device from a remote OpenVPN client of the local OpenVPN server, while that WLAN/LAN client is bound to the local OpenVPN client.


So it's NOT that you're using YazFi, as much as the fact it strongly suggests you're using the OpenVPN server and OpenVPN client at the same time, and the above problems would affect both clients of the private and guest networks similarly.
I am not using a VPN client on my router, so that post is not applicable to my situation. Thanks for the reply. I use YazFi so that I can have more control over the behaviour of my guest network. So I do not have any VPN clients running on my router, just the OpenVPN server and Instant Guard server.
 

Sonofdavidsfather

Occasional Visitor
I need to see how you have YazFi configured for guest #3. And is intranet access for guest #3 enabled or disabled?

Here is the guest wifi config in YazFi, and yes I do have Intranet access enabled in the guest network settings. I have it set to 1 way to guest in YazFi. I have no problem accessing them from the primary network on 192.168.50.X or while using Instant Guard while off-site. Thanks for looking into this.
Screenshot_20220310-105226.png
 

eibgrad

Part of the Furniture
Try adding the following firewall rule.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.4.0/24 -j ACCEPT

You can connect to the router w/ SSH and simply copy/paste the rule into the terminal window to see if it works. To make it persistent will require adding it to a firewall-start script (which probably already exists due to YazFi).
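Added example, not part of the original post: one way to make the rule above persistent from the Asuswrt-Merlin user script /jffs/scripts/firewall-start without stacking duplicates each time the firewall restarts. The function name, the RULE_STATE variable and the overridable IPT variable are assumptions of this sketch; the interface pattern and subnet are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: append to /jffs/scripts/firewall-start (the script must be
# executable). The router re-runs this script on every firewall restart, so
# the rule is re-added after a flush, and the -C check keeps the chain from
# accumulating duplicate copies when the rule is still there.

IPT="${IPT:-iptables}"      # assumption: overridable so the logic can be dry-run
VPN_IF="tun2+"              # OpenVPN server interfaces, as in the posted rule
GUEST_NET="192.168.4.0/24"  # YazFi guest network 3, from the thread

# Note: this accepts every forwarded packet arriving from any OpenVPN server
# client and addressed to the guest subnet. Narrowing -d to the camera
# addresses reduces what a connected VPN client can reach.
ensure_vpn_to_guest() {
    if $IPT -C FORWARD -i "$VPN_IF" -d "$GUEST_NET" -j ACCEPT 2>/dev/null; then
        RULE_STATE="present"      # identical rule already in FORWARD
        return 0
    fi
    if $IPT -I FORWARD -i "$VPN_IF" -d "$GUEST_NET" -j ACCEPT; then
        RULE_STATE="inserted"     # placed at the top of FORWARD
        return 0
    fi
    RULE_STATE="failed"
    return 1
}

# Apply only when actually running as the router's firewall-start script.
if [ "${0##*/}" = "firewall-start" ]; then
    ensure_vpn_to_guest
fi
```

After a firewall restart, `iptables -S FORWARD` on the router should list the rule exactly once.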
 

eibgrad

Part of the Furniture
P.S. I'm assuming you have "Client will use VPN to access" on the OpenVPN server set to "LAN only". The problem w/ that setting is that the firewall only allows access to the default private network (e.g., 192.168.1.0/24 or 192.168.50.0/24). YazFi is a third-party script, and is adding its own IP networks (e.g., 192.168.4.0/24), which the router is otherwise unaware of.

The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.

BTW, I assume you're pushing the 192.168.4.0/24 network to the remote OpenVPN clients of the OpenVPN server.

Code:
push "route 192.168.4.0 255.255.255.0"

That's required if you have "Client will use VPN to access" set to LAN only.

That's the problem sometimes w/ third-party scripting. It's working outside the normal operations of the router. And so you may have to make adjustments to deal w/ these kinds of issues.
 

elorimer

Very Senior Member
The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.
A way to deal with that is to add to the client config file pull-filter ignore redirect-gateway. The client then ignores redirection of the default gateway to the OpenVPN server that is pushed by "Both".
 

Sonofdavidsfather

Occasional Visitor
Try adding the following firewall rule.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.4.0/24 -j ACCEPT

You can connect to the router w/ SSH and simply copy/paste the rule into the terminal window to see if it works. To make it persistent will require adding it to a firewall-start script (which probably already exists due to YazFi).
Thanks I will give that a try today, and let you know. I appreciate you taking the time to assist me.
 

Sonofdavidsfather

Occasional Visitor
P.S. I'm assuming you have "Client will use VPN to access" on the OpenVPN server set to "LAN only". The problem w/ that setting is that the firewall only allows access to the default private network (e.g., 192.168.1.0/24 or 192.168.50.0/24). YazFi is a third-party script, and is adding its own IP networks (e.g., 192.168.4.0/24), which the router is otherwise unaware of.

The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.

BTW, I assume you're pushing the 192.168.4.0/24 network to the remote OpenVPN clients of the OpenVPN server.

Code:
push "route 192.168.4.0 255.255.255.0"

That's required if you have "Client will use VPN to access" set to LAN only.

That's the problem sometimes w/ third-party scripting. It's working outside the normal operations of the router. And so you may have to make adjustments to deal w/ these kinds of issues.
Interesting. I only use the VPN to log in and check my cameras when I need to look at them, so I'm not normally connected for long, and I'm not doing anything else while connected. I'm going to try this change first, and I'll let you know.
 

Sonofdavidsfather

Occasional Visitor
P.S. I'm assuming you have "Client will use VPN to access" on the OpenVPN server set to "LAN only". The problem w/ that setting is that the firewall only allows access to the default private network (e.g., 192.168.1.0/24 or 192.168.50.0/24). YazFi is a third-party script, and is adding its own IP networks (e.g., 192.168.4.0/24), which the router is otherwise unaware of.

The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.

BTW, I assume you're pushing the 192.168.4.0/24 network to the remote OpenVPN clients of the OpenVPN server.

Code:
push "route 192.168.4.0 255.255.255.0"

That's required if you have "Client will use VPN to access" set to LAN only.

That's the problem sometimes w/ third-party scripting. It's working outside the normal operations of the router. And so you may have to make adjustments to deal w/ these kinds of issues.
I switched my VPN server from LAN Only to both, and that is allowing me to access the cameras over VPN. Thanks again for your help.
 
