Solved Accessing Guest Network Clients Remotely Using VPN

Sonofdavidsfather

Occasional Visitor
I recently moved my security cameras from my main wireless network to guest network 3. Since then, when I remote in to the OpenVPN server I have running on my router, I am not able to access the security cameras. If I remote in using Asus's Instant Guard, I am able to access the cameras. My router is an AC86U running 386.4. I also have YazFi installed, but I don't think that is where the issue lies as it works with one VPN and not the other.

I assume this is a difference in routing configuration between Asus's Instant Guard implementation and what I have set up for the OpenVPN server. OpenVPN is giving my phone the IP address 10.10.8.1. Instant Guard is giving my phone the IP address 10.10.10.1. The guest network is 192.168.4.1. So neither VPN is on the same range as the guest network.

Does anyone have any ideas on what that difference is and how I could fix it?
 
Most ppl use YazFi so they can route the guest network(s) over a local OpenVPN client on the router, either in whole or part (using the VPN Director). And there is a known issue w/ running the OpenVPN server and OpenVPN client at the same time when attempting to access a WLAN/LAN device from a remote OpenVPN client of the local OpenVPN server, while that WLAN/LAN client is bound to the local OpenVPN client.


So it's NOT that you're using YazFi, as much as the fact it strongly suggests you're using the OpenVPN server and OpenVPN client at the same time, and the above problems would affect both clients of the private and guest networks similarly.
 
I am not using a VPN client on my router, so that post is not applicable to my situation. Thanks for the reply. I use YazFi so that I can have more control over the behaviour of my guest network. So I do not have any VPN clients running on my router, just the OpenVPN server and Instant Guard server.
 
I need to see how you have YazFi configured for guest #3. And is intranet access for guest #3 enabled or disabled?

Here is the guest wifi config in YazFi, and yes I do have Intranet access enabled in the guest network settings. I have it set to 1 way to guest in YazFi. I have no problem accessing them from the primary network on 192.168.50.X or while using Instant Guard while off-site. Thanks for looking into this.
Screenshot_20220310-105226.png
 
Try adding the following firewall rule.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.4.0/24 -j ACCEPT

You can connect to the router w/ SSH and simply copy/paste the rule into the terminal window to see if it works. To make it persistent will require adding it to a firewall-start script (which probably already exists due to YazFi).
 
P.S. I'm assuming you have "Client will use VPN to access" on the OpenVPN server set to "LAN only". The problem w/ that setting is that the firewall only allows access to the default private network (e.g., 192.168.1.0/24 or 192.168.50.0/24). YazFi is a third-party script, and is adding its own IP networks (e.g., 192.168.4.0/24), which the router is otherwise unaware of.

The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.

BTW, I assume you're pushing the 192.168.4.0/24 network to the remote OpenVPN clients of the OpenVPN server.

Code:
push "route 192.168.4.0 255.255.255.0"

That's required if you have "Client will use VPN to access" set to LAN only.

That's the problem sometimes w/ third-party scripting. It's working outside the normal operations of the router. And so you may have to make adjustments to deal w/ these kinds of issues.
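
Added example, not part of the original posts: one way to keep the FORWARD rule above persistent and idempotent from a firewall-start script, narrowed to the VPN client range. The 10.10.8.0/24 source range is an assumption inferred from the 10.10.8.1 address mentioned in the thread, the function names are hypothetical, and the router's iptables build must support `-C`.

```shell
#!/bin/sh
# Added example for an Asuswrt-Merlin user script (/jffs/scripts/firewall-start).
# Function names are hypothetical; values come from the thread unless noted.
IPT="${IPT:-iptables}"      # overridable so the logic can be exercised without root
VPN_IF="tun2+"              # OpenVPN server interfaces, as in the posted rule
VPN_NET="10.10.8.0/24"      # assumption: inferred from the 10.10.8.1 client address
GUEST_NET="192.168.4.0/24"  # YazFi guest network from the thread

# One definition of the match, shared by check, insert and delete.
rule_spec() {
    echo "FORWARD -i $VPN_IF -s $VPN_NET -d $GUEST_NET -j ACCEPT"
}

# Insert the rule only when an identical one is not already loaded, so
# repeated runs of firewall-start do not stack duplicate ACCEPT rules.
allow_vpn_to_guest() {
    set -- $(rule_spec)     # split the spec into separate arguments
    if $IPT -C "$@" 2>/dev/null; then
        echo "present"
    else
        $IPT -I "$@" && echo "inserted"
    fi
}

# Remove every copy of the rule (for example after pasting it several
# times while testing over SSH) and report how many were deleted.
revoke_vpn_to_guest() {
    set -- $(rule_spec)
    n=0
    while $IPT -C "$@" 2>/dev/null; do
        $IPT -D "$@" || break
        n=$((n + 1))
    done
    echo "$n"
}

# Act only when this file is actually installed as the firewall-start script.
if [ "${0##*/}" = "firewall-start" ]; then
    allow_vpn_to_guest
fi
```

The rule only opens the forwarding path; with "LAN only" the remote clients still need the `push "route 192.168.4.0 255.255.255.0"` line from the post above to send guest-network traffic into the tunnel.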
 
The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.
A way to deal with that is to add to the client config file pull-filter ignore redirect-gateway. The client then ignores redirection of the default gateway to the OpenVPN server that is pushed by "Both".
 
Try adding the following firewall rule.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.4.0/24 -j ACCEPT

You can connect to the router w/ SSH and simply copy/paste the rule into the terminal window to see if it works. To make it persistent will require adding it to a firewall-start script (which probably already exists due to YazFi).
Thanks I will give that a try today, and let you know. I appreciate you taking the time to assist me.
 
P.S. I'm assuming you have "Client will use VPN to access" on the OpenVPN server set to "LAN only". The problem w/ that setting is that the firewall only allows access to the default private network (e.g., 192.168.1.0/24 or 192.168.50.0/24). YazFi is a third-party script, and is adding its own IP networks (e.g., 192.168.4.0/24), which the router is otherwise unaware of.

The other option would be to set "Client will use VPN to access" to Both, but that would have the side-effect of redirecting remote OpenVPN clients of the OpenVPN server through your own ISP for internet access. That may not be your intention or desire.

BTW, I assume you're pushing the 192.168.4.0/24 network to the remote OpenVPN clients of the OpenVPN server.

Code:
push "route 192.168.4.0 255.255.255.0"

That's required if you have "Client will use VPN to access" set to LAN only.

That's the problem sometimes w/ third-party scripting. It's working outside the normal operations of the router. And so you may have to make adjustments to deal w/ these kinds of issues.
Interesting. I only use the VPN to log in and check my cameras when I need to look at them, so I'm not normally connected for long, and I'm not doing anything else while connected. I'm going to try this change first, and I'll let you know.
 
I switched my VPN server from LAN Only to both, and that is allowing me to access the cameras over VPN. Thanks again for your help.
 