Asus port forwarding to VPN network rather than WAN and external public


Miliano

I have an ASUS RT-AC59U V2 that is connected to my OpenVPN server.

VPN clients are able to reach each other through intranet IPs.

Basically I want to expose my home printer so I can reach it while I'm connected to my VPN.

Considering that a specific service is exposed on port 123 on my phone, I am able to reach it via ph_vpn_ip:123 from the VPN network.

Now, my printer is connected wirelessly to my Asus router and assigned a local home IP; I am able to reach it from home.

The big question is: how can I make IPP (RAW TCP IP printing) reachable from my VPN network, like router_vpn_ip:9100, or WS at http://router_vpn_ip:8018/wsd?
 
Let me be sure I have this configuration understood correctly (because I'm NOT 100% sure I do).

It sounds like you have an OpenVPN server established on the internet somewhere, perhaps running on a VPS (virtual private server). And perhaps because you don't have a public IP on your WAN for remote access purposes. So you've configured the OpenVPN client on your home router to connect to this OpenVPN server so that you can have other remote OpenVPN clients on the internet connect to that same OpenVPN server and be routed back into your home network, thus giving them remote access.

Am I on the right track here?

If so, the proper way to do what you want would be to configure the OpenVPN client connection from home to the OpenVPN server as site-to-site. That would create a route on the OpenVPN server that pointed to the tunnel as the way to reach your home network. And reach it by its own IP network (e.g., 192.168.1.0/24). At that point, just like any site-to-site configuration, your entire home network is reachable from the OpenVPN server by direct reference (e.g., 192.168.1.1:9100, assuming the router was 192.168.1.1 and was hosting the printer).

Also, any other remote OpenVPN clients to that same OpenVPN server can directly reference those same devices in the same way.

Now if you prefer NOT to require that OpenVPN clients on the internet connect to the OpenVPN server for these purposes, but would just like to expose specific devices and services directly on the VPS, then you can create port forwards on the VPS that map *its* external IP to those same devices and ports.

Again, all this assumes I properly understand your configuration. I found it somewhat ambiguous at times, so I had to read between the lines a bit and make an educated guess as to what you're really trying to accomplish here.
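The server-side pieces that make a client connection site-to-site, as an added example that is not part of the original post or of any OpenVPN documentation: a POSIX sh script that writes a minimal server.conf plus the per-client ccd file. The client certificate CN "home-router", the home LAN 192.168.50.0/24 (the LAN that appears later in this thread), the VPN pool 192.168.255.0/24 (from the poster's tun0 output) and the output directory are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Generates the three server-side settings
# that turn a plain OpenVPN client connection into site-to-site:
#   1. a kernel route on the server for the home LAN via the tun interface,
#   2. an OpenVPN-internal "iroute" naming which client owns that LAN,
#   3. a pushed route so other VPN clients learn to send LAN traffic via the server.
# Assumed values: client CN "home-router", LAN 192.168.50.0/24, pool 192.168.255.0/24.

HOME_LAN="192.168.50.0"
HOME_MASK="255.255.255.0"
ROUTER_CN="home-router"      # assumption: must equal the CN in the router's client cert
VPN_NET="192.168.255.0"
VPN_MASK="255.255.255.0"

# write_site_to_site DIR : writes DIR/server.conf and DIR/ccd/$ROUTER_CN
write_site_to_site() {
    dir="$1"
    mkdir -p "$dir/ccd" || return 1
    cat > "$dir/server.conf" <<EOF
dev tun
topology subnet
server $VPN_NET $VPN_MASK
# 1. kernel route: the home LAN is reachable through the tun interface
route $HOME_LAN $HOME_MASK
# 2. per-client directory; the iroute for the home LAN lives in ccd/$ROUTER_CN
client-config-dir ccd
# 3. let VPN clients reach each other and the home LAN through the server
client-to-client
push "route $HOME_LAN $HOME_MASK"
EOF
    cat > "$dir/ccd/$ROUTER_CN" <<EOF
# only this client may send and receive traffic for the home LAN
iroute $HOME_LAN $HOME_MASK
EOF
}

# check_site_to_site DIR : returns 0 when all three pieces are present, 1 otherwise.
# Useful before restarting the server: a missing iroute is the usual reason the
# LAN behind a client stays unreachable even though the client is connected.
check_site_to_site() {
    dir="$1"
    grep -q "^route $HOME_LAN $HOME_MASK\$" "$dir/server.conf" &&
    grep -q "^client-config-dir ccd\$" "$dir/server.conf" &&
    grep -q "^push \"route $HOME_LAN $HOME_MASK\"\$" "$dir/server.conf" &&
    grep -q "^iroute $HOME_LAN $HOME_MASK\$" "$dir/ccd/$ROUTER_CN"
}

# usage: write_site_to_site /etc/openvpn && check_site_to_site /etc/openvpn
```

The route and iroute must agree exactly (OpenVPN rejects a ccd iroute for a network it has no route for). On the router side the only extra requirement is that forwarding between the tunnel and the LAN is allowed, for example iptables -I FORWARD -i tun15 -o br0 -j ACCEPT on stock firmware, which is what the Inbound Firewall = Allow setting does on Merlin. When the server runs in a container, as the poster's does at 172.110.1.3, the other containers on that network do not inherit the route: they still need 192.168.50.0/24 routed via the OpenVPN container's address.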
 
You're right, this is roughly my setup; however, I am already able to connect to the server network as well (site-to-site).

OpenVPN is running under a specific network on eth0, "172.110.0.0/23". On the same network are also Pi-hole and many other containers that I'm already able to access from any client using the DHCP pool 192.168.255.0/24 (VPN clients).

From the VPN server I can also ping my router client (192.168.255.4); I'm just not able to forward any ports.
And likewise from any client, I can reach the OpenVPN container's eth0 (172.110.1.3) and tun0 (192.168.255.1).

Code:
eth0      Link encap:Ethernet  HWaddr 02:42:AC:6E:01:03
          inet addr:172.110.1.3  Bcast:172.110.1.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2472199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2834485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2486577934 (2.3 GiB)  TX bytes:2595011466 (2.4 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1136 (1.1 KiB)  TX bytes:1136 (1.1 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.255.1  P-t-P:192.168.255.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:840240 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1984250 errors:0 dropped:1780 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:122283738 (116.6 MiB)  TX bytes:2273599605 (2.1 GiB)
 
Again, if the server side is configured for site-to-site, then by definition *anything* on the 192.168.255.x network can be directly referenced by that same IP network. NOT just the router (192.168.255.4). There's no need for port forwarding in a site-to-site configuration. Devices on either end of the tunnel have *direct* access to each other's local IP networks.

What I'm now wondering is if you're really configured for site-to-site, despite your claims that you are. Simply being connected from the client to the server is NOT site-to-site. In a site-to-site configuration, the server side is capable of routing directly to the local network behind the client, without the need for port forwarding. But that requires additional configuration on the server side to make that happen. It doesn't happen by default.
 
P.S. And when configured for site-to-site, and you happen to be using Merlin rather than OEM (I know some users using Merlin will sometimes NOT use the Merlin forum), you have to set the Inbound Firewall on the OpenVPN client of the router to Allow (the default is Block).
 
The RT-AC59U doesn't support Merlin because of its CPU; however, I managed to get it working, somehow.

I configured OpenVPN as client-to-client and SSH'd into my Asus router.
From there I forced forwarding of all necessary ports on tun15.

e.g.:
Code:
# accept forwarded traffic arriving from the tunnel for the printer's IPP port
# (shown for UDP; IPP print jobs themselves travel over TCP 631, so the same pair of rules is needed with -p tcp)
iptables -I FORWARD -i tun15 -p udp -d 192.168.50.98 --dport 631 -j ACCEPT
# rewrite the destination of tunnel traffic on port 631 to the printer's LAN address
iptables -t nat -I PREROUTING -i tun15 -p udp --dport 631 -j DNAT --to-destination 192.168.50.98

Now I'm able to print from the VPN, but I have to add the printer manually for now, and I still have to figure out all the connection details so I can allow automatic network discovery.
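The same per-port forwarding done for a whole list of services at once, as an added example that is not the poster's script: a POSIX sh generator that prints one DNAT and one FORWARD command per service, restricted to the tunnel interface, and can also print the matching delete commands. The interface tun15 and the printer address 192.168.50.98 are taken from the post above; the port list and the use of -C (rule-exists check, iptables 1.4.11 or newer) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Emits iptables commands that expose LAN
# services on the router's tunnel address. Assumed values: tunnel interface
# tun15, printer 192.168.50.98. IPP print jobs use TCP 631, raw printing TCP 9100,
# WS-Discovery UDP 3702; UDP 631 only carries CUPS browse packets.

# vpn_forward_rules TUNIF LAN_IP "proto:port ..." [add|del]
# Prints the commands on stdout (pipe to sh on the router to apply them).
# Returns 1 without printing anything for a malformed service spec.
vpn_forward_rules() {
    tunif="$1"; lan_ip="$2"; services="$3"; mode="${4:-add}"
    case "$mode" in add|del) ;; *) echo "vpn_forward_rules: mode must be add or del" >&2; return 1 ;; esac
    for svc in $services; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "vpn_forward_rules: bad service spec '$svc'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "vpn_forward_rules: bad port in '$svc'" >&2; return 1 ;;
        esac
        # -i $tunif on both rules: only packets that arrived through the tunnel are
        # rewritten and allowed through; WAN and LAN-side traffic is untouched.
        nat="-i $tunif -p $proto --dport $port -j DNAT --to-destination $lan_ip:$port"
        fwd="-i $tunif -p $proto -d $lan_ip --dport $port -j ACCEPT"
        if [ "$mode" = add ]; then
            # -C first so re-running the script does not stack duplicate rules
            echo "iptables -t nat -C PREROUTING $nat 2>/dev/null || iptables -t nat -I PREROUTING $nat"
            echo "iptables -C FORWARD $fwd 2>/dev/null || iptables -I FORWARD $fwd"
        else
            echo "iptables -t nat -D PREROUTING $nat"
            echo "iptables -D FORWARD $fwd"
        fi
    done
}

# usage on the router:
#   vpn_forward_rules tun15 192.168.50.98 "tcp:631 tcp:9100" | sh
# and to undo:
#   vpn_forward_rules tun15 192.168.50.98 "tcp:631 tcp:9100" del | sh
```

Two caveats worth knowing before relying on this: rules added over SSH on stock ASUS firmware are lost when the firewall is rebuilt (reboot, WAN reconnect), so they have to be re-applied; on Merlin they belong in /jffs/scripts/firewall-start. And a unicast DNAT cannot carry the discovery traffic the poster is still missing, because WS-Discovery and mDNS are link-local multicast that never crosses the tunnel, so the printer keeps having to be added by address.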
 
Did you add the script to the client side or the server side?

THANKS!
 
SSH into your ASUS router and run the above commands, where 192.168.50.98 is the Wi-Fi LAN IP of the printer.

Then you can check the routing table in the web GUI to make sure forwarding is working.
 
Also make sure you pick the correct interface by checking ifconfig after connecting to the VPN.
 