Cannot get VPN Server to allow me to access internal devices

[remsta]

This is absolutely doing my head in and I have spent hours trying to solve it but am getting no where. I see that there are a number of threads on this, but none seem to solve my issue.

I have the latest Merlin firmware
- ISP Modem: 192.168.1.1 with DMZ setup for the Asus Router
- Asus RT-AX88U Pro: 192.168.177.1

VPN Server: OpenVPN
I have created a user

I export the OpenVPN file, open it in text editor, change the IP to my public ISP IP.
Save the file - Airdrop to my iPhone - install in OpenVPN and Connect

When I connect, I can access the routers IP 192.168.177.1 but cannot access any other devices on my LAN - i.e. my RaspberryPi at 192.168.177.225 does not work.

When I connect I get this: 10.8.0.2 ( 178.xxx.xxx.xxx:32708 )

It is not activated at the moment but I also have PiHole on my network but I have deactivated it and set the standard DNS servers in the Asus router to try and solve the issue

Can anyone help?

Thank you

 

[ColinTaylor]

How are your trying to "access" the LAN devices? HTTP/S, SSH, FTP, etc?

What type of devices have you tried accessing other than the Pi? (e.g. NAS, Windows PC, network printer)

Can you ping any devices on the LAN?

 

[bennor]

Have you set the OpenVPN Server option "Client will use VPN to access" to Both?

If that option is set to Both then perhaps give more detail about your router configuration including any changes you've made to it. Are you running Pi-Hole or anything like it on the local network? Is the router acting as the DHCP server or some other device on the local network?

 

[remsta]

How are your trying to "access" the LAN devices? HTTP/S, SSH, FTP, etc?

What type of devices have you tried accessing other than the Pi? (e.g. NAS, Windows PC, network printer)

Can you ping any devices on the LAN?

Trying to access a RaspberryPi with VNC, cameras over Chrome and their native apps etc... When connected to my Wifi I can access it via my iPhone and the VNC app. When connected via OpenVPN, I cannot access it. Same with HomeAssistant running on the Pi on port 8123.

PiHole is running and the DNS under LAN is normally set to the IP of the RaspberryPi but I have removed that for the moment because I am going overseas tomorrow and last time the Pi died while I was away and I wasn't able to get to anything anymore

 

[remsta]

Update: I have tried setting up IPSEC - again, I can connect, access the router IP but cannot access any LAN devices

 

[TheLostSwede]

I'd suggest trying WireGuard, there's a simple "Access Intranet" switch option in the settings for it that allows you to access your local network devices and it's also a lot faster than OpenVPN.

That said, you are aware that your devices that you connect to your router end up on a different subnet, right?
For example, my devices are on 10.x.x.x, whereas when I connect over VPN, those devices end up on 10.y.x.x.

 

[elorimer]

And the answer to benmor's question? That is critical.

 

[visortgw]

Have you set the OpenVPN Server option "Client will use VPN to access" to Both?

View attachment 69587

If that option is set to Both then perhaps give more detail about your router configuration including any changes you've made to it. Are you running Pi-Hole or anything like it on the local network? Is the router acting as the DHCP server or some other device on the local network?

It should be able to be set to either LAN only or Both in order to reach devices on LAN.

 

[remsta]

And the answer to benmor's question? That is critical.

Sorry, I accidentally left that out of my original post. I have tried all three, none make a difference

 

[remsta]

Not sure why this is still a problem after 4 years! But the following solution solved my problem - added the code via SSH and problem solved.

Does anyone understand what it actually does and why is it not in Merlin by default?

Solved - (Asus Rt-ac88u) can connect openvpn but no access to LAN

i enable openvpn server and i can connect to openvpn server but i can not access to LAN, only access to LAN when using putty to run command "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE" rightnow i have to run this command everrytime after reboot, because after reboot...

www.snbforums.com

 

[ColinTaylor]

Not sure why this is still a problem after 4 years! But the following solution solved my problem - added the code via SSH and problem solved.

Does anyone understand what it actually does and why is it not in Merlin by default?

Solved - (Asus Rt-ac88u) can connect openvpn but no access to LAN

i enable openvpn server and i can connect to openvpn server but i can not access to LAN, only access to LAN when using putty to run command "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE" rightnow i have to run this command everrytime after reboot, because after reboot...

www.snbforums.com

What that command does is change the source address of the incoming traffic from 10.8.0.x to that of the router itself (192.168.177.1). This is the issue mentioned in post #6. You wouldn't normally want to do this for security reasons which is why it doesn't do it by default. The "proper" solution is to change the firewall or access control lists on your LAN devices so that they accept connections from 10.8.0.x.