Can't connect to local machines when router connected to vpn using openvpn client

[amoney]

Hi All

I am having issues reaching machines in my lan from outside my network once i enabled a vpn client on my router.

Router: RT-AC88u
Firmware: Merlin 384.9

Before i enabled the vpn client the setup was working fine. I have wireguard running on a raspberry pi 3 and i was forwarding the udp port. I would connect to it and then would have access to my local network. I also had a similar setup using an openvpn server running on the router itself.

I then followed the mullvad vpn guide and got the client setup. Client came up fine and all my lan devices were now going through the VPN.

However once this was setup i was no longer able to access my lan machine as i was before. IP i was using to connect to wireguard/openvpn server was the ISP IP and not the VPN IP. Reason i used ISP IP is that i could not get port forwarding via vpn to work for wireguard/vpn server. I confirmed that port forwarding via the vpn is working in general as other services were able to use the forwarded ports.

So i am curious am i running into issues because i am trying to access using the ISP IP vs VPN IP or do i need additional steps.

I have strict policy rules setup in vpn client with

192.168.1.0/24 -> 0.0.0.0 -> VPN
192.168.1.1 -> 0.0.0.0 -> WAN: Interesting issue here as well. Once VPN client was up i was not able to issue a ping command to any site while on the router. Did not matter if i had this rule or not.

I am novice in networking in general and a new user of merlin. I switched because i wanted better dns controls to get clients to use pihole which is working great .

 

[Jack Yaz]

Policy rules strict will do this, try normal policy rules instead

 

[amoney]

Policy rules strict will do this, try normal policy rules instead

Thanks for this. This got me unblocked. I can now connect to vpn server on my router and get access to my lan. Still having issues getting trying to get it to work via wireguard. I will reach out to the wireguard community to see what they suggest.

 

[amoney]

Question on policy rules vs strict. Am i more suspectible to vpn leaks if i do not use strict? Or since i have settings enabled to start vpn client on boot and block clients if tunnel goes down i should be safe?

On wireguard the only way i could get it to work is if i added a policy to send all traffic from the wiregaurd host through the WAN which is not ideal either as if i am routing all traffic through wireguard i would still like to use the vpn tunnel.

Also with the policy rules setup (non strict) when i connect to VPN server i can only get it to work to access LAN. When i change the VPN server to do both nothing works. Client can connect but it cant access the LAN or internet anymore.

 

[amoney]

I was finally able to get everyting working as expected. It was a pebkac issue. I now have strict policy rules being inforced. Issue i was running into with wireguard was that when i tried to reach it using vpn ip from within my home network it did not work. I did not realize to test it from external network as wireguard was working as is before as well.

Finally the light bulb clicked and i realized i cant make the same request to the vpn ip from within the same vpn.

So i added an iptable rule as follows

iptables -t nat -A PREROUTING -d $VPN_IP -p udp --dport xxxx -j DNAT --to-destination 192.168.1.63:54930

I run this rule after the vpn route is up using the openvpn scripts and remove it when it comes down. This way i am able to access wireguard to get acesss to my lan like i was before.