Dual router VPN

davelian

Occasional Visitor
Hi, I want to create a VPN server on one of my Asus routers, but I can't get access to the VPN router from outside.

In the VPN server I get this message: The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x, or 172.16.x.x). Please configure DDNS service before starting the VPN server.

But when I create a No-IP DDNS I get the following message.

The wireless router currently uses a private WAN IP address.
This router may be in the multiple-NAT environment and DDNS service cannot work in this environment.

Here's my current setup.








[Attached images: wan.png, vpn.PNG, vpn router.PNG]
Install Merlin's firmware on your router. It has an option for DDNS to work behind double-NAT. Then all you need to do is create a port forwarding rule on your primary router.
 
OK. I've installed Merlin on both of them. BTW, the attached pictures are from the VPN router, an AC66U.

 
If your router is an RT-AC66U (not the _B1 model) then Merlin hasn't updated that firmware for years and the option won't be present. You'll need to use John's firmware instead:

Untitled.png
 
Thanks. Do you have a link? It's almost 1 A.M. here; I'll try tomorrow.

 
Have you done an nslookup on your DDNS address? Does it match your public IP address as reported by the main router?

What does your port forwarding rule look like on the main router?
 
Hey Dave, did you get it to work? I'm asking because I have the same setup, and no matter what I try, I can't get it to work. Read everything on this board that could relate, still, nothing. Can't even ping VPN router from Primary router (router 1), despite existing static route on primary router. Both routers talk to internet, can ping router 1 from router 2 (VPN router). Will post my setup and configs later tonight.
 
nope.
 
Thanks, CT,

This is my setup
Network-Setup.PNG


I have a static route defined on 10.25.1.1 as follows:

10.25.2.1 255.255.255.0 10.25.1.2

Now I think that is incorrect, from reading many comments, and it should refer to the entire subnet, as

10.25.2.0 255.255.255.0 10.25.1.2

Maybe I'm wrong. Still tinkering with it. As you may have understood, I'm new at this. I can ping router 1 from router 2, but not router 2 from router 1. I have video cameras connected to router 2, and an NVR. I can access them and see video feeds when connected to router 2 (hard wire or WiFi); that's not a problem.

I feel that if I get router 2 talking to router 1, it will start "breathing" at least. I turned off the firewall on router 2. It serves DHCP to its subnet, with the video cameras and NVR getting static IPs around DHCP.
Locally, everything seems to be fine.

Also, do you think I will need to define port forwarding on the VPN router (router 2), something I'm reading in manuals:
push "route 10.25.1.2 255.255.255.0"

Going to play with it today. I've started to think about doing a hard reset on both routers and starting fresh.

Many thanks for any help.
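
An added example, not part of the original posts: a small Python check for the two static-route entries quoted above. It tests whether the destination is the network address for its mask and whether the gateway is on the directly connected LAN. Router 1's LAN is assumed to be 10.25.1.0/24, which the thread does not state, and `check_static_route` is a hypothetical helper name.

```python
import ipaddress


def check_static_route(dest, mask, gateway, router_lan):
    """Return a list of problems with one static-route entry ([] = well-formed).

    router_lan is the CIDR of the LAN on the router that holds the route
    (an assumption here; the thread does not give router 1's mask).
    """
    problems = []

    # Combine address and dotted mask, e.g. 10.25.2.1/255.255.255.0.
    iface = ipaddress.ip_interface(f"{dest}/{mask}")
    target = iface.network  # the subnet that this mask actually describes

    # A /24 route should name the network (x.x.x.0), not a host inside it.
    if iface.ip != target.network_address:
        problems.append(
            f"destination {dest} is a host inside {target}; "
            f"use the network address {target.network_address}"
        )

    gw = ipaddress.ip_address(gateway)
    lan = ipaddress.ip_network(router_lan)

    # The next hop must be reachable without another route.
    if gw not in lan:
        problems.append(f"gateway {gateway} is not on the connected LAN {lan}")

    # A gateway inside the destination subnet cannot be the way to reach it.
    if gw in target:
        problems.append(f"gateway {gateway} lies inside the destination {target}")

    return problems


ROUTER1_LAN = "10.25.1.0/24"  # assumed LAN of router 1 (10.25.1.1)

if __name__ == "__main__":
    entries = [
        ("10.25.2.1", "255.255.255.0", "10.25.1.2"),  # entry as first configured
        ("10.25.2.0", "255.255.255.0", "10.25.1.2"),  # entry the poster proposes
    ]
    for entry in entries:
        issues = check_static_route(*entry, ROUTER1_LAN)
        print(entry, "->", issues or "OK")
```

A clean result only means the entry is well-formed; whether router 2 accepts the routed traffic still depends on its NAT and firewall settings.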
 
@TinkerMan0412 You will not be able to access anything with an address of 10.25.2.x from 10.25.1.x unless you set up a port forwarding rule on router 2 for each target device because router 2 is NATing everything through 10.25.1.2.

An alternative (better) method would be to turn off NAT and the firewall on router 2 so that you have a more "traditional" routing setup. Of course you may not want to do this for security reasons if you're trying to isolate the two subnets.
 
Thank you, CT

That would be on the WAN side of VPN router. Forward port 1194 to 10.25.1.2. Is that what you mean?
I will need just one device to be forwarded to 10.25.1.2 side (WAN IP of VPN router), NVR only.

Thank you.
 
If router 2 is running your VPN server and it is listening on its WAN IP address (10.25.1.2) then you just need to forward port 1194 on router 1 to 10.25.1.2.

My previous comments were just about inter-subnet routing of LAN clients. That's a separate issue to the VPN question.
 
Thank you, CT,
I'll try that.
 
Colin, THANK YOU.

Thank you so much for your help. Finally, finished construction and building home network. All pieces in a puzzle connected and configured. Had some trouble with VPN server, but read posts again and again, and it works now. After forwarding UDP port through main gate, it all came to life. Again, Thank you.

At first, I could only access NVR via VPN, but next day, I found out to my horror, that they also could be accessed from WAN, given that Reolink connects to AWS.

Went back to SNB, and found this link:
https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785

Would it be too imposing of me to ask if solution by Martineau is viable in my case?

In my setup, I have disabled firewall on VPN server, since it sits behind main router. Is my understanding correct, that I need to enable firewall and load scripts onto USB drive (/jffs/configs and /jffs/scripts directories). Custom scripts are already enabled, since I run ddns_update script?

Thank you again
 
Hi @TinkerMan0412. Thanks for the update. Glad to hear you got it working.

Regarding your other question; I don't know how your NVR works or how it communicates with AWS. But in the first instance I suggest you try blocking it in the GUI normally. e.g. on Router 2 go to Network Map > Clients, select the NVR and choose "Block Internet Access".

In your current configuration I don't believe it will make a difference whether the firewall is on or off for router 2. But if the blocking doesn't work try turning it back on again (that won't affect the VPN server). EDIT: Having re-read your original post it is not clear to me whether you have turned off NAT on router 2? If that is the case then you should also leave the firewall off.
 
Thank you again.

On Router 2, I have NAT enabled. It dishes out dynamic IPs on 10.25.2.x subnet, with DHCP 1 - 50 reserved, e.g. 10.25.2.50 - 10.25.2.254

All PoE cameras assigned IP around DHCP server, essentially static. I have disabled UPnP on cameras and NVR, and also on both routers. I'm guessing, I will have to turn firewall on router 2 ON, and load script generously provided by Martineau.

Thank you much
 
As I said, first try blocking it using the router's built-in function. No need to make things unnecessarily hard for yourself. The only problem with that is it might prevent it from getting the current date and time from the internet.
 
