Dual VPN, client and server on same router

ceephis

Occasional Visitor
OK all you routing geniuses

I have an RT-AC68R running the newest Merlin firmware, and I am halfway to my dream setup.
I currently have an OpenVPN server running amazingly well, and my phones can easily access all my files and network resources.
I also have a Proton VPN instance set up on my router, which connects well to OpenVPN and redirects all my traffic out.

The only issue I am experiencing is that both of these VPN options cannot exist at the same time.

I was hoping to encrypt my traffic to my home (from remote) and then also use a VPN to encrypt all outbound traffic as well.

Can you help me with this? Am I doing anything wrong?

Thanks for your wisdom and insight.

I found this site, but it may be a little over my head, and it seems untested. But it may help us in problem solving this.

Thanks again all
 

chongnt

Senior Member
Do you mean the remote device dials back to the router via its VPN server, then has local LAN access and at the same time has internet access via the router's VPN Client to your VPN provider? It is possible. I have been doing this with x3mRouting. With the current Merlin release, it is much easier by making use of the VPN Director feature. Just add a new rule by selecting your VPN Client interface and, in the Local IP field, entering the network configured in your VPN Server.
 

ceephis

Occasional Visitor
From what I understand, this is exactly what I am trying to do. However, I am not necessarily sure how to do it. Would you have a screenshot or some sort of walkthrough you could share?

Thanks for your wisdom and quick reply
 

ceephis

Occasional Visitor
This is my current setup, and when the VPN client is turned on on my router, my phone simply says waiting for server. But the second I turn it off, my phone can connect to my router's VPN server.
 

Attachment: Router.JPG

ceephis

Occasional Visitor
Thanks

I tried the steps above but to no avail.
Am I doing what your post suggested?

Thanks again for your feedback and fast reply
 

eibgrad

Part of the Furniture
The problem is that you still have "Yes(all)" specified for "Redirect Internet traffic through tunnel" on the OpenVPN client. It needs to be "VPN Director (policy rules)". Then your rule needs to force 10.0.0.0/24 (10.0.0.1/24 is NOT a valid IP/network) (I assume 10.0.0.x is your local network) over the VPN. That will keep the router itself OFF the OpenVPN client, making its OpenVPN server accessible over the WAN.
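
The routing decision described in the post above, as a simplified model (an added example, not part of the original thread and not Merlin's own code). The 10.8.0.0/24 VPN-server subnet, the 203.0.113.10 WAN address and all function names are assumptions for illustration.

```python
import ipaddress

# Assumed addressing; only 10.0.0.x comes from the thread.
LAN_NET = "10.0.0.0/24"          # local network, as assumed in the post
VPN_SERVER_NET = "10.8.0.0/24"   # hypothetical subnet given to OpenVPN server clients
ROUTER_WAN_IP = "203.0.113.10"   # documentation address standing in for the WAN IP


def parse_rule_network(text):
    """Return (network, warning); warns on entries with host bits set, e.g. 10.0.0.1/24."""
    try:
        return ipaddress.ip_network(text, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(text, strict=False)
        return net, f"{text} has host bits set; the network is {net}"


def egress(src_ip, redirect_mode, rules):
    """Interface a packet with this source address leaves by.

    redirect_mode "all" models "Yes (all)"; "policy" models
    "VPN Director (policy rules)". rules lists local networks sent over the VPN.
    """
    if redirect_mode == "all":
        return "VPN"  # default route moved into the tunnel, router's own traffic included
    src = ipaddress.ip_address(src_ip)
    for text in rules:
        net, _ = parse_rule_network(text)
        if src in net:
            return "VPN"
    return "WAN"  # no rule matched: normal WAN routing


def server_reachable(redirect_mode, rules):
    """The OpenVPN server replies from the router's WAN address; replies must leave by WAN."""
    return egress(ROUTER_WAN_IP, redirect_mode, rules) == "WAN"


def report():
    rules = [LAN_NET, VPN_SERVER_NET]
    return {
        "server_reachable_yes_all": server_reachable("all", rules),
        "server_reachable_policy": server_reachable("policy", rules),
        "lan_host": egress("10.0.0.50", "policy", rules),
        "remote_phone": egress("10.8.0.2", "policy", rules),
        "remote_phone_no_rule": egress("10.8.0.2", "policy", [LAN_NET]),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The last entry shows why the VPN server's client network needs its own rule: without it, a remote phone's internet traffic leaves by the WAN instead of the VPN client.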
 

ceephis

Occasional Visitor
Thank you again for your quick reply

I am trying to figure out how to change it from Yes (all) to policy rules.

Is there a walk through for this or do I need to make a new VPN connection?

Thanks
 

ceephis

Occasional Visitor
It's an option/setting on the OpenVPN client GUI (Network Settings sub-section).
Thank you so much for pointing that out and for all the help

Things are working perfectly.

You guys rock.

My dreams are a reality

What are your thoughts on adding TOR to this setup as well? Would it add extra anonymity or security? Is it even doable with my setup?

Thanks again for your wisdom
 

eibgrad

Part of the Furniture
I don't use TOR all that much anymore. IMO, it's just too slow to be practical for day to day usage. It has also been criticized in recent years quite a bit for not offering as much anonymity as it originally claimed, esp. due to the fact that exit nodes can't necessarily be trusted. I suppose if you run your VPN through the TOR network (which I seem to recall trying a few years ago), that helps further your anonymity. But again, I find TOR so slow that it's only practical for very specific situations, like a dissident who's willing to accept the abysmal performance in exchange for the less likely possibility of being discovered. But for the average person, it's hard to imagine someone using it on a daily basis for normal operations.

JMTC
 

chongnt

Senior Member
That's great! By the way, welcome to the forum.
I don't use TOR so not able to comment on that.
 

ceephis

Occasional Visitor
Thanks so much for your wisdom on this. Yeah, I'd rather not slow everything down for almost no benefit. Thanks again for all your help and wisdom in this matter. Have a great day.
 

ceephis

Occasional Visitor
OK guys

Got something weird going on here.

I purchased an identical router for my friend and copied all my settings over to it.

The only thing I changed is the wireless name and password and the router's IP.

Now when trying to test the OpenVPN on their router I get a certificate error.

I changed the VPN Director rule to 10.0.100.1 and set them up with their own DDNS.

Could it be because both of these routers are currently on my network? (trying to test before bringing it to their house)

Or could the copied settings have corrupted a key?

Don't really know what I am doing wrong here, and it may be very obvious to you all.

Thanks again for the wisdom and help
 

eibgrad

Part of the Furniture
This post was originally about how to configure the router so you can support access to its OpenVPN server while simultaneously connected w/ its OpenVPN client to some remote OpenVPN server (e.g., a commercial OpenVPN provider). Based on your description, I don't see the relevance. You don't even mention "what" certificate, or whether it's OpenVPN client or server. What exactly are you trying to accomplish? Be specific.
 

ceephis

Occasional Visitor
Sorry about the lack of specificity
I guess I see the client VPN as something other than OpenVPN, but it is using that protocol (and it connects and works well).

The issue I was having was with the server side connecting. I am unsure what certificate could be the problem, but attached is an image of the error I am getting when I try to connect with my phone.

I also tried setting up a second server and turning off the first, but it simply sits there and does not connect.

Again, these issues may be from both routers being connected to my cable modem, but I really don't know.

Please feel free to ask if there is anything else that is unclear
 

Attachment: Screenshot_2022-01-15-05-29-30.png

eibgrad

Part of the Furniture
Again, these issues may be from both routers being connected to my cable modem, but I really don't know.

This is the part I don't understand. How could *both* routers be connected to your cable modem, assuming you mean *directly*? There's typically only one internet/WAN port on the cable modem. And the ISP typically only offers a single public IP. Or perhaps by both being connected to the cable modem, you mean both are *accessible* over the cable modem, but only one router is connected directly to it, and the other is daisy-chained to that router, WAN to LAN.

You also mentioned copying settings from one router's OpenVPN server to the other. Did you also copy the certs and keys? Each router is capable of generating its own certs and keys, so that's neither necessary, nor recommended.
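
Whether two routers ended up with the same server CA after a settings copy can be checked from the client profiles each one exports. The sketch below is an added example, not part of the original thread: it compares the certificate in the inline `<ca>` block of two `.ovpn` profiles, and the hostnames and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

CA_BLOCK = re.compile(r"<ca>(.*?)</ca>", re.S)
PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def ca_fingerprint(ovpn_text):
    """SHA-256 over the DER bytes of the first certificate in the inline <ca> block."""
    block = CA_BLOCK.search(ovpn_text)
    if block is None:
        raise ValueError("no inline <ca> block in this profile")
    pem = PEM_BODY.search(block.group(1))
    if pem is None:
        raise ValueError("<ca> block holds no PEM certificate")
    # Strip line breaks from the base64 body before decoding it to DER.
    der = base64.b64decode("".join(pem.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def shares_ca(profile_a, profile_b):
    """True when both profiles trust the same CA certificate, i.e. it was copied."""
    return ca_fingerprint(profile_a) == ca_fingerprint(profile_b)


def make_profile(host, payload):
    """Constructed sample profile; payload stands in for real certificate bytes."""
    body = base64.b64encode(payload).decode()
    return (
        f"client\nremote {host} 1194\n<ca>\n-----BEGIN CERTIFICATE-----\n"
        f"{body}\n-----END CERTIFICATE-----\n</ca>\n"
    )


# Constructed inputs: the first router, a copy of its settings, a fresh setup.
ROUTER_A = make_profile("router-a.example", b"constructed CA bytes A")
ROUTER_B_COPIED = make_profile("router-b.example", b"constructed CA bytes A")
ROUTER_B_FRESH = make_profile("router-b.example", b"constructed CA bytes B")

if __name__ == "__main__":
    print("copied settings share CA:", shares_ca(ROUTER_A, ROUTER_B_COPIED))
    print("fresh keys share CA:", shares_ca(ROUTER_A, ROUTER_B_FRESH))
```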
 

ceephis

Occasional Visitor
These are great questions

I guess it is something like a cable router (has wifi and 4 ports on the back) (see picture).

I turn off the wifi and usually set the firewall as low as it will go to avoid problems.

So essentially I have two ASUS routers connected to this Xfinity router by their WAN ports.
I do know that only one public IP is given to the Xfinity router, and that is where I am hoping the error is. Hopefully the DDNS for the 2 routers is having issues and then it does not know which port to connect to which router or something along that line.

I used the backup option to back up the settings from my modem and then restored them to the new one.
I don't know if that is what might be causing problems.

Thanks again. If you need more clarification, please feel free to ask.
 

Attachment: xfinity.jpg

ceephis

Occasional Visitor
I just logged into the Xfinity and found out I had port forwarded on the router. My guess is that is what this whole thing could be about.

I will let you know if allowing this to the new ASUS corrects things
 
