Help: VPN Server + DDNS +Double NAT


Krauss

Occasional Visitor
Hello everyone,
From what I read here on the forum, Google, Stack Overflow, etc., I have already done what is described and despite getting OK to ASUS DDNS, I can't "connect" to my home network or use the router's capabilities as a VPN server.
I made a scheme of my wan/lan configuration (attached), to explain how I'm trying to do this.

I would appreciate your help in finding out what I may be doing wrong.

Best regards
Krauss
 

Attachments

  • SETUP.jpg

eibgrad

Very Senior Member
Did you specify "External" for the "Method to retrieve WAN IP" option on the DDNS setup page?

Do you also have an active OpenVPN client running on the router at the same time?
 

Krauss

Occasional Visitor
No, I did not!

And when I did it (now), the domain name was already registered.
Will try all the steps again with these changes.

Thank you for your patience teaching others.

Best
Krauss
 

Krauss

Occasional Visitor
I'm feeling so stupid!
I'll try to explain:

The ISP router cannot be in bridge mode, so I use DMZ.
If I use DMZ, I have to assign an IP so that traffic is redirected to that IP.
This IP is from my router (ASUS) and the question is:
If I must assign an IP (on the ISP router, ASUS MAC Router's static IP because DMZ needs to know that), how could the router get another external IP besides the one defined to conduct the DMZ traffic to?

Despite this question, I don't understand how but I can now see at http://iplookup.asus.com/nslookup.php the IP that the ISP gave me (it's equal to IPleaks, for example), but… if I try to access it through a web browser, for example, I can't get anything.

What am I missing here?

Thank you for all the help you can give!
 

eibgrad

Very Senior Member
"The ISP router cannot be in bridge mode, so I use DMZ.
If I use DMZ, I have to assign an IP so that traffic is redirected to that IP.
This IP is from my router (ASUS) and the question is:
If I must assign an IP (on the ISP router, ASUS MAC Router's static IP because DMZ needs to know that), how could the router get another external IP besides the one defined to conduct the DMZ traffic to?"

That's why you specify External when configuring DDNS. This causes the router to make an online check w/ a public website to determine the public IP assigned to your *ISP's* WAN, NOT the WAN ip of your ASUS router. Once an attempt is made remotely to access your public IP, it reaches the ISP's router, which then automatically forwards it to your ASUS router on its WAN ip.

"Despite this question, I don't understand how but I can now see at http://iplookup.asus.com/nslookup.php the IP that the ISP gave me (it's equal to IPleaks, for example), but… if I try to access it through a web browser, for example, I can't get anything."

I don't understand the question.

If you visit https://ipchicken.com, do you see the public IP assigned to the WAN of your ISP's router? That's what matters, since that's the first point of contact for remote access purposes. The DMZ setting will then forward any remote access to your ASUS router on its WAN. Of course, you have to have port forwarding enabled on the ASUS to reach anything, or in the case of the ASUS GUI, enable the remote access option w/ Administration->System->Remote Access Config (btw, NOT something I recommend doing since it's NOT a good idea to expose your router's GUI to the internet, but just to explain how the process works).
 

Krauss

Occasional Visitor
"That's why you specify External when configuring DDNS. This causes the router to make an online check w/ a public website to determine the public IP assigned to your *ISP's* WAN, NOT the WAN ip of your ASUS router."

Got that!
What you mean is that despite not changing the IP (198.162.1.77, in my case) the ASUS router is reachable. Make a kind of bridge between the entry (IP you can see on https://ipchicken.com) and the ASUS WAN entry (198.162.1.77).

____________________________________________


"Once an attempt is made remotely to access your public IP, it reaches the ISP's router, which then automatically forwards it to your ASUS router on its WAN ip."

I was missing this piece of the puzzle. "External" for the "Method to retrieve WAN IP", it's like changing the ASUS IP (without actually changing). Makes it reachable even without changing it.

"If you visit https://ipchicken.com, do you see the public IP assigned to the WAN of your ISP's router? That's what matters, since that's the first point of contact for remote access purposes. The DMZ setting will then forward any remote access to your ASUS router on its WAN."

Now I do! Thanks!

___________________________________________




"Of course, you have to have port forwarding enabled on the ASUS to reach anything, or in the case of the ASUS GUI, enable the remote access option w/ Adminstration->System->Remote Access Config (btw, NOT something I recommend doing since it's NOT a good idea to expose your router's GUI to the internet, but just to explain how the process works)."

Ok, now I'm on the next step! uff!

I split the wanted access in two parts:
a) Access just to USB disk attached to router (don't have to do "port forwarding" because I already can do that without doing any PF)
b) Access to a PC (for example) inside LAN


a) As I said, I'm already able to do this, with AiCloud apk and web browser (without enabling access from wan), from outside my wifi.
I don't get how that is possible but I'll find out.

b) I understand the need of port forwarding. Will think about this necessity later


What's the risk if I only use option a) (that doesn't need enabling access from wan)?


_______________________________________

Finally:
I need to set up a VPN server. Imagine that I'm accessing the internet from a public wifi, or I want to share my VPN (bought from GhostVPN, for example) with someone else.
How can I benefit from this ASUS functionality?
I set up a connection (OpenVPN, PPTP, etc.) but what is the process that makes me go through my router when I'm using a cellphone or a PC anywhere outside my LAN?

Once again, thanks in advance!


Hope others can benefit from these basic questions I have and you are trying to clarify!
 

eibgrad

Very Senior Member
"a) As I said, I'm already able to do this, with AiCloud apk and web browser (without enabling access from wan), from outside my wifi.
I don't get how that is possible but I'll find out."

AiCloud and other services hosted by the router (e.g., OpenVPN server) don't need port forwarding. They just open their required ports on the WAN as they see fit. The GUI is a bit different in that it's only bound to the LAN side of the router (for security reasons), but if you enable remote access in the Administration->System->Remote Access Config section, the router automatically creates a port forward to its own LAN ip.

A more typical case for YOU needing to be concerned about creating your own port forwards is when you need to reach other devices behind the router (e.g., a Windows PC via RDP).

"I need to set up a VPN server. Imagine that I'm accessing the internet from a public wifi, or I want to share my VPN (bought from GhostVPN, for example) with someone else.
How can I benefit from this ASUS functionality?
I set up a connection (OpenVPN, PPTP, etc.) but what is the process that makes me go through my router when I'm using a cellphone or a PC anywhere outside my LAN?"

You need to configure the OpenVPN server. Then you configure your remote devices w/ OpenVPN client to access it. You can configure the OpenVPN server to allow access to LAN devices only, internet only, or both. Just up to you.
 

Krauss

Occasional Visitor
First point, I understand everything you said. THKS!

Second point:
I am able to set up and connect from outside of my LAN to the VPN router. No problem with that. THKS!

To better explain, I'll divide the connection in two parts:

a) from a cybercafe :) to my router (this is ok, I can do that as you described)

b) from router to internet.
This one (b), we can have 2 different scenarios:
1- Router has a VPN client "always on" and, because of that, all traffic will be "protected" (both devices outside and inside LAN). This has, at least, two disadvantages: speed decreases for everybody and every device must connect to the same server in the same country. This brings some problems with some sites that are only reachable from certain countries and this may conflict if one device wants to connect to the UK and another to China, for example.
Also: is it possible to connect to the router when the VPN is connected (since the IP changed to the outside world)?
2- Router doesn't have a VPN client "always on" and every device must trigger an application on Windows, Mac, Android, etc. to connect to the desired server. This scenario avoids the speed decrease for all devices, and you can choose a different country for each device.

Resuming: Is there a way to setup on router a VPN client for different devices, even when this device is outside LAN?

I can describe a situation where this is useful:
- I bought a VPN that doesn't support the PPTP protocol
- I have a device (satellite box that needs some information planted on some sites that my ISP blocks) that only supports the PPTP protocol
- When I travel, I would like to take it with me, connect the box to the router (with PPTP) and use my OpenVPN client that I paid for to access the internet from the router.


I don't know if my English "sounds" strange, if so, sorry for that and I hope you understand my questions.

BIG Thank you!
 

Tech9

Very Senior Member
"You need to configure the OpenVPN server."

Additional trick to what @eibgrad says - I have one AC86U in double NAT and the one thing needed to connect external clients to its OpenVPN server was to manually edit the ovpn file. When generated by the OpenVPN server, it contains the local router IP address. It has to be replaced with the DDNS address.
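
The edit described in the post above, as an added example (not code from the thread or from ASUS): it finds `remote` lines in an exported client profile that point at an address unreachable from the internet, which is what a router behind double NAT writes, and swaps in the DDNS name. The profile text, the address `192.168.1.2` and the hostname `myrouter.example.net` are constructed placeholders.

```python
import ipaddress
import re

# RFC 6598 carrier-grade NAT range; ipaddress.is_private does not cover it
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Matches the `remote <host> [port] [proto]` directive only, so that
# `remote-cert-tls` and commented-out lines are never touched.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")

def is_unroutable(host: str) -> bool:
    """True if host is an IP literal that cannot be reached from the internet."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname (e.g. the DDNS name) is left alone
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip in CGNAT

def fix_remotes(ovpn_text: str, ddns_name: str):
    """Point every `remote <unroutable-ip> ...` line at ddns_name.
    Returns (new_text, list_of_replaced_addresses)."""
    replaced, out = [], []
    for line in ovpn_text.splitlines():
        m = REMOTE_RE.match(line)
        if m and is_unroutable(m.group(2)):
            replaced.append(m.group(2))
            line = f"{m.group(1)}{ddns_name}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n", replaced

# Constructed sample of a profile exported by a router whose WAN side
# sits on the ISP router's private network.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 192.168.1.2 1194
# remote 10.0.0.1 1194
remote-cert-tls server
auth-user-pass
"""

if __name__ == "__main__":
    text, changed = fix_remotes(SAMPLE_OVPN, "myrouter.example.net")
    print("replaced:", changed)
    print(text)
```

An empty list of replaced addresses means the profile already points at a hostname or a public address and needs no edit.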
 

Krauss

Occasional Visitor
Thank you for your input, but I don't understand it.
Since I can use the OpenVPN file in any place (only need user and pass), how could it be included in the file?
I was looking for something that looks like my IP and there isn't any chance to have it (unless in the certificate part, which doesn't make sense anyway because the downloaded file is agnostic to where I will be using it).

Although it doesn't solve the problem, because it assumes all devices use the same VPN connection through the router client, could you be more explicit?

thank you too!


EDIT: I think I got it: https://www.asus.com/support/FAQ/1033906
Isn't it?

When I set up the connection from outside, I already give the DDNS address. But, somehow, if I connect a VPN client on the router the incoming connection stops working. (I used the PPTP protocol, which is simple to understand: you have to give your DDNS as the server address.)
 

Krauss

Occasional Visitor
Probably, I'm not expressing myself the right way. Please consider my network design.
 

Attachments

  • SCHEME2.jpg

Krauss

Occasional Visitor
Thank you for your help.
As soon as I "got it right" in the terminology I started to know how to search correctly. I am very close to solving all my questions.
Thank you very much once again!
 
