Help: VPN Server + DDNS + Double NAT

Krauss

Occasional Visitor
Hello everyone,
From what I read here on the forum, Google, Stack Overflow, etc., I have already done what is described and despite getting OK to ASUS DDNS, I can't "connect" to my home network or use the router's capabilities as a VPN server.
I made a scheme of my wan/lan configuration (attached), to explain how I'm trying to do this.

I would appreciate your help in finding out what I may be doing wrong.

Best regards
Krauss
 

Attachment: SETUP.jpg

eibgrad

Part of the Furniture
Did you specify "External" for the "Method to retrieve WAN IP" option on the DDNS setup page?

Do you also have an active OpenVPN client running on the router at the same time?
 

Krauss

Occasional Visitor
No, I did not!

And when I did it (now), the domain name was already registered.
Will try all the steps again with these changes.

Thank you for your patience teaching others.

Best
Krauss
 

Krauss

Occasional Visitor
I'm feeling so stupid!
I'll try to explain:

The ISP router cannot be in bridge mode, so I use DMZ.
If I use DMZ, I have to assign an IP so that traffic is redirected to that IP.
This IP is from my router (ASUS) and the question is:
If I must assign an IP (on the ISP router, ASUS MAC Router's static IP because DMZ needs to know that), how could the router get another external IP besides the one defined to conduct the DMZ traffic to?

Despite this question, I don't understand how but I can now see at http://iplookup.asus.com/nslookup.php the IP that the ISP gave me (it's equal to IPleaks, for example), but… If I try to access through a web browser, for example, I can't get anything.

What am I missing here?

Thank you for all the help you can give!
 

eibgrad

Part of the Furniture
The ISP router cannot be in bridge mode, so I use DMZ.
If I use DMZ, I have to assign an IP so that traffic is redirected to that IP.
This IP is from my router (ASUS) and the question is:
If I must assign an IP (on the ISP router, ASUS MAC Router's static IP because DMZ needs to know that), how could the router get another external IP besides the one defined to conduct the DMZ traffic to?

That's why you specify External when configuring DDNS. This causes the router to make an online check w/ a public website to determine the public IP assigned to your *ISP's* WAN, NOT the WAN ip of your ASUS router. Once an attempt is made remotely to access your public IP, it reaches the ISP's router, which then automatically forwards it to your ASUS router on its WAN ip.

Despite this question, I don't understand how but I can now see at http://iplookup.asus.com/nslookup.php the IP that the ISP gave me (it's equal to IPleaks, for example), but… If I try to access through a web browser, for example, I can't get anything.

I don't understand the question.

If you visit https://ipchicken.com, do you see the public IP assigned to the WAN of your ISP's router? That's what matters, since that's the first point of contact for remote access purposes. The DMZ setting will then forward any remote access to your ASUS router on its WAN. Of course, you have to have port forwarding enabled on the ASUS to reach anything, or in the case of the ASUS GUI, enable the remote access option w/ Administration->System->Remote Access Config (btw, NOT something I recommend doing since it's NOT a good idea to expose your router's GUI to the internet, but just to explain how the process works).
 

Krauss

Occasional Visitor
"That's why you specify External when configuring DDNS. This causes the router to make an online check w/ a public website to determine the public IP assigned to your *ISP's* WAN, NOT the WAN ip of your ASUS router."

Got that!
What you mean is that despite not changing the IP (198.162.1.77, in my case) the ASUS router is reachable. Make a kind of bridge between the entry (IP you can see on https://ipchicken.com) and the ASUS WAN entry (198.162.1.77).

____________________________________________


"Once an attempt is made remotely to access your public IP, it reaches the ISP's router, which then automatically forwards it to your ASUS router on its WAN ip."

I was missing this piece of the puzzle. "External" for the "Method to retrieve WAN IP", it's like changing the ASUS IP (without actually changing). Makes it reachable even without changing it.

"If you visit https://ipchicken.com, do you see the public IP assigned to the WAN of your ISP's router? That's what matters, since that's the first point of contact for remote access purposes. The DMZ setting will then forward any remote access to your ASUS router on its WAN."

Now I do! Thanks!

___________________________________________




"Of course, you have to have port forwarding enabled on the ASUS to reach anything, or in the case of the ASUS GUI, enable the remote access option w/ Administration->System->Remote Access Config (btw, NOT something I recommend doing since it's NOT a good idea to expose your router's GUI to the internet, but just to explain how the process works)."

Ok, now I'm on the next step! uff!

I split the wanted access in two parts:
a) Access just to USB disk attached to router (don't have to do "port forwarding" because I already can do that without doing any PF)
b) Access to a PC (for example) inside LAN


a) As I said, I'm already able to do this, with AiCloud apk and web browser (without enabling access from wan), from outside my wifi.
I don't get how that is possible but I'll find out.

b) I understand the need of port forwarding. Will think about this necessity later


What's the risk if I only use option a) (that doesn't need enabling access from wan)?


_______________________________________

Finally:
I need to set up a VPN server. Imagine that I'm accessing the internet from a public wifi, or I want to share my VPN (bought from GhostVPN, for example) with someone else.
How can I benefit from this ASUS functionality?
I setup a connection (openVpn, pptp, etc..) but what is the process that makes me go through my router when I'm using a cellphone or a PC anywhere outside my LAN?

Once again, thanks in advance!


Hope others can benefit from these basic questions I have and you are trying to clarify!!!
 

eibgrad

Part of the Furniture
a) As I said, I'm already able to do this, with AiCloud apk and web browser (without enabling access from wan), from outside my wifi.
I don't get how that is possible but I'll find out.

AiCloud and other services hosted by the router (e.g., OpenVPN server) don't need port forwarding. They just open their required ports on the WAN as they see fit. The GUI is a bit different in that it's only bound to the LAN side of the router (for security reasons), but if you enable remote access in the Administration->System->Remote Access Config section, the router automatically creates a port forward to its own LAN ip.

A more typical case for YOU needing to be concerned about creating your own port forwards is when you need to reach other devices behind the router (e.g., a Windows PC via RDP).

I need to set up a VPN server. Imagine that I'm accessing the internet from a public wifi, or I want to share my VPN (bought from GhostVPN, for example) with someone else.
How can I benefit from this ASUS functionality?
I setup a connection (openVpn, pptp, etc..) but what is the process that makes me go through my router when I'm using a cellphone or a PC anywhere outside my LAN?

You need to configure the OpenVPN server. Then you configure your remote devices w/ OpenVPN client to access it. You can configure the OpenVPN server to allow access to LAN devices only, internet only, or both. Just up to you.
 

Krauss

Occasional Visitor
First point, I understand everything you said. THKS!

Second point:
I am able to setup and connect from outside of my LAN to VPN Router. No problem with that. THKS!

To better explain, I'll divide the connection in two parts:

a) from cybercafe :) to my router (this is ok, I can do that as you described)

b) from router to internet.
This one (b), we can have 2 different scenarios:
1- Router has a VPN client "always on" and, because of that, all traffic will be "protected" (both devices outside and inside LAN). This has, at least, two disadvantages: speed decreases for everybody and every device must connect to the same server in the same country. This brings some problems with some sites that are only reachable from certain countries and this may conflict if one device wants to connect to UK and another to China, for example.
More: Is it possible to connect to the router when the VPN is connected (since IP changed to outside world)?
2- Router doesn't have a VPN client "always on" and every device must trigger an application on Windows, Mac, Android, etc. to connect to the desired server. This scenario avoids the speed decrease for all devices, since you could choose a different country for any device.

Summing up: Is there a way to set up on the router a VPN client for different devices, even when this device is outside LAN?

I can describe a situation where this is useful:
- I bought a VPN that doesn't support PPTP protocol
- I have a device (satellite box that needs some information planted on some sites that my ISP blocks) that only supports PPTP protocol
- When I travel, I would like to take it with me, connect box to router (with PPTP) and use my OpenVPN client that I paid for to access internet from router.


I don't know if my English "sounds" strange, if so, sorry for that and I hope you understand my questions.

BIG Thank you!
 

Tech9

Part of the Furniture
You need to configure the OpenVPN server.

Additional trick to what @eibgrad says - I have one AC86U in double NAT and the one thing needed to connect external clients to its OpenVPN server was to manually edit the ovpn file. When generated by the OpenVPN server, it contains the local router IP address. It has to be replaced with the DDNS address.
 

Krauss

Occasional Visitor
Thank you for your input, but I don't understand it.
Since I can use the openVPN file in any place (only need user and pass), how could it be included in the file?
I was looking for something that looks like my IP and there isn't any chance to have it (unless in the certificate part, which doesn't make sense anyway because the downloaded file is agnostic to where I will be using it).

Although it doesn't solve the problem, because it assumes all devices use the same VPN connection through the router client, could you be more explicit?

thank you too!


EDIT: I think I got it: https://www.asus.com/support/FAQ/1033906
Isn't it?

When I set up the connection from outside, I already give the DDNS address. But, somehow, if I connect a VPN client on the router, the incoming connection stops working. (I used PPTP protocol, which is simple to understand: You have to give your DDNS as server address).
 

Krauss

Occasional Visitor
Probably, I'm not expressing myself the right way. Please consider my network design.
 

Attachment: SCHEME2.jpg

Krauss

Occasional Visitor
Thank you for your help.
As soon as I "got it right" in the terminology I started to know how to search correctly. I am very close to solving all my questions.
Thank you very much once again!
 

tftcoelho

New Around Here
Thank you for your help.
As soon as I "got it right" in the terminology I started to know how to search correctly. I am very close to solving all my questions.
Thank you very much once again!
Hello Krauss, I have the same issue as you, I think.

I read this discussion but was not able to make the VPN server and the ASUS DDNS work.

I enabled the DMZ in the ISP router and added the static IP of my ASUS router. But when you check the network map on the ASUS page the WAN IP address is still a static IP and not the public IP.
[Images: VDF dmz.png, asus network.png]

As a result the DDNS service is disabled.

[Image: asus ddns.png]


Can you understand what I'm missing?

Thank you
 

eibgrad

Part of the Furniture
Hello Krauss, I have the same issue as you, I think.

I read this discussion but was not able to make the VPN server and the ASUS DDNS work.

I enabled the DMZ in the ISP router and added the static IP of my ASUS router. But when you check the network map on the ASUS page the WAN IP address is still a static IP and not the public IP.

As a result the DDNS service is disabled.


Can you understand what I'm missing?

Thank you

The problem is you're using OEM firmware. If you used Merlin instead, you'd have the option to check the public IP *externally*, which means the DDNS client would determine the public IP by making a request to an internet website, rather than relying solely on the *internal* IP as defined on the WAN, which when double-NAT'd means it's a *private* IP, and NOT remotely accessible based on that IP.

Perhaps if you chose something other than www.asus.com for your DDNS provider (e.g., freedns.afraid.org, my personal preference), the external/internal option might become available as an option (I don't know for sure because I don't ever use OEM firmware; it's too limiting).
 

ColinTaylor

Part of the Furniture
But when you check the network map on the asus page the WAN IP address is still a static IP and not the public IP.
That is correct. The router's WAN IP address does not change.

As result the ddns service is disabled
You need to install Merlin's firmware so that you have the "Method to retrieve WAN IP = External" option. This option is not present in the stock Asus firmware.


 

RMerlin

Asuswrt-Merlin dev
The problem is you're using OEM firmware. If you used Merlin instead, you'd have the option to check the public IP *externally*, which means the DDNS client would determine the public IP by making a request to an internet website, rather than relying solely on the *internal* IP as defined on the WAN, which when double-NAT'd means it's a *private* IP, and NOT remotely accessible based on that IP.

Perhaps if you chose something other than www.asus.com for your DDNS provider (e.g., freedns.afraid.org, my personal preference), the external/internal option might become available as an option (I don't know for sure because I don't ever use OEM firmware; it's too limiting).
OEM firmware doesn't support external checks. However this is something that I've recently discussed with Asus, so I expect it to get added in the future.
 

PR3MIUM

Regular Contributor
If you set up the DNS from your VPN provider it won't work; Cloudflare 1.1.1.1 and Google 8.8.8.8 are working fine (tested on Merlin Firmware 386.4 with killswitch).
 

Tech9

Part of the Furniture

PR3MIUM

Regular Contributor
[Images: 1.jpg, 2.jpg]

Using a DNS server from a VPN provider here won't work.

- Fixed DDNS issues where the WAN IP is IPv6 (3.0.0.4.386.46065)

Doing a clean install of 3.0.0.4.386.46065 from ASUS today and testing it.
 

Tech9

Part of the Furniture
- Fixed DDNS issues where the WAN IP is IPv6 (3.0.0.4.386.46065)

This is unrelated. Asuswrt can’t update DDNS with external IP in double NAT. The issue is not in DNS servers used.
 
