How to allow openvpn clients to access my LAN PC?

gecongjie

New Around Here
Hey, guys!
I set up an OpenVPN server on my ASUS AC66U-B1 (running Merlin 386.3_2). I have to use tun mode to allow Android phones. I set "Client will use VPN to access" to Both (the other two choices are "LAN only" and "Internet only"). My phone can access the USB drive connected to the router (192.168.2.1), but I can't access my PC (192.168.2.11).
After some searching, I added "iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE", which doesn't work. (192.168.3.0 is my VPN subnet setting.)
What can I do to make my VPN clients able to access my PC on LAN?
Any help is appreciated.
 

winger_13

New Around Here
So, I am having the same question/issue, except I am using an Asus RT-AX86U router. Where do I add the following line of code?
"iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE"
in the config file in the client?

And, in the above line, I will need to change 192.168.3.0 to 10.8.0.0 (my VPN subnet).

Also, do I change the "eth1" to the IP address of the local LAN PC I want to ping/access? LOL I do not understand the following comment:
ColinTaylor said:

You should use br0 instead of eth1.
 

eibgrad

Part of the Furniture
winger_13 said:

So, I am having the same question/issue, except I am using an Asus RT-AX86U router. Where do I add the following line of code?
"iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE"
in the config file in the client?

And, in the above line, I will need to change 192.168.3.0 to 10.8.0.0 (my VPN subnet).

Also, do I change the "eth1" to the IP address of the local LAN PC I want to ping/access? LOL I do not understand the following comment:
ColinTaylor said:

You should use br0 instead of eth1.

Let's first make clear what this thread is all about. Because it goes unstated, which adds to the confusion.

The problem the OP was experiencing was due to a personal firewall on the target device preventing access by the remote OpenVPN client. The most common culprit is Windows. By default, Windows will NOT allow access by any *private* IP network other than the one on which it is currently running. It's a security measure MS added several years ago. And some other devices and platforms have done likewise.

So the *correct* solution is to reconfigure the personal firewall on the device to permit the remote access by 10.8.0.0/24.

But sometimes people prefer to use the above POSTROUTING trick so they don't have to run around their network reconfiguring firewalls. What that rule does is mask the source IP of the OpenVPN client (e.g., 10.8.0.2) with the IP of the router on its LAN network interface (e.g., 192.168.1.1). So now when the target is reached, it *sees* 192.168.1.1 rather than 10.8.0.2, and since the target and router share the *same* IP network, the personal firewall allows the access.

If you want to do the same thing, then you need to create a nat-start script like the following.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Enable jffs scripts in Administration > System, copy/paste the above into the terminal window of an SSH session, and reboot.
 

winger_13

New Around Here
eibgrad said:

Let's first make clear what this thread is all about. Because it goes unstated, which adds to the confusion.

The problem the OP was experiencing was due to a personal firewall on the target device preventing access by the remote OpenVPN client. The most common culprit is Windows. By default, Windows will NOT allow access by any *private* IP network other than the one on which it is currently running. It's a security measure MS added several years ago. And some other devices and platforms have done likewise.

So the *correct* solution is to reconfigure the personal firewall on the device to permit the remote access by 10.8.0.0/24.

But sometimes people prefer to use the above POSTROUTING trick so they don't have to run around their network reconfiguring firewalls. What that rule does is mask the source IP of the OpenVPN client (e.g., 10.8.0.2) with the IP of the router on its LAN network interface (e.g., 192.168.1.1). So now when the target is reached, it *sees* 192.168.1.1 rather than 10.8.0.2, and since the target and router share the *same* IP network, the personal firewall allows the access.

If you want to do the same thing, then you need to create a nat-start script like the following.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Enable jffs scripts in Administration > System, copy/paste the above into the terminal window of an SSH session, and reboot.
Thank you for the details. It is helpful to understand that the underlying issue is with Windows Firewall.

I would rather update my Desktop's Windows 7 Firewall than add the code you listed above. For the Windows Firewall approach, can you provide some details on how I would accomplish this? Also, my router's IP is 192.168.1.1, the PC (running Windows 7) is at static IP 192.168.1.101, and I set the router's OpenVPN Client Subnet to be 192.168.5.0/24 (for example, I have seen a few times where the client's IP is assigned as 192.168.5.6).

One question with this approach, however. Will Windows Firewall be working to allow the VPN client to communicate with the Desktop when no user has logged on? I ask because I normally VPN into the house, then use WOL to power on the Desktop. I then access the Desktop at that point.


Side note: that above script that you included. Where would I place that, in the router or the Desktop I am trying to access? This part went over my head ; )
 

eibgrad

Part of the Furniture
winger_13 said:

I would rather update my Desktop's Windows 7 Firewall than add the code you listed above. For the Windows Firewall approach, can you provide some details on how I would accomplish this?

I don't use Windows. I'm a Linux desktop user. There are plenty of resources on the internet for configuring the Windows firewall.

winger_13 said:

Also, my router's IP is 192.168.1.1, the PC (running Windows 7) is at static IP 192.168.1.101, and I set the router's OpenVPN Client Subnet to be 192.168.5.0/24 (for example, I have seen a few times where the client's IP is assigned as 192.168.5.6).

Well originally you said 10.8.0.0/24. But if it's now 192.168.5.0/24, then change the rule or configure the Windows firewall (whichever you prefer) accordingly.

winger_13 said:

One question with this approach, however. Will Windows Firewall be working to allow the VPN client to communicate with the Desktop when no user has logged on? I ask because I normally VPN into the house, then use WOL to power on the Desktop. I then access the Desktop at that point.

The firewall requirements in terms of access based on the client's source IP have *nothing* to do with anything else that may be at issue, including whether there is or isn't an active user logged into Windows. All we're talking about is how to deal with this one narrow issue.

winger_13 said:

Side note: that above script that you included. Where would I place that, in the router or the Desktop I am trying to access? This part went over my head ; )

If you want to use the POSTROUTING rule rather than reconfigure the Windows firewall, then you need to enable JFFS scripts on the router, copy/paste that script into the terminal window of an SSH session with the router, and reboot. It will install and configure the necessary nat-start script, which will be activated once rebooted.
 

mister

Regular Contributor
Hi eibgrad,
Thanks a lot for your Script. One question regarding that.
I have both OpenVPN servers enabled. One "protected" (192.168.10.0/24), where all traffic is routed through OpenVPN client 1, and one "unprotected" (192.168.11.0/24), where the traffic is routed via WAN.

If I want to use your script for both IP address ranges, what do I have to change?
Should I just add one additional line to the script?

iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Many thanks for your support.
Hugo
 

eibgrad

Part of the Furniture
mister said:

Hi eibgrad,
Thanks a lot for your script. One question regarding that.
I have both OpenVPN servers enabled. One "protected" (192.168.10.0/24), where all traffic is routed through OpenVPN client 1, and one "unprotected" (192.168.11.0/24), where the traffic is routed via WAN.

If I want to use your script for both IP address ranges, what do I have to change?
Should I just add one additional line to the script?

iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Many thanks for your support.
Hugo

That should work.
 
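The nat-start approach from eibgrad's post and the two-subnet variant mister asks about, as an added example that is neither eibgrad's script nor Asus-Merlin's own code. It assumes br0 is the router's LAN bridge and that `nvram get lan_ipaddr` returns the LAN address; the subnet list is constructed from values in the thread, and the script defaults to DRY_RUN=1 so it only prints the iptables commands until you flip it for a real install.

```shell
#!/bin/sh
# Added example (not eibgrad's script, not Asus-Merlin code): a nat-start body
# that applies the SNAT trick idempotently to one or more OpenVPN client subnets.
# Assumes br0 is the LAN bridge and 'nvram get lan_ipaddr' gives its address.
# DRY_RUN=1 (default here) prints the commands; set DRY_RUN=0 when installing
# this as /jffs/scripts/nat-start.
DRY_RUN="${DRY_RUN:-1}"
# Constructed list: one client subnet per OpenVPN server instance.
VPN_SUBNETS="${VPN_SUBNETS:-10.8.0.0/24 192.168.11.0/24}"

# Accept only dotted-quad IPv4 CIDR notation with a 0-32 prefix length.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Rule text shared by -C (check) and -I (insert) so both refer to the same rule.
snat_rule() {
    echo "POSTROUTING -s $1 -o br0 -j SNAT --to-source $2"
}

# Insert only when absent: nat-start runs on every firewall restart, and a bare
# -I would stack a duplicate rule each time. Remember that the target PC will
# then log the router's LAN address instead of the real VPN client address.
ensure_snat() {
    subnet="$1"; lan_ip="$2"
    valid_cidr "$subnet" || { echo "skip: bad subnet '$subnet'" >&2; return 1; }
    rule=$(snat_rule "$subnet" "$lan_ip")
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule"
        return 0
    fi
    # $rule is deliberately unquoted so the shell splits it into arguments.
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule
}

main() {
    # Fallback address lets the dry run work on a machine without nvram.
    lan_ip=$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.1)
    for s in $VPN_SUBNETS; do ensure_snat "$s" "$lan_ip"; done
}

main
```

On the router, the real run needs the check rule and the insert rule to be word-for-word identical, which is why both are built from the same snat_rule output.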
