How to check that a VPN Server set up on AX88U on Asuswrt-Merlin 386.3_2 is working?

Bitrudeuk

Occasional Visitor
Quick question, how do I know if I have successfully set my VPN server up? I am using a Windscribe VPN client, but it was suggested that I also set up a VPN server too, to ensure that my NAS is fully protected.

I have followed Yorgi's tutorial to set up an OpenVPN server and reviewed some of the other tutorials on here and it says it's "running" under VPN status, so that's a good sign right?

I can't see any errors in the activity log, so does that mean everything is ok, or is the only way to check to try and access from outside the LAN?

I don't need access from outside the LAN at the moment, I just want to make sure nothing can get in to attack my NAS etc! Is this the right way to do it?

Many thanks

David
 

eibgrad

Part of the Furniture
If you don't need remote access into your LAN (whether to access the NAS or anything else), it makes no sense to keep the OpenVPN server running.

If you just want to test the OpenVPN server to make sure it's accessible when you eventually *do* need it, yes, you need to test it remotely, from outside your WAN, perhaps w/ a smartphone and the OpenVPN client app.
 

Bitrudeuk

Occasional Visitor
Great, thank you eibgrad for confirming so quickly. I am not sure why it was suggested to create the server, other than to access the NAS externally? My initial question on that subject was that I just wanted to make sure the NAS is completely locked down going forward, which I thought would happen by adding Windscribe and making sure the NAS had nothing trying to access the NET. Perhaps I should post the same question on the NAS section here that I posted at the QNAP forum and see what other users suggest here.

I was thinking smartphone or laptop via the phone's internet connection would be best, though the IP may conflict, as I also use the laptop on the LAN?
 

eibgrad

Part of the Furniture
I don't know why OpenVPN server was suggested either. It doesn't add anything to the security of the OpenVPN client.

The only thing you'll want to do w/ the OpenVPN client is make sure you have "Inbound Firewall" specified as Block (the default). This prevents anyone from initiating a connection from the remote side of the tunnel into your network.

I suggested testing the OpenVPN server via the smartphone so you could use the *cellular* network. You do NOT want to test it from wifi that's located inside the same LAN as the OpenVPN server!
 

Bitrudeuk

Occasional Visitor
Perhaps there was a misunderstanding (probably on my part); I was just trying to ensure that my NAS was locked down after being breached by QLocker earlier in the year and I was still getting blocked packets on the NAS firewall?

Thanks, will bear that in mind. That said, my long term plan is to have a bi-directional tunnel set up between two AX88U's, so that wouldn't be an issue would it, as the client would be on the other router and as long as my laptop is connected to that other router, it wouldn't need its own client connection? And it would be like one big LAN? That's how I've been reading everything anyway?

But baby steps, I am still getting my head round this little lot first!
 

eibgrad

Part of the Furniture
By bi-directional tunnel, I assume you mean site-to-site, where each side can initiate connections into the other over a shared tunnel. Your choice which side is the server vs. client. Just depends on what works best for your situation. And yes, that OpenVPN client can then be leveraged by the LAN clients behind it.
 

Bitrudeuk

Occasional Visitor
Yep, that's exactly what I mean. I will initially have my NAS at one site, so will need to access it via the VPN to upload new material etc. Down the line, I expect to have a NAS at each site and use the existing one as my central one and back up to the other site over night via the VPN tunnel.

What could go wrong??? ha ha

Going back to my initial query, when I set up the server, I couldn't get a DDNS address set up. Could this have been because the server was on? It mucked up my usual HTTPS way in and never formed the DDNS address and the GUI went all weird? Thankfully I was able to amend it without having to reset everything, but I did previously have DDNS working fine until I was worried about access without the server connection.

Should I set up the DDNS address first, and then switch the server on to test connection?
 

eibgrad

Part of the Furniture
Normally, DDNS should NOT be affected by whether you have either an active OpenVPN client or server. The router detects when the WAN ip changes, then reports it to the DDNS provider. Pretty simple. So I don't know why, or even if, anything involving DDNS issues is actually relevant to OpenVPN.

Something else to keep in mind.

Whenever you establish an OpenVPN client connection to a commercial OpenVPN provider (e.g., Windscribe), it will change the default gateway from the WAN/ISP to the VPN. And now *all* traffic will be routed over the VPN, whether initiated by the router itself, or any clients behind the router leveraging the tunnel.

Under such conditions, the OpenVPN server will be unreachable, since the remote access over the WAN will have its replies sent over the VPN. And the firewall will NOT allow it. You'll have to enable routing policy in order to remove the router itself from the VPN, thus making the OpenVPN server reachable again.

However, for testing purposes of the OpenVPN server, you can temporarily disable the OpenVPN client. But just realize that when *both* are active at the same time, you'll have the problem described above.
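An added diagnostic, not part of eibgrad's post or of the Merlin firmware, that checks the two conditions described above from the router's own shell: whether the default route has moved into an OpenVPN client tunnel (so replies to a remote server connection would leave via the VPN provider), and whether anything is actually listening on the server port. It assumes Asuswrt-Merlin's naming of client tunnels as tun11 to tun15 and the GUI-default server port UDP 1194 (override with SERVER_PORT); the parsing helpers take command output as text so they can also be exercised off the router.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks, from the router's own point
# of view, the two things that commonly make an OpenVPN server unreachable on
# Asuswrt-Merlin: the default route having moved into an OpenVPN client tunnel,
# and nothing listening on the server port.
# Assumptions: client tunnels are tun11..tun15 (Merlin's naming) and the server
# uses UDP 1194 (the GUI default); set SERVER_PORT if you changed it.

SERVER_PORT="${SERVER_PORT:-1194}"

# Given the text of `ip route show default`, print the interface carrying the
# first default route (empty if there is none).
default_iface() {
    printf '%s\n' "$1" | awk '$1=="default" { for (i=1; i<=NF; i++) if ($i=="dev") { print $(i+1); exit } }'
}

# Succeeds when the default route points into an OpenVPN client tunnel. In that
# state replies to a remote OpenVPN *server* connection leave via the VPN
# provider rather than the WAN, and the firewall does not allow the flow.
default_via_vpn_client() {
    case "$(default_iface "$1")" in
        tun1[1-5]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Given the text of `netstat -lnu`, succeed if a UDP socket is bound to port $2.
server_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "udp" { a = $4; sub(/.*:/, "", a); if (a == port) found = 1 }
        END { exit !found }'
}

main() {
    routes=$(ip route show default 2>/dev/null)
    iface=$(default_iface "$routes")
    if default_via_vpn_client "$routes"; then
        echo "default route via $iface: the router itself is inside the VPN client tunnel;"
        echo "  enable routing policy (exclude the router) or stop the client before testing the server"
    else
        echo "default route via ${iface:-none}: replies to remote clients will use the WAN"
    fi
    if server_listening "$(netstat -lnu 2>/dev/null)" "$SERVER_PORT"; then
        echo "OpenVPN server is listening on UDP $SERVER_PORT"
    else
        echo "nothing is listening on UDP $SERVER_PORT: is the server enabled?"
    fi
}

main
```

Run it over SSH on the router while the Windscribe client is up and again after disabling it; the first line flips from tun1x to the WAN interface, which is exactly the change that makes the server reachable.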
 

Bitrudeuk

Occasional Visitor
Hi eibgrad, I think I have finally managed to get my OpenVPN server up and running, via my mobile tethered to my laptop. I can access the router via the OpenVPN connection, but not my QNAP NAS or Plex server, which is hosted on the NAS. So despite having granted access to both LAN and Internet on the server, something isn't quite right?

I'm going to have a read through the NAS forum, but in theory I shouldn't need to do anything on the NAS, as the router is the gateway to everything on my LAN right? :oops:

I know I'm missing something and it's no doubt staring me right in the face...

I do have a few kernel lines in the system log which say things are not a mesh client and it can't update its ip, could that be the/an issue?
 

eibgrad

Part of the Furniture
Can you access (even if just ping) *anything* on the home network via the VPN? Big difference between no access at all, vs. no access to only specific devices. In the latter case, it's often personal firewalls on the target devices that prevent access. Or perhaps the target device doesn't have a default gateway specified, so it doesn't know how to route back to the router, and subsequently back to the OpenVPN client.

Also, make sure you have either Both or LAN only specified for the "Client will use VPN to access" setting on the OpenVPN server.
 

Bitrudeuk

Occasional Visitor
Can you access (even if just ping) *anything* on the home network via the VPN?

OpenVPN Server is open to both LAN and Internet traffic by the way, just triple checked ;)

Thanks for the suggestion on pinging, I initially could only ping my Humax box and Ring doorbell. I then switched off my QUFirewall and was able to ping and access my NAS and Plex server :)

I was told on the QNAP forum that I may as well switch off the QUFirewall, as the AX88 router firewall is enough protection? Is that true or not??

If I still wanted to have it on, would I just need to add the OpenVPN server IP to the firewall rules to allow access? And I guess I would then need to make it static, so I didn't have to worry about it changing and losing access?

I assume this would cover it? https://www.qnap.com/en/how-to/faq/article/how-to-setup-qufirewall-to-allow-vpn-connections

Would it mean I'd need to also add the OpenVPN server key etc to the QNAP VPN software QVPN?

Thanks again for all your help so far. I'm away next week, so it will be a good test before being off site for longer in a few months! Hopefully I can just leave QUFirewall off and it's nice and simple?
 

eibgrad

Part of the Furniture
I was told on the QNAP forum that I may as well switch off the QUFirewall, as the AX88 router firewall is enough protection? Is that true or not??

That's a matter of personal preference. Some ppl like maintaining personal firewalls as secondary protection. Just depends on whether it becomes too annoying imo. It may matter as well whether you consider all the other devices on your local network as trustworthy. Consider ppl foolish enough to place all those cheap IOT devices on their private network. If they're ever compromised, then you obviously have a potential threat lurking on the private network. But the correct solution is to place them on their own network.

If I still wanted to have it on, would I just need to add the OpenVPN server IP to the firewall rules to allow access? And I guess I would then need to make it static, so I didn't have to worry about it changing and losing access?

You would need to add the OpenVPN server's IP pool on the tunnel (e.g., 10.8.0.0/24) as a valid subnet on the QUFirewall. I've never used that device, so I can't tell you exactly how to do it, but most firewalls are very similar. There must be a way to add a rule for it.

The other option (which is sometimes useful if you have LOTs of devices w/ personal firewall issues) is to NAT the traffic inbound from the OpenVPN server's tunnel w/ the LAN ip of the router as it's dropped on the private network.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

You'd need to add it as a nat-start script to make it persistent.

So now your local devices believe the traffic is originating from within the local/private network, which is usually NOT an issue for personal firewalls. But it's really from the internet.

This is particularly popular w/ Windows users who don't want to run around to all their Windows machines and configure all those firewalls one by one.

Would it mean i'd need to also add the OpenVPN server key etc to the QNAP VPN software QVPN?

NO. The QNAP knows nothing about any VPNs here. The only issue is that sometimes devices will NOT allow access by any other private network other than the one on which they are running. If you do introduce another private network (e.g., 10.8.0.0/24), then you have to reconfigure the firewall to allow it (or else disable the firewall completely).
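As an added example, not eibgrad's script and not part of Asuswrt-Merlin, here is how the SNAT one-liner above could be carried in a nat-start user script so it survives firewall restarts and is not duplicated when the hook fires more than once per boot. It assumes the GUI-default server pool 10.8.0.0/24 and the br0 LAN bridge from the post, and reads the LAN address from nvram exactly like the one-liner; the rule is only applied on the router (where nvram exists), so the helper functions can be checked elsewhere first.

```shell
#!/bin/sh
# Added example for Asuswrt-Merlin's nat-start hook (not the forum poster's script).
# Purpose: make traffic arriving from the OpenVPN *server* tunnel look to LAN
# devices as if it came from the router's own LAN address, so per-device
# firewalls (QuFirewall, Windows Firewall) accept it without per-host rules.

TUN_POOL="${TUN_POOL:-10.8.0.0/24}"   # assumption: GUI-default server pool
LAN_IF="${LAN_IF:-br0}"               # LAN bridge on Asuswrt

# Compose the rule specification (chain + match + target) once, so the same
# words are used for -C (check), -I (insert) and -D (delete).
snat_rule_spec() {
    echo "POSTROUTING -s $1 -o $2 -j SNAT --to $3"
}

# Cheap sanity check on the pool: a malformed or empty source makes iptables
# reject the rule, leaving no NAT and only a cryptic error in the log.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Insert the rule only if it is not already present: nat-start can run several
# times per boot (WAN bounce, firewall restart), and duplicates accumulate.
ensure_snat_rule() {
    spec=$(snat_rule_spec "$1" "$2" "$3")
    # $spec is deliberately unquoted so the shell splits it into arguments.
    if iptables -t nat -C $spec 2>/dev/null; then
        return 0
    fi
    iptables -t nat -I $spec
}

main() {
    lan_ip=$(nvram get lan_ipaddr)
    if ! valid_cidr "$TUN_POOL" || [ -z "$lan_ip" ]; then
        logger -t nat-start "SNAT rule skipped: pool='$TUN_POOL' lan_ip='$lan_ip'"
        return 1
    fi
    ensure_snat_rule "$TUN_POOL" "$LAN_IF" "$lan_ip" &&
        logger -t nat-start "SNAT $TUN_POOL -> $lan_ip on $LAN_IF in place"
}

# Only act on the router itself; elsewhere (no nvram) just define the helpers.
if command -v nvram >/dev/null 2>&1; then
    main
fi
```

Save it as /jffs/scripts/nat-start with JFFS custom scripts enabled, make it executable, and confirm with `iptables -t nat -L POSTROUTING -n` that the SNAT entry sits above the firmware's own MASQUERADE rule. Keep in mind the trade-off eibgrad describes: once the rewrite is in place, LAN devices can no longer tell tunnel traffic from local traffic, so any per-device policy that relied on that distinction is gone.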
 

Bitrudeuk

Occasional Visitor
That's a matter of personal preference. Some ppl like maintaining personal firewalls as secondary protection. Just depends on whether it becomes too annoying imo. It may matter as well whether you consider all the other devices on your local network as trustworthy. Consider ppl foolish enough to place all those cheap IOT devices on their private network. If they're ever compromised, then you obviously have a potential threat lurking on the private network. But the correct solution is to place them on their own network.
Thank you, I have my IOT devices all (I think) on one of my guest networks ;) I discovered this suggestion after I had connected everything to my normal network, so had to spend some extra time re-configuring a few devices, but we got there in the end!

You would need to add the OpenVPN server's IP pool on the tunnel (e.g., 10.8.0.0/24) as a valid subnet on the QUFirewall. I've never used that device, so I can't tell you exactly how to do it, but most firewalls are very similar. There must be a way to add a rule for it.
Yep, added the rule and it worked a treat, thanks! That way, the extra layer is there, just in case! After being bitten by QLocker once, I don't fancy doing all this again and re-installing the NAS etc from scratch again anytime soon!

One slightly different question, but it will impact how I access the home server down the line. Reading around, it seems difficult to install OpenVPN on a Firestick or Nvidia Shield? If I just install the "home" server as a client on the router at the other house, accessing the Plex app on the TV would still work the same as it is via my laptop with a local OpenVPN connection on it right, because everything using the router is effectively accessing my LAN/Internet at the other house? I would just have to switch that "home server" client off, if I wanted to switch Windscribe on, to change geo location for other apps right?

Ultimately I think it's gonna be best just to have a NAS at each location that are mirrored, and then I can just have Windscribe on the router and the firestick/Shield for geo location stuff... But until then, I need to try and get the above working, so thanks for all your help again!
 
