Is there a way to connect to the second router connected to the vpn client?

fgsdfes

New Around Here
There is a root router (rt-ac58u) that is directly connected to the external Internet,
and a second router (rx-ax58u) connected to it. The second router is also connected to a VPN client (ExpressVPN).

I thought that, since the root router is directly connected to the external Internet, I could access the second router through it. But I can't access it.

I tried various methods to get access:
1. Forwarded port 3389 on both the root router and the second router.
2. Set up DMZ on the root router and forwarded port 3389 on the second router.
3. Ran a VPN server on the root router and forwarded port 3389 on the second router, then tried to connect to the root router through the VPN.

None of the three methods worked while the second router was connected to the VPN client (ExpressVPN).
However, when I disconnected the VPN client, all three methods worked normally.

In addition, the second router was accessible while I was connected directly to the first router (Ethernet or Wi-Fi, not from outside).

Is there a way to connect to the second router connected to the vpn client?
 

eibgrad

Very Senior Member
I assume the secondary router is daisy-chained to the primary router, WAN to LAN respectively.

The good news is, it's all working normally (although it doesn't feel that way).

When the second router is connected as an OpenVPN client, the OpenVPN server reconfigures its default gateway to point to the VPN rather than its WAN. Then when you attempt to access it remotely through the primary router, its replies get routed over the VPN rather than back over the WAN of the second router. It's doing exactly what you told it to do.

Of course, the problem is that in this one particular case, you want an exception made so any remote access over the WAN of the second router is forced back over that same WAN, and NOT the VPN.

One way to do that would be to NAT the remote inbound traffic to the WAN of the primary router w/ its LAN ip so that it appears to be coming from the primary router rather than the internet, and now the secondary router would finally route that back over its WAN since it *knows* that LAN ip address is only accessible over the WAN.

It's a relatively easy fix provided you're using third-party firmware (e.g., Merlin, DD-WRT, FreshTomato). If it's OEM/stock firmware, you probably won't have the necessary low-level access to the firewall in order to add the NAT rule.

There are other ways, but most have their own set of limitations. Before suggesting any other alternatives, let's first determine if the above is possible in your situation.
 
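The NAT rule described in the post above, as an added example that is not part of the thread: a POSIX shell snippet for the primary router that rewrites the source of remote RDP traffic (already DNAT'd by the port forward to the secondary router's WAN address) to the primary router's own LAN IP, so the secondary router sends the replies back over its WAN rather than into the VPN. The addresses and port are the ones the poster gave (192.168.1.1, 192.168.1.201, 3389); the LAN bridge name br0 and the use of a firewall hook script (on Asuswrt-Merlin, /jffs/scripts/firewall-start) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the PRIMARY router.
# After the port forward (DNAT in PREROUTING) has chosen the secondary router's
# WAN address as destination, POSTROUTING rewrites the source to the primary
# router's LAN address. The secondary router knows 192.168.1.0/24 only via its
# WAN, so its replies no longer follow the VPN default route.

PRIMARY_LAN_IP="${PRIMARY_LAN_IP:-192.168.1.1}"       # primary router LAN address (thread)
SECONDARY_WAN_IP="${SECONDARY_WAN_IP:-192.168.1.201}" # secondary router WAN address (thread)
RDP_PORT="${RDP_PORT:-3389}"                          # port forwarded in the thread
LAN_IF="${LAN_IF:-br0}"                               # assumed LAN bridge name

# Build the iptables command. Match only the forwarded host and port so that
# ordinary LAN-to-LAN traffic keeps its real source addresses.
# "$1" selects the action: -A (append), -C (check), -D (delete).
snat_rule() {
    action="${1:--A}"
    printf 'iptables -t nat %s POSTROUTING -o %s -d %s -p tcp --dport %s -j SNAT --to-source %s' \
        "$action" "$LAN_IF" "$SECONDARY_WAN_IP" "$RDP_PORT" "$PRIMARY_LAN_IP"
}

# Append the rule only if it is not already present; firewall hooks may run
# more than once, and duplicate SNAT rules are harmless but confusing.
install_snat_rule() {
    if sh -c "$(snat_rule -C)" 2>/dev/null; then
        echo "SNAT rule already present"
    else
        sh -c "$(snat_rule -A)"
    fi
}

remove_snat_rule() {
    sh -c "$(snat_rule -D)"
}

case "${1:-}" in
    install) install_snat_rule ;;
    remove)  remove_snat_rule ;;
    show)    snat_rule -A; echo ;;
esac
```

Call it as `sh snat-rdp.sh install` from the firewall hook, or `show` to print the rule without touching the firewall. Two caveats: the secondary router and the RDP host behind it now see every remote RDP session as coming from 192.168.1.1, so any source-address filtering or logging of remote clients has to happen on the primary router (for example by adding `-s <your public IP>` to the rule); and the rule is deliberately narrow (TCP 3389 to 192.168.1.201 only), so nothing else on the LAN is affected.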

fgsdfes

New Around Here
Thank you for your kind reply.
Thanks to you, I could understand why it didn't work.

I looked for ways to solve this problem.
I'm going to try the following methods when I get home, can you review it?

1. Install Merlin firmware on the second router, rt-ax86u.
2. When setting up the openvpn client, the Policy based routing function is used as follows.

========= current router settings =========
root router: 192.168.1.1 (WAN: my real ip)
second router: 192.168.50.1 (WAN: 192.168.1.201)
=================================

== TODO: Policy based routing ==
LAN 192.168.50.0/24 0.0.0.0 VPN
Router 192.168.50.1 0.0.0.0 WAN
=======================

It may be a hassle, but if you have time, please review whether it can be solved in the above way.
Thank you.
 

eibgrad

Very Senior Member
If the ultimate target of your remote access is the secondary router itself, then sure, it will now become reachable. But based on your original post, I had the impression you ultimately needed RDP (port 3389) access to some LAN device beyond the secondary router (e.g., 192.168.50.100). That remains unreachable unless it too is removed from the VPN w/ its own routing policy rule. But that's obviously only viable if you can live w/ the fact that everything else on the target (NOT just RDP) will be bound to the WAN as well. IOW, it's an all or nothing proposition.

As I said, there are other solutions (and routing policy was one of them, provided you decided to install Merlin). Another is to access the device over the VPN, provided your VPN provider supports port forwarding (some do, most don't). Or if you *know* the public IPs from which you will be doing the remote access (e.g., workplace, school, commonly visited wifi cafe), you can simply create static routes (in the form of route directives in the custom config field of the OpenVPN client) that bind those IPs to the WAN.

Code:
route 199.199.199.199 255.255.255.255 net_gateway # single public IP
route 188.188.188.0 255.255.255.0 net_gateway # class C network

net_gateway is an OpenVPN reserved word. It will determine the gateway IP of the WAN at runtime and create these routes accordingly.
 

fgsdfes

New Around Here
Thank you for your support.
I found an appropriate way and solved it.

1. Run vpn server on Root Router.

2. Implemented split tunneling on the second router as follows:
Source            Destination       Iface
192.168.50.0/24   0.0.0.0           VPN   (all connections from the second router)
192.168.50.0/24   192.168.1.0/24    WAN   (except for connections to the root router)

3. Added a port forwarding rule for port 3389 on the second router.

Thank you.
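A check for the split-tunnel rules in the post above, as an added example that is not part of the thread: run on the second router, it asks the kernel which interface a packet from a LAN client would leave by, once towards the root router's LAN and once towards a public address, and reports whether the first goes out the WAN and the second into the tunnel. The client address 192.168.50.100 is the example host from the earlier reply; the interface names (br0 for the LAN bridge, eth0 for the WAN, tun11 for Asuswrt-Merlin's first OpenVPN client) and the public test address 8.8.8.8 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the SECONDARY router after the
# policy rules are in place. `ip route get ... from X iif Y` makes the kernel
# evaluate the same policy-routing rules a forwarded packet would hit.

LAN_CLIENT="${LAN_CLIENT:-192.168.50.100}"   # example RDP host behind the second router
ROOT_LAN="${ROOT_LAN:-192.168.1.1}"          # root router LAN address (thread)
PUBLIC_DST="${PUBLIC_DST:-8.8.8.8}"          # constructed public address
LAN_IF="${LAN_IF:-br0}"                      # assumed LAN bridge
WAN_IF="${WAN_IF:-eth0}"                     # assumed WAN interface
VPN_IF="${VPN_IF:-tun11}"                    # assumed OpenVPN client interface

# Extract the "dev X" token from one line of `ip route get` output.
# Prints nothing for error lines such as "RTNETLINK answers: Network is unreachable".
dev_of() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Egress device for a flow from $1 (LAN client) to $2, as the kernel would route it.
egress_dev() {
    dev_of "$(ip route get "$2" from "$1" iif "$LAN_IF" 2>/dev/null | head -n 1)"
}

# Compare observed vs expected device; prints a verdict, returns 0 on match.
expect_dev() {   # $1 = label, $2 = observed, $3 = expected
    if [ "$2" = "$3" ]; then
        echo "ok   $1 -> $2"
        return 0
    fi
    echo "FAIL $1 -> ${2:-<no route>} (expected $3)"
    return 1
}

# Both checks must pass: root-router LAN via WAN, everything else via VPN.
verify_split_tunnel() {
    rc=0
    expect_dev "to root router LAN" "$(egress_dev "$LAN_CLIENT" "$ROOT_LAN")" "$WAN_IF" || rc=1
    expect_dev "to public address"  "$(egress_dev "$LAN_CLIENT" "$PUBLIC_DST")" "$VPN_IF" || rc=1
    return $rc
}

case "${1:-}" in
    check) verify_split_tunnel ;;
esac
```

Run `sh check-split.sh check`. If the first line reports tun11, the 192.168.1.0/24 exception is missing or ordered after the catch-all rule; if the second reports eth0, traffic is leaking around the VPN. The check also catches the case the thread started with, where remote access failed because the VPN had taken over the default route.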
 
