OpenVPN and access to LAN from outside

[Gilbert]

Hello,

I use openVPN in my Asus AC86u (Asus WRT-Merlin 384.14) Router.
When i enable OpenVPN its connect to my VPN provider and i can access the internet from my devices.
But i can't access my devices (like Domoticz) from the outside anymore. I have search for solution, but i couldn't solve the problem. Can someone tell me what to do?

Greetz

 

[ColinTaylor]

https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

 

[Gilbert]

I tried that, i don't work for me.
What ever i configure, i can't access my device from the wan (example : WANIP.COM:12345)

 

[ColinTaylor]

What policy rules are you using?

 

[Chris_J]

I had this issue and managed to solve it in two ways, either:
a) setting policy routing to "Policy Rules", i.e. not strict.
b) adding the router ip address to the openVPN client to route through the WAN

 

[Gilbert]

I had this issue and managed to solve it in two ways, either:
a) setting policy routing to "Policy Rules", i.e. not strict.
b) adding the router ip address to the openVPN client to route through the WAN

Where in the router? Can you provide me with screen dumps?

I found the policy rules....

for b, you mean this?:

Rules for routing client traffic through the tunnel (Max Limit : 100)
Description Source IP Destination IP Iface

 

[Chris_J]

See attached screenshot. 5th entry down is what I mean. This is found under the VPN client settings.

 

[cplay]

I had this issue and managed to solve it in two ways, either:
a) setting policy routing to "Policy Rules", i.e. not strict.
b) adding the router ip address to the openVPN client to route through the WAN

I did letter a to fix my problem.

However, could you quickly tell me how to do b?

 

[Chris_J]

VPN >> VPN Client >> Rules for routing client traffic...

Add an entry to the table with the following:
192.168.1.1 - 0.0.0.0 - WAN

I tried a) at first, but I wanted to retain strict policy routes, as otherwise it would occasionally mess with some settings that I have for specific WAN routes on my network. In the end b) was the one that worked in my use-case.

Also, stating the obvious here but you never know - make sure that your VPN server setting has "both" set under the "Client will use VPN to access" setting.

 

[cplay]

Yeah I have those set up in kill switch:

192.168.1.0/24 , VPN
192.168.1.1 WAN

However, when VPN is enabled I can't access my 4g modem (192.168.5.1) that is connected to the wan port of the asus router (192.168.1.1).

Only way I've found to remedy this issue is by chaning policy rules from strict to policy rules.

 

[Chris_J]

Try adding to the client table:

0.0.0.0 - 192.168.5.1 - WAN

(kind of like my entry for "ISP router" in the screenshot I posted, but with your IP address.)

 

[Gilbert]

See attached screenshot. 5th entry down is what I mean. This is found under the VPN client settings.

Thanx, I have added the rule with router IP.
But when i enable VPN client. I seems that VPN now expose my own ISP IP adress. What i am missing.
With Policy settings to No. My IP is hidden....

 

[ColinTaylor]

Thanx, I have added the rule with router IP.
But when i enable VPN client. I seems that VPN now expose my own ISP IP adress. What i am missing.
With Policy settings to No. My IP is hidden....

Show us a screenshot of your policy rules.

 

[Gilbert]

Show us a screenshot of your policy rules.

Or do i need to configure it for every device that i want to use with VPN?

 

[ColinTaylor]

Or do i need to configure it for every device that i want to use with VPN?

https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing

By default, all traffic goes through the WAN. What you define there with a VPN iface will be routed through the VPN. Use the WAN iface to configure exceptions to configured VPN rules (for instance, if you configure a /24 to be routed through the VPN, but want one IP within that /24 to be routed through the WAN instead).

A common configuration setup where you want your whole LAN to go through the VPN, but not the router itself:

LAN        192.168.1.0/24    0.0.0.0        VPN
Router        192.168.1.1    0.0.0.0        WAN

 

[cplay]

https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-routing

What do I do if i have a modem behind the router?

Currently only to access modem behind router when vpn is on with the common config you are referring to is to swap from policy rules strict to policy rules?

 

[Chris_J]

Did you try my suggestion? I have the situation when the router is behind the modem and the exception rule I gave works.

 

[ColinTaylor]

What do I do if i have a modem behind the router?

Currently only to access modem behind router when vpn is on with the common config you are referring to is to swap from policy rules strict to policy rules?

I would try creating a rule that specifies the IP address of the modem as the destination address.

EDIT: Yes, like @Chris_J said.

 

[cplay]

Did you try my suggestion? I have the situation when the router is behind the modem and the exception rule I gave works.

it doesn’t for me.

I have exclusive set for dns.
Policy rules strict and with all ips with vpn, and the router ip and modem ip set up to wan (I added the modem up per your instruction) and it won’t allow me access to my modem if policy rules are set to strict not just policy rules?

 

[Chris_J]

Can you send a screenshot of your policy rules table?