OpenVPN LAN access + one external IP

swaaye

New Around Here
Hi,

I have an OpenVPN server running on an ASUS Merlin router with only LAN access but would like to have traffic to one external IP also go through this VPN connection. I tried adding a route (i.e. route 123.123.123.123 255.255.255.255 vpn_gateway) on the client but I can only access the IP from the VPN client if I disable the firewall on the VPN server / ASUS router. I suppose the packets coming back from the external IP to the VPN subnet are seen as unsolicited and blocked. Is there a solution to this?
 
Besides the route directive on the client (note, you could alternatively *push* that route to the client, which might make more sense given what follows), you also need to add an iptables rule w/ a firewall-start script on the server side.

Code:
#!/bin/sh
# firewall-start: allow forwarding from the OpenVPN server's tunnel subnet to the external host
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 123.123.123.123 -j ACCEPT
 
Thank you. That works well.
 
FYI.

While it works, it only works for the OpenVPN client itself. But let's say the OpenVPN client is part of a site-to-site configuration w/ the same server. Under such circumstances, the OpenVPN client would NOT typically NAT the tunnel w/ its own assigned IP, and therefore the IP network seen on the server side of the tunnel would be that of the IP network *behind* the OpenVPN client, and thus NOT match the rule!

That's why upon further reflection, the following would be preferred since it is NOT specific as to the IP network coming through the tunnel. It only cares about the tunnel's network interface, which remains constant, no matter how the VPN is used.

Code:
# match on the tunnel interface (tun21/tun22) instead of the tunnel subnet
iptables -I FORWARD -i tun2+ -d 123.123.123.123 -j ACCEPT

For simplicity, I used tun2+ (+ is a wildcard) to cover both possible OpenVPN servers (tun21 and tun22).

Again, what I originally suggested works in your case. But just in case someone else comes along and sees this thread, and is configured as site-to-site, I want it understood that the above is the better solution.
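As an added example (not code from the thread or from Asuswrt-Merlin), here is the interface-based rule carried into a complete firewall-start script that stays correct when the script runs more than once, together with the server-side push directive mentioned in the first reply. EXT_HOST, TUN_IF, DRY_RUN, rule_args, ensure_rule and remove_rule are names introduced here; 123.123.123.123 is the thread's placeholder address; the fallback to printing the commands when iptables is unusable is an assumption added so the script can be exercised off-router.

```shell
#!/bin/sh
# Added example, not code from the thread: an idempotent firewall-start script for an
# Asuswrt-Merlin router that lets traffic arriving on any OpenVPN *server* tunnel
# (tun21, tun22) be forwarded to one external host. Matching on the tunnel interface
# rather than on the tunnel subnet keeps the rule valid for site-to-site clients,
# whose traffic carries the LAN addresses behind the client, not the tunnel IP.
# EXT_HOST / TUN_IF / DRY_RUN are assumed names; 123.123.123.123 is the thread's placeholder.

EXT_HOST="${EXT_HOST:-123.123.123.123}"
TUN_IF="${TUN_IF:-tun2+}"          # trailing + is an iptables interface wildcard
IPTABLES="${IPTABLES:-iptables}"

# Use the live firewall when iptables is present and usable (root on the router);
# otherwise only print the commands, so the script can be exercised off-router (assumption).
if [ -z "${DRY_RUN:-}" ]; then
    if $IPTABLES -S FORWARD >/dev/null 2>&1; then DRY_RUN=0; else DRY_RUN=1; fi
fi

# One source of truth for the match, so -C (check), -I (insert) and -D (delete)
# always refer to exactly the same rule.
rule_args() {
    printf '%s' "FORWARD -i $TUN_IF -d $EXT_HOST -j ACCEPT"
}

# firewall-start can run more than once per boot (e.g. after a WAN restart); a bare
# "iptables -I" would stack a duplicate rule each time. Check before inserting.
ensure_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I $(rule_args)"
        return 0
    fi
    if $IPTABLES -C $(rule_args) 2>/dev/null; then
        return 0                    # already present, nothing to do
    fi
    $IPTABLES -I $(rule_args)
}

# Remove every copy of the rule (retiring the host, or cleaning up after testing).
remove_rule() {
    [ "$DRY_RUN" = 1 ] && { echo "iptables -D $(rule_args)"; return 0; }
    while $IPTABLES -D $(rule_args) 2>/dev/null; do :; done
    return 0
}

# Server-side counterpart, placed in the OpenVPN server's custom config, so that the
# client needs no manual route directive:
#   push "route 123.123.123.123 255.255.255.255"

ensure_rule || echo "firewall-start: failed to install rule: $(rule_args)" >&2
```

On the router this would be saved as /jffs/scripts/firewall-start and marked executable; the route on the client (or the pushed route) is still required, since this script only opens the forwarding path on the server. Running it on a workstation without privileges simply prints the iptables command it would issue.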