Menu
What's new
By:
Filters Better Search

OpenVPN server 2 (10.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

P

pekka

New Around Here
Dear forum

Hopefully you can help me. This should be so simple but I have been stuck with this for 2 days now.
And I cannot be the one person wanting to do this.

I am running 386.1_2 on RT-AC86U and my goal is to setup 2 OpenVPN servers.

Server1 (ip pool: 10.8.0.0) : access to all LAN (192.168.1.*)
Server2 (ip pool: 10.16.0.0): access to singe static IP in LAN (192.168.1.6)

Both servers work now providing access to all LAN like show in IPv4 routing table.

The question is this simple, how do I change the routing so that all traffic from 10.16.0.0 goes to 192.168.1.6?

Thank you for helping a newbie.

Pekka
 

Attachments

  • static.png
    static.png
    15 KB · Views: 89
Last edited:
@pekka welcome to the forums.

You haven't asked a question though, let alone give us any details of your hardware, firmware, or other aspects of your network that may be pertinent to a good reply. :)
 
L&LD said:
@pekka welcome to the forums.

You haven't asked a question though, let alone give us any details of your hardware, firmware, or other aspects of your network that may be pertinent to a good reply. :)
Click to expand...
@L&LD It seems than that I am failing in everything today :) ...apologies for accidentaly sending an uncomplete post. Hopefully completele message makes answering easier :)
 
pekka said:
Dear forum

Hopefully you can help me. This should be so simple but I have been stuck with this for 2 days now.
And I cannot be the one person wanting to do this.

I am running 386.1_2 on RT-AC86U and my goal is to setup 2 OpenVPN servers.

Server1 (ip pool: 10.8.0.0) : access to all LAN (192.168.1.*)
Server2 (ip pool: 10.16.0.0): access to singe static IP in LAN (192.168.1.6)

Both servers work now providing access to all LAN like show in IPv4 routing table.

The question is this simple, how do I change the routing so that all traffic from 10.16.0.0 goes to 192.168.1.6?

Thank you for helping a newbie.

Pekka
Click to expand...
Here is a firewall solution in lieu of a routing solution.

You probably should really put these in the OVPN chain (rather than directly into the FORWARD chain) when the OpenVPN server initialises, but try it as-as
Code: 
modprobe xt_comment 

iptables -I FORWARD -s 10.16.0.0/24 -d 192.168.1.0/24 -i tun22 -o br0 -m comment --comment "VPN Block LAN" -j REJECT --reject-with icmp-port-unreachable
iptables -I FORWARD -s 10.16.0.0/24 -d 192.168.1.6/32 -i tun22 -o br0 -m state --state NEW -m comment --comment "VPN to LAN Resource" -j ACCEPT
 
eibgrad said:
Code: 
iptables -I FORWARD -s 10.16.0.0/24 ! -d 192.168.1.6 -j REJECT
Click to expand...
Thank you @Martineau and @eibgrad OpenVPN iptables rules seems to be the right way forward and I can can see the change in routing table.
Unfortunatelly this also caused OpenVPN server not to start. I need to further study the iptables tomorrow.
 

Attachments

  • error.png
    error.png
    8.2 KB · Views: 84
  • static2.png
    static2.png
    5.9 KB · Views: 89
It would help if you labeled these snapshots. They're so narrowly cropped (no column headings, nothing), it's not always obvious what we're looking at.

Is that a static route for 192.168.1.6 pointing to the tunnel of the OpenVPN server?! If so, why? If 192.168.1.6 is routable from within the LAN, then there's no need to configure static routing, least of all back to the tunnel's IP network. It's just a firewall issue.
 
eibgrad said:
It would help if you labeled these snapshots. They're so narrowly cropped (no column headings, nothing), it's not always obvious what we're looking at.

Is that a static route for 192.168.1.6 pointing to the tunnel of the OpenVPN server?! If so, why? If 192.168.1.6 is routable from within the LAN, then there's no need to configure static routing, least of all back to the tunnel's IP network. It's just a firewall issue.
Click to expand...
After trying "iptables -I FORWARD -s 10.16.0.0/24 ! -d 192.168.1.6 -j REJECT" to OpenVPN CustomConfiguration (img: customconfiguration) I did see the changes in the Routing Table (Img: RoutingTable) but it also caused Open VPN Server failed to start error (img: OpenVPN_failedtostart).
 

Attachments

  • customconfiguration.png
    customconfiguration.png
    22.7 KB · Views: 120
  • OpenVPN_failedtostart.png
    OpenVPN_failedtostart.png
    49.1 KB · Views: 104
  • RoutingTable.png
    RoutingTable.png
    24.5 KB · Views: 90
The firewall rule does NOT go in custom config! It needs to be added as a firewall-start script!
 
I think 2048 RSA Encryption is required.
 
Here's a link to an example of adding a firewall-start script (just change the rule).

www.snbforums.com

NordVPN and DNS

Hello I was wondering IF I need to use Nordvpn's DNS servers or Can I use Cloudfare, Google or quad9 DNS servers. If yes how can I make this happen?
www.snbforums.com www.snbforums.com
 
@elorimer, I thought that was the default necessary from v2.5 (or v2.51) forward. (As weaker ciphers get removed with each update).
 
eibgrad said:
Here's a link to an example of adding a firewall-start script (just change the rule).

www.snbforums.com

NordVPN and DNS

Hello I was wondering IF I need to use Nordvpn's DNS servers or Can I use Cloudfare, Google or quad9 DNS servers. If yes how can I make this happen?
www.snbforums.com www.snbforums.com
Click to expand...
@eibgrad This is getting even more strange now.
With you help (and vi editor user manual) I was able to add the firewall rule to /jffs/scripts and the routing table now looks like in picture 1. Rule added OK.
But there is still the default rule in row three which gets pushed to OpenVPN client "add route 192.168.1.0/24 11 10.16..0.1" which means I am still able to access everything in 192.168.1.0. BUT when I make an OpenVPN client configuration "route-nopull route 192.168.1.6" everything is routed to 192.168.1.6 IP only. But I cannot take the risk that someone is smart enough will remote those 2 rows from clien configuration.
How to remove the default routing in row 3? Why the firewall rule does not work?
 

Attachments

  • picture1.png
    picture1.png
    18.2 KB · Views: 75
pekka said:
@eibgrad This is getting even more strange now.
With you help (and vi editor user manual) I was able to add the firewall rule to /jffs/scripts and the routing table now looks like in picture 1. Rule added OK.
But there is still the default rule in row three which gets pushed to OpenVPN client "add route 192.168.1.0/24 11 10.16..0.1" which means I am still able to access everything in 192.168.1.0. BUT when I make an OpenVPN client configuration "route-nopull route 192.168.1.6" everything is routed to 192.168.1.6 IP only. But I cannot take the risk that someone is smart enough will remote those 2 rows from clien configuration.
How to remove the default routing in row 3? Why the firewall rule does not work?
Click to expand...

Ok, let's back up, because I have no idea what you're trying to do here. What's w/ this "add route 192.168.1.0/24 11 10.16..0.1", or "route-nopull route 192.168.1.6." None of that makes any sense.

Normally you set the access mode on the OpenVPN server to LAN only (or Both), and the server pushes the LAN (e.g., 192.168.1.0/24) to the OpenVPN client. That gives the client the routing and access to that network over the tunnel. But you wanted to restrict that access to only *one* device/IP, specifically 192.168.1.6, which can be done w/ the firewall rule I provided.

That's all you need! Not unless there's some other objective here that you haven't made clear.
 
Last edited:
eibgrad said:
Ok, let's back up, because I have no idea what you're trying to do here. What's w/ this "add route 192.168.1.0/24 11 10.16..0.1", or "route-nopull route 192.168.1.6." None of that makes any sense.

Normally you set the access mode on the OpenVPN server to LAN only (or Both), and the server pushes the LAN (e.g., 192.168.1.0/24) to the OpenVPN client. That gives the client the routing and access to that network over the tunnel. But you wanted to restrict that access to only *one* device/IP, specifically 192.168.1.6, which can be done w/ the firewall rule I provided.

That's all you need! Not unless there's some other objective here that you haven't made clear.
Click to expand...
@eibgrad Thanks for your support and patience as well.
Target is to have 2 client access profies to my home network.
trough Server1 (ip pool: 10.8.0.0) : access to all LAN (192.168.1.0)
trough Server2 (ip pool: 10.16.0.0): access to singe static IP in LAN (192.168.1.6)
with the firewall rule now in place in /jffs/scripts/firewall-start
the routing table looks like picture1 in previous message (looks OK to me)

after connecting to trough Server 2 my client has IP address of: 10.16.0.2 (which is OK) but I can still access for example NAS in 192.168.1.75 so somehow the firewall rule is not working.
 
pekka said:
@eibgrad Thanks for your support and patience as well.
Target is to have 2 client access profies to my home network.
trough Server1 (ip pool: 10.8.0.0) : access to all LAN (192.168.1.0)
trough Server2 (ip pool: 10.16.0.0): access to singe static IP in LAN (192.168.1.6)
with the firewall rule now in place in /jffs/scripts/firewall-start
the routing table looks like picture1 in previous message (looks OK to me)

after connecting to trough Server 2 my client has IP address of: 10.16.0.2 (which is OK) but I can still access for example NAS in 192.168.1.75 so somehow the firewall rule is not working.
Click to expand...

Well that part makes sense. But why it's not working, I have no idea. On the face of it, it's pretty simple. My biggest concern at this point is some of the strange things you've been adding to the custom config field in particular. But if everything else is working now except for this one remaining issue, then let's first check if the firewall rule even got applied.

Code: 
iptables -vnL FORWARD
 
Problem SOLVED. Thanks @eibgrad and @L&LD

Just to conclude in case this will help some one else in the future.

After realising that best (and only?) way to update and vefify changes is from console ( I used PuTTY from WIn10) things started get smoother.
Using route and iptables -L commands you can really start to see what is happening.
And like already mentoined in this chain, add route is not needed in server side. In my case the only reason is to use it in client side to prevent all traffic going trough VPN server.

The final piece of infomration was mentioned by @L&LD "put these in the OVPN chain (rather than directly into the FORWARD chain)"
so solution was iptables -I OVPN -s 10.16.0.0/24 ! -d 192.168.1.6 -j REJECT

The only remaining mystery is why it did not work in FORWARD chain, but I can live with that :)
 
It should have worked in the FORWARD chain since it should have hit that rule long before the OVPN chain, but without being able to see the FORWARD chain in context, we're left to guess. Anyway, at least it's working.
 
Just to clarify, I did not give that advice, but glad it fixed things for you.
 
You must log in or register to reply here.

Similar threads

M
OpenVPN / site to site with special security/routing constraints
Replies
7
Views
314
elorimer
E
P
Connect OpenVPN server with Client networks
Replies
3
Views
594
L&LD
L&LD
L
Openvpn internal error add route
Replies
0
Views
254
lucian
L
W
OpenVPN Server set to LAN only allows browsing
Replies
14
Views
644
ColinTaylor
C
Wishmaster1965
Solved OpenVPN Server Issue
Replies
5
Views
675
Wishmaster1965
Wishmaster1965
Similar threads
Thread starter Title Forum Replies Date
W OpenVPN Server set to LAN only allows browsing Asuswrt-Merlin 14
G openvpn server: can not change/select data cipher Asuswrt-Merlin 1
Blankedy AC86U OpenVPN server whilst in AP mode Asuswrt-Merlin 3
M For AX68U and AX86S Merlin users: openvpn server - max user qty? Asuswrt-Merlin 1
C Openvpn server intermittently down Asuswrt-Merlin 6
Z Port forwarding for client connected to OpenVPN server Asuswrt-Merlin 0
P Connect OpenVPN server with Client networks Asuswrt-Merlin 3
P VPN Server Problem (wireguard and openvpn) Asuswrt-Merlin 7
O RT-AC86U - 386.12 : OpenVPN server crash when applying other network changes Asuswrt-Merlin 5
wavefunction How to retrieve OpenVPN server passwords? Asuswrt-Merlin 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 939 (members: 25, guests: 914)
Top