openvpn server and client question

nferguzl

I have both these services running and connections are possible to the server only if policy routing is enabled in the client. The client connects to expressvpn. I want the client connection of the openvpn server to go through the vpn tunnel (expressvpn). If I choose to direct clients to redirect internet traffic in the server settings while the openvpn client is running, I lose all internet connection. Is this possible with merlin firmware?
 
Please go to the VPN forum and see yorgi's setup guide for vpn client and vpn server. Server and client both work for me.
 
Yes they both work for me also. What doesn't work for me is the part where the clients that connect to my router's asuswrt openvpn server don't go through the vpn client provider, in this case expressvpn. These clients go directly through the router's WAN, bypassing the vpn. If I enable redirect internet traffic in the server's setup, internet connection is lost (for example, web browsing no longer works). In DDWRT there is a similar option called redirect default gateway, which works and is equivalent to the push “redirect-gateway def1” option. So in DDWRT everything works as intended; I just wanted to try asuswrt stability to my vpn provider since sometimes DDWRT has problems with DNS name resolution after a while or after a reboot. Any ideas?
 
I want the client connection of the openvpn server to go through the vpn tunnel (expressvpn). Is this possible with merlin firmware?

Try:
Code:
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE
 
These commands go in the openvpn server custom config section? Just a simple copy and paste?

No, they should be executed at a command prompt....cut'n'paste, then if they work, they should be added to the appropriate script.
 
Ok thanks, I'll try when I get home, if it works those commands should go in the firewall start script? Sorry I have no experience with user scripts, all info should be in the wiki I guess.
 
Ok thanks, I'll try when I get home, if it works those commands should go in the firewall start script?

The two commands allow both OpenVPN Server instances to 'pass-thru' a connecting client directly out through ANY (active) VPN Client connection.

If you never change the OpenVPN Server IP pools from their defaults (10.8.0.0 and 10.16.0.0 for Server 1 and Server 2 respectively) then firewall-start is probably a good place for the rules as-is.
NOTE: It is good practice to also issue a delete command to prevent unnecessary duplicates

/jffs/scripts/firewall-start
Code:
#!/bin/sh

# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

However, your requirements may require a finer control, i.e. if the OpenVPN Server configuration changes, then it may be prudent to only insert the rule during the execution of the appropriate "openvpn-event" /jffs/scripts/vpnserverX-up script; similarly delete the rule during execution of the /jffs/scripts/vpnserverX-down script.

Also you may feel that use of 'tun1+' should really explicitly only reference a specific VPN Client e.g. tun11.

I have no experience with user scripts, all info should be in the wiki I guess.

Yes

Usage
  1. User scripts

There are numerous examples of scripts, just make sure you use the correct name, ensure that you don't use a Windows editor (if you do run dos2unix against the file on the router) and make sure the file is executable etc.
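As an added example (not code from this thread, from Martineau or from Asuswrt-Merlin), here is one openvpn-event handler that follows the vpnserverX-up/-down suggestion above: it masquerades Server 1 clients out of one explicit VPN Client interface (tun11) and removes every stale copy of the rule before inserting, since a single `iptables -D` only deletes one match. The IPT and NVRAM overrides are my assumption so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example, not the thread's code: copy or symlink this file to both
# /jffs/scripts/vpnserver1-up and /jffs/scripts/vpnserver1-down.
# IPT and NVRAM are hypothetical overrides for testing off the router;
# on Merlin leave them unset so the real binaries are used.
IPT="${IPT:-iptables}"
NVRAM="${NVRAM:-nvram}"

# rule_args INSTANCE TUN: print the rule body shared by -I and -D, e.g.
# "POSTROUTING -t nat -s 10.8.0.0/24 -o tun11 -j MASQUERADE"
rule_args() {
    subnet="$("$NVRAM" get "vpn_server${1}_sn")"
    [ -n "$subnet" ] || return 1
    printf 'POSTROUTING -t nat -s %s/24 -o %s -j MASQUERADE' "$subnet" "$2"
}

# remove_all INSTANCE TUN: iptables -D deletes one copy per call, so loop
# until no match remains (a lone -D would leave earlier duplicates behind).
remove_all() {
    args="$(rule_args "$1" "$2")" || return 1
    while "$IPT" -D $args 2>/dev/null; do :; done
}

# ensure_one INSTANCE TUN: leave exactly one copy of the rule at the top
# of nat/POSTROUTING, however many times the up event fires.
ensure_one() {
    args="$(rule_args "$1" "$2")" || return 1
    remove_all "$1" "$2"
    "$IPT" -I $args
}

# Merlin invokes the script by event name; dispatch on it so one file
# serves both the up and the down event.
case "$(basename "$0")" in
    vpnserver1-up)   ensure_one 1 tun11 ;;
    vpnserver1-down) remove_all 1 tun11 ;;
esac
```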
 
I can't thank you enough Martineau! Everything works as expected. The only problem which is a minor inconvenience has to do with the openvpn client which won't turn on after the router reboots. I have to manually turn it on. Any ideas?
 
... the openvpn client which won't turn on after the router reboots. I have to manually turn it on. Any ideas?

PEBKAC?? :p

or now you are a wiz with scripts :D, you can force it to start with a command in say wan-start (or even later when you are ready etc.)

e.g. Manually start VPN Client 1 (rather than use 'start_', 'restart_' will work if it is either DOWN or obviously UP)
Code:
service restart_vpnclient1
 
LoL, coming from DDWRT firmware and a night with no sleep I barely missed that option! Thanks a lot for your help.
 
In my setup, I have a VPN client using Policy Rules to direct 1 IP to always use the tunnel. If I use the rules provided by @Martineau , do I need to make any changes to the VPN client config so the OpenVPN server clients can also use the tunnel?
 
Yes looking at my client config I notice I have a policy rule for the openvpn server clients to use the vpn instead of the wan interface.
 
Could you offer some help? My clients are not exiting the VPN Client. I have added the code to the firewall-start script but it still shows the VPN Server's ISP IP address.
 
Could you offer some help? My clients are not exiting the VPN Client. I have added the code to the firewall-start script but it still shows the VPN Server's ISP IP address.

Did you add the OpenVPN Server subnet or specific OpenVPN Server assigned client address to the Selective routing GUI?
 
Just changed my DDNS, and pass-thru is no longer working.

Server 1 setup to pass-thru to VPN client services.
Server 2 setup to use WAN interface.

Server 2 works fine, but server 1 now does not load anything.
  • firewall-start is still configured just as Martineau suggested above
  • router VPN client is still configured for s1_subnet/24 to use the VPN
  • device VPN client was updated by changing only the DDNS address in the .ovpn file

Any ideas? This was working fine before I changed the DDNS, and it's throwing me for a loop.
 
Just changed my DDNS, and pass-thru is no longer working.

Server 1 setup to pass-thru to VPN client services.
Server 2 setup to use WAN interface.

Server 2 works fine, but server 1 now does not load anything.
  • firewall-start is still configured just as Martineau suggested above
  • router VPN client is still configured for s1_subnet/24 to use the VPN
  • device VPN client was updated by changing only the DDNS address in the .ovpn file

Any ideas? This was working fine before I changed the DDNS, and it's throwing me for a loop.

NVM! I was rebooting the router from the GUI. Needed to just power cycle it manually.

FIXED
 
If you never change the OpenVPN Server IP pools from their defaults (10.8.0.0 and 10.16.0.0 for Server 1 and Server 2 respectively) then firewall-start is probably a good place for the rules as-is.
I did change the default from 10.8.0.0 because sometimes with NordVPN I would get the same subnet 10.8.0.X and that would result in problems, right?

either way, I'll try it and I'll report back.
 