Openvpn server AND client...

Alaska99

Occasional Visitor
Hello, I use the OpenVPN server on my Asus RT-AC68U to connect my iPhone, and I use the OpenVPN client to connect to my VPN provider.

If I use only the server or only the client everything runs fine, but when the OpenVPN server is connected I can't connect to the OpenVPN client with my iPhone... Is there a special config to be able to use client and server together?

I use the latest firmware, 378.50.

Thank you.
 
Start here: http://forums.smallnetbuilder.com/showthread.php?t=9311

It's called selective routing. You will need to enable JFFS and create a script to let you connect to your router's VPN server.
If you want help writing the script, please post your LAN IP range and OpenVPN server port number.
 
updated post

Download the zip and paste the code into your script.sh

https://www.dropbox.com/s/y2eyx49pb6d5dqb/script.sh?dl=0

Also in the script there are rules for other router services if you need them; all you have to do is remove the (#) from the start of the line of the service/port in order to make it active.
 
You might be "double NAT"ed, if your router sits behind another edge device like a cable modem. Sometimes you can turn off the NAT on the ISP's device and have your router take care of everything. However, mine is locked down with some customized firmware.

For me, on the OpenVPN Server tab it reads in yellow letters: "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x, or 172.16.x.x). Please configure DDNS service before starting the VPN server."

Heading over to the DDNS tab in the WAN section, it reads in yellow: "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x, or 172.16.x.x). This router may be in the multiple-NAT environment and DDNS service cannot work in this environment."

I gave up after a few days of tinkering. I previously used DD-WRT on a WRT54GL. It had an option in Setup --> DDNS --> "Do not use external ip check". If unchecked, it would check my IP (against a STUN server?) and report that to my DDNS provider instead of the WAN IP of the router. I was hoping ASUS would have added the feature by now.

If you're in the same situation, you could get a small Raspberry Pi or similar device and run a VPN server on it. I had good results with that.
 
You can achieve what you want by using a custom DDNS on Merlin firmware even when your router has a LAN IP, with the proper port forwarding etc.
Does your modem have a DMZ feature?
 
I started with your script as I'm also trying to do the same as the OP, but I'm still unable to connect to the OpenVPN server while the VPN client is running on the router. Not sure what I'm missing and hoping you can point me in the right direction.

I've added the following to the custom configuration section of the Client 1 settings:
----
script-security 2
route-up /jffs/scripts/vpn_route.sh
----

and the following in my vpn_route.sh file: screen grab

Thanks
 
@Zirescu

Try this version of vpn_route.sh

#!/bin/sh
# (Credit to SmallNetBuilder member DJR747 and Jobongo's Wiki - Howto Set SSID VPN)
# Run by the OpenVPN client via "route-up /jffs/scripts/vpn_route.sh"
# (needs "script-security 2" in the client's custom configuration).

MY_VPNTAB=100 # Routing table for tunnelled traffic (now read from /jffs/configs/VPNSelect)
TAG_MARK=1    # fwmark that selects that table (now read from /jffs/configs/VPNSelect)

# Use the OpenVPN environment variables: $dev (tun interface) and $ifconfig_local
# are only set when OpenVPN runs this script, so abort if called any other way.
if [ "X$dev" = "X" ]; then
    logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
    exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
# First remove leftovers from a previous run (errors about missing entries are harmless).
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache

# Clear the mangle PREROUTING chain; the MARK rules are added again afterwards.
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

# Default route of the VPN table points into the tunnel; packets carrying
# TAG_MARK are looked up in that table instead of the main table.
ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB



and reboot to ensure that no remnants of previous iptables modifications exist.

Start the VPN client.

Your NAS should be able to send its emails via your ISP, and external WAN clients should be able to connect to your OpenVPN server.

Then add a device to route via the VPN by setting fwmark 1:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark $TAG_MARK

If this doesn't work then you will need to dump the relevant iptables and rules to see if you have an incorrect entry.

Regards,
 
I have a Ubiquiti M5 dish on the roof; its firmware is customized by the ISP and locked down. I almost had to bribe the installers just to get the login name and password last year before they left. The DMZ is grayed out, however I can set up port forwarding. That works well, and I can connect to the OpenVPN server on my home network from outside (it's running behind the AC68U on a RasPi) using a selective routing script and a proper port forwarding setup on the Ubiquiti and the router. The DDNS feature on the Ubiquiti/modem is broken, I believe, so I have another script that does what you suggest placed in the jffs folder of my AC68U, and that updates noip/dnsomatic with my real WAN IP (Ubiquiti). I think the problem is the OpenVPN server (AC68U) is listening on the wrong IP. I believe it's listening on the double-NAT WAN IP of 192.168.101.X, or maybe it is the IP of the OpenVPN client that is running. :confused: It's just plain not working!

I think all my trouble is: how do I tell the "built in" OpenVPN server on my AC68U to listen on the IP from the script in my jffs folder? Or, to rephrase, how do I get the AC68U "built in" OpenVPN server to listen on the IP reported from IP=$(wget -qO - http://icanhazip.com) in my script up.sh below?
I can't use the AC68U built-in DDNS; it just reports my WAN IP of 192.168.101.X.

Here is my dhcpc-event, which works well and is in my /jffs/scripts/
Code:
#!/bin/sh
# /jffs/scripts/dhcpc-event: runs whenever the WAN DHCP lease changes.

sleep 5

# Schedule up.sh at minute 2 of every hour (cru = Merlin's crontab helper) so the
# DDNS record is refreshed even when no further DHCP event fires.
cru a ddns "2 * * * * /jffs/scripts/up.sh"

sleep 5

and here is up.sh placed in the same folder
Code:
#!/bin/sh
# /jffs/scripts/up.sh: update DNS-O-Matic with the real public address.

# Wait until the OpenVPN client interface (tun11) exists.
while ! ifconfig | grep -q tun11; do
    sleep 1
done

SERVICE="dnsomatic"
USER="USER"                 # replace with your DNS-O-Matic username
PASS="PASS"                 # replace with your DNS-O-Matic password
HOST="all.dnsomatic.com"
# Ask an external service which address the router appears from; this is the
# upstream public IP rather than the private 192.168.101.x address on the WAN port.
IP=$(wget -qO - http://icanhazip.com)
# Do not push an empty address if the lookup failed.
[ -n "$IP" ] || exit 1

ez-ipupdate -S $SERVICE -u $USER:$PASS -h $HOST -a $IP

exit 0
 
I'm only spitballing here, but they might be fighting over port 1194 UDP. Why not try changing the one you have control over to 443 TCP and see if that makes a positive difference.
 
I am sure I tried that, but I can try changing ports, and port forwarding again tomorrow. If nobody else has the same setup and same issue as me then it must be operator's error. :eek:
 
You are missing:
script-security 2
route-nopull
route-up /jffs/scripts/vpn_route.sh
 
I have got both to work at the same time. Thanks, forum members!
alaska - changing the vpn_route_up.sh made it work for me. I am using OpenVPN client 1 on the router to connect to PIA.

The 192.168.101.X is my ISP's modem (NAT); I set up the OpenVPN server on UDP port 2056 on the router.

Here is my vpn_route_up.sh
Code:
#!/bin/sh
# /jffs/scripts/vpn_route_up.sh - run by OpenVPN client 1 (tun11) via route-up.
# Table/mark 10 = traffic through the VPN client, table/mark 12 = traffic through the WAN.

# Remove leftovers from a previous run (errors about missing entries are harmless).
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# Table 10 defaults into the tunnel, table 12 into the ISP modem (WAN gateway).
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

# Replies arriving through the tunnel would otherwise fail the reverse-path check.
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# LAN hosts 192.168.44.2-254 go through the VPN client ...
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.44.2-192.168.44.254 -j MARK --set-mark 10
# ... while OpenVPN server traffic (UDP 2056) and the modem's web UI go through the WAN.
iptables -t mangle -A PREROUTING -i br0 -s 192.168.44.1 -p udp --dport 2056 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 192.168.101.1/24 -p tcp --dport 80 -j MARK --set-mark 12
exit

The OpenVPN client config file that is generated just needed to be edited to the correct IP/host and port, and port 2056 forwarded in the ISP modem's GUI.
 
Thanks to the posts here I managed to setup selective routing for an OpenVPN client. However I changed it around so that by default, all traffic by-passes the VPN and goes through WAN. Specified destination IPs go through the VPN. This works fine, on the local network, only certain traffic goes through the VPN and I can connect to my VPN server externally. I added a rule so that traffic on the VPN server port goes through the WAN, but this may be redundant?

However I also tried adding a firewall rule (using firewall-start) so that if the VPN client was not connected, traffic to the specified IPs would be blocked. I followed the topic on the wiki https://github.com/RMerl/asuswrt-me...ver-VPN-and-Drop-connections-if-VPN-goes-down On the local network this works, traffic is blocked when the VPN client is not running. However if I VPN into my server and then try to access a specified destination IP, this is blocked. Is there a way to tell the VPN server to push certain IPs to the VPN client?

Here's the code for the client and firewall.
Code:
#!/bin/sh
# /jffs/scripts/vpn_route_c1.sh - route-up script for OpenVPN client 1 (tun11).
# By default everything leaves via the WAN (mark 12); only the listed destinations use the VPN (mark 10).

touch /tmp/000vpn_route_c1.ran
logger -t "($(basename $0))" $$ "Starting custom vpn_route_c1.sh"
echo "($(basename $0))" $$ "Starting vpn_route_c1.sh"

# Clean up any previous run.
ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
wan_gw=$(nvram get wan0_gateway)

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $wan_gw dev eth0 table 12"

# Table 10 defaults into the tunnel, table 12 into the WAN gateway.
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $wan_gw dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# MARK does not stop rule evaluation, so the catch-all below is overridden for
# packets that also match the more specific destination rule after it.
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 18746 -j MARK --set-mark 12 #VPN SERVER port (possibly redundant?)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12 #by default all traffic goes through WAN

#route the following through VPN client
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xxx.xxx.xxx.xxx -j MARK --set-mark 10

exit

Code:
#!/bin/sh
# /jffs/scripts/firewall-start: allow LAN<->tun11 forwarding, masquerade into the
# tunnel, and drop traffic for the selected destinations unless it leaves via tun11
# (so those destinations are unreachable while the VPN client is down).

sleep 4

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -d xxx.xxx.xxx.xxx -j DROP
# Do not accept connections from the VPN provider's side to the router itself.
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
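Pulling the two route-up scripts above together, here is an added example of a route-up script for the same kind of setup; it is not code from this thread or from Asuswrt-Merlin. It keeps the thread's mark/table numbers (10 = tunnel, 12 = WAN) and assumes the LAN is br0, the WAN is eth0 and the router's own OpenVPN server uses interface tun21 (an assumption; adjust POLICY_IFS if yours differs). It adds two things the posted scripts leave out: it copies the main table's non-default routes into both policy tables, so a marked packet for the LAN or for a VPN server client is not thrown at a default route, and it applies the MARK rules to the server's interface as well as br0, so a remote client of the OpenVPN server is policy-routed like a LAN host instead of falling through to the main table (where, with the DROP rule in the firewall-start script above, it would be blocked). With DRYRUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from this thread: an OpenVPN client route-up script for
# Asuswrt-Merlin that policy-routes selected traffic through the tunnel while the
# router's own OpenVPN server keeps answering over the WAN.
# Client custom config (as in the thread):
#   script-security 2
#   route-nopull
#   route-up /jffs/scripts/vpn_route.sh
# Assumptions: mark/table 10 = tunnel, 12 = WAN; LAN on br0; WAN on eth0; the
# OpenVPN server's interface is tun21; DRYRUN=1 prints commands instead of running.

VPN_TABLE=10
WAN_TABLE=12
WAN_IF="${WAN_IF:-eth0}"
POLICY_IFS="${POLICY_IFS:-br0 tun21}"                          # LAN plus the server's tun
VPN_SRC_RANGE="${VPN_SRC_RANGE:-192.168.44.2-192.168.44.254}"   # hosts forced through the tunnel
VPN_DST_RANGE="${VPN_DST_RANGE:-}"                             # destinations forced through it

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

wan_gateway() {
    # WAN_GW may be preset (dry runs); otherwise read NVRAM as the thread's scripts do.
    if [ -n "$WAN_GW" ]; then echo "$WAN_GW"; else nvram get wan0_gateway 2>/dev/null || :; fi
}

copy_main_routes() {
    # A policy table must also know the LAN, server and tunnel subnets; otherwise a
    # marked packet for a local network would follow that table's default route.
    ip route show table main 2>/dev/null | grep -v '^default' | while read -r route; do
        [ -n "$route" ] && run ip route add $route table "$1"
    done
}

vpn_route_up() {
    # OpenVPN exports dev and ifconfig_local to route-up; without them, abort.
    if [ -z "$dev" ] || [ -z "$ifconfig_local" ]; then
        logger -s -t "$(basename "$0")" "not called by OpenVPN route-up, aborting" 2>/dev/null
        return 1
    fi
    # Clean slate; deleting a rule that does not exist yet is harmless.
    for t in "$VPN_TABLE" "$WAN_TABLE"; do
        run ip route flush table "$t"
        run ip rule del fwmark "$t" 2>/dev/null || :
    done
    run iptables -t mangle -F PREROUTING

    run ip route add default via "$ifconfig_local" dev "$dev" table "$VPN_TABLE"
    copy_main_routes "$VPN_TABLE"
    run ip rule add fwmark "$VPN_TABLE" table "$VPN_TABLE"
    run ip route add default via "$(wan_gateway)" dev "$WAN_IF" table "$WAN_TABLE"
    copy_main_routes "$WAN_TABLE"
    run ip rule add fwmark "$WAN_TABLE" table "$WAN_TABLE"
    run ip route flush cache

    # Replies enter through the tunnel from addresses the main table does not route there.
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter"
    else
        echo 0 > "/proc/sys/net/ipv4/conf/$dev/rp_filter"
    fi

    # MARK is non-terminating: every matching rule runs and the last one wins, so
    # the WAN catch-all goes first and the tunnel rules re-mark afterwards. Marking
    # on the server's tun as well gives remote clients the same policy as LAN hosts.
    # The server's own replies are locally generated, never pass PREROUTING, and
    # follow the main table's WAN default (kept by route-nopull), so need no rule.
    for ifc in $POLICY_IFS; do
        run iptables -t mangle -A PREROUTING -i "$ifc" -j MARK --set-mark "$WAN_TABLE"
        [ -n "$VPN_SRC_RANGE" ] && run iptables -t mangle -A PREROUTING -i "$ifc" \
            -m iprange --src-range "$VPN_SRC_RANGE" -j MARK --set-mark "$VPN_TABLE"
        [ -n "$VPN_DST_RANGE" ] && run iptables -t mangle -A PREROUTING -i "$ifc" \
            -m iprange --dst-range "$VPN_DST_RANGE" -j MARK --set-mark "$VPN_TABLE"
    done
    return 0
}

# Execute only when OpenVPN invoked us (dev is set); DRYRUN=1 just prints.
if [ -n "$dev" ]; then
    vpn_route_up || exit 1
fi
```

Preview what it would do on the router with `DRYRUN=1 dev=tun11 ifconfig_local=10.200.5.49 WAN_GW=192.168.101.1 sh /jffs/scripts/vpn_route.sh`; the printed order shows the catch-all mark 12 rule before the mark 10 rule on each interface, which is what makes the "last match wins" behaviour of MARK work in your favour.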
 
Hello,
First, my router is an RT-AC68U with the latest Merlin firmware.
I have one OpenVPN server running fine and one OpenVPN client with policy rules for one PC inside my network, running fine too.

Now my problem is: I tried to set up a second OpenVPN client (other VPN provider in another country) with policy rules for another PC, but I can't connect all clients at the same time. I can connect client 1 or client 2 but not client 1 and 2.... Why?
Thank you.
 
We believe it has been broken for the last couple of firmware releases

http://www.snbforums.com/threads/openvpn-policy-routing-guide.24384/page-4#post-225099

if you issue

Code:
ip route show table 111
ip route show table 112

...if they are identical then that will be the reason...

Effectively table 112 must have no references to tun11; it should only have tun12 route as the default!

Issue

Code:
ip route

and there shouldn't be entries

Code:
0.0.0.0/1 via xxx.xxx.xxx.xxx dev tun1N
128.0.0.0/1 via xxx.xxx.xxx.xxx dev tun1N

and only the following tun11 and tun12 entries should be referred to in the RPDB tables 111 and 112 respectively as their default:

e.g.

Code:
10.200.4.0/22 dev tun11  proto kernel  scope link  src 10.200.5.49
10.200.4.0/22 dev tun12  proto kernel  scope link  src 10.200.7.1

So I suspect having two different VPN providers such as HMA and PIA to two different geo-locations may work, whereas attempting to use a single provider such as HMA to two different geo-locations concurrently won't work due to the vpnrouting.sh routing conflict. :rolleyes:
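To make the check described above repeatable, here is an added example (not code from this thread or from the firmware) that applies the same tests to the output of ip route and ip route show table 111/112: it flags the 0.0.0.0/1 and 128.0.0.0/1 routes that a pushed redirect-gateway installs in the main table, and it checks that each client's table has a default route through its own tun device and no route via the other client's (an identical copy of the other table fails that test). The table numbers 111 and 112 follow the post above; the route listings in the block are constructed samples for the example, not captured from a router. Run it with --live on the router to check the real tables.

```shell
#!/bin/sh
# Added example, not code from this thread: checks the routing state of two
# Asuswrt-Merlin OpenVPN clients for the conflict described above. Assumes the
# policy tables are 111 (client 1, tun11) and 112 (client 2, tun12).
# The route listings below are constructed samples, not captured from a router.

# True when the main table holds the two half-default routes that a pushed
# redirect-gateway installs (0.0.0.0/1 and 128.0.0.0/1 via a tun device).
has_redirect_gateway() {
    printf '%s\n' "$1" | grep -Eq '^(0\.0\.0\.0|128\.0\.0\.0)/1 .* dev tun1[0-9]'
}

# Print the device of the default route in an "ip route show table N" listing.
default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# True when a client's table defaults through its own tun device and carries no
# route via another tun1x device.
table_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        dev ~ /^tun1[0-9]$/ && dev != want { bad = 1 }
        $1 == "default" && dev == want { have_default = 1 }
        END { exit !(have_default && !bad) }'
}

# Prints OK, REDIRECT_GATEWAY, CLIENT1_TABLE_BAD or CLIENT2_TABLE_BAD.
diagnose() {
    main=$1; t111=$2; t112=$3
    if has_redirect_gateway "$main"; then
        echo "REDIRECT_GATEWAY"   # a client is missing route-nopull
        return 1
    fi
    table_ok "$t111" tun11 || { echo "CLIENT1_TABLE_BAD"; return 1; }
    table_ok "$t112" tun12 || { echo "CLIENT2_TABLE_BAD"; return 1; }
    echo "OK"
}

# Constructed sample listings (addresses modelled on the post above).
MAIN_GOOD='default via 192.168.101.1 dev eth0
10.200.4.0/22 dev tun11  proto kernel  scope link  src 10.200.5.49
10.200.4.0/22 dev tun12  proto kernel  scope link  src 10.200.7.1
192.168.44.0/24 dev br0  proto kernel  scope link  src 192.168.44.1'
MAIN_REDIRECT="$MAIN_GOOD
0.0.0.0/1 via 10.200.4.1 dev tun11
128.0.0.0/1 via 10.200.4.1 dev tun11"
T111='default via 10.200.5.49 dev tun11
10.200.4.0/22 dev tun11  proto kernel  scope link  src 10.200.5.49'
T112_GOOD='default via 10.200.7.1 dev tun12
10.200.4.0/22 dev tun12  proto kernel  scope link  src 10.200.7.1'
T112_CLOBBERED="$T111"   # what "table 112 identical to 111" looks like

# On the router: sh vpn_check.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ip route)" "$(ip route show table 111)" "$(ip route show table 112)"
fi
```

On a healthy router the live run prints OK; REDIRECT_GATEWAY means one client is still pulling the provider's redirect-gateway into the main table, and CLIENT2_TABLE_BAD is the "table 112 only references tun11" case from the post above.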
 
I attached screenshots of what I get with ip route. I masked my external IP address in blue.
I hope this can help.
 

Attachments: vpn status.JPG, ip route.JPG
Which Firmware?

The screen print shows that you only have VPN Client 2 connected?..... so does table 111 exist after VPN Client 1 successfully connects?
 
If I connect client 1 before client 2 I get this screenshot.

Firmware 380.57 Merlin
 

Attachments: vpn status 2.JPG, ip route 2.JPG
So if you issue

Code:
ip route show table 111

ip route show table 112

are the two tables identical?

If you are unable to start VPN Client 1 after VPN Client 2 has successfully connected, then I suggest you remove ALL custom directives.

On my system, if VPN Client 2 is started after VPN Client 1 then I get the 'expected' I/P Routing conflict on both VPN Clients.

Attachment: upload_2016-1-18_7-48-0.png
 
I don't understand, but it looks like it's working today...?
I attached screenshots of ip route tables 111 and 112...
 

Attachments: vpn status 3.JPG, table 111 and 112.JPG
