
OpenVPN server and port forwarding


matteoi

Hi all,

Thank you all for this community and Thank You Merlin and the other contributors for the firmware fork.

This summer, my port-forwarding stopped working while I am connected to my home network using the OpenVPN server.

The connection looks like this:
iPhone or Linux laptop running OpenVPN client -> Internet -> RT-AC68U running OpenVPN server -> home server

My ASUS router connects to my ISP with PPPoE, so it has its own IP address and I have a DDNS set up to point to my router.
I turned on the OpenVPN server on the ASUS router.
On the router I also set up port-forwarding to my personal server, port 80 and port 443.

In the following, let's assume that:
- mydomain.com is the domain associated with the DDNS;
- myserver is the hostname of the main server connected to my LAN;
- myraspi is the hostname of a second server connected to my LAN.

I have a web server running on ports 80 and 443 on myserver and another web server running on myraspi on port 8080.

Since version 384.12 (IIRC), and still with 384.13, I can no longer connect to myserver, or to mydomain.com from my laptop or my phone when I turn on my OpenVPN clients on them.
I can reach mydomain.com when the OpenVPN client is turned off.
I can reach myserver when I am connected to my LAN at home.
I can reach myraspi:8080 both when I am connected to my LAN at home and when I am connected with another network through the OpenVPN client.

Prior to the fatal upgrade, I was able to connect to all three mydomain.com, myserver and myraspi:8080 when I was outside and using the OpenVPN client.

OpenVPN server settings have not changed ever since.
I also tried setting up a new OpenVPN server on a different port, but I get the same results.

Can you please give me some help in debugging this issue?

Thank you very much again,

Matteo
 
As a starter, you might try: go to the Firewall page in the GUI and set the response to ping from WAN to Yes. Then from a remote location (or wireless off and over 3G/4G) see if you can ping your DDNS address.
 
Thank you for the replies!

Hi miroco,
I am sorry I forgot that detail. My OpenVPN server 1 is running on port 1194, the default one.
With the second server I tried different ports also.
I do not have shared ports or overlapping services on the same ports, at least that I know of.
I also have disabled GUI from WAN on the router.

Hi martinr,
I have the firewall turned off and I can confirm I can ping my DDNS from a remote location without using the VPN.
If I turn the VPN on, I can not ping my DDNS domain.
Without VPN the domain is correctly resolved to my current public IPv4 address, with the VPN the domain is resolved to my LAN IPv4 address (10.0.0.254).
Trying to ping the secondary server, myraspi, from a remote location I get what I expect: without VPN the hostname is not resolved to any IP address, with VPN it gets resolved to the address on the LAN and the ping is successful.

The only difference I see between the two servers is that I have ports forwarded to the first.

Thank you again for the attention,
Matteo
 
I am wondering what the reason is to keep forwarding the ports 80, 443 and 8080 from the router to your LAN-connected myserver and myraspi devices while at the same time you have a working VPN server on the router. In my opinion you don't need such forwarding anymore, because you are able to access your LAN devices from within the LAN itself using the VPN tunnel. That is the idea of the VPN server - to be able to tunnel into the LAN, thus avoiding keeping ports open to the external world. This improves the security of your home network significantly.
 
Hi netware5,
I run websites and services on my server which are used not only by me but also from a bunch of friends and relatives, to which I do not want to give full access to my LAN.
That's why I want both local (through LAN or VPN) and remote (from public internet) access to my servers.
It used to work perfectly fine until a couple of months ago.

Port 8080 is not forwarded.
Many other ports are instead forwarded for a mailcow-dockerized instance (complete email solution with IMAP and WebMail).
Also the email services are blocked now when accessed through the VPN.
 
Thank you for the replies!

Hi miroco,
I am sorry I forgot that detail. My OpenVPN server 1 is running on port 1194, the default one.
With the second server I tried different ports also.
I do not have shared ports or overlapping services on the same ports, at least that I know of.
I also have disabled GUI from WAN on the router.

Hi martinr,
I have the firewall turned off and I can confirm I can ping my DDNS from a remote location without using the VPN.
If I turn the VPN on, I can not ping my DDNS domain.
Without VPN the domain is correctly resolved to my current public IPv4 address, with the VPN the domain is resolved to my LAN IPv4 address (10.0.0.254).
Trying to ping the secondary server, myraspi, from a remote location I get what I expect: without VPN the hostname is not resolved to any IP address, with VPN it gets resolved to the address on the LAN and the ping is successful.

The only difference I see between the two servers is that I have ports forwarded to the first.

Thank you again for the attention,
Matteo
I didn’t intend you should turn off your firewall, merely that you should enable ping access from the WAN. I hope your firewall is back on!

I hope also you’ve noted netware5’s remarks above.
 
I didn’t intend you should turn off your firewall, merely that you should enable ping access from the WAN. I hope your firewall is back on!
I meant the firewall was already off because I was testing if it was interfering.
Anyway, it is back on and it does not affect the issue of this thread.

I hope also you’ve noted netware5’s remarks above.
Yes, I also replied to them motivating why I need both types of access.
Other than close friends and relatives, sometimes I need public services exposed to random people to let them send me large files or things like that.
I do not see any other easy solution other than having a public facing service, hence port forwarded.
Do you have any other suggestion?

Thank you :)
 
Hi netware5,
I run websites and services on my server which are used not only by me but also from a bunch of friends and relatives, to which I do not want to give full access to my LAN.
That's why I want both local (through LAN or VPN) and remote (from public internet) access to my servers.
It used to work perfectly fine until a couple of months ago.

Yes, I also replied to them motivating why I need both types of access.
Other than close friends and relatives, sometimes I need public services exposed to random people to let them send me large files or things like that.
I do not see any other easy solution other than having a public facing service, hence port forwarded.
Do you have any other suggestion?

Now I understand. This is a pretty interesting case. I am thinking about a more secure solution. It could be segmentation of your LAN into two segments - "strictly private" and "semi-public". Then you may run two VPN servers simultaneously - each of them providing access to one of these segments. But this is just a raw idea. The bad thing is that in the case of "public services exposed to random people to let them send me large files or things like that" these random people would have to install a VPN client on their devices, which seems not very convenient. So I understand your point now.

Regarding the main problem:

Hi all,
This summer, my port-forwarding stopped working while I am connected to my home network using the OpenVPN server.

I think that port forwarding does not work because you are accessing your LAN from inside (via the VPN tunnel) - you should be able to connect, but using the internal IP address and internal DNS, not the DDNS resolver, which points to your external IP address. At the same time it should work if the access is directly via the public internet. Could you provide information on what happens if you connect to the LAN via VPN from one device and simultaneously connect directly from a separate device? I think that you should be able to make a connection to the forwarded ports of your server using that second, separate device.
 
I think that port forwarding does not work because you are accessing your LAN from inside (via the VPN tunnel) - you should be able to connect, but using the internal IP address and internal DNS, not the DDNS resolver, which points to your external IP address. At the same time it should work if the access is directly via the public internet. Could you provide information on what happens if you connect to the LAN via VPN from one device and simultaneously connect directly from a separate device? I think that you should be able to make a connection to the forwarded ports of your server using that second, separate device.
I think I already answered this question, but maybe it was not clear.

I want to browse the web pages at "mydomain.com" with the browsers on my phone and laptop.
The pages are hosted on the server with hostname "myserver" with internal IP 10.0.0.254.
"mydomain.com" is mapped to 1.2.3.4, the public IP address on my ASUS router.
The ASUS router forwards ports 80 and 443 to 10.0.0.254 in the LAN.

Without VPN I can browse using the address "mydomain.com" that gets correctly resolved to 1.2.3.4 by the public DNS.
With VPN, the DNS queries are replied by the ASUS router which answers 10.0.0.254 for both "mydomain.com" and for "myserver" to the OpenVPN and LAN clients.

I have a second server with hostname "myraspi" and LAN IP address 10.0.0.54 and a service listening on port 8080.
Without VPN I can not connect to "myraspi" or to "mydomain.com:8080", as expected, because I want that second server available only inside the LAN and I did not set any forwarding for port 8080.
With VPN I can connect to "10.0.0.54:8080" or "myraspi:8080" as expected.

I tried with both devices, with and without VPN, at the same time and at different times.

Are you trying to build a type of cloud service?
This sounds an awful lot like Dropbox or Onedrive.
Yes, it's a self hosted instance of Nextcloud, among the other things.
 
I think I already answered this question, but maybe it was not clear.

I want to browse the web pages at "mydomain.com" with the browsers on my phone and laptop.
The pages are hosted on the server with hostname "myserver" with internal IP 10.0.0.254.
"mydomain.com" is mapped to 1.2.3.4, the public IP address on my ASUS router.
The ASUS router forwards ports 80 and 443 to 10.0.0.254 in the LAN.

Without VPN I can browse using the address "mydomain.com" that gets correctly resolved to 1.2.3.4 by the public DNS.
With VPN, the DNS queries are replied by the ASUS router which answers 10.0.0.254 for both "mydomain.com" and for "myserver" to the OpenVPN and LAN clients.

I have a second server with hostname "myraspi" and LAN IP address 10.0.0.54 and a service listening on port 8080.
Without VPN I can not connect to "myraspi" or to "mydomain.com:8080", as expected, because I want that second server available only inside the LAN and I did not set any forwarding for port 8080.
With VPN I can connect to "10.0.0.54:8080" or "myraspi:8080" as expected.

I tried with both devices, with and without VPN, at the same time and at different times.

So we reached the same conclusion and problem is solved :) The system works as designed :)

Regarding why it used to work with previous versions: may be the reason is related to "NAT loopback" feature. See this thread: https://www.snbforums.com/threads/nat-loopback-missing-rt-ac86u.48525/
 
So we reached the same conclusion and problem is solved :) The system works as designed :)
Great! :)

Regarding why it used to work with previous versions: may be the reason is related to "NAT loopback" feature. See this thread: https://www.snbforums.com/threads/nat-loopback-missing-rt-ac86u.48525/
Thanks, I read this thread.
It is from last year, when everything was working as expected for me.
The only suggestion I found there for me is to try to disable the hardware acceleration.
I tried and it did not solve my issue.


I made some more tests.
I can connect to my server using both the local and the public IP when I am on the LAN.
I just tested using curl and forcing it to resolve the domain to the IP address I want:
1) curl -v --resolve mydomain.com:443:10.0.0.254 https://mydomain.com
2) curl -v --resolve mydomain.com:443:1.2.3.4 https://mydomain.com

Without VPN, both commands work when I am connected to the LAN, command 2 works also when I am connected through another network.
When I use the VPN connection from another network, only command 2 works, while command 1 does not. The connection is not established.
If I try to connect to myraspi while connected to VPN, it works
3) curl -v --resolve myraspi:8080:10.0.0.54 myraspi:8080

Thus I conclude that using the VPN I can not connect to a LAN IP address for which ports are forwarded.
Is this analysis correct? How can I further debug this thing?

Thanks
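The curl tests above are a small connectivity matrix: force each hostname to a chosen address with `--resolve`, then note whether the TCP connection is established, once on the VPN and once off it. The script below is an added example (not code from the thread or from the Asuswrt-Merlin project) that automates that matrix in Python and also records what the active resolver answers for each hostname, classifying the answer as LAN, VPN pool, or public, so the split-DNS behaviour described earlier (the router answering 10.0.0.254 for mydomain.com) shows up in the same output as the failed connection. The LAN range 10.0.0.0/24 and the addresses 10.0.0.254, 10.0.0.54 and 1.2.3.4 are the thread's own placeholders; the OpenVPN tunnel pool 10.8.0.0/24 is an assumption, as are the helper names. The local-listener helpers exist only so the tool can be exercised offline.

```python
import ipaddress
import socket
import socketserver
import threading

# Address plan as given in the thread: LAN 10.0.0.0/24 (myserver is 10.0.0.254,
# myraspi is 10.0.0.54) and 1.2.3.4 standing in for the router's public IP.
# The OpenVPN tunnel pool is not stated on the page; 10.8.0.0/24 is assumed.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # assumption


def classify_answer(ip):
    """Say where a DNS answer points: the LAN, the VPN pool, loopback or public."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN_NET:
        return "lan"
    if addr in VPN_NET:
        return "vpn"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "other-private"
    return "public"


def tcp_connect(ip, port, timeout=2.0):
    """True if a TCP handshake to ip:port completes (what curl --resolve tests)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_matrix(cases, resolver=socket.gethostbyname):
    """Run a curl-style test matrix.

    cases: iterable of (label, hostname, forced_ip, port).  For each case the
    hostname is looked up with the *current* resolver (the router when on the
    VPN, public DNS when off it), the answer is classified, and a TCP connection
    is attempted to forced_ip:port regardless of the DNS answer, exactly as
    `curl --resolve host:port:ip` does.
    """
    results = {}
    for label, host, forced_ip, port in cases:
        try:
            answer = resolver(host)
            kind = classify_answer(answer)
        except OSError:
            answer, kind = None, "unresolved"
        results[label] = {
            "resolves_to": answer,
            "answer_kind": kind,
            "forced_ip": forced_ip,
            "port": port,
            "connect_ok": tcp_connect(forced_ip, port),
        }
    return results


def start_local_listener():
    """Throwaway TCP listener on 127.0.0.1 so the matrix can run offline.
    Returns (server, port); call server.shutdown() when done."""
    server = socketserver.TCPServer(("127.0.0.1", 0), socketserver.BaseRequestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_local_port():
    """A port on 127.0.0.1 with nothing listening, to show a refused connect."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Real use: run once on the VPN and once off it, then diff the two outputs.
    # A case whose answer_kind flips from "public" to "lan" while connect_ok
    # flips to False is the symptom described in this thread.
    real_cases = [
        ("myserver via LAN addr", "mydomain.com", "10.0.0.254", 443),
        ("myserver via public addr", "mydomain.com", "1.2.3.4", 443),
        ("myraspi via LAN addr", "myraspi", "10.0.0.54", 8080),
    ]
    for label, row in run_matrix(real_cases).items():
        print(f"{label:26s} dns={row['resolves_to']} ({row['answer_kind']}) "
              f"connect {row['forced_ip']}:{row['port']} -> {row['connect_ok']}")
```

Running the script twice (tunnel up, tunnel down) and comparing the two tables separates the two effects the thread conflates: a DNS answer that changes with the resolver, and a TCP path that is unreachable through the tunnel even when the address is forced.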

 
I also found out that using the VPN connection I can not reach my modem which is connected to the WAN port of the ASUS router and has address 192.168.1.1.
I can reach it while I am directly connected to the LAN.
 
No idea if this makes any difference but you could try:

1. Tools > Other settings > WAN: Use local caching DNS Server as system resolver. I think the default is now No as from 384.13. So just try setting it back to Yes.

2. On the VPN General page set Client will use VPN to access to Both (if not already) and try that.

Apologies if it’s a wild goose chase.
 
Thanks!

No idea if this makes any difference but you could try:
1. Tools > Other settings > WAN: Use local caching DNS Server as system resolver. I think the default is now No as from 384.13. So just try setting it back to Yes.
Tried, no changes wrt my issue.

2. On the VPN General page set Client will use VPN to access to Both (if not already) and try that.
Already set to both, since sometimes I want to surf to website just like I am visiting them from my home (during trips abroad, for example).

Is there something to check with iptables or advanced things like that? I am still not an expert with iptables, so I am not sure what I should look for.
 
I have a similar issue on my RT-AC86U Merlin with the last two firmwares, 384.12 and 384.13: when connecting over OpenVPN I can no longer reach my NAS. I have a Qnap TS253pro NAS on local port 8080 running security cameras and I connect through the Vmobile Android app on a Samsung S9+. That has always worked until these last two firmware updates on my RT-AC86U. The Qnap apps connect fine on the LAN but are no longer able to reach the NAS over the VPN tunnel. I can ping the NAS over the VPN but I can't reach the NAS with the phone apps or a browser as I could previously.
I prefer to connect over VPN to view my cameras so I don't need to open any ports up to the outside world, keeping it a lot safer.
The problem is not the VPN as I can reach my PC and other devices on my LAN without any problems.
Tried a factory reset and reconfigured a fresh setup (not restoring settings) but still the same; you guys are my only hope or I will have to return to older firmware.
Any help appreciated.

Added:
Resolved my problem.
It seems this issue has been resolved by me adding the VPN tunnel IP range 10.8.0.1-254 to the allowed IP list on my NAS.
I thought this would have been handled within the router?
My normal subnet / IP range is 192.168.49.1-259.
Isn't the phone given a local IP when connecting over the VPN? e.g. 192.168.49.101, so it can connect to everything on my network?
So either I changed something on my NAS, which may be the case but I don't remember changing anything previously, or something changed in the Merlin firmware that is stopping this from connecting over the normal subnet/IP range?
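The fix foz found answers his own question: a routed (tun) OpenVPN client keeps its tunnel address (10.8.0.x) as the source of the packets the router forwards into the LAN; it is not handed a 192.168.49.x address. Any allow-list on a LAN host that only names the LAN subnet will therefore reject every VPN client, even though ping and other hosts without such a list work. The script below is an added example (not code from the thread, the NAS vendor or the Asuswrt-Merlin project) that checks whether a host allow-list admits a given tunnel address, lists the parts of the VPN pool the allow-list does not cover (handling partial coverage), and builds the corrected list. The 192.168.49.0/24 mask and the 10.8.0.0/24 pool are assumptions read from foz's "192.168.49.1-..." and "10.8.0.1-254"; the phone's tunnel address 10.8.0.6 is constructed, and all function names are hypothetical.

```python
import ipaddress

# Values read from foz's post: the NAS allow-list covered only the LAN and the
# OpenVPN server hands tunnel clients addresses from 10.8.0.0/24.  Both masks
# are assumptions; foz gives ranges, not prefix lengths.
LAN_NET = "192.168.49.0/24"   # assumed from "192.168.49.1-..."
VPN_POOL = "10.8.0.0/24"      # assumed from "10.8.0.1-254"


def is_allowed(source_ip, allowed):
    """Would a host allow-list built from `allowed` accept a packet whose
    source address is source_ip?  Networks may be strings or ip_network objects."""
    addr = ipaddress.ip_address(source_ip)
    for net in allowed:
        net = ipaddress.ip_network(net)
        if addr.version == net.version and addr in net:
            return True
    return False


def uncovered(pool, allowed):
    """Return the parts of `pool` that no network in `allowed` covers.

    Repeatedly carves each allowed network out of what is left of the pool, so
    it also reports partial coverage (e.g. only half the pool allow-listed).
    """
    pool = ipaddress.ip_network(pool)
    remaining = [pool]
    for net in allowed:
        net = ipaddress.ip_network(net)
        if net.version != pool.version:
            continue
        carved = []
        for chunk in remaining:
            if chunk.subnet_of(net):
                continue                                   # fully covered
            if net.subnet_of(chunk):
                carved.extend(chunk.address_exclude(net))  # carve net out
            else:
                carved.append(chunk)                       # disjoint, keep
        remaining = carved
    return sorted(remaining)


def allowlist_with_vpn(allowed, pool):
    """Minimal allow-list (collapsed) that admits the LAN and the whole tunnel pool."""
    nets = [ipaddress.ip_network(n) for n in allowed] + [ipaddress.ip_network(pool)]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    phone = "10.8.0.6"  # constructed: the phone's address on the tunnel
    print("phone allowed by LAN-only list:", is_allowed(phone, [LAN_NET]))
    print("tunnel addresses the NAS would reject:",
          [str(n) for n in uncovered(VPN_POOL, [LAN_NET])])
    fixed = allowlist_with_vpn([LAN_NET], VPN_POOL)
    print("corrected allow-list:", fixed)
    print("phone allowed after fix:", is_allowed(phone, fixed))
```

The same check applies to any per-host firewall or "allowed IP" setting on LAN servers (the web server and mail stack in the original post included): the source seen by the server is the tunnel pool, so the pool, not the LAN range, is what has to appear in the list.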
 
Hi all,

I upgraded to 384.14_2 version my RT-AC68U and the problem is still here.
I do not have a firewall on my webserver blocking access from VPN-assigned IPs (which are on a different subnet, as in foz's case).
The problem is still that I can not access forwarded ports when I connect from outside through the VPN.

How can I debug and fix this?

Thank you
 