Policy-based ruling VPN block outside access, how to fix it?

Mikeyy

Regular Contributor
Setup:
Latest Merlin FW on ASUS N66U. I'm using a VPN provider and policy rules which dictate that only 2 IPs in my network use the VPN for internet access, let's say 192.168.1.10 and 192.168.1.11.
I have DDNS setup which reports my real IP (not VPN).

Problem is, when I try to access those devices from outside of my LAN (mobile phones, from work etc...), they refuse the connection. My guess is that they are responding to the outside access, but probably via VPN, and that won't work. They should respond via the same route they were contacted on.
Is there a workaround for this?
 
Not one? :)
I found out that if I establish the VPN connection from my Synology NAS and not from the router, the same happens: the NAS won't respond to contacts outside of the VPN.
BUT, there is a great little option in the NAS network settings, "Allow multiple gateways", and when I turn this on, the NAS responds to contacts outside of the VPN.

Is there a similar thing for Merlin firmware? I would like to establish the VPN connection on the router, and not on the NAS, because I have more than one device which uses the VPN connection.
 
why not just connect through the VPN tunnel? that would be safer.
 
Because, well, I didn't manage to connect through the VPN tunnel. Whatever I tried, I couldn't reach the NAS via the VPN tunnel (which is established through the router).

I'm using AirVPN, which is a really great VPN provider and supports port forwarding through the VPN tunnel. That port forwarding is working only if the NAS creates the tunnel. If my router creates the tunnel, then it is not working (or I'm just not technical enough to forward that VPN port to a LAN port).

The port forwarding section of Merlin's settings refers to WAN, not VPN. Not sure how to set it up for VPN.
 
if you search the AirVPN site or this site you might find what you are looking for. :) but, I'll be nice and give it to you here.

Code:
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.42 --dport 49749 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.42 --dport 49749 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 49749 -j DNAT --to-destination 192.168.2.42
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 49749 -j DNAT --to-destination 192.168.2.42

change tun, IP address, port to suit your needs. the port will be the one that AirVPN assigns you. make sure to have your servers listening on those ports too!
 
Thank you for answer! I'm unable to test it right now, but I'll test it as soon as possible.
Where do I enter that? The admin part and then "on startup" or something similar, or do I need to SSH?

If you have a link to a thread, please post it here so I can familiarize myself more.

P.S. Searched the AirVPN site and Google, but didn't find this kind of answer. Maybe I didn't search the right terms. :)
 
ssh into router and just copy/paste the proper iptables.
 
Didn't have chance to test it before, but did try today finally.

I SSHed into the router with WinSCP and created "nat-start" in /jffs/scripts/ with this content:
Code:
#!/bin/sh
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.5 --dport 11486 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.5 --dport 11486 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 11486 -j DNAT --to-destination 192.168.1.5
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 11486 -j DNAT --to-destination 192.168.1.5

Also I chmod-ed it to 0755:
Owner RWX
Group RX
Others RX

On my Synology NAS I changed HTTPS port to 11486 (was 5001 which is default).
On AirVPN I set port forwarding for that port.

No response from NAS when I try to contact it through tunnel.
Tested with other devices also.

What am I doing wrong?

EDIT: Solved it. Changed script to openvpn-event and when that didn't solve anything I tried adding "sleep" which actually worked. So my script is now:
Code:
#!/bin/sh
sleep 30
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.5 --dport 11486 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.5 --dport 11486 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 11486 -j DNAT --to-destination 192.168.1.5
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 11486 -j DNAT --to-destination 192.168.1.5
 
to test things just paste the iptables at the command line of your SSH session. then you can check in system log/port forwarding to make sure it worked.

so the remote port and local port for your AirVPN forwarded port is 11486? Be sure that you're trying to access your NAS on that port - https://AirVPN_IP_address:11486
 
It's working now after I changed it to "openvpn-event" custom script and added "sleep 30".
I tested with same ports and different ports, and it's working for both.
For example, I can setup on airVPN webpage that outside port 11486 points to internal port 443. In script I then add 443 instead of 11486.

Thanks for tips.
 
To help others, since someone will probably need it. :)
If you want to forward more than one port to the same machine via VPN, you can do it like this:
Code:
#!/bin/sh
sleep 30
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.47 multiport --dports 80,443,61158 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.47 multiport --dports 80,443,61158 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp multiport --dports 80,443,61158 -j DNAT --to-destination 192.168.1.47
iptables -t nat -I PREROUTING -i tun11 -p udp multiport --dports 80,443,61158 -j DNAT --to-destination 192.168.1.47

Change 192.168.1.47 to your LAN IP.
Change 80,443,61158 to your own ports, separated with a comma (,).
 
Code:
#!/bin/sh
sleep 30
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.47 --match multiport --dports 80,443,61158 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.47 --match multiport --dports 80,443,61158 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --match multiport --dports 80,443,61158 -j DNAT --to-destination 192.168.1.47
iptables -t nat -I PREROUTING -i tun11 -p udp --match multiport --dports 80,443,61158 -j DNAT --to-destination 192.168.1.47

You need the --match multiport :)
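As an added example (not code from the thread, nor Merlin's own), the multiport forward from the last two posts rewritten as an idempotent openvpn-event script: it keys on the hook's route-up event instead of a fixed sleep 30, checks with -C so reconnects do not stack duplicate rules, and removes them when the tunnel goes down. That Merlin calls the hook with OpenVPN's script arguments ($1 = tun device) and the script_type variable is an assumption here, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotent /jffs/scripts/openvpn-event
# form of the multiport forward. Assumed, not confirmed by the thread: Merlin calls
# this hook with OpenVPN's arguments ($1 = tun device) and "script_type" variable.
LAN_IP="192.168.1.47"   # host that receives the forwarded ports
PORTS="80,443,61158"    # comma-separated, same ports configured on the AirVPN side
VPN_DEV="tun11"         # VPN Client 1 on Merlin

# Accept "80" or "443,8443"; reject empty items, non-digits and ports outside 1-65535.
valid_ports() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}(,[0-9]{1,5})*$' || return 1
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# Print one rule per line as "-t TABLE CHAIN <match/target>", so the same text
# feeds -C (check), -I (insert) and -D (delete). "-m multiport" is always used.
vpn_forward_rules() {
    valid_ports "$3" || return 1
    for proto in tcp udp; do
        printf '%s\n' "-t nat PREROUTING -i $1 -p $proto -m multiport --dports $3 -j DNAT --to-destination $2"
        printf '%s\n' "-t filter FORWARD -i $1 -p $proto -d $2 -m multiport --dports $3 -j ACCEPT"
    done
}

# -C exits 0 when an identical rule already exists, so reconnects add nothing twice.
apply_rules() {
    vpn_forward_rules "$1" "$2" "$3" | while read -r spec; do
        set -- $spec; table="$2"; chain="$3"; shift 3
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -I "$chain" "$@"
    done
}

remove_rules() {
    vpn_forward_rules "$1" "$2" "$3" | while read -r spec; do
        set -- $spec; table="$2"; chain="$3"; shift 3
        iptables -t "$table" -D "$chain" "$@" 2>/dev/null
    done
}

# Only react to our tunnel; route-up fires once the tunnel is usable, so no
# fixed "sleep 30" is needed, and the rules are removed when it goes down.
if [ "${1:-}" = "$VPN_DEV" ]; then
    case "${script_type:-}" in
        route-up) apply_rules "$VPN_DEV" "$LAN_IP" "$PORTS" ;;
        route-pre-down|down) remove_rules "$VPN_DEV" "$LAN_IP" "$PORTS" ;;
    esac
fi
```

With a single port the same script produces the thread's first variant (one --dports value), so one file covers both cases.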
 
I would like to get back to my original question in this thread which never got answered. I know we solved a different problem, but for many reasons, I would like to get my first question answered. :)

*****************
My setup:
Merlin 378.55 / PPPoE connection to ISP modem (bridge mode) / VPN Client 1 - all working
VPN Policy rules - only IP 192.168.1.5 goes through VPN, the rest goes through regular WAN
192.168.1.1 - router IP

In VSERVER I have port 60001 forwarded to 192.168.1.5

Problem:
When I try to connect to http://"MY_REAL_IP":60001 connection times out.
This is probably because that connection never reaches 192.168.1.5 or maybe it does, but 192.168.1.5 responds via VPN and that's a no go.

How to fix this, so 192.168.1.5 answers connection via regular internet and not VPN?

P.S. This was a suggestion; it should change the source to the gateway so it "fools" the policy rules. But it didn't work.
iptables -t nat -A POSTROUTING -o br0 -d 192.168.1.5 -j SNAT --to-source 192.168.1.1
Tested also with "ppp0" instead of "br0" but nothing.

Any other tips?
 