Port forwarding is not working when OpenVPN client is active


mrjayviper

New Around Here
I got port forwarding working on my DD-WRT router. But whenever the OpenVPN client is active, the port forwards don't work anymore. I tested it using my MacBook connected to my iPhone (on 4G) via hotspot.

Sample port forward: my work PC trying to SSH (using the ISP-provided static IP) into my home UNIX box (using a 192.168.1.x IP) via port 22. This works if OpenVPN is not active.

ssh myacct@ISP-provided-static-IP

I can't even ping the static IP provided by my ISP. But I can ping the IP provided by the VPN provider. I've set up DDNS on the router and it's getting the IP from the VPN provider instead of the one given by my ISP.

Any ideas on how this can be fixed?

Important info:

Router firewall is off.

Code:
root@myrouter:~# ip route list
0.0.0.0/1 via 10.208.185.5 dev tun1
default via my-wan-gateway-ip-here dev ppp0
my-wan-gateway-ip-here dev ppp0  proto kernel  scope link  src my-real-ip-here
10.208.0.1 via 10.208.185.5 dev tun1
10.208.185.5 dev tun1  proto kernel  scope link  src 10.208.185.6
127.0.0.0/8 dev lo  scope link
128.0.0.0/1 via 10.208.185.5 dev tun1
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
my-vpn-ip via my-wan-gateway-ip-here dev ppp0

My OpenVPN config runs the default route-up.sh that's created by DD-WRT automatically. I didn't make any changes to this script.

Code:
root@myrouter:/tmp# cat /tmp/openvpncl/route-up.sh
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT

Code:
root@myrouter:/tmp# cat resolv.dnsmasq
nameserver 8.26.56.26
nameserver 8.20.247.20
nameserver 208.67.222.222
(these DNS servers are from Comodo and OpenDNS)

I also used a script I found on the net so certain IPs can bypass the VPN. This script is part of my startup script (rc_startup). I need this so I can play a specific game on my tablets.

Code:
#!/bin/sh
# Give the WAN link time to come up before reading the gateway from NVRAM.
sleep 30
# LAN hosts that should reach the internet over the WAN instead of the VPN.
NO_VPN_LST="192.168.1.11 192.168.1.2"
[ -z "$NO_VPN_LST" ] && exit 0
WAN_GWAY="0.0.0.0"
# Poll until DD-WRT has stored a real WAN gateway (POSIX "=" instead of "==").
while [ -z "$WAN_GWAY" ] || [ "$WAN_GWAY" = "0.0.0.0" ]; do
    sleep 3
    WAN_GWAY=$(nvram get wan_gateway)
done
# Table 10 contains only a default route via the WAN gateway.
ip route add default via "$WAN_GWAY" table 10
# Policy rule: packets sourced from these hosts are looked up in table 10,
# so they skip the tun1 routes in the main table.
for ipa in $NO_VPN_LST; do
    ip rule add from "$ipa" table 10
done
ip route flush cache
exit 0
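The route table posted above explains the symptom: the OpenVPN client installs 0.0.0.0/1 and 128.0.0.0/1 via tun1, which together cover every destination and are more specific than the default via ppp0. A connection that arrives on ppp0 (an SSH attempt to the port forward, or a ping to the router's static IP) still gets in, but every reply is routed by destination and leaves through tun1 with a tunnel source address, so the remote peer never sees it. The rc_startup script above fixes this only for traffic that LAN hosts originate; it does nothing for connections that originate on the WAN. The following script is an added example, not code from the thread or from DD-WRT: it marks connections by the interface they arrived on and routes their replies back out the WAN. The interface names ppp0, br0 and tun1, the 192.168.1.0/24 subnet and `nvram get wan_gateway` are taken from the original post; routing table 100 and firewall mark 0x1 are hypothetical choices and should be changed if your router already uses them.

```sh
#!/bin/sh
# Added example, not from the thread: keep replies to connections that entered
# via the WAN link on the WAN link while the OpenVPN client owns the default
# route. Assumed names (check against `ip route list` on your router):
WAN_IF=${WAN_IF:-ppp0}              # WAN interface from the OP's route table
LAN_IF=${LAN_IF:-br0}               # LAN bridge from the OP's route table
LAN_NET=${LAN_NET:-192.168.1.0/24}  # LAN subnet from the OP's route table
WAN_TABLE=${WAN_TABLE:-100}         # hypothetical spare routing table number
MARK=${MARK:-0x1}                   # hypothetical, otherwise unused fwmark
# DRY_RUN=1 (default) only prints the commands so they can be reviewed
# offline; DRY_RUN=0 executes them on the router.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wan_reply_rules <wan-gateway-ip>
# Connections are classified by the interface they arrived on, not by the
# destination they reply to, which is what the destination-based main table
# gets wrong once 0.0.0.0/1 and 128.0.0.0/1 point into tun1.
wan_reply_rules() {
    gw=$1
    [ -n "$gw" ] || { echo "wan_reply_rules: missing gateway" >&2; return 1; }

    # Delete-then-add keeps the script safe to re-run, the same pattern
    # DD-WRT's own route-up.sh uses.
    run iptables -t mangle -D PREROUTING -i "$WAN_IF" -m state --state NEW -j CONNMARK --set-mark "$MARK" 2>/dev/null
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark 2>/dev/null
    run iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null

    # 1. Tag every new connection that arrives on the WAN interface. This sets
    #    the *connection* mark only; the inbound packet itself still routes via
    #    the main table and reaches the port-forwarded LAN host as before.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m state --state NEW -j CONNMARK --set-mark "$MARK"
    # 2. Packets the LAN host sends back on a tagged connection inherit the
    #    mark before the routing decision is made.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 3. Same for replies the router generates itself (ping replies, its own
    #    SSH daemon); Linux re-routes locally generated packets whose mark
    #    changed in mangle OUTPUT.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # 4. Marked packets consult WAN_TABLE, whose default route is the WAN
    #    gateway. The LAN route is copied in so marked traffic bound for the
    #    LAN never falls through to the WAN default.
    run ip rule del fwmark "$MARK" table "$WAN_TABLE" 2>/dev/null
    run ip route flush table "$WAN_TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$WAN_TABLE"
    run ip route replace default via "$gw" dev "$WAN_IF" table "$WAN_TABLE"
    run ip rule add fwmark "$MARK" table "$WAN_TABLE"
    run ip route flush cache
}

# On the router: `DRY_RUN=0 sh wan-reply.sh apply`, once the WAN is up
# (for example after the nvram wait loop in the rc_startup script above).
if [ "${1:-}" = "apply" ]; then
    wan_reply_rules "$(nvram get wan_gateway)"
fi
```

Run it first with the default DRY_RUN=1 and read the printed commands, then apply it from rc_startup after the WAN gateway is known. It coexists with the table-10 bypass rules, since those match on source address and these match on fwmark. Note that these mangle rules only decide which link carries replies; the DNAT port-forward entry and the filter policy still decide which services are reachable from the WAN at all, so keep the router firewall on and forward only the ports you need.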
 
If you don't use the VPN link as your default gateway then it would fix the problem. When you use VPN, set the VPN gateway metric to 1 or 2, as long as it's higher than LAN.
 
If you don't use the VPN link as your default gateway then it would fix the problem. When you use VPN, set the VPN gateway metric to 1 or 2, as long as it's higher than LAN.
Can you please explain? I'm not really knowledgeable about network tech.

I didn't make any changes to routing except when I needed some boxes to bypass the VPN.

Thanks a lot.
 
Is your VPN provider giving you some weird IP with a single-IP subnet or a LAN IP network? For my setup I have my router being the VPN server, and both LAN and VPN use the same IP network, which makes things much easier. If you are getting some weird IP for your VPN then you will have to set up static routing and give it a gateway metric of 1. Then you need to set your usual internet route of 0.0.0.0/0 with a gateway metric of 2. The gateway metric is usually the gateway weightage, which means that a particular route is given priority over others when checking for the route to take. This prevents the internet route from interfering with LAN.

You do not need to set complicated routes for your name servers since the IP network that you would be given for VPN is private and won't route to the internet if you set your route correctly.

So check or reiterate:
VPN -> LAN gateway Router LAN IP, metric 0
LAN -> VPN gateway Router VPN IP, metric 1
LAN -> WAN gateway Router LAN IP, metric 2 (make sure to NAT this)
VPN -> WAN gateway router VPN IP metric 2 (optional) (make sure to NAT this)

There need not be a WAN to LAN or VPN because you will use NAT for that. You didn't specify the gateway metrics and you route different IPs all over the place. You don't need to route specific IPs if you do your network routing correctly unless you are doing load balancing for your network clients.
 