Question about IP of VPN

Dee dee

Regular Contributor
Hi All,

I am currently running a VPN Server with OpenVPN on my Asus Merlin router RT-AC68U with Firmware 384.15

I am currently remote, and when I connect to my VPN I get an IP of 10.8.0.2. The VPN's subnet and netmask are defined as:
Subnet: 10.8.0.0
Mask: 255.255.255.0

I might have a stupid Q, but is it possible to set the subnet to be in the range of my home LAN's IPs? Like, is there a way I can get 192.168.2.200 on my VPN connection?

The reason I am asking is that I am trying to unbind my NVR, and it states I need to be on Wi-Fi on the same LAN, but I am not home; I am remote and unable to administer it.

Thanks for reading.
 

eibgrad

Senior Member
You need to use a *bridged* (tap) OpenVPN server configuration in order to be on the same network as home. Only problem is that most mobile devices don't support a bridged VPN (at least the last time I attempted it). But if it's a PC or laptop, it's doable.
 

eibgrad

Senior Member
P.S. If the only problem is that the NVR is looking at the IP of the device that's attempting to access it and requiring that it be the same as the home network (192.168.2.x), then instead of using a bridged VPN, you can SNAT the incoming traffic from the OpenVPN server w/ the IP of that device (typically the router's LAN IP) before it's dumped on the local network, thus it appears to be coming from the router itself (which of course is on the 192.168.2.x network).

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
 

Dee dee

Regular Contributor
You need to use a *bridged* (tap) OpenVPN server configuration in order to be on the same network as home. Only problem is that most mobile devices don't support a bridged VPN (at least the last time I attempted it). But if it's a PC or laptop, it's doable.
P.S. If the only problem is that the NVR is looking at the IP of the device that's attempting to access it and requiring that it be the same as the home network (192.168.2.x), then instead of using a bridged VPN, you can SNAT the incoming traffic from the OpenVPN server w/ the IP of that device (typically the router's LAN IP) before it's dumped on the local network, thus it appears to be coming from the router itself (which of course is on the 192.168.2.x network).

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
If I do this will it mess up my ability to reboot or login to my router through my existing openvpn connection?

How do I remove this if it removes my ability to login to my router via web or SSH while on the openvpn?
 

Dee dee

Regular Contributor
You need to use a *bridged* (tap) OpenVPN server configuration in order to be on the same network as home. Only problem is that most mobile devices don't support a bridged VPN (at least the last time I attempted it). But if it's a PC or laptop, it's doable.
Can you please post instructions on how to do this on a computer?
I'll be using the SADP program to unbind my NVR and be able to associate it with my email to enable P2P, to get push notifications from my NVR.
 

distilled

Regular Contributor
For a computer, just go to the VPN Server tab, pick Advanced and select TAP as the Interface Type. Set anything else you want, then export the file and import it into your client software. Like eibgrad said, it won't work on mobile, but for a computer, it works like a champ.

There are other ways you could get notifications if you want to do it on a mobile. Depending upon the platform of your phone, you could check out TinyCam. It has pretty good motion detection for a ton of different cameras, and it has a Background mode to keep the app alive.

Edited to correct reference
 


eibgrad

Senior Member
If I do this will it mess up my ability to reboot or login to my router through my existing openvpn connection?
I don't see how. All we're doing is masking the OpenVPN client's IP (as assigned from the 10.8.0.0/24 network) w/ that of the router's LAN IP, so it *appears* as if the request from the OpenVPN client is coming from the router rather than the OpenVPN client. The target of the OpenVPN client still works normally. It replies to the router, which in turn replies to the OpenVPN client.

If it's any comfort, this is a common solution for other similar problems. For example, Windows security has gotten tighter over the years. At one point, Windows stopped letting two local IP networks (e.g., 192.168.1.x and 10.8.0.x) communicate on the same ethernet segment, at least not by default. The Windows firewall prevents it. One way around it (short of changing the Windows firewall to allow it) is to NAT the inbound traffic from the OpenVPN client w/ the router's LAN IP. You also typically need to do this when the OpenVPN server is NOT hosted on the primary router (i.e., default gateway).

So it's not as if this is all that unusual. And it probably makes more sense than implementing a bridged OpenVPN server just to deal w/ this one case. But ultimately the choice is yours.

How do I remove this if it removes my ability to login to my router via web or SSH while on the openvpn?
Code:
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Note: you should always test any firewall rules via SSH (just paste them into the window) before committing them to the router. That way if something goes wrong, you simply reboot the router and all is back to normal.

Once you're convinced it works and has done no harm, make sure you have JFFS custom scripts enabled under Administration->System. Then open a shell (ssh) to the router and paste the following script into the window. It will create and install the necessary script. That script will be automatically executed by the router whenever the firewall is updated.

Code:
mkdir -p /jffs/scripts
cat << "EOF" > /jffs/scripts/nat-start
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr) 2> /dev/null
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x /jffs/scripts/nat-start
 
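An added example, not from eibgrad's posts or the Merlin firmware: POSIX sh helpers that build the SNAT rule above and audit the router's current POSTROUTING rules for it before it is made persistent in nat-start. The NVR address 192.168.2.50, the LAN IP 192.168.2.1 and the sample `iptables -S` output are constructed for illustration; `--to-source` is the full spelling of the post's `--to`, and the optional `-d` scoping is an addition that keeps the real client address visible to every LAN host other than the NVR.

```shell
#!/bin/sh
# Added example: helpers for the SNAT workaround discussed in this thread.
# They build the rule and audit `iptables -t nat -S POSTROUTING` output for it,
# so a missing rule, or one stacked twice by re-running the -I line without the
# -D, is caught before the change is made persistent in /jffs/scripts/nat-start.

# snat_rule VPN_SUBNET LAN_IF LAN_IP [NVR_IP]
# Prints the POSTROUTING match/target arguments. With NVR_IP the rule is scoped
# to that single destination, so every other LAN host (and its logs) keeps seeing
# the real 10.8.0.x client address. Fails if the subnet has no prefix length.
snat_rule() {
    case "$1" in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "snat_rule: VPN subnet must be CIDR, got '$1'" >&2; return 1 ;;
    esac
    if [ -n "$4" ]; then
        printf '%s\n' "-s $1 -d $4/32 -o $2 -j SNAT --to-source $3"
    else
        printf '%s\n' "-s $1 -o $2 -j SNAT --to-source $3"
    fi
}

# count_snat_rules VPN_SUBNET LAN_IF  (reads `iptables -t nat -S POSTROUTING` on stdin)
# Prints how many SNAT rules match that source subnet and outgoing interface.
# 1 is healthy; 0 means the rule is missing; 2 or more means it has been stacked.
count_snat_rules() {
    grep -c -- "^-A POSTROUTING -s $1 .*-o $2 .*-j SNAT " || true
}

# Constructed sample (not captured from a real router) of what
# `iptables -t nat -S POSTROUTING` prints after the -I line has been run twice.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to-source 192.168.2.1
-A POSTROUTING -o eth0 -j MASQUERADE'

# audit_sample prints the rule count found in SAMPLE_RULES (2: stacked rule).
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | count_snat_rules 10.8.0.0/24 br0
}

# Stand-alone run: show both rule forms and the audit result. On the router the
# audit would read live output: iptables -t nat -S POSTROUTING | count_snat_rules ...
echo "LAN-wide rule:  $(snat_rule 10.8.0.0/24 br0 192.168.2.1)"
echo "NVR-only rule:  $(snat_rule 10.8.0.0/24 br0 192.168.2.1 192.168.2.50)"
echo "matching rules in sample: $(audit_sample)"
```

On the router, a count above 1 after a firewall restart means the `-D` line in nat-start is not matching the rule that was inserted (for example because the interface name differs), which is exactly the case the post's `-D` followed by `-I` pattern is meant to prevent.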

Dee dee

Regular Contributor
I don't see how. All we're doing is masking the OpenVPN client's IP (as assigned from the 10.8.0.0/24 network) w/ that of the router's LAN IP, so it *appears* as if the request from the OpenVPN client is coming from the router rather than the OpenVPN client. The target of the OpenVPN client still works normally. It replies to the router, which in turn replies to the OpenVPN client.

If it's any comfort, this is a common solution for other similar problems. For example, Windows security has gotten tighter over the years. At one point, Windows stopped letting two local IP networks (e.g., 192.168.1.x and 10.8.0.x) communicate on the same ethernet segment, at least not by default. The Windows firewall prevents it. One way around it (short of changing the Windows firewall to allow it) is to NAT the inbound traffic from the OpenVPN client w/ the router's LAN IP. You also typically need to do this when the OpenVPN server is NOT hosted on the primary router (i.e., default gateway).

So it's not as if this is all that unusual. And it probably makes more sense than implementing a bridged OpenVPN server just to deal w/ this one case. But ultimately the choice is yours.



Code:
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Note: you should always test any firewall rules via SSH (just paste them into the window) before committing them to the router. That way if something goes wrong, you simply reboot the router and all is back to normal.

Once you're convinced it works and has done no harm, make sure you have JFFS custom scripts enabled under Administration->System. Then open a shell (ssh) to the router and paste the following script into the window. It will create and install the necessary script. That script will be automatically executed by the router whenever the firewall is updated.

Code:
mkdir -p /jffs/scripts
cat << "EOF" > /jffs/scripts/nat-start
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr) 2> /dev/null
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x /jffs/scripts/nat-start
Thank you for all the input, @eibgrad. I'd rather just set up 2 OpenVPN servers for ease of setup.

Once I set up server 2 in my OpenVPN Server settings as TAP, it won't mess up my existing OpenVPN server, nor stop my ability, nor only allow 1 server to run, will it?

Sorry if I'm asking pedantic questions, but I am remote and not too keen on SSH, iptables, etc., and don't want to mess up my connection.

Also, if I set it to TAP, my VPN connection from my remote location to my house would get an IP of 192.168.2.x (I think so)?
 

Dee dee

Regular Contributor
For a computer, just go to the VPN Server tab, pick Advanced and select TAP as the Interface Type. Set anything else you want, then export the file and import it into your client software. Like eibgrad said, it won't work on mobile, but for a computer, it works like a champ.

There are other ways you could get notifications if you want to do it on a mobile. Depending upon the platform of your phone, you could check out TinyCam. It has pretty good motion detection for a ton of different cameras, and it has a Background mode to keep the app alive.

Edited to correct reference
Thanks for the input @distilled, I didn't have a spare Android device to run TinyCam on and for it to push alerts to other devices.
 

distilled

Regular Contributor
Cool, good luck, hope you get it set up the way you like. Cameras are sorta fun, heh. When I started using cameras to watch over several properties, I set up Blue Iris as a NVR and used TinyCam on some cheap Android tablets to monitor the Blue Iris stream. B.I. records and sends notifications, and several sub-$50 Android tablets gave me an interactive screen of all my cameras in several rooms, and my office at work.
 

eibgrad

Senior Member
A word of caution when configuring a bridged OpenVPN server.

In my experience over many years, I've *never* seen the DHCP option (which relies on your remote DHCP server) properly configure the OpenVPN client. IIRC, one problem is that the default gateway gets stripped from the DHCP response (weird). I don't know if it's an OpenVPN bug or what. And when I've asked about it on the OpenVPN forums, no one seems to have an explanation.

Anyway, I've found the most reliable configuration is to disable this option and instead specify a range of IPs from your local network that are outside the DHCP range (e.g., 192.168.1.200 thru 192.168.1.204). IOW, define a pool specifically for these OpenVPN clients.

Perhaps this has since been fixed, but it's just that I've been burned numerous times by this issue, and so now I always define a pool for the OpenVPN client and avoid the (potential) problem.

In your case, it may not matter if you're already configured with another local network and using it as your default gateway. The OpenVPN client isn't intended to be your default gateway anyway in your scenario. But I still thought it worth mentioning.
 

Dee dee

Regular Contributor
@eibgrad thanks.

Just making sure it won't cause an issue running 2 VPN servers simultaneously, one tap and one run, so it won't cause the other one to turn off?
 
