Questions setting up a VPN on my Asus router using Merlin firmware

cgcmgr

New Around Here
Hello everyone,


I’m new to this forum and hoping you’d be able to help me. I’m looking to create a VPN on my Asus RT-AC88U router. I have updated the firmware to Merlin version 386.7. This post may be a little drawn out and I apologize in advance.

Here is what I’m trying to accomplish. I want to be able to start a VPN server within the Asus router (VPN Server tab) but only have two out of all of the devices connected to my router on that VPN. One device is my Emby server, which is located on my TrueNAS NAS. Both the Emby and TrueNAS servers have their own IP addresses on my LAN. The other is another PC. My current network connection is as follows: FIOS router to my Asus router, and all peripherals connected to the Asus router. I understand I will need to port forward a port in the FIOS router to my Asus router.

Here is what I did. I clicked on the VPN Server tab in the router’s interface and set it up. I had watched some YouTube videos about the “Redirect Internet Traffic” setting and how I can select “Policy Rules.” I figured I would just set the PC, NAS and Emby server to be on the VPN while all other traffic gets routed through my WAN. Unfortunately, that setting is only available on the VPN Clients tab. Essentially, I wanted to create a VPN on the router (VPN Client tab) using the OpenVPN settings. I wanted to just have three IP addresses behind that VPN and be able to remotely access the VPN via the OpenVPN client app on my phone, Firestick and PC so that I can access the Emby server and the other PC. Is this possible with a VPN server created by the router itself?


I do understand that I can set up a VPN client (VPN Client tab) on the router using providers such as ExpressVPN, which I have an account for, and I can set the Policy Rules there to only have the desired devices on the VPN. If I did this, would I be able to connect to that same VPN remotely through an app and access the devices on the VPN? If so, how?


Thanks for reading and hoping to get an understanding of this so I can configure the VPN to yield what I need.



Chris
 

eibgrad

Part of the Furniture
Either you or I (or both of us) are confused.

You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purpose of accessing internet resources (e.g., websites).

As it reads to me, you're mixing the two as if they are related. They are NOT.
 

ColinTaylor

Part of the Furniture
Either you or I (or both of us) are confused.

You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purpose of accessing internet resources (e.g., websites).

As it reads to me, you're mixing the two as if they are related. They are NOT.
The way he's asked the question is a bit confusing, yes. But I think he was just using the VPN client/VPN Director options as an example of something similar to what he wants to achieve with the VPN server.

In other words, he wants to restrict the devices on his LAN that are reachable by a client connecting to the router's VPN server. He doesn't want the client to have access to all devices on the LAN.
 

cgcmgr

New Around Here
Take a look @ this:
Thanks, I'm aware of VPN Director, but isn't that just for the VPN clients that users set up in their routers and not for the server side? I'd like to create a server via the VPN Server tab and allow VPN Director to do its thing. Is that possible? If not, I'll set up a VPN client in the router using ExpressVPN and set the IP addresses in VPN Director. I need to be able to connect to that same VPN remotely so that I can access my devices on the VPN. Is that possible?

Chris
 

eibgrad

Part of the Furniture
In order to limit access to the local network by the remote OpenVPN clients to your OpenVPN server, as @ColinTaylor described, you need to create your own firewall rules w/ iptables and install them using a firewall-start script.

Code:
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
...

Edit: Updated the example to still allow internet access.
 

cgcmgr

New Around Here
Either you or I (or both of us) are confused.

You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purpose of accessing internet resources (e.g., websites).

As it reads to me, you're mixing the two as if they are related. They are NOT.

The way he's asked the question is a bit confusing, yes. But I think he was just using the VPN client/VPN Director options as an example of something similar to what he wants to achieve with the VPN server.

In other words, he wants to restrict the devices on his LAN that are reachable by a client connecting to the router's VPN server. He doesn't want the client to have access to all devices on the LAN.
That is correct. This is exactly what I would like to achieve. I was just using the VPN Client as an example showing that IPs can be limited there.
 

cgcmgr

New Around Here
In order to limit access to the local network by the remote OpenVPN clients to your OpenVPN server, as @ColinTaylor described, you need to create your own firewall rules w/ iptables and install them using a firewall-start script.

Code:
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
...

Edit: Updated the example to still allow internet access.
Thanks, this is exactly what I need. This is all new to me, but I will research this. Do you know of any tutorials that explain how to do this?

Chris
 

eibgrad

Part of the Furniture
Thanks, this is exactly what I need. This is all new to me, but I will research this. Do you know of any tutorials that explain how to do this?

Chris

Exactly the same as in the following link, except you'll be using your own firewall rules.

 

ColinTaylor

Part of the Furniture

As per @eibgrad's example, you would create a firewall-start script that looks like this, where 192.168.1.100 and 192.168.1.200 are the addresses that you want access to.

Code:
#!/bin/sh

OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
# -I inserts at the top of the chain, so the catch-all REJECT goes in first and
# each ACCEPT inserted afterwards sits above it and is matched before it.
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
 

cgcmgr

New Around Here
Exactly the same as in the following link, except you'll be using your own firewall rules.

Appreciate it. You guys rock, so fast to respond.

Just two more questions.
1. Since the PC that I use all the time will be excluded from the VPN per the iptables rules, will I still be able to access my Emby server from it, or would I have to connect to the VPN first?
2. Since the Emby server is located on the NAS, I would need to include the NAS IP address in the rules as well, correct?

Thanks,
Chris
 

ColinTaylor

Part of the Furniture
1. This only affects incoming connections via the VPN server. It doesn't affect any locally connected devices. Is this PC on your local network? If so it wouldn't be connecting through the VPN.
2. The script blocks by destination IP address. I don't see why you would need to include the NAS address if the Emby server has its own IP address on the LAN.
 

eibgrad

Part of the Furniture
1) Access to your local servers while on the local network (NOT remotely) is never an issue. LAN to LAN traffic is never affected by routing issues.

2) Yes, although nothing says you can't further limit that access to other criteria, such as protocol (tcp or udp), destination port(s), etc. As I provided in the examples, I assumed complete access to the device based on IP. But you can further qualify it as you wish.
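An added example, not code from anyone in the thread, that builds the same firewall-start rules as ColinTaylor's script from an allow-list and also supports the per-protocol/port restriction eibgrad mentions. It assumes OpenVPN server #1 and the 192.168.1.0/24 LAN from the thread; the allow-list entries, including the tcp/8096 service port, are constructed placeholders.

```shell
#!/bin/sh
# Generate (and, on the router, apply) FORWARD rules limiting what remote
# OpenVPN clients may reach on the LAN. Example code, not Merlin's own.
# Note: these rules cover forwarded traffic only; the router's own services
# (INPUT chain) are not restricted by them.

LAN_NET="192.168.1.0/24"
# Constructed allow-list: "ip" for full access to that host,
# "ip/proto/port" to allow only one service on it.
ALLOW="192.168.1.100/tcp/8096 192.168.1.200"

# build_rules VPN_SUBNET LAN_SUBNET ALLOW_LIST
# Prints iptables commands that, executed in this order, leave every ACCEPT
# above the catch-all REJECT (because -I inserts at the top of the chain).
build_rules() {
    vpn="$1"; lan="$2"; allow="$3"
    printf 'iptables -I FORWARD -s %s -d %s -j REJECT\n' "$vpn" "$lan"
    for entry in $allow; do
        ip=${entry%%/*}          # part before the first slash
        rest=${entry#"$ip"}      # "/proto/port" or empty
        if [ -n "$rest" ]; then
            proto=${rest#/}; proto=${proto%%/*}
            port=${rest##*/}
            printf 'iptables -I FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
                "$vpn" "$ip" "$proto" "$port"
        else
            printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$vpn" "$ip"
        fi
    done
}

# On the router (where nvram exists) apply the rules; elsewhere just skip.
if command -v nvram >/dev/null 2>&1; then
    OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)"
    build_rules "$OVPN_NET" "$LAN_NET" "$ALLOW" | sh
fi
```

Run it outside the router to preview the rules with `build_rules 10.8.0.0/255.255.255.0 "$LAN_NET" "$ALLOW"` before saving it as /jffs/scripts/firewall-start.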
 

cgcmgr

New Around Here
1. This only affects incoming connections via the VPN server. It doesn't affect any locally connected devices. Is this PC on your local network? If so it wouldn't be connecting through the VPN.
2. The script blocks by destination IP address. I don't see why you would need to include the NAS address if the Emby server has its own IP address on the LAN.
Understood, appreciate your assistance.
 