Questions setting up a VPN on my Asus router using Merlin firmware

cgcmgr

Hello everyone,


I’m new to this forum and hoping you’d be able to help me. I’m looking to create a VPN on my Asus RT-AC88U router. I have updated the firmware to Merlin version 386.7. This post may be a little drawn out and I apologize in advance.

Here is what I’m trying to accomplish. I want to be able to start a VPN server within the Asus router (VPN Server tab) but only have two out of all of the devices connected to my router on that VPN. One device is my Emby server, which is located on my TrueNAS NAS. Both the Emby and TrueNAS server have their own IP address on my LAN. The other is another PC. My current network connection is as follows: FIOS router to my Asus router, and all peripherals connected to the Asus router. I understand I will need to port forward a port in the FIOS router to my Asus router.

Here is what I did. I clicked on the VPN Server tab in the router’s interface and set it up. I had watched some YouTube videos about the “Redirect Internet Traffic” setting and how I can select “Policy Rules.” I figured I would just set the PC, NAS and Emby server to be on the VPN while all other traffic gets routed through my WAN. Unfortunately, that setting is only available on the VPN Clients tab. Essentially, I wanted to create a VPN on the router (VPN Client tab) using the OpenVPN settings. I wanted to just have three IP addresses behind that VPN and be able to remotely access the VPN via the OpenVPN client app on my phone, Firestick and PC so that I can access the Emby server and the other PC. Is this possible with a VPN server created by the router itself?


I do understand that I can set up a VPN client (VPN Client tab) on the router using clients such as ExpressVPN, which I have an account for, and I can set the Policy Rules there to only have the desired devices on the VPN. If I did this, would I be able to connect to that same VPN remotely through an app and access the devices on the VPN? If so, how?


Thanks for reading and hoping to get an understanding of this so I can configure the VPN to yield what I need.



Chris
 
Either you or I (or both of us) are confused.

You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purposes of accessing internet resources (e.g., websites).

As it reads to me, you're mixing the two as if they are related. They are NOT.
 
> Either you or I (or both of us) are confused.
>
> You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purposes of accessing internet resources (e.g., websites).
>
> As it reads to me, you're mixing the two as if they are related. They are NOT.

The way he's asked the question is a bit confusing, yes. But I think he was just using the VPN client/VPN Director options as an example of something similar to what he wants to achieve with the VPN server.

In other words, he wants to restrict the devices on his LAN that are reachable by a client connecting to the router's VPN server. He doesn't want the client to have access to all devices on the LAN.
 
Take a look @ this:
Thanks, I'm aware of VPN Director, but isn't that just for the VPN clients that users set up in their routers and not for the server side? I'd like to create a server via the VPN Server tab and allow VPN Director to do its thing. Is that possible? If not, I'll set up a VPN client in the router using ExpressVPN and set the IP address in VPN Director. I need to be able to connect to that same VPN remotely so that I can access my devices on the VPN. Is that possible?

Chris
 
In order to limit access to the local network by the remote OpenVPN clients to your OpenVPN server, as @ColinTaylor described, you need to create your own firewall rules w/ iptables and install them using a firewall-start script.

Code:
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
...

Edit: Updated the example to still allow internet access.
 
> Either you or I (or both of us) are confused.
>
> You configure the OpenVPN server to remotely access your *own* resources back home, such as your Emby and TrueNAS servers. OTOH, you configure the OpenVPN client to remotely access someone else's OpenVPN server, such as ExpressVPN or NordVPN, usually for the purposes of accessing internet resources (e.g., websites).
>
> As it reads to me, you're mixing the two as if they are related. They are NOT.

> The way he's asked the question is a bit confusing, yes. But I think he was just using the VPN client/VPN Director options as an example of something similar to what he wants to achieve with the VPN server.
>
> In other words, he wants to restrict the devices on his LAN that are reachable by a client connecting to the router's VPN server. He doesn't want the client to have access to all devices on the LAN.

That is correct. This is exactly what I would like to achieve. I was just using the VPN Client as an example showing that IPs can be limited there.
 
> In order to limit access to the local network by the remote OpenVPN clients to your OpenVPN server, as @ColinTaylor described, you need to create your own firewall rules w/ iptables and install them using a firewall-start script.
>
> Code:
> OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
> iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
> iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
> iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
> ...
>
> Edit: Updated the example to still allow internet access.

Thanks, this is exactly what I need. This is all new to me, but I will research this. Do you know of any tutorials that explain how to do this?

Chris
 
> Thanks, this is exactly what I need. This is all new to me, but I will research this. Do you know of any tutorials that explain how to do this?
>
> Chris

Exactly the same as in the following link, except you'll be using your own firewall rules.

 

As per @eibgrad's example, you would create a firewall-start script that looks like this, where 192.168.1.100 and 192.168.1.200 are the addresses that you want access to.

Code:
#!/bin/sh

OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.100 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.1.200 -j ACCEPT
 
> Exactly the same as in the following link, except you'll be using your own firewall rules.

Appreciate it. You guys rock, so fast to respond.

Just two more questions.
1. Since the PC that I use all the time will be excluded from the VPN per the iptables rules, will I still be able to access my Emby server from it, or would I have to connect to the VPN first?
2. Since the Emby server is located on the NAS, I would need to include the NAS IP address in the table as well, correct?

Thanks,
Chris
 
1. This only affects incoming connections via the VPN server. It doesn't affect any locally connected devices. Is this PC on your local network? If so, it wouldn't be connecting through the VPN.
2. The script blocks by destination IP address. I don't see why you would need to include the NAS address if the Emby server has its own IP address on the LAN.
 
1) Access to your local servers while on the local network (NOT remotely) is never an issue. LAN to LAN traffic is never affected by routing issues.

2) Yes, although nothing says you can't further limit that access to other criteria, such as protocol (tcp or udp), destination port(s), etc. As I provided in the examples, I assumed complete access to the device based on IP. But you can further qualify it as you wish.
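To show eibgrad's two points together (the firewall-start rules from his earlier post, and the further qualification by protocol and destination port he mentions here), here is an added example of a complete firewall-start script. It is not eibgrad's, ColinTaylor's or Merlin's own code. It assumes the LAN is 192.168.1.0/24 with the two allowed hosts from the thread, that Emby at .100 listens on TCP 8096 (Emby's default HTTP port, an assumption about your setup), and that OpenVPN server #1 is in use; `ALLOW_LIST` and the port entries are constructed sample values. Off the router, where `iptables` and `nvram` are absent, it only prints the commands it would run, so the rule set can be reviewed before it is deployed.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start -- added example, not eibgrad's or Merlin's own code.
# Remote OpenVPN server clients may reach only the LAN hosts in ALLOW_LIST,
# optionally restricted to one protocol/port per host. The REJECT is scoped to the
# LAN subnet only, so internet access for VPN clients through the router is untouched.

LAN_NET="192.168.1.0/24"   # assumed LAN subnet, as in the thread's examples

# One entry per line: "host" (full access) or "host:proto:port" (that port only).
# Constructed sample values; 8096 is Emby's default HTTP port, which assumes the
# Emby server at .100 listens there.
ALLOW_LIST="
192.168.1.100:tcp:8096
192.168.1.200
"

# On the router (root, iptables present) rules are applied. Anywhere else the
# script only prints the commands so the rule set can be reviewed.
DRY_RUN=0
if ! command -v iptables >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then DRY_RUN=1; fi

# OpenVPN server #1 subnet from nvram, as in eibgrad's post; 10.8.0.0/24 is the
# stock default, used here only when nvram is unavailable (off-router review).
ovpn_net() {
    if command -v nvram >/dev/null 2>&1; then
        echo "$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)"
    else
        echo "10.8.0.0/24"
    fi
}

# Insert a FORWARD rule unless an identical one already exists (-C), so
# re-running firewall-start never stacks duplicate rules.
add_rule() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "iptables -I FORWARD $*"
    elif ! iptables -C FORWARD "$@" 2>/dev/null; then
        iptables -I FORWARD "$@"
    fi
}

apply_rules() {
    net="$(ovpn_net)"
    # Inserted first: every ACCEPT inserted afterwards with -I lands above it,
    # so allowed hosts are matched before the catch-all REJECT.
    add_rule -s "$net" -d "$LAN_NET" -j REJECT
    for entry in $ALLOW_LIST; do
        case "$entry" in
            *:*:*)
                host="${entry%%:*}"
                rest="${entry#*:}"
                proto="${rest%%:*}"
                port="${rest##*:}"
                add_rule -s "$net" -d "$host" -p "$proto" --dport "$port" -j ACCEPT
                ;;
            *)
                add_rule -s "$net" -d "$entry" -j ACCEPT
                ;;
        esac
    done
}

apply_rules
```

Run it once off the router to see the exact iptables commands it will issue; on the router, saved as /jffs/scripts/firewall-start and made executable, it applies them every time the firewall is restarted. Note that a host with a port entry is reachable on that port only; add a second line for the same host if it needs another port.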
 
> 1. This only affects incoming connections via the VPN server. It doesn't affect any locally connected devices. Is this PC on your local network? If so, it wouldn't be connecting through the VPN.
> 2. The script blocks by destination IP address. I don't see why you would need to include the NAS address if the Emby server has its own IP address on the LAN.
Understood, appreciate your assistance.
 
Hello everyone,

Sorry for the delayed response, but I finally finished configuring the VPN client on my family's devices and I'm ready to turn the VPN on. I have a few questions before I do so. I will be using the below script graciously provided by eibgrad. I have already enabled JFFS scripts in the router and the script is named AllowVPNScript.bash.

1. Is the naming of the script fine or does it have to be named something specific?
2. Do I just SSH into the router and go to the /jffs/scripts folder and "paste" the AllowVPNScript.bash into that folder? I understand I must reboot the router afterwards, but is that how I get the script into the router?
3. I read the script must be executable. Is mine set to be so?
4. Anytime I edit the script, do I have to reboot the router?
a. I'd like to test the script by removing the "allowed" IP addresses and see if I can access the devices while the VPN is on. I shouldn't be able to. Then I'd like to add the allow command back and test again and I should be able to access them this time.
5. What happens if I have the script in the router, but turn off the VPN? Is all access blocked? I would imagine it is.
6. Lastly, if I have the VPN off and then turn it back on, do I have to reboot the router to allow the script to do its thing or will it just work?

Sorry for all the questions, just want to be sure of what I'm doing.

Thanks,
Chris



#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.0/24 -j REJECT # Blocks all Devices from Being on VPN
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.91 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.183 -j ACCEPT
#iptables -I FORWARD -s $OVPN_NET -d 192.168.2.200 -j ACCEPT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
echo "error: $SCRIPT already exists; requires manual installation"
else
create_script
echo 'Done.'
fi
:
 
1. The script can be named anything, it doesn't matter. But I suggest that you change it to AllowVPNScript.sh because it is a script, not a "bash script".
2. You can type the full path to the script so that it doesn't matter what directory you're in, e.g. /jffs/scripts/AllowVPNScript.sh
3. Type chmod 755 /jffs/scripts/AllowVPNScript.sh
4. Yes, but...
This is a run-once script. It will not allow you to run it again. Its purpose is to create another script called /jffs/scripts/firewall-start. If you want to make changes you need to manually edit the firewall-start script. See post #10. This begs the question, why are you bothering to use this run-once script at all when it's simpler to create the firewall-start script directly?
5. Nothing.
6. No, it will just work.
 
@ColinTaylor - I appreciate your response, but it looks as if I'm taking a few steps backwards here. As I mentioned in the original post, I'm new to all of this, so I'm not really sure what I'm doing. I just copied the script laid out by eibgrad and made my adjustments. I do see how this script will just create another script. Basically I just want to create a script to allow access to only three devices when connected to my VPN. I'm not 100% sure how to get the script to the /jffs/scripts location. I'm using WinSCP to access the router, so is it as easy as just going to that location in the router using WinSCP and copying the script to that location?

I have enabled JFFS Scripts in the router. Would the below script do what I need it to do or is there more that I need to add? Meaning, is there any other syntax that needs to be added to create a proper script? Something to tell it the end of the script has been reached or something like that?

#!/bin/sh
chmod 755 /jffs/scripts/AllowVPNScript.sh
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.0/24 -j REJECT # Blocks all Devices from Being on VPN
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.91 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.183 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.200 -j ACCEPT


Lastly, the Merlin wiki says to use chmod a+rx /jffs/scripts/AllowVPNScript.sh to make the script executable. You wrote chmod 755 /jffs/scripts/AllowVPNScript.sh. Is there any difference? Googling basically says for a script like mine, they should do the same job. Is that correct?

Thanks,
Chris
 
> Would the below script do what I need it to do or is there more that I need to add?
If you remove the chmod line from that script it will be correct.

> Lastly, the Merlin wiki says to use chmod a+rx /jffs/scripts/AllowVPNScript.sh to make the script executable. You wrote chmod 755 /jffs/scripts/AllowVPNScript.sh. Is there any difference? Googling basically says for a script like mine, they should do the same job. Is that correct?
Both forms of chmod do the same thing.

If you're using WinSCP it's easy to do it all in the GUI. Just connect to the router and navigate to /jffs/scripts. Then create a new file (Files>New>File) called firewall-start using the built-in editor. Type in your script, e.g.
Code:
#!/bin/sh

OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.0/24 -j REJECT # Blocks all Devices from Being on VPN
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.91 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.183 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.200 -j ACCEPT

Save the file and then close the editor. Right click on the filename and select Properties. Put ticks in all 3 "X" boxes to make it eXecutable. Click OK.

You're done.
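The WinSCP steps above end with the file in place and marked executable, but a JFFS script that fails silently is a common follow-up problem. As an added example (not ColinTaylor's, eibgrad's or Merlin's own code), the script below installs the same firewall-start file from this post and then checks the three things that most often break it: a missing `#!/bin/sh` first line, a missing executable bit, and Windows (CRLF) line endings, which a Windows-side editor can introduce and which make the shell report the interpreter as "not found". `SCRIPTS_DIR` defaults to /jffs/scripts; the check function can be pointed at any path, so it can also be run against a file you wrote yourself.

```shell
#!/bin/sh
# Added example, not from the thread's authors or the firmware: install the
# firewall-start script from this post and verify it is actually usable.

SCRIPTS_DIR="${SCRIPTS_DIR:-/jffs/scripts}"   # router default; override when testing elsewhere

# Write firewall-start into $1, refusing to overwrite an existing one (the same
# safety eibgrad's run-once installer had). Hosts are the thread's example addresses.
install_firewall_start() {
    dir="$1"
    mkdir -p "$dir"
    if [ -f "$dir/firewall-start" ]; then
        echo "error: $dir/firewall-start already exists; edit it by hand"
        return 1
    fi
    cat > "$dir/firewall-start" <<'EOF'
#!/bin/sh
OVPN_NET="$(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm)" # assumes OpenVPN server #1
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.0/24 -j REJECT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.91 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.183 -j ACCEPT
iptables -I FORWARD -s $OVPN_NET -d 192.168.2.200 -j ACCEPT
EOF
    # Equivalent to "chmod a+rx" on a freshly created 644 file: rwxr-xr-x.
    chmod 755 "$dir/firewall-start"
}

# Return 0 if the script at $1 looks usable, 1 otherwise, printing each problem
# with the command that fixes it.
check_firewall_start() {
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable (fix: chmod 755 $f)"; rc=1; }
    # A CR at the end of the shebang line makes the kernel look for "/bin/sh\r".
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings found (fix: sed -i 's/\r\$//' $f)"
        rc=1
    fi
    [ "$(head -n1 "$f")" = "#!/bin/sh" ] || { echo "first line must be #!/bin/sh"; rc=1; }
    return $rc
}

# Only act when the JFFS partition is actually there (i.e. on the router).
if [ -d /jffs ]; then
    install_firewall_start "$SCRIPTS_DIR" && check_firewall_start "$SCRIPTS_DIR/firewall-start"
fi
```

After running it on the router, `check_firewall_start /jffs/scripts/firewall-start` printing nothing and returning 0 means the script will be picked up on the next firewall restart; the same check is worth repeating after every edit made from a Windows machine.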
 