
Redirect all traffic of OpenVPN Server connected client to OpenVPN client

Discussion in 'Asuswrt-Merlin' started by mancio, Sep 21, 2018.

  1. mancio

    mancio New Around Here

    Joined:
    Sep 20, 2018
    Messages:
    1
    Hi All,
    I have bought new RT-AC66U_B1 Router.
    I have already installed the 384.6 Merlin firmware for the RT-AC68U (I read in some topic in this forum that the RT-AC66U_B1 is also compatible with the RT-AC68U Merlin firmware).

    I have already established an OpenVPN Server tunnel with success. All external clients connected to the OpenVPN Server created on the Asus Router exit to the internet with my ISP IP.

    I also have a VPN Client tunnel established from the ASUS Router to another private VPN provider.

    I would like to redirect all the traffic of external clients connected to the Asus OpenVPN Server through the private VPN provider. Is it possible?
    If yes, which configuration do I have to use?

    This is an example of the configuration I would like to achieve (screenshots not reproduced here).


    Thanks in advance.
     
  3. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,765
    Location:
    UK
    See Openvpn server and client pass-thru;
     
    [email protected] likes this.
  4. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    Hi Martineau,
    thank you so much for your reply.

    I have read your interesting post about iptables. I have enabled (manually), as you suggested, pass-thru from the OpenVPN server (the network is the default one: 10.8.0.0/24) to the specific OpenVPN Client chain tun11.

    iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

    Unfortunately, when I look for the IP of the OpenVPN Server connected client in the Selective routing GUI, I can't find it. And my client exits with the ISP IP and not with the private VPN provider as I would wish.

    I don't know if there is an issue in the OpenVPN Server config or if the specific Merlin firmware version I'm using doesn't offer the options that cover my requirements.
    I have only these config options (screenshots not reproduced here).


    Thank you in advance for your help.
     
    Last edited: Sep 22, 2018
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,765
    Location:
    UK
    See this post openvpn server and client question to correctly configure the VPN Client :rolleyes:
     
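Added example, not part of the thread and not Asuswrt-Merlin's own code: the two halves of the procedure discussed above, mancio2's pass-thru MASQUERADE and the Selective routing entry Martineau points to, as one script that can be run from the router's shell (or dry-run anywhere). It assumes OpenVPN Server #1 is tun21 with the network in `vpn_server1_sn`, VPN Client #1 is tun11 with policy table `ovpnc1`, that ip-rule priority 10100 is free, and that `wan0_ifname` is the WAN interface; the fallbacks used when `nvram` is absent are likewise assumptions. It also adds a fail-closed REJECT so the server's clients cannot leak out of the WAN if the client tunnel drops (the GUI's "block routed clients if tunnel goes down" option does the same job, if your build has it).

```shell
#!/bin/sh
# Added example (not from the thread): route OpenVPN Server #1 clients out via
# VPN Client #1 instead of the WAN. Assumptions: server #1 = tun21, network from
# nvram vpn_server1_sn (10.8.0.0 fallback), VPN client #1 = tun11 with policy
# routing table "ovpnc1", ip-rule priority 10100 unused, WAN = wan0_ifname
# (eth0 fallback). DRYRUN=1 prints the commands instead of running them.

SRV_NET="$(nvram get vpn_server1_sn 2>/dev/null || echo 10.8.0.0)/24"
WAN_IF="$(nvram get wan0_ifname 2>/dev/null || echo eth0)"
VPNC_IF="tun11"        # VPN Client #1 tunnel interface
VPNC_TABLE="ovpnc1"    # its policy-routing table (assumed Merlin naming)
PRIO="10100"           # ip rule priority (assumed free)

# Print the commands for "up" or "down", one per line, in the order they must run.
passthru_cmds() {
    case "$1" in
    up)
        # 1. policy route: packets from the server subnet use the VPN client's table
        echo "ip rule add from $SRV_NET table $VPNC_TABLE priority $PRIO"
        echo "ip route flush cache"
        # 2. NAT: the provider only knows the tunnel address, so masquerade
        echo "iptables -t nat -I POSTROUTING -s $SRV_NET -o $VPNC_IF -j MASQUERADE"
        # 3. fail closed: if the client tunnel drops, do not leak via the WAN
        echo "iptables -I FORWARD -s $SRV_NET -o $WAN_IF -j REJECT"
        ;;
    down)
        echo "iptables -D FORWARD -s $SRV_NET -o $WAN_IF -j REJECT"
        echo "iptables -t nat -D POSTROUTING -s $SRV_NET -o $VPNC_IF -j MASQUERADE"
        echo "ip rule del from $SRV_NET table $VPNC_TABLE priority $PRIO"
        echo "ip route flush cache"
        ;;
    *)
        echo "usage: passthru up|down" >&2
        return 2
        ;;
    esac
}

# Apply them (or only show them when DRYRUN=1); each command is also logged.
apply_passthru() {
    passthru_cmds "$1" | while IFS= read -r cmd; do
        if [ "${DRYRUN:-0}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            logger -t passthru "$cmd"
            sh -c "$cmd"
        fi
    done
}

# Command-line use on the router:  ./passthru.sh up   |   DRYRUN=1 ./passthru.sh up
if [ -n "$1" ]; then
    apply_passthru "$1"
fi
```

Order matters: the `ip rule` must exist before the MASQUERADE is useful (otherwise the server subnet is still routed by the main table, out of the WAN, which is exactly the "exits with ISP IP" symptom), and the REJECT is what turns a provider outage into "no internet" rather than "internet via the ISP".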
  6. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    Hi Martineau,
    Thank you so much. It works! I believe there was a specific client entry in the source IP select, but I had to insert it manually.

    I have another 2 questions...

    1) Even before I configured the Selective routing GUI for the OpenVPN client, I wasn't able to ping any clients in my LAN, except for the router itself. In the OpenVPN server configuration, I have set "Client will use VPN to access": Both. Do I have to set another set of configurations to enable it?

    2) I have created 2 scripts, as you suggested in your post, in /jffs/scripts/: one to enable pass-thru and one to disable it. The names of these scripts are vpnserver1-up and vpnserver1-down. If I run both manually, they achieve their purpose, so they enable and disable the firewall rules respectively, but when I try to set up and tear down the OpenVPN Server from the GUI, it seems no scripts are executed. Are the scripts' names written properly?

    Thank you so much.
    Best Regards.
     
  7. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    OK, for the 2nd question I have solved the problem myself.

    I have written a single script, openvpn-event, with this code:

    Code:
    #!/bin/sh
    # /jffs/scripts/openvpn-event is run by Asuswrt-Merlin for every OpenVPN
    # up/down event; OpenVPN exports script_type (up/down) and dev (the tun
    # interface) in the environment, so one script can serve several tunnels.
    
    logger "openvpn-event called ..."
    logger "Type: ${script_type}, Interface: ${dev}"
    
    # OpenVPN Server #1 network (vpn_server1_sn, e.g. 10.8.0.0) and the
    # VPN Client #1 interface its clients should exit through.
    SRV_NET="$(nvram get vpn_server1_sn)/24"
    OUT_IF="tun11"
    
    # Server #1 comes up on tun21: (re)insert the pass-thru rule. Variables are
    # quoted and compared with "=" so an unset one cannot break the [ ] test;
    # deleting any stale copy first keeps the rule unique if the event repeats.
    if [ "$script_type" = "up" ] && [ "$dev" = "tun21" ]; then
            logger "pass-thru enabled ..."
            iptables -t nat -D POSTROUTING -s "$SRV_NET" -o "$OUT_IF" -j MASQUERADE 2>/dev/null
            iptables -t nat -I POSTROUTING -s "$SRV_NET" -o "$OUT_IF" -j MASQUERADE
    fi
    
    # Server #1 goes down: remove the rule again.
    if [ "$script_type" = "down" ] && [ "$dev" = "tun21" ]; then
            logger "pass-thru disabled ..."
            iptables -t nat -D POSTROUTING -s "$SRV_NET" -o "$OUT_IF" -j MASQUERADE
    fi
    
     
    Last edited: Sep 23, 2018
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,765
    Location:
    UK
    No, but you should check if the OVPN iptables is set correctly:
    Code:
    iptables --line -t filter -nvL OVPN
    see RMerlin Wiki e.g. openvpn-event but @john9527 provides a recommended template script:
    @john9527's openvpn-event script template
     
  9. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    Hi Martineau,
    thank you for your reply, and I'm sorry for the delay of my answer.

    These are my OVPN iptables:

    Code:
    iptables --line -t filter -nvL OVPN
    Chain OVPN (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
    2      316 81501 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
    
    Is there something wrong?
     
  10. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,765
    Location:
    UK
    No, the OVPN table shows no inbound restrictions for your local LAN from either of the OpenVPN Servers (although only OpenVPN Server #2 appears ACTIVE?).

    If you are trying to PING Windows clients on the LAN, then check the Windows firewall on the clients.
    However, for LAN devices such as IP Cameras/printers etc. you may need to add iptables logging rules to track which rule is blocking the PINGs.

     
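Added example, not part of the thread: one way to do the iptables logging Martineau suggests, as a script written for this page rather than anything from Asuswrt-Merlin or the posters. Part 1 inserts LOG rules at three checkpoints in the forwarding path; part 2 is an awk summary of the kernel log lines they produce. It assumes OpenVPN Server #1 is tun21 with subnet 10.8.0.0/24, that the LAN bridge is br0, and that FORWARD ends in a DROP policy (so a packet that reaches the last checkpoint was accepted by no rule). The log lines fed to the parser are constructed, including the LAN host 192.168.1.10.

```shell
#!/bin/sh
# Added example (not from the thread): trace a VPN client's packets through the
# router's FORWARD path to see how far they get before something drops them.
# Assumptions: OpenVPN Server #1 = tun21 / 10.8.0.0/24, LAN bridge = br0,
# FORWARD policy = DROP. Log level 7 keeps the lines in `logread` but out of
# the router's usual warning-level view.
SRV_NET="10.8.0.0/24"

# Part 1: install (add) or remove (del) the checkpoints. Run on the router.
#   FWD-IN  : first rule of FORWARD  -> packet entered the forwarding path
#   OVPN-IN : first rule of OVPN     -> packet reached the OpenVPN chain
#   FWD-END : last rule of FORWARD   -> no rule accepted it, policy drop follows
trace_rules() {
    case "$1" in
        add) op_head="-I"; op_tail="-A" ;;
        del) op_head="-D"; op_tail="-D" ;;
        *)   echo "usage: trace_rules add|del" >&2; return 2 ;;
    esac
    iptables "$op_head" FORWARD -i tun21 -s "$SRV_NET" -j LOG --log-prefix "TRACE-FWD-IN: "  --log-level 7
    iptables "$op_head" OVPN    -i tun21 -s "$SRV_NET" -j LOG --log-prefix "TRACE-OVPN-IN: " --log-level 7
    iptables "$op_tail" FORWARD -i tun21 -s "$SRV_NET" -j LOG --log-prefix "TRACE-FWD-END: " --log-level 7
}

# Part 2: one line per (checkpoint, in, out, src, dst, proto) with a packet count.
# Feed it `logread` or /tmp/syslog.log. A flow that shows FWD-IN and OVPN-IN but
# never FWD-END was forwarded by the router: the block is on the target host.
trace_summary() {
    awk '
    function val(f, n,  v) { v = substr(f, n); return v == "" ? "-" : v }
    /TRACE-[A-Z-]+: / {
        stage = ""; in_ = "-"; out = "-"; src = "-"; dst = "-"; proto = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^TRACE-[A-Z-]+:$/) stage = substr($i, 7, length($i) - 7)
            else if ($i ~ /^IN=/)    in_   = val($i, 4)
            else if ($i ~ /^OUT=/)   out   = val($i, 5)
            else if ($i ~ /^SRC=/)   src   = val($i, 5)
            else if ($i ~ /^DST=/)   dst   = val($i, 5)
            else if ($i ~ /^PROTO=/) proto = val($i, 7)
        }
        if (stage != "") count[stage " " in_ " " out " " src " " dst " " proto]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample of what logread shows after `trace_rules add`: two pings
# from a VPN client to a LAN host pass both entry checkpoints and never reach
# FWD-END (so the router forwarded them), plus, for contrast, one WAN-bound DNS
# packet that does reach FWD-END and would be dropped by the policy.
sample_log() {
cat <<'EOF'
Sep 30 10:00:01 RT-AC66U_B1 kernel: TRACE-FWD-IN: IN=tun21 OUT=br0 SRC=10.8.0.2 DST=192.168.1.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Sep 30 10:00:01 RT-AC66U_B1 kernel: TRACE-OVPN-IN: IN=tun21 OUT=br0 SRC=10.8.0.2 DST=192.168.1.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Sep 30 10:00:02 RT-AC66U_B1 kernel: TRACE-FWD-IN: IN=tun21 OUT=br0 SRC=10.8.0.2 DST=192.168.1.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 SEQ=2
Sep 30 10:00:02 RT-AC66U_B1 kernel: TRACE-OVPN-IN: IN=tun21 OUT=br0 SRC=10.8.0.2 DST=192.168.1.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0 SEQ=2
Sep 30 10:00:05 RT-AC66U_B1 kernel: TRACE-FWD-IN: IN=tun21 OUT=eth0 SRC=10.8.0.2 DST=1.1.1.1 LEN=61 TTL=63 PROTO=UDP SPT=40123 DPT=53
Sep 30 10:00:05 RT-AC66U_B1 kernel: TRACE-OVPN-IN: IN=tun21 OUT=eth0 SRC=10.8.0.2 DST=1.1.1.1 LEN=61 TTL=63 PROTO=UDP SPT=40123 DPT=53
Sep 30 10:00:05 RT-AC66U_B1 kernel: TRACE-FWD-END: IN=tun21 OUT=eth0 SRC=10.8.0.2 DST=1.1.1.1 LEN=61 TTL=63 PROTO=UDP SPT=40123 DPT=53
EOF
}

# On the router:  trace_rules add; (ping from the phone); logread | trace_summary; trace_rules del
# Offline check:  sample_log | trace_summary
```

Read the summary by checkpoint: the ICMP flow to 192.168.1.10 appears at FWD-IN and OVPN-IN with the same count and never at FWD-END, which is the pattern RMerlin's reply describes (the router is not the one dropping, so the host's own firewall is next). Remove the LOG rules afterwards; they are not rate-limited and will fill the syslog ring buffer on a busy tunnel.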
  11. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    I'm using an Android client connected to my OpenVPN Server. I'm not able to access any devices except the ASUS router; not only ping, I'm not able to access any webserver (I have a NAS and a Raspberry) or other application with my browser.

    On Stack Overflow some user advised enabling a Static Route in the LAN configuration, but when I do this, all my clients, even those connected directly to my LAN, can't access the internet anymore.
     
  12. mancio2

    mancio2 New Around Here

    Joined:
    Sep 22, 2018
    Messages:
    6
    EDIT:
    I have solved the problem by adding a new firewall rule:

    Code:
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    Could this be a firmware issue?

    Thank you so much for your support.

    Alessandro
     
    Last edited: Sep 30, 2018
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,975
    Location:
    Canada
    I just tested it here, and I was able to successfully connect to a Remote Desktop session using my smartphone over OpenVPN, with no special firewall configuration on the router.

    Make sure your client properly enables the routes to your LAN subnet. In Windows' case, it means you have to make sure you run the client with administrator privileges. For Android nothing particular should be needed.

    You also need to make sure your target devices do not firewall the 10.x.y.z subnet.
     
    Last edited: Sep 30, 2018
  14. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,765
    Location:
    UK
    Hmmm, strange indeed....

    I have both OpenVPN servers configured.

    Access to my LAN devices (primarily IP Cameras via my Android phone) via OpenVPN Server #1 is unrestricted.

    However, OpenVPN Server #2 assigns a unique static address to the connecting clients and the clients are therefore subject to ACL restrictions,
    Code:
    RT-AC68U daemon.notice ovpn-server2[7452]: xxx.xxx.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:xxx.xxx.xxx.xxx:36811
    RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 v4.80 VPN Server 2 Client user 'SGA5' CCD configuration starting.... [/tmp/openvpn_cc_732ba27906fc5816.tmp]
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Processing Client_username file '/jffs/configs/openvpn/ccd2/client_SGA5'
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'staticip' will assign I/P address 10.16.0.22 to Client user 'SGA5'
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'restrictperiod' is being enforced.....
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 'IPGroup' CAMERAS
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.120 (CAM-W-JPT3815W.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.121 (CAM-L-F18918W.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.122 (CAM-W-JPT3815W.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.123 (CAM-L-IP2M841B.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.125 (CAM-W-IP2M841B.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'lanonly' will BLOCK ALL LAN access except to 10.88.8.148 (RaspberryPiB.Martineau.lan)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'forcedns' (8.8.4.4) will be applied to I/P 10.16.0.22
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'wol' (ether-wake) will be applied to MAC=xx:xx:xx:xx:xx:xx (10.88.8.197) DS-416.Martineau.lan
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 Psuedo command 'wol' (ether-wake) will be applied to MAC=xx:xx:xx:xx:xx:xx (10.88.8.195) DS-110J.Martineau.lan
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client I/P xxx.xxx.xxx.xxx address is not on BLOCKED ACL list
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client I/P xxx.xxx.xxx.xxx address is not PERIOD restricted(00:59-05:00)
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client user 'SGA5' CCD config: ifconfig-push 10.16.0.22 255.255.255.0
    RT-AC68U user.warn (VPNClientConnect.sh): 27213 VPN Server 2 Client CCD configuration ended.
    RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_732ba27906fc5816.tmp
    RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI: Learn: 10.16.0.22 -> client/xxx.xxx.xxx.xxx
    RT-AC68U daemon.notice ovpn-server2[7452]: client/xxx.xxx.xxx.xxx MULTI: primary virtual IP for client/xxx.xxx.xxx.xxx: 10.16.0.22
    i.e. the following shows that the Android phone (10.16.0.22) connected to OpenVPN Server #2 and the ACL rules will only allow access to specific devices, namely the IP Cameras:
    Code:
    iptables  --line -t filter -nvL OVPN
    Chain OVPN (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
    2       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.148
    3       35  2100 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.125
    4       36  2160 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.123
    5       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.122
    6       30  1800 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.121
    7       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.120
    8        0     0 RETURN     all  --  tun22  br0     10.16.0.22           10.88.8.0/24
    9      112 25091 RETURN     all  --  tun22  eth0    10.16.0.22           0.0.0.0/0
    10    2886  190K ACCEPT     all  --  tun21  *       0.0.0.0/0            10.88.8.0/24
    11     188 11280 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
    12       0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
    and all LAN IP camera feeds were correctly viewable on the Android phone.

    Here is my -t nat POSTROUTING table:
    Code:
    iptables  --line -t nat -nvL POSTROUTING
    Chain POSTROUTING (policy ACCEPT 83 packets, 5864 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 MASQUERADE  all  --  *      tun13   10.88.8.0/24         0.0.0.0/0
    2        0     0 MASQUERADE  all  --  *      tun13   10.88.8.0/24         0.0.0.0/0
    3     434K   39M PUPNP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    4     132K   20M MASQUERADE  all  --  *      eth0   !xxx.xxx.xxx.xxx      0.0.0.0/0
    5     4795  581K MASQUERADE  all  --  *      br0     10.88.8.0/24         10.88.8.0/24
    6        0     0 MASQUERADE  all  --  *      tun13   10.8.0.0/24          0.0.0.0/0
    and clearly my POSTROUTING table is missing your proposed SNAT rule
    Code:
    0        0     0 SNAT       all  --  *      br0     10.8.0.0/24          0.0.0.0/0            to:10.88.8.1
    yet everything works?o_O

    In summary, I personally don't believe it is a bug in the firmware.
     
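Added example, not part of the thread: a small replay tool, written for this page, for the `iptables --line -t filter -nvL OVPN` listings posted above. Give it the chain listing on stdin and a packet (in-interface, out-interface, source, destination) and it reports which rule decides the packet, using iptables' first-match semantics for the columns this chain uses (`*` and `!` on interfaces and addresses are handled; protocol is ignored because every rule in these listings is `all`). The embedded listing is Martineau's OVPN chain from the post above; running the tool over it shows why 10.16.0.22 is ACCEPTed towards a camera but RETURNed (back to FORWARD, where the policy drops it) towards any other LAN address, while a tun22 client at a different address falls through to rule 11. One caveat worth keeping in mind when reading mancio2's SNAT fix alongside this: filter FORWARD (where OVPN is called) runs before nat POSTROUTING, so that SNAT changes nothing these rules see; what it changes is the source address the NAS or Raspberry sees (the router's LAN IP instead of 10.8.0.x), which is why it works around a host firewall that blocks 10.x.y.z, and also why the hosts' own logs can no longer tell VPN clients apart.

```shell
#!/bin/sh
# Added example (not from the thread): replay one packet against an
# `iptables --line -t filter -nvL OVPN` listing and print the deciding rule.
# Columns in that listing: num pkts bytes target prot opt in out source destination.
# Only in/out/source/destination are evaluated; prot is "all" in every rule here.

# Listing copied from Martineau's post above, used as sample input.
ovpn_listing() {
cat <<'EOF'
Chain OVPN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
2       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.148
3       35  2100 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.125
4       36  2160 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.123
5       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.122
6       30  1800 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.121
7       29  1740 ACCEPT     all  --  tun22  br0     10.16.0.22           10.88.8.120
8        0     0 RETURN     all  --  tun22  br0     10.16.0.22           10.88.8.0/24
9      112 25091 RETURN     all  --  tun22  eth0    10.16.0.22           0.0.0.0/0
10    2886  190K ACCEPT     all  --  tun21  *       0.0.0.0/0            10.88.8.0/24
11     188 11280 ACCEPT     all  --  tun22  *       0.0.0.0/0            0.0.0.0/0
12       0     0 ACCEPT     all  --  tun13  *       0.0.0.0/0            0.0.0.0/0
EOF
}

# usage: <listing> | ovpn_verdict IN OUT SRC DST
# prints "ACCEPT rule N", "RETURN rule N", or "RETURN end-of-chain" (implicit return)
ovpn_verdict() {
    awk -v PIN="$1" -v POUT="$2" -v PSRC="$3" -v PDST="$4" '
    # dotted quad -> 32-bit number (kept as a double, exact up to 2^53)
    function ip2n(a,  p) { split(a, p, "[.]"); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    # CIDR (or bare host, or "!"-negated) match; /0 matches everything
    function cidr_match(cidr, ip,  neg, c, bits, hit) {
        neg = 0
        if (substr(cidr, 1, 1) == "!") { neg = 1; cidr = substr(cidr, 2) }
        if (index(cidr, "/") == 0) cidr = cidr "/32"
        split(cidr, c, "/"); bits = c[2] + 0
        hit = (bits == 0) || (int(ip2n(ip) / 2 ^ (32 - bits)) == int(ip2n(c[1]) / 2 ^ (32 - bits)))
        return neg ? !hit : hit
    }
    # interface column: "*" is any, "!tunX" is anything but tunX
    function if_match(rule, actual) {
        if (rule == "*") return 1
        if (substr(rule, 1, 1) == "!") return substr(rule, 2) != actual
        return rule == actual
    }
    # rule lines start with the rule number; header lines do not
    $1 ~ /^[0-9]+$/ {
        if (if_match($7, PIN) && if_match($8, POUT) && cidr_match($9, PSRC) && cidr_match($10, PDST)) {
            print $4 " rule " $1; found = 1; exit
        }
    }
    END { if (!found) print "RETURN end-of-chain" }'
}

# On the router:  iptables --line -t filter -nvL OVPN | ovpn_verdict tun21 br0 10.8.0.2 192.168.1.10
# Offline:        ovpn_listing | ovpn_verdict tun22 br0 10.16.0.22 10.88.8.130
```

A RETURN from OVPN is not a verdict by itself: control goes back to FORWARD at the rule after the jump, and on Asuswrt that chain ends in a DROP policy, which is what makes rule 8 an effective deny for everything in 10.88.8.0/24 that rules 2 to 7 did not already accept.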