
<routing / firewall config question> 2 router VPN setup works but has a small problem

Discussion in 'Asuswrt-Merlin' started by bobo221, Jun 13, 2018.

  1. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Hello - I'm hoping that someone can help me (long-time forum lurker/first-time poster) with a small issue that I have with my home network setup. Apologies in advance for the wall of text ....

    Basically, I have the following setup:

    Internet
    |
    Cable Modem
    |
    Primary router (AC66u: 192.168.1.1) <--> Computer_1 connected via hardwired lan connection
    |
    VPN router (AC86u: 192.168.9.1 - running merlin and OPENvpn client to VPN provider)
    |
    Wireless clients

    Right now, everything works according to plan. For example, computer_1 that connects to the primary router is given a 192.168.1.x address and can access open internet. Any wireless client that connects to the VPN router is given a 192.168.9.x address and can access the internet via VPN. Static routes have been set up on the primary router to route all 192.168.9.x traffic to the VPN router and vice versa, so that clients in the 192.168.9.x range can access computer_1 and computer_1 can access 192.168.9.x addresses. Both firewalls are enabled, with the VPN router having a single line in the firewall-start script that forwards 192.168.1.x traffic.

    The Question: Is there a way to update firewall rules or routing rules to allow computer_1 (keeping a 192.168.1.x address) to use 192.168.9.1 (the VPN router) as a gateway to route out via VPN? I don't want to change the topology and don't have a way to connect to the VPN router directly (long story).

    I have searched the forum but every post that I've looked at deals with the initial 2 router VPN setup not working and not with this specific scenario .... I'm hoping somebody can point me in the right direction with this issue.
     
  3. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    708
    Sounds like you’re already on the right track. You’ll probably have to set the gw on computer_1 to the ‘WAN’ address of the VPN router (192.168.1.x), then add a firewall rule on VPN router to route that traffic through the OpenVPN tunnel.

    You’ll probably also have to set all 192.168.1.x IPs statically so your computer_1 doesn’t set gw back to 192.168.1.1.
     
  4. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Thanks for the quick reply! I've got the config done on computer_1 but I'm currently stuck on the iptables rules to add to the VPN router (192.168.9.1) - I've tried to add the following to firewall-start but it doesn't seem to work .... maybe the forward rules need to go in nat-start?

    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
     
    Last edited: Jun 14, 2018
  5. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    708
    I think you’ll need a rule for the INPUT chain as well. OUTPUT should be ok since it’s generally not too restrictive.

    As a general rule when messing with iptables rules, you can reset the counters then make your connection and observe where the packets are being dropped:

    Code:
    # iptables -Z
    # iptables -nvL
    Edit: just saw you changed the interface from wl0 to eth0, in any case I don’t think either is correct. Try br0, that is the WAN interface.
     
    Last edited: Jun 14, 2018
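    A scripted form of the counter check above, as an added example that is not part of the thread: `rule_pkts` pulls the packet counter of the rule matching a given out-interface and source out of an `iptables -vnL` listing, and `verdict` tells "rule present but nothing matched" (what bobo221 sees a few posts later) apart from "no such rule" (what the nat-table dump later in the thread showed). The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): script the "zero the counters, make the
# connection, see which rules the packets hit" check on an `iptables -vnL`
# listing. rule_pkts, verdict and the sample listing below are constructed.
# On the router:  iptables -Z; <test from the client>; iptables -vnL FORWARD | rule_pkts - tun11 192.168.1.0/24
# Add -x to iptables if you want exact counters instead of 12K/3M style rounding.

# rule_pkts LISTING OUT_IF SRC: print the packet counter of the first rule
# whose out-interface and source match; exit 1 if no such rule exists.
# LISTING is the listing text, or "-" to read it from stdin.
rule_pkts() {
  listing="$1"; oif="$2"; src="$3"
  if [ "$listing" = "-" ]; then listing=$(cat); fi
  printf '%s\n' "$listing" | awk -v oif="$oif" -v src="$src" '
    # -vnL columns: pkts bytes target prot opt in out source destination
    $7 == oif && $8 == src { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# verdict CHAIN LISTING OUT_IF SRC: one line saying what the counters show.
verdict() {
  chain="$1"; listing="$2"; oif="$3"; src="$4"
  if pkts=$(rule_pkts "$listing" "$oif" "$src"); then
    if [ "$pkts" = 0 ]; then
      echo "$chain: rule for $src -> $oif exists but matched nothing (traffic never reached it)"
    else
      echo "$chain: rule for $src -> $oif matched $pkts packets"
    fi
  else
    echo "$chain: no rule for $src -> $oif"
  fi
}

# Constructed listing in `iptables -vnL FORWARD` format, mirroring the thread:
# a br0 rule nothing hits, a -s rule that is matching, and the stock INVALID drop.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    tun11   0.0.0.0/0            0.0.0.0/0
   42  3360 ACCEPT     all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
  117 10240 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID'

verdict FORWARD "$SAMPLE_FORWARD" tun11 192.168.1.0/24
verdict FORWARD "$SAMPLE_FORWARD" tun11 0.0.0.0/0
verdict FORWARD "$SAMPLE_FORWARD" tun11 192.168.9.0/24
```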
  6. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Ok - so I now have the following rules in my firewall-start and it still doesn't seem to want to work for computer_1 when I change its gw to the VPN router:

    #accept all from 192.168.1.x subnet - get it to the top of the accept list
    iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT

    #forward anything from the vpn tunnel to the wan interface (and vice versa) - I renamed the vpn interface to tun11 from ifconfig.
    iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
    iptables -A FORWARD -i tun11 -o br0 -j ACCEPT

    #enable nat for traffic from wan to the vpn tunnel
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE

    I've looked at the output from iptables -vL and it looks like the packets are being accepted from 192.168.1.x, and the only rules with any dropped packets are those for state = INVALID. No traffic on the FORWARD rules that I put in though ....

    ... hoping you have a suggestion on where I go from here.
     
  7. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    708
    Nothing is really jumping out at me, I’ll try to replicate this setup tomorrow.
     
  8. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,202
    You might need to add the 192.168.1.x to the routing table of the vpn client

    ovpnc1

    I'll find the syntax when I'm back from walking my dog!
     
    Last edited: Jun 15, 2018
  9. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,202
    What do these output on vpn router?

    Code:
    ip route show table ovpnc1
    
    ip rule show 
     
  10. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    the output from both commands - the ip route command returns nothing (!) ....
     

  11. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,202
    Which vpn client are you using? And if redirect Internet is set to all, then try
    Code:
    ip route show
     
  12. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    34
    The INPUT chain is irrelevant to this process. The INPUT chain is only relevant when the destination IP on the packet is one that belongs to the router! But your destination IP is NOT the router, but a public IP on the internet, so only the FORWARDing rules apply.

    Also, the OpenVPN client's network interface name is tun11. And you can determine the WAN w/ the following command.

    Code:
    nvram get wan_iface
    IIRC, the OpenVPN client tunnel is already NAT'd unconditionally, so you probably don't need any additional NAT rules either. But it's good to check anyway.

    Code:
    iptables -t nat -vnL POSTROUTING
    So all you should really need is the following.

    Code:
    iptables -I FORWARD -i $(nvram get wan_iface) -o tun11 -j ACCEPT
    You don't even need the reverse of this (-i tun11 -o $(nvram get wan_iface)) since the ESTABLISHED rule will take care of it.
     
    Last edited: Jun 15, 2018
    kfp likes this.
  13. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Here is the output from the 'ip route show' command - using the built-in OpenVPN client in Merlin.
     
  14. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    708
    Port for OpenVPN at least should be open in the INPUT chain, but I get where you’re coming from.
     
  15. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Code:
    nvram get wan_iface
    No results ...


    Code:
    iptables -I FORWARD -i $(nvram get wan_iface) -o tun11 -j ACCEPT
    ... so I assume that this won't work without the first command working.
     
  16. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    34
    If you know the WAN's network interface name, you can just insert it in place of the command. Since you didn't dump ifconfig or reveal the routing table (until just recently), I wasn't sure. I'm a little surprised though that the command returned nothing. That's a common variable. Try eth0.

    Code:
    iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT
     
  17. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Hi all - thanks again for all of the help ....

    @eibgrad - about your suggestion to add:

    Code:
    iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT

    My first attempt with my firewall-start script did initially have reference to 'eth0' for my wan connection in my forward chain but that didn't seem to work so the suggestion from @kfp was to reference 'br0' instead so the code now (still not working) is:

    Code:
    #accept all from 192.168.1.x subnet - get it to the top of the accept list
    iptables -I INPUT 1 -s 192.168.1.0/24 -j ACCEPT
    
    #forward anything from the vpn tunnel to the wan interface (and vice versa) - I renamed the vpn interface to tun11 from ifconfig.
    iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
    iptables -A FORWARD -i tun11 -o br0 -j ACCEPT
    
    #enable nat for traffic from wan to the vpn tunnel
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE
    
    .... maybe you're suggesting that I use -I instead of -A for the FORWARD rule? Dumping ifconfig, which I guess was missing in all of this (thanks @eibgrad).

    thanks again.
     
  18. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    34
    While the OpenVPN client is active, please post the results of the following command.

    Code:
    iptables -t nat -vnL
     
  19. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Here it is ...

     
  20. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    34
    The reason I asked you to dump the nat table was because I want to see exactly what was going on in there.

    One thing is clear. The NAT rule for the OpenVPN client is specifically limited to 192.168.9.0/24. So you will have to add a rule for the primary router's network.

    Code:
    iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE
    As I said before, the following rule allows forwarding of traffic from the WAN (eth0) of the second router, to the OpenVPN client (tun11).

    Code:
    iptables -I FORWARD -i eth0 -o tun11 -j ACCEPT
    I can clearly see from the previous ifconfig dump that eth0 is the network interface since it has the WAN ip of the second router (192.168.1.134). But if there remains any doubt, the way to settle the issue is to simply reference the source IP network (-s) rather than the input network interface (-i).

    Code:
    iptables -I FORWARD -s 192.168.1.0/24 -o tun11 -j ACCEPT
    So now it doesn't matter what the network interface is, it just matches on the IP network of the primary router!

    So take your pick, either FORWARD rule should work.

    An appropriate FORWARDing rule and NAT rule should be all that's required to gain access to the OpenVPN client from the 192.168.1.0/24 network.

    Please realize that I'm only telling you how to navigate the firewall of the second router. I assume you've managed to change the default gateway, for whatever device on the 192.168.1.0/24 network needs to use the VPN, to point to the WAN ip of the second router (192.168.1.134).

    When you test the connection, I recommend NOT using a browser (at least initially), but just a simple ping, and preferably not using a domain name, but an explicit IP.

    Code:
    ping 8.8.8.8
    If that works, then trace the routing. If this is a Windows client, you can use the following command from a DOS prompt.

    Code:
    tracert -d 8.8.8.8
    Notice the routing path that's taken. It should indicate 192.168.1.134 if it's being correctly directed at the second router. Then the path should continue over the VPN's local assigned IP, etc.

    IOW, avoid relying solely on the browser. When you use the browser, because it initially relies on DNS to get to a website, sometimes the connection is working, but there's a DNS problem. And so it looks like you don't have the basic connectivity working (which can be confirmed w/ ping and tracert), when in fact it is working but it's just DNS that's the problem.
     
  21. bobo221

    bobo221 Occasional Visitor

    Joined:
    Jun 13, 2018
    Messages:
    10
    Success! Thanks to @eibgrad, @kfp, and @Jack Yaz for all of your help.

    The solution - the NAT rule (below) needs to be run from the nat-start script (and not the firewall-start script where I had it).

    Code:
     iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o tun11 -j MASQUERADE 
    the other 2 rules (below) can still run from the firewall-start script

    Code:
     
    #accept all from 192.168.1.x subnet - get it to the top of the accept list
    iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT
    
    #forward anything from the vpn tunnel to the wan interface (and vice versa) - I renamed the vpn interface to tun11 from ifconfig.
    iptables -I FORWARD -s 192.168.1.0/24 -o tun11 -j ACCEPT
    
    The final clue was the 'iptables -t nat -vL' output after the changes suggested by @eibgrad. It didn't show any POSTROUTING rule for 192.168.1.0/24 traffic - so there must have been some reason why the firewall-start script didn't execute that command. I tried it manually via the command line and it worked, so after a bit of investigation I inserted the POSTROUTING rule into the nat-start script instead and it all worked!

    Thanks again to everyone!
     
    Jack Yaz and kfp like this.
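    The finished configuration as an added example (not bobo221's own scripts): a single file installed as both nat-start and firewall-start, applying the MASQUERADE rule from the nat hook and the FORWARD rule from the firewall hook, with a presence check so that Merlin re-running the hooks does not stack duplicate rules. The `add_once` helper, the symlink arrangement and the assumption that the router's iptables supports `-C` are additions here, not from the thread; the INPUT accept is left out since, as eibgrad notes, INPUT only governs traffic addressed to the router itself.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: one file installed as both
# /jffs/scripts/nat-start and /jffs/scripts/firewall-start (e.g. via symlink),
# so the MASQUERADE rule is applied from the nat-start hook and the FORWARD
# rule from firewall-start, the split the thread ended up needing.
# Assumes: tun11 is the OpenVPN client interface and 192.168.1.0/24 is the
# primary router's LAN (both from the thread), and that iptables supports -C.
LAN_BEHIND="${LAN_BEHIND:-192.168.1.0/24}"   # primary router's network
VPN_IF="${VPN_IF:-tun11}"                   # OpenVPN client interface
IPT="${IPT:-iptables}"                      # iptables command; overridable for dry runs

# add_once TABLE CHAIN RULE...: insert RULE at the top of CHAIN unless it is
# already present. Merlin re-runs these hooks on WAN/VPN events, so an
# unconditional -I would stack duplicate copies of the same rule.
add_once() {
  table="$1"; chain="$2"; shift 2
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPT" -t "$table" -I "$chain" "$@"
}

# nat-start: the OpenVPN client's own MASQUERADE rule only covers the VPN
# router's LAN (192.168.9.0/24), so the primary LAN needs its own.
nat_rules() {
  add_once nat POSTROUTING -s "$LAN_BEHIND" -o "$VPN_IF" -j MASQUERADE
}

# firewall-start: allow that LAN to be forwarded into the tunnel. Matching on
# -s sidesteps the eth0-vs-br0 question; replies come back via the stock
# ESTABLISHED rule, and INPUT is untouched since it only governs traffic
# addressed to the router itself.
filter_rules() {
  add_once filter FORWARD -s "$LAN_BEHIND" -o "$VPN_IF" -j ACCEPT
}

# Dispatch on the hook name Merlin invoked us by; nothing runs when the file
# is sourced or executed under any other name.
case "${0##*/}" in
  nat-start)      nat_rules ;;
  firewall-start) filter_rules ;;
esac
```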