
Routing through VPN from LAN - Asus RT-N66U


KristianB

Hi,

I'm trying to talk to my RPi that is connected to my VPN (a PPTP hosted by Asus RT-N66U) while my PC is connected to the router's LAN network. The RPi is connected from an external network. I have tried adding routes as suggested in these links:
- https://superuser.com/questions/120...oute-selective-traffic-by-destination-network
- https://serverfault.com/questions/6...-network-if-the-default-gateway-ip-is-dynamic
- https://unix.stackexchange.com/questions/315793/enabling-an-internet-route-through-ppp0
So far I'm not able to ping or ssh into my RPi. Here are some settings from my router and PC:

The VPN settings and connections:


As you can see I can ping the RPi with the router:


PC information:
- ipconfig /all:

PPP adapter GarenCam:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : GarenCam
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.10.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.5.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
Physical Address. . . . . . . . . : B8-8A-60-91-16-30
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::50d8:5773:ad08:fc4%5(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.5.172(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : søndag 21. mars 2021 00:20:58
Lease Expires . . . . . . . . . . : mandag 22. mars 2021 00:22:12
Default Gateway . . . . . . . . . : 192.168.5.1
DHCP Server . . . . . . . . . . . : 192.168.5.1
DHCPv6 IAID . . . . . . . . . . . : 62425696
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-A4-78-52-B8-8A-60-91-16-30
DNS Servers . . . . . . . . . . . : 192.168.5.1
NetBIOS over Tcpip. . . . . . . . : Enabled

route print:
===========================================================================
Interface List
15...28 f1 0e 49 dc ac ......Intel(R) Ethernet Connection (2) I219-LM
43...00 15 5d b8 bf 17 ......Hyper-V Virtual Ethernet Adapter
13...b8 8a 60 91 16 31 ......Microsoft Wi-Fi Direct Virtual Adapter
9...ba 8a 60 91 16 30 ......Microsoft Wi-Fi Direct Virtual Adapter #3
16...00 ff a6 07 f0 e0 ......TAP Adapter OAS NDIS 6.0
53...........................GarenCam
5...b8 8a 60 91 16 30 ......Intel(R) Dual Band Wireless-AC 8260
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.5.1 192.168.5.172 4280
0.0.0.0 0.0.0.0 On-link 192.168.10.11 36
XX.XXX.XX.XXX 255.255.255.255 192.168.5.1 192.168.5.172 4281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
172.28.80.0 255.255.240.0 On-link 172.28.80.1 4496
172.28.80.1 255.255.255.255 On-link 172.28.80.1 4496
172.28.95.255 255.255.255.255 On-link 172.28.80.1 4496
192.168.5.0 255.255.255.0 On-link 192.168.5.172 4536
192.168.5.172 255.255.255.255 On-link 192.168.5.172 4536
192.168.5.255 255.255.255.255 On-link 192.168.5.172 4536
192.168.10.11 255.255.255.255 On-link 192.168.10.11 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4556
224.0.0.0 240.0.0.0 On-link 192.168.5.172 4536
224.0.0.0 240.0.0.0 On-link 172.28.80.1 4496
224.0.0.0 240.0.0.0 On-link 192.168.10.11 36
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
255.255.255.255 255.255.255.255 On-link 192.168.5.172 4536
255.255.255.255 255.255.255.255 On-link 172.28.80.1 4496
255.255.255.255 255.255.255.255 On-link 192.168.10.11 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
5 306 fe80::/64 On-link
43 271 fe80::/64 On-link
5 306 fe80::50d8:5773:ad08:fc4/128
On-link
43 271 fe80::e5e6:e076:4b72:5d6/128
On-link
1 331 ff00::/8 On-link
5 306 ff00::/8 On-link
43 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None


If anyone could help or give some pointers I would be very grateful!
BR Kristian
 
I'm confused. Is the PPTP server and RPi on a *remote* system, hosted by the RT-N66U, and your client is remotely located? Or is the PPTP server and client on the *same* local network (i.e., you're trying to route a client through the PPTP server locally)?
 
The RPi is the only thing on a remote system, connected to the PPTP from WAN. But my computer is on the local network, but it is also connected to the PPTP server. Yes, I just want to talk to the RPi from a local (relevant to the PPTP server) computer.
 
So I assume like the following:

Code:
[pc (pptp client)]<-->[router (pptp server)]<-- internet -->[router]<-->[rpi (pptp client)]

If the RPi is connected to the PPTP server, it will have its own ppp# network interface on that same router (according to the routing table, ppp10). But there is no need for your PC to be connected to that same PPTP server. The ppp10 device (RPi) is directly accessible from the router, as proven by the successful ping. Likewise, any client on the network behind that router should be able to ping the RPi (192.168.10.10).

What may be required is for you to configure the remote network (your local network where the PC is located, 192.168.5.0/24) w/ the PPTP client so the RPi knows how to route back to that network. Most PPTP clients provide fields for those purposes. This isn't a requirement for the router itself since it will use its own PPTP server IP (e.g., 192.168.10.1) to communicate w/ the RPi, and the RPi obviously knows how to route back to that IP.

Alternatively, you should be able to NAT any traffic routed to 192.168.10.10 w/ the server's PPTP ip.

Code:
iptables -t nat -I POSTROUTING -d 192.168.10.10 -j MASQUERADE

Again, there's no need to have the PC connected to the PPTP server. At least not for this specific purpose.
 
Ok, thanks a lot for your help. Your first assumption is correct. Sorry, I'm very new to this; should the iptable configuration command you mention be done with the RPi? (Unfortunately the RPi is out of physical reach for some time.) Could I make a port forwarding rule straight to the RPi via the PPTP somehow? If you also know some easy literature to read up on, that is appreciated; I find this topic has a very steep learning curve for newbies.
 
The iptables rule needs to be added on the router hosting the PPTP server.

The reason you're probably having problems is because your client on the 192.168.5.x network is attempting to contact the RPi on the 192.168.10.x network, but the RPi doesn't know how to route them back! It doesn't know anything about the 192.168.5.x network or where it's located. That's why most PPTP clients have a pair of fields called Remote Network and Remote Netmask (or something similar) so you can tell it the network that lies across the PPTP tunnel, and then it knows how to route those packets back should it receive any (like from your PC).

If that is NOT possible for some reason, then the alternative is to use the NAT rule I suggested earlier, in order to *mask* the source IP of packets from the 192.168.5.x network w/ the router's IP on the PPTP interface (let's assume that's 192.168.10.1), so all the traffic appears to be coming from that IP. Now the RPi has no problem routing those packets back since it's established on that same network over the VPN.

One other possibility (and it's the one I most recommend so you don't have these types of problems) is to configure the PPTP server w/ the same network as the local network (e.g., 192.168.5.x). You just need to reserve a small portion of your network, outside the scope of the local DHCP server and any static routes, for these purposes (e.g., 192.168.5.200-204). Now there are no routing issues because the PPTP client(s) are established on the remote network as if they are part of that same network! IOW, everyone's using 192.168.5.x. That's why PPTP allows you to use the same IP network as the local network. It makes things so much easier.
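
An added illustration, not part of any post in this thread: a small Python model of the RPi's return-path lookup, showing why replies to 192.168.5.172 miss the tunnel and how either a Remote Network route or the MASQUERADE rule fixes that. The RPi's routing table, its interface names (`eth0`, `ppp0`) and its 192.168.1.0/24 LAN are assumptions made up for the example; the other addresses are the ones used in the thread.

```python
import ipaddress

def routes(*entries):
    """Build a routing table as a list of (network, interface) pairs."""
    return [(ipaddress.ip_network(net), dev) for net, dev in entries]

def lookup(table, dst):
    """Longest-prefix match: interface of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed RPi routing table (assumed, the thread does not show it).
RPI_BASE = routes(
    ("0.0.0.0/0", "eth0"),        # default route via the remote site's own router
    ("192.168.1.0/24", "eth0"),   # RPi's local LAN (assumed addressing)
    ("192.168.10.1/32", "ppp0"),  # PPTP peer: the RT-N66U's tunnel address
)
# Same table after filling in Remote Network / Remote Netmask on the PPTP client.
RPI_WITH_REMOTE_NET = RPI_BASE + routes(("192.168.5.0/24", "ppp0"))

PC = "192.168.5.172"          # PC on the router's LAN
RPI = "192.168.10.10"         # RPi's tunnel address
ROUTER_PPTP = "192.168.10.1"  # router's tunnel address, as assumed in the thread

def masquerade(src, dst, match_dst=RPI, nat_ip=ROUTER_PPTP):
    """Model of `-t nat -I POSTROUTING -d 192.168.10.10 -j MASQUERADE` on the router:
    packets headed for the RPi leave with the router's tunnel address as source."""
    return nat_ip if dst == match_dst else src

def reply_interface(rpi_table, src_seen_by_rpi):
    """Interface the RPi picks when answering a packet from src_seen_by_rpi."""
    return lookup(rpi_table, src_seen_by_rpi)

def scenarios():
    return {
        # Reply to 192.168.5.172 follows the default route out eth0, not the tunnel.
        "no_fix": reply_interface(RPI_BASE, PC),
        # A route for 192.168.5.0/24 sends the reply back through ppp0.
        "remote_network": reply_interface(RPI_WITH_REMOTE_NET, PC),
        # With NAT the RPi only ever sees 192.168.10.1, which it already reaches via ppp0.
        "masquerade": reply_interface(RPI_BASE, masquerade(PC, RPI)),
    }

if __name__ == "__main__":
    for name, dev in scenarios().items():
        print(f"{name:15s} reply leaves via {dev}")
```

With the NAT option the RPi's logs will show every LAN client as 192.168.10.1, so per-host attribution has to come from the router's side.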
 
