
RT-AC66U two OpenVPN servers: port forwarding doesn't work when set to LAN only

Discussion in 'Asuswrt-Merlin' started by tymchyshyn90, Feb 26, 2020.

  1. tymchyshyn90

    tymchyshyn90 Occasional Visitor

    Joined:
    Feb 25, 2020
    Messages:
    15
    Hello!
    My router is an RT-AC66U_B1 (FW Merlin AC68U 384.14_2).

    Two OpenVPN servers run on it:
    1. TAP. My private computer connects and works well. It receives IP 192.168.0.11 and has access to all LAN resources. In the web interface I set "Client will use VPN to access: LAN only".
    2. TUN (10.16.0.0). I connect with my iPhone (TAP not supported), and sometimes my friends can connect. Clients use the VPN to access LAN and Internet (set to Both).

    I used only one server, TUN, before. Clients used LAN and internet over OpenVPN. The most important reason I use a VPN is remote control of a PC via an RD client. I installed the OpenVPN client on my PC with a non-public IP. Then I made a port forward to the OpenVPN client. For example, I can connect to my remote PC like this: DDNSname:port. The advantage is that it doesn't need the client's public IP. It's very simple and easy.

    But a few days ago I decided to run another server (TAP), because this is better for LAN resource access, and I don't want the remote PC to use my internet. I set "LAN only" access on my router. And I saw a problem: my method with port forwarding doesn't work anymore. I tried connecting my iPhone to the TUN server, and found another problem: I can't connect to 192.168.0.11 (the PC over TAP). But from the LAN this IP pings OK. I found out that the two VPN networks have a route to the LAN, but not to each other.
    I solved this problem: in the TAP server configuration, in the Allowed Clients fields, I put 10.16.0.0 255.255.255.0. After that I can connect to 192.168.0.11 when I'm connected to TUN.

    But the first problem is not solved, and I need your help. I found out that I can't connect with port forwarding only when "LAN only" is set in the server configuration. When I set Both (LAN+Internet) everything works fine and as I wish. But I don't want the client to use the internet over the VPN. How can I do that?

    Thank You!
     
  2. tymchyshyn90

    Can anybody help me?
     
  3. heysoundude

    heysoundude Very Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    746
    Last edited: Feb 28, 2020
  4. tymchyshyn90

    x3mRouting is great, but not for me. This add-on can route selected LAN clients to a selected OpenVPN client or WAN. But there are no OpenVPN clients on my router, only two servers.
     
  5. tymchyshyn90

    Any ideas?
     
  6. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    132
    The gist of what I'm getting is you're trying to use a DDNS (public IP) address to connect to what is essentially a local client through a VPN, and its rules are set to LAN only....

    If the VPN client is set to LAN only... how is it supposed to access the Internet to look up the DDNS address?? And why use port forwarding/a DDNS address at all? If you're connecting via VPN you can access clients using their local DHCP address without having to forward ports.
     
  7. tymchyshyn90

    If I'm connected to the VPN, no problem, I can connect to the local IP. But I want to connect to the PC without OpenVPN on my mobile or any other device; I want a direct connection.
     
  8. Maverickcdn

    You say you have the PC as a VPN client.... what's it connecting to? Not back to the VPN server on the same router it gets its local DHCP from?
     
  9. tymchyshyn90

    [image attachment: upload_2020-3-4_21-20-8.png]
    PC1 is located in my second house, where my parents live. It is very important for it to be in the TAP tunnel, for easy access to all resources. But usually torrents are downloading on PC1, and I don't want to share my internet with it.
    When I want to remote control PC2, I take any remote terminal client and enter the DDNS name of my router and the port, and the router's port forwarding connects me successfully. This is convenient: I don't have to install and configure an OpenVPN client on the remote terminal devices.
    And I want to do the same for access to PC1. Now I can only connect over OpenVPN and the local IP.
     
    Last edited: Mar 4, 2020
  10. Maverickcdn

    OP edited the post...
     
  11. tymchyshyn90

    The TAP and TUN servers are running on the router. 192.168.0.11 is obtained from DHCP. But PC1 has only LAN access.
    I don't want to use an OpenVPN tunnel on the clients. I want a direct connection with port forwarding to the router.
     
  12. Maverickcdn

    Making more sense now. PC1 (VPN client) will need access to the Internet, otherwise it can't get past the router to the client (iPhone/tablet) on the Internet connecting through DDNS. Port forwards won't help any.

    Your VPN tunnel is linking your two remote connections, PC1 and the router, but your VPN rules (LAN only) are preventing the messages getting back out to your clients on the Internet connected to the router. As far as your router is concerned, clients from the Internet can send messages, but it's set up to not let traffic out from TAP VPN clients, i.e. PC1 (LAN only rule).

    With the way you have it set up, I don't think you can have what you want.

    I think your only option...

    Set up TUN clients on your devices (tablet/iPhone etc.) and connect to your TUN server over the Internet, and they should (I'm pretty sure anyway) be able to connect to 'LAN only TAP clients, i.e. PC1', assuming you have client-to-client routing enabled on your TAP server.

    i.e. iPhone/tablet VPN client --> router TUN server --> mapped to TAP server
    PC1 won't have internet access, but your TUN VPN clients should be able to access PC1 over the internet.
     
  13. tymchyshyn90

    Yes, you got it right! And it still works if I connect the iPhone/tablet over TUN to the router, after adding the route in the TAP server configuration.
    My question is whether it is possible to configure the server configuration file (not necessarily through the WebUI) so as to dilute the TAP traffic to the client. I mean, the remote control traffic must go through the router to the internet, and the router must allow it, while all other traffic goes separately, in LAN only mode.
     
  14. Maverickcdn

    There is nothing in ASUS/RMerlin firmware for customizing OpenVPN server traffic (policy routing) short of the allow/disallow client-to-client option.

    You should be able to use iptables to create rules blocking the VPN LAN IP (PC1, 192.168.0.11) to anywhere destined for the internet.

    You could in theory revert to TAP allow internet, use a port forward to 192.168.0.11, then iptables to allow established connections and then drop the rest of the traffic from 192.168.0.11. Then you could DDNS w/port forward to your VPN client from the Internet to your PC1 and drop its internet traffic on the VPN..... I think.... this was a 30-second pondering...

    Other people here might have other suggestions/ideas...

    I think this may work

    Code:
    iptables -I FORWARD -s 192.168.0.11 -j DROP  # drops traffic to internet
    iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT  # allows internet connections to PC1 back out
     
  15. tymchyshyn90

    Where must I set iptables?
    I tried to make a script with that iptables, but after that the internet on the TAP client PC doesn't fully work.
     
    Last edited: Mar 5, 2020
  16. Maverickcdn

    Firstly, does your remote PC1 always get IP 192.168.0.11 from the VPN/router, do you know? If it ever disconnects and reconnects and gets a different IP this will be broken...

    If that's your only TAP client, on your TAP server you can set the IP pool range and have just that one IP in it.

    Option 1, for testing ONLY: iptables rules will disappear on reboots/WAN state change etc.
    1) Enable SSH in the router admin page (LAN only!)
    2) SSH into the router (use the free program PuTTY)
    3) type 'iptables -L INPUT -n' and look at what it returns, just keep that in mind (don't type the ' quotes)
    4) type in one line at a time in this order
    Code:
    iptables -I FORWARD -s 192.168.0.11 -j DROP 
    iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT 
    5) type 'iptables -L INPUT -n' again and look; it should have the details of those two lines at the top, the established rule will come first, then the drop rule second

    Then you can test it out; if it works to your needs, use the permanent solution below.

    Option 2, permanent

    1) Enable SSH in router admin page (LAN only!) (should already be done if you tested)
    2) SSH into router (use Putty free program)
    3) type 'cd /jffs/scripts'
    4) type 'nano firewall-start'
    5) enter this into that
    Code:
    #!/bin/sh
    
    iptables -I FORWARD -s 192.168.0.11 -j DROP  # drops traffic to internet
    iptables -I FORWARD -s 192.168.0.11 -m state --state ESTABLISHED -j ACCEPT  # allows internet connections to PC1 back out
    6) hit ctrl+x to exit nano, y to save
    7) type 'chmod a+rx firewall-start'
    8) type 'service restart_firewall'
    9) type 'iptables -L INPUT -n' and you should see these two rules at the top
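The rule order and scope in the two posts above, modelled as an added example (my code, not Maverickcdn's commands or anything from the firmware): a toy first-match model of the FORWARD chain. It shows why the ESTABLISHED rule has to end up above the DROP (each `-I` prepends, which is why the DROP line is typed first), and a caveat the thread does not cover: a bare `-s 192.168.0.11 -j DROP` also drops PC1's routed traffic to the TUN network (10.16.0.0/24) that the OP set up earlier, so the DROP is better limited to the WAN interface with `-o`. The interface names `eth0` and `tun21`, the ACCEPT default policy and the destination `203.0.113.5` are assumptions I constructed for the model.

```python
"""Added example: first-match model of an iptables FORWARD chain."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    out_if: str   # interface the router would forward the packet out of
    state: str    # what '-m state' would see: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP
    src: Optional[str] = None      # -s
    out_if: Optional[str] = None   # -o
    state: Optional[str] = None    # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.state is None or self.state == p.state))

    def as_iptables(self) -> str:
        parts = ["iptables -I FORWARD"]
        if self.src:
            parts.append(f"-s {self.src}")
        if self.out_if:
            parts.append(f"-o {self.out_if}")
        if self.state:
            parts.append(f"-m state --state {self.state}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


class Chain:
    """First matching rule wins; the policy applies if nothing matches."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:
        self.rules.insert(0, rule)      # 'iptables -I' prepends

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


PC1 = "192.168.0.11"     # the TAP client, from the thread
WAN_IF = "eth0"          # assumed WAN interface name
TUN_IF = "tun21"         # assumed TUN server interface name


def forum_chain() -> Chain:
    """The two lines exactly as the thread gives them, typed in that order."""
    c = Chain()
    c.insert(Rule("DROP", src=PC1))
    c.insert(Rule("ACCEPT", src=PC1, state="ESTABLISHED"))
    return c


def reversed_chain() -> Chain:
    """Same two lines typed in the opposite order: DROP ends up on top."""
    c = Chain()
    c.insert(Rule("ACCEPT", src=PC1, state="ESTABLISHED"))
    c.insert(Rule("DROP", src=PC1))
    return c


def scoped_chain() -> Chain:
    """DROP limited to the WAN interface so PC1 can still reach the TUN clients."""
    c = Chain()
    c.insert(Rule("DROP", src=PC1, out_if=WAN_IF))
    c.insert(Rule("ACCEPT", src=PC1, state="ESTABLISHED"))
    return c


# Constructed sample packets as the router's FORWARD chain would see them.
PACKETS: Dict[str, Packet] = {
    "new_to_internet":    Packet(PC1, "203.0.113.5", WAN_IF, "NEW"),
    "rd_reply_to_client": Packet(PC1, "1.2.3.4", WAN_IF, "ESTABLISHED"),
    "to_tun_client":      Packet(PC1, "10.16.0.6", TUN_IF, "NEW"),
}


def verdicts(chain: Chain) -> Dict[str, str]:
    return {name: chain.verdict(p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, build in (("forum", forum_chain), ("reversed", reversed_chain),
                        ("scoped", scoped_chain)):
        chain = build()
        print(name, [r.as_iptables() for r in chain.rules], verdicts(chain))
```

The rules live in FORWARD, so the place to confirm them on a live router is `iptables -L FORWARD -n --line-numbers`; traffic between PC1 and LAN hosts inside the TAP bridge is not modelled here.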
     
  17. Maverickcdn

    You have the client OpenVPN config set to send all traffic through the tunnel then; you need to look into configuring your TAP client (PC1) to retain its own internet access.

    Look here https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
    for how to get clients to ignore pushed routes for the internet.
     
  18. Maverickcdn

    Rereading through all of this and taking more than 60 secs to think about it...

    You don't even need any of the iptables rules on the router. All you need to do is reconfigure the VPN client PC1 to ignore the pushed internet gateways. Then you should have the setup you wanted.

    Sorry for the runaround.
     
  19. tymchyshyn90

    Thank you for the support!
    I just tried --pull-filter ignore redirect-gateway. On the router the server is set to Both (LAN + Internet). The client connected and doesn't use my gateway, as if everything is OK. But remote access still does not work with port forwarding...
     
  20. Maverickcdn

    Just to be sure, the option needs to go in PC1's VPN client config... not the server's...

    If that's how you set it, did the client have internet through its own connection? You can google 'my ip' to see which internet connection it's using. Or was it just that the port forward didn't work?

    This could be more complicated. I may have to sit this one out, short of trying to replicate your setup myself. It's definitely out of the norm for 95% of users.

    On the assumption you had the option on the client and the internet was working with its own connection on PC1:

    I think the issue could be that your router is passing your client's public IP (port forward), e.g. 1.2.3.4, as the source address for the RD connection; your client sent the request to your router's public IP address, e.g. 6.7.8.9, which doesn't match the source address of the reply, because PC1 is using its own internet, e.g. 5.6.7.8, and it's dropping the mismatched connection.

    Client sends packet from 1.2.3.4 (RD) to 6.7.8.9 .... PC1 saw a connection from 1.2.3.4, but its reply was sent from 5.6.7.8... not 6.7.8.9
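The source-address mismatch described in the last post, modelled as an added example (my code, not something from the thread). It walks PC1's routing decision for the reply under three client configurations: the pushed `redirect-gateway def1` (the thread's "Both"), `pull-filter ignore redirect-gateway` (the reply leaves by PC1's own ISP link, so the RD client sees it arrive from 5.6.7.8 instead of 6.7.8.9 and drops it), and a source-based policy route on PC1 that sends only traffic sourced from 192.168.0.11 back into the tunnel while PC1's own traffic keeps using its own link. The policy-route approach is my suggestion of the standard Linux `ip rule from ... lookup` technique, not something the thread proposes, and the thread never says what OS PC1 runs; the interface names `tap0`/`isp0`, PC1's own LAN address 192.168.1.10 and the destination 203.0.113.5 are constructed, while 1.2.3.4 and 6.7.8.9 are the thread's own example addresses.

```python
"""Added example: longest-prefix-match model of PC1's reply path."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

ip = ipaddress.IPv4Address
net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                      # egress interface


@dataclass(frozen=True)
class PolicyRule:
    """Models 'ip rule from <src> lookup <table>' (assumed fix, not from the thread)."""
    src: ipaddress.IPv4Address
    table: Sequence[Route]


# Addresses from the thread's last post
CLIENT = ip("1.2.3.4")            # RD client's public IP
ROUTER = ip("6.7.8.9")            # home router / VPN server public IP
PC1_TAP_IP = ip("192.168.0.11")   # PC1's address on the TAP bridge
# Constructed values
PC1_LOCAL_IP = ip("192.168.1.10") # PC1's own LAN address at the second house
SOME_HOST = ip("203.0.113.5")     # an arbitrary internet destination

LAN_ROUTE = Route(net("192.168.0.0/24"), "tap0")   # the home LAN, via the tunnel


def lookup(table: Sequence[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over one routing table."""
    best: Optional[Route] = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.dev if best else None


def egress(dst: ipaddress.IPv4Address, src: ipaddress.IPv4Address,
           main: Sequence[Route], rules: Sequence[PolicyRule] = ()) -> Optional[str]:
    """Policy rules are consulted first (matched on source), then the main table."""
    for rule in rules:
        if rule.src == src:
            dev = lookup(rule.table, dst)
            if dev is not None:
                return dev
    return lookup(main, dst)


def routes_both() -> List[Route]:
    """What a pushed 'redirect-gateway def1' installs: two /1 routes over the
    tunnel (beating the ISP default) plus a host route to the VPN server itself."""
    return [LAN_ROUTE,
            Route(net(f"{ROUTER}/32"), "isp0"),
            Route(net("0.0.0.0/1"), "tap0"),
            Route(net("128.0.0.0/1"), "tap0"),
            Route(net("0.0.0.0/0"), "isp0")]


def routes_lan_only() -> List[Route]:
    """With 'pull-filter ignore redirect-gateway' only the LAN route remains."""
    return [LAN_ROUTE, Route(net("0.0.0.0/0"), "isp0")]


def policy_rules() -> List[PolicyRule]:
    """Assumed fix: anything sourced from the TAP address goes back via the tunnel."""
    return [PolicyRule(PC1_TAP_IP, [Route(net("0.0.0.0/0"), "tap0")])]


def simulate(mode: str) -> Dict[str, object]:
    rules: Sequence[PolicyRule] = ()
    if mode == "both":
        main = routes_both()
    elif mode == "lan_only":
        main = routes_lan_only()
    elif mode == "lan_only_policy":
        main = routes_lan_only()
        rules = policy_rules()
    else:
        raise ValueError(mode)
    # The RD reply is sourced from the TAP address the request arrived on.
    reply_dev = egress(CLIENT, PC1_TAP_IP, main, rules)
    return {
        "rd_reply_dev": reply_dev,
        # Symmetric only if the reply re-enters the tunnel and leaves as 6.7.8.9.
        "reply_symmetric": reply_dev == "tap0",
        "own_traffic_dev": egress(SOME_HOST, PC1_LOCAL_IP, main, rules),
        "vpn_handshake_dev": egress(ROUTER, PC1_LOCAL_IP, main, rules),
    }


if __name__ == "__main__":
    for mode in ("both", "lan_only", "lan_only_policy"):
        print(mode, simulate(mode))
```

The "both" row reproduces what the OP does not want (PC1's own browsing leaves via `tap0`), the "lan_only" row reproduces the dropped RD session from the post above, and the policy-route row keeps the LAN-only behaviour while making the port-forwarded reply symmetric.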