
Setup VPN Server and Client


life1

Hello, noob here with minimal CS background.

I've been trying to set up VPN server and client on my AX82U.

Once I activate my OpenVPN server (created with Vultr VPS, but considering testing NordVPN, because there was 30-40Mbps limit)

Once I activate VPN client on Router, I can't connect to Router VPN server anymore.

How do I fix this issue? Is there any simple solution?
I've found a few articles in this forum, but the solutions seem overly complex, or maybe I'm missing out on something.

Thanks for any help you guys may provide
 
The reason this happens is because once the OpenVPN client is established, all the router's replies are directed over the VPN, even if the incoming request is from a remote OpenVPN client to its OpenVPN server over the WAN! And that's NOT allowed due to RPF (reverse-path filtering). It's why sometimes router OEMs don't allow BOTH the server and client at the same time. They KNOW this will cause problems. Others may let you do it, only to have YOU discover it doesn't work for some unknown reason.

What's required is split tunneling on the OpenVPN client, so the router itself can be removed from its own OpenVPN client, thus making its OpenVPN server accessible again over the WAN. But most OEMs don't want to bother supporting split tunneling; it makes technical support that much more time consuming and costly. That's why many turn to third-party firmware like Merlin, where split tunneling is available.

There are other solutions, like using static routes to bind the public IP of remote OpenVPN clients to the router's WAN, or even accessing your OpenVPN server over the OpenVPN client (!), provided your OpenVPN provider supports port forwarding over the tunnel (some do, most don't, and I know NordVPN does NOT). So these solutions are usually NOT practical. But for a few ppl, they may be.
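A small model of the routing decision described in the reply above, added here as an illustration and not part of the original thread. The interface names, the documentation-range addresses, and modelling the full-tunnel client as a pair of /1 routes are assumptions; the point is that the reply to a remote client follows the most specific route, and a per-client static route only rescues the one address it names.

```python
import ipaddress

# Assumed interface names for WAN, OpenVPN client, OpenVPN server and LAN.
WAN, VPN_CLIENT, VPN_SERVER, LAN = "eth0", "tun11", "tun21", "br0"

def lookup(routes, dst):
    """Longest-prefix match: egress interface of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]
    matches = [(net, dev) for net, dev in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def base_routes():
    """Router with only its OpenVPN server running (constructed sample table)."""
    return [("0.0.0.0/0", WAN), ("192.168.50.0/24", LAN), ("10.8.0.0/24", VPN_SERVER)]

def with_vpn_client(routes, provider_ip):
    """Full-tunnel client: provider endpoint pinned to WAN, everything else into the tunnel."""
    return routes + [(f"{provider_ip}/32", WAN),
                     ("0.0.0.0/1", VPN_CLIENT), ("128.0.0.0/1", VPN_CLIENT)]

def with_static_bypass(routes, remote_client_ip):
    """Static host route binding one remote client's public IP to the WAN."""
    return routes + [(f"{remote_client_ip}/32", WAN)]

def server_reachable(routes, remote_client_ip):
    """The request arrived on the WAN; the handshake completes only if the reply leaves there too."""
    return lookup(routes, remote_client_ip) == WAN

if __name__ == "__main__":
    phone, other = "203.0.113.25", "203.0.113.99"   # constructed remote client addresses
    server_only = base_routes()
    full_tunnel = with_vpn_client(server_only, "198.51.100.7")
    bypass = with_static_bypass(full_tunnel, phone)
    for name, table in (("server only", server_only),
                        ("client up, full tunnel", full_tunnel),
                        ("full tunnel + static route", bypass)):
        print(f"{name:28} phone={server_reachable(table, phone)} "
              f"other={server_reachable(table, other)}")
```
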
 
Thank you very much for swift response!

Can Gnuton Fork achieve what I'm aiming for? Or is it still too unstable to use it in production?
If that works, do I still need to do additional configuration for NAS/SSD access?

I still have that custom OpenVPN server, but my speeds drop to 30Mbps (either server, router, ISP issues) from previous 350Mbps.
If I were to be setting up backward access, I would guess I need to use this section in OpenVPN settings?


Is there a way to support this forum? Or supporting Merlin project is the same?
 
> Thank you very much for swift response!
>
> Can Gnuton Fork achieve what I'm aiming for? Or is it still too unstable to use it in production?
> If that works, do I still need to do additional configuration for NAS/SSD access?

I assume so. It appears to me these builds are a derivative of the latest Merlin builds (386.4). So it probably does support split tunneling via the VPN Director feature.

> I still have that custom OpenVPN server, but my speeds drop to 30Mbps (either server, router, ISP issues) from previous 350Mbps.
> If I were to be setting up backward access, I would guess I need to use this section in OpenVPN settings?
>
> Is there a way to support this forum? Or supporting Merlin project is the same?

The VULTR OpenVPN Access Server is a completely different subject, and I have NO CLUE what it offers or requires in terms of configuration options. It certainly had nothing to do w/ Merlin or the GNUton firmwares.
 
Hi there, I'm brand new to the forum. Quite new to the deeper aspects of networking, but slowly learning.

I also have a DSL-AX82U and am experiencing the same issue. When the VPN client is activated (ProtonVPN), devices external to the network cannot connect to the VPN server. As soon as I deactivate it from being the default "gateway (?)", VPN connections work. I'm still running the stock ASUS firmware.

Did you successfully migrate to the Gnuton firmware and did it fix the issue?

With regard to VPN port forwarding, it sounds like Proton is on the way to implementing it (although it's been on the way for years apparently). Is all that's required from a port-forwarding enabled VPN provider to forward the OpenVPN port?
 
> With regard to VPN port forwarding, it sounds like Proton is on the way to implementing it (although it's been on the way for years apparently). Is all that's required from a port-forwarding enabled VPN provider to forward the OpenVPN port?

It is, provided the target of that port forward is the OpenVPN client itself. But if you ultimately want the port forward to reach a target beyond the OpenVPN client and into the LAN, then you also need port forwarding on your home router for those purposes as well. And it's highly unlikely the router's GUI will support it. You'd have to add your own port forwarding using the CLI.
 
Thank you for the response, @eibgrad. I installed the Gnuton Fork of Merlin firmware on my router today and happy I did so. Grateful for the work put in by this community!

I've been playing with the settings all day, trying to learn. I've noticed that when I set up my VPN Client on the router and set it to redirect all traffic through the tunnel, the same issue in this ticket occurs -- I am not able to connect to the OpenVPN server. This makes sense as per the previous posts, so I'm trying to understand how to address this using split tunneling configuration.

I've managed to enable the simultaneous OpenVPN server and client connections by disabling the option to redirect all traffic from the client and using VPN Director to add a custom rule for each (important) device to route through the OVPN1 tunnel. This is a workable option, but it's not quite my original idea of having a generic OpenVPN client shield and adding exceptions for rules. But as I currently understand, I would need to wait until ProtonVPN releases port forwarding and try that with the "redirect all traffic" setting back on. Is this the right understanding?

Presently, the OpenVPN client on my Android phone can connect, but it doesn't appear to be able to directly access other devices on the network by local DNS name or IP address over the VPN. I currently have the "Accept DNS Configuration" setting set to "relaxed". Is there some additional configuration necessary to allow access to the devices?
 
Actually, after a bit more fiddling, and connecting via an actual computer using mobile hotspot to test, I realized I can indeed access the other services via ping and via HTTP. There is just one especially problematic service that isn't responding via HTTP which gave me the wrong impression. So that last question is moot :)
 
