[SOLVED] OpenVPN server and Client not allowed at same time?


Sas

Regular Contributor
I have both OpenVPN server and OpenVPN client configs in my router, and I use them for different purposes. I have noticed that if the client is connected to a remote VPN server and I connect from outside my LAN to the OpenVPN server on my router, I am unable to get to any internal machine. If I disconnect the client VPN, I will then be able to get to LAN devices over the server connection. Is there a way to allow both to be running and working at the same time? Like I said, I CAN connect to my router's OpenVPN server while the router's OpenVPN client is connected elsewhere, but I can't do anything with that connection because I can't get to anything on the LAN while it is. Hope this makes sense.

BTW I am running an AC86U with 384.19
 

eibgrad

Very Senior Member
This is an old, well-known, well-understood issue, and there are several other threads concerning it.

The basic problem is that when you connect the OpenVPN client to a typical commercial OpenVPN provider, that changes the default gateway to the VPN. And that affects *everything* that relies on the default gateway setting for routing purposes, *including* remote access over the WAN. IOW, your inbound connection over the WAN is having its replies routed back over the VPN, which is NOT allowed by the stateful firewall (specifically, reverse path filtering).

One way to avoid the problem is to use PBR (policy based routing) and NOT let anything that needs remote access over the WAN (router or beyond to the LAN) use the VPN. Another is to port forward over the VPN instead, provided your VPN provider supports it. Or if you *know* the public IPs from which you will be doing remote access over the WAN, add them as static routes that point to the WAN/ISP as their gateway. There are other options as well, but those are the most common.
 
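To make the routing argument in the post above concrete, here is an added Python model; it is not code from the thread or from Asuswrt-Merlin. It implements longest-prefix-match route selection and a strict reverse-path check, then runs three scenarios: VPN client disconnected, VPN client connected as a full tunnel, and the same plus the static host route eibgrad mentions. The interface names (eth0, br0, tun21, tun11), the ISP gateway 198.51.100.1, the tunnel gateway 10.9.0.1 and the remote admin's address 203.0.113.5 are constructed placeholders; the LAN 192.168.10.0/24 and the server pool 10.8.0.0/24 are the networks Sas reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                    # egress interface
    via: Optional[str] = None     # next-hop gateway; None when directly connected


def route(cidr: str, iface: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(cidr), iface, via)


# Constructed router layout (placeholder names/addresses): WAN on eth0 behind
# ISP gateway 198.51.100.1, LAN on br0, OpenVPN server on tun21, OpenVPN client
# on tun11.  LAN and server-pool networks are the ones reported in the thread.
WAN_GW = "198.51.100.1"
BASE_ROUTES: List[Route] = [
    route("198.51.100.0/24", "eth0"),          # WAN link network
    route("192.168.10.0/24", "br0"),           # local LAN
    route("10.8.0.0/24", "tun21"),             # OpenVPN server tunnel pool
    route("0.0.0.0/0", "eth0", via=WAN_GW),    # ISP default route
]

# What a full-tunnel OpenVPN client installs (redirect-gateway def1): two /1
# routes that are more specific than the ISP's /0 default and therefore win
# without the original default being deleted.  10.9.0.1 is a placeholder.
VPN_CLIENT_DEF1: List[Route] = [
    route("0.0.0.0/1", "tun11", via="10.9.0.1"),
    route("128.0.0.0/1", "tun11", via="10.9.0.1"),
]

REMOTE_ADMIN = "203.0.113.5"   # constructed public IP of the remote admin


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes containing dst, the one with the
    longest prefix wins (a /32 host route beats /1, which beats /0)."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def rp_filter_strict_accepts(table: List[Route], src: str, in_iface: str) -> bool:
    """Strict reverse-path filtering (rp_filter=1): a packet from src arriving
    on in_iface is accepted only if the route back to src also leaves via
    in_iface; otherwise the kernel drops it at route-lookup time."""
    best = lookup(table, src)
    return best is not None and best.iface == in_iface


def remote_access_outcome(table: List[Route], remote_ip: str) -> dict:
    """A remote admin connects from remote_ip to the router's OpenVPN server
    over the WAN (eth0).  Report which interface the reply would leave by and
    whether the inbound packet survives strict rp_filter on eth0."""
    back = lookup(table, remote_ip)
    return {
        "reply_egress": back.iface if back else None,
        "accepted": rp_filter_strict_accepts(table, remote_ip, "eth0"),
    }


def with_static_route(table: List[Route], remote_ip: str) -> List[Route]:
    """The static-route mitigation from the post: pin the known remote public
    IP to the WAN/ISP gateway with a /32 host route, which out-ranks the /1s."""
    return table + [route(f"{remote_ip}/32", "eth0", via=WAN_GW)]


if __name__ == "__main__":
    scenarios = {
        "VPN client disconnected": BASE_ROUTES,
        "VPN client connected (full tunnel)": BASE_ROUTES + VPN_CLIENT_DEF1,
        "VPN client connected + host route for admin":
            with_static_route(BASE_ROUTES + VPN_CLIENT_DEF1, REMOTE_ADMIN),
    }
    for name, table in scenarios.items():
        print(f"{name}: {remote_access_outcome(table, REMOTE_ADMIN)}")
```

On the router itself the equivalent inputs are the output of `ip route` and the value in `/proc/sys/net/ipv4/conf/<wan-interface>/rp_filter` (1 is strict); whether the WAN interface is eth0 on a given model is an assumption to verify there. The PBR option from the post corresponds, in this model, to keeping the /1 routes out of the table used for the router and the LAN hosts that need inbound access.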

Sas

Regular Contributor
One way to avoid the problem is to use PBR (policy based routing) and NOT let anything that needs remote access over the WAN (router or beyond to the LAN) use the VPN. Another is to port forward over the VPN instead, provided your VPN provider supports it.

Thanks for your reply. Not sure if I am completely understanding you about PBR, but I believe I have already done that on the client, as only one device on my LAN routes through it:

[Screenshot: Screen Shot 2020-10-04 at 8.17.41 AM.png]


And this works when the client is active: ONLY this device/IP uses the client. Nevertheless, when this is active and I try to connect to the router's OpenVPN Server as well from outside my LAN, it can connect fine, but it has no access to ANY internal device on the LAN, nor the router's web interface itself. Is there something else I am missing here?
 

eibgrad

Very Senior Member
Given your latest information, it should work. The only thing that immediately comes to mind as a potential (if highly unlikely) problem is if by chance the tunnel IP network you're using on your own OpenVPN server is in conflict w/ the OpenVPN client's tunnel on the router. As in all routing situations, the IP networks across all your network interfaces have to be unique and non-overlapping. And while it is rare, there's always a small risk this isn't the case and you end up creating a routing conflict. At least I would check and make sure.
 

Sas

Regular Contributor
Given your latest information, it should work. The only thing that immediately comes to mind as a potential (if highly unlikely) problem is if by chance the tunnel IP network you're using on your own OpenVPN server is in conflict w/ the OpenVPN client's tunnel on the router. As in all routing situations, the IP networks across all your network interfaces have to be unique and non-overlapping. And while it is rare, there's always a small risk this isn't the case and you end up creating a routing conflict. At least I would check and make sure.
Thank you! The remote VPN that I am connecting to is another ASUS router running the same Merlin version (384.19) and OpenVPN... While I had made sure that their local LAN subnets did not overlap (192.168.10.0 and 192.168.5.0), I neglected to consider the fact that the subnet being supplied to VPN clients (in this case the default 10.8.0.0) DID overlap. So I changed my local VPN server to use 172.16.0.0 and voila!

Thanks again!
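The check eibgrad asks for, and the overlap Sas then found, as an added Python example (not code from the thread or from Asuswrt-Merlin): it takes every IP network the router touches, reports each overlapping pair, and suggests the first unused RFC 1918 block as a replacement pool. The network addresses are the ones Sas reports; the /24 prefix lengths and the interface names in the labels are assumptions, since the posts give only the network addresses.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Networks as reported in the thread; /24 prefix lengths are assumed.  The last
# entry is the remote router's OpenVPN server pool as seen through this
# router's OpenVPN client tunnel.
BEFORE_FIX: Dict[str, str] = {
    "local LAN": "192.168.10.0/24",
    "remote LAN": "192.168.5.0/24",
    "local OpenVPN server pool (tun21)": "10.8.0.0/24",
    "remote OpenVPN server pool via client (tun11)": "10.8.0.0/24",
}
# Sas's fix: move the local server pool to 172.16.0.0.
AFTER_FIX: Dict[str, str] = {
    **BEFORE_FIX,
    "local OpenVPN server pool (tun21)": "172.16.0.0/24",
}

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_overlaps(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named networks that overlap.  Identical networks
    count as overlapping, which is exactly the 10.8.0.0 vs 10.8.0.0 case.
    ip_network() is strict, so an entry with host bits set (10.8.0.1/24)
    raises ValueError rather than being silently accepted."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]


def first_free_block(used: Dict[str, str],
                     prefixlen: int = 24) -> Optional[ipaddress.IPv4Network]:
    """Suggest the first RFC 1918 block of the given size that overlaps nothing
    in use; a candidate replacement pool once find_overlaps reports a clash."""
    taken = [ipaddress.ip_network(c) for c in used.values()]
    for space in RFC1918:
        for cand in space.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                return cand
    return None


if __name__ == "__main__":
    for label, nets in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        clashes = find_overlaps(nets)
        print(f"{label}: {'no overlaps' if not clashes else clashes}")
    print(f"first free /24 given the original networks: {first_free_block(BEFORE_FIX)}")
```

On the router the live inputs for this check are `ip addr` and `ip route`, which show the prefix attached to each bridge, WAN and tunX interface; the networks pushed by a remote OpenVPN server only appear there while the client is connected, which is why the conflict in this thread was easy to miss.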
 
