Unable to connect to VPN server while connected as VPN client

Discussion in 'Asuswrt-Merlin' started by M@rco, Sep 15, 2018.

  1. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    Okay, VPN n00b here...

    I'm on a 7-day trial for ProtonVPN Plus and setting up the client went fine. Everything seems to work as supposed, except for one odd thing and I can't seem to figure it out.

    I'm also running my own VPN server on my RT-AC68U and when I'm not connected to ProtonVPN, I can connect to my own VPN server without any issues (using my iPhone, using the OpenVPN app over a 4G connection), I can even stay connected when I manually start the vpnclient to connect with ProtonVPN.

    However, when the ProtonVPN connection is up, I can't connect. Nothing shows up in syslog, connections just time out. Logs in the OpenVPN show the same, it times out. I tried connecting through my WAN IP, I tried connecting through the VPN Public IP (not sure which one I should use - can you run a VPN tunnel through a VPN tunnel?).

    ProtonVPN is using port 1194 (TUN/UDP) and my own server runs a non-default port (also TUN/UDP).

    I checked netstat (not sure how to correctly interpret this), but it seems vpnserver is listening on the correct port:

    Code:
    udp        0      0 :::3742                 :::*                                7402/vpnserver1
    Can anyone help me out? I'm on 384.7 beta 1 currently, not sure whether this is related to the changes in 384.7 - I just didn't try it out before updating.
     
    Last edited: Sep 15, 2018
  3. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,188
    Are you routing all traffic over the tunnel? If so, then the router VPN Server will only be reachable via the VPN provider, and typically they block all incoming connections.

    Some, such as AirVPN, allow you to set up a limited number of incoming ports.

    Otherwise enable policy routing, exclude the router's IP with a WAN rule, add your local subnet to route through VPN, and the server should be reachable on your normal public IP.
     
    M@rco likes this.
  4. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    If this is the default behaviour? If so, yes I am :D (never have done anything with routing manually).

    That would explain why every attempt times out. Could it be that existing connections won't be dropped (like when I enable the client to connect to ProtonVPN, while I'm connected to the OpenVPN server on the router)?

    Never have done something like that before, but while searching I came across this Wiki-page. Is the policy at the bottom of the page what you just described?
     
  5. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,188
    That Wiki page sums it up nicely - it's the Redirect Internet Traffic option on the VPN Client you need to tweak.
     
    M@rco likes this.
  6. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    After I finally spotted the 'Redirect traffic option' (apparently missed it several times, while browsing through the config screens, wondering whether the setting was located elsewhere), I found it. Posting it here for future near-sighted n00bs like yours truly.

    [​IMG]
     
    Last edited: Sep 15, 2018
  7. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    Thanks Jack, I just found it. Now checking if it works :)
     
    Jack Yaz likes this.
  8. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    Thanks again @Jack Yaz. It didn't work at first, then I discovered that my ddns wasn't updated (still used the VPN IP), but after forcing an update, it now works like a charm :) I have to do some more reading into the policy based routing matter, I see possibilities :cool:
     
  9. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,188
    No worries! And if you want to have easy management of guest network SSIDs dedicated to a VPN... https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/
     
    M@rco likes this.
  10. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    Yes, I know. It's on my reading list. Went through it several times, but didn't fully get it. Now it starts to make more sense ;)

    One more question: with the settings in the screenshot above (Block routed clients if tunnel goes down set to 'No') will they be routed to WAN? So, if I'm not home and the VPN goes down, the wife and kid both still happy when dad comes home?
     
    Jack Yaz likes this.
  11. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,188
    AFAIK when the tunnel goes down, they lose internet access. The routing table gets modified to "prohibit"
     
  12. M@rco

    M@rco Very Senior Member

    Joined:
    Dec 23, 2017
    Messages:
    533
    Location:
    /tmp
    Even when the setting is disabled? In that case the setting seems redundant, if both 'Yes' and 'No' cause them to lose internet access.
     
  13. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,188
    Sorry - misread. With setting off, yes they should use WAN
     
    M@rco likes this.
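
The routing behaviour discussed in this thread (redirecting all traffic versus policy rules, and the 'Block routed clients if tunnel goes down' setting), as a simplified Python model added here; it is not part of any post and is not Asuswrt-Merlin's code. The addresses are constructed, and the precedence of WAN rules over VPN rules is an assumption of the model.

```python
"""Simplified model of VPN client egress selection (illustrative only)."""
from ipaddress import ip_address, ip_network

# Constructed addresses: router LAN IP, a LAN client, a phone on a 4G network.
ROUTER, LAN_PC, PHONE = "192.168.1.1", "192.168.1.50", "203.0.113.50"

# Policy rules as (source, destination, interface), following the advice in
# the thread: local subnet through the VPN, router's own IP excluded via WAN.
RULES = [
    ("192.168.1.0/24", "0.0.0.0/0", "VPN"),
    ("192.168.1.1/32", "0.0.0.0/0", "WAN"),
]


def egress(src, dst, redirect, rules=(), tunnel_up=True, block_if_down=False):
    """Return 'WAN', 'VPN' or 'BLOCKED' for a packet from src to dst.

    redirect is 'all' (everything into the tunnel) or 'policy' (rules decide).
    """
    if redirect == "all":
        chosen = "VPN"
    else:
        matches = [
            iface
            for s, d, iface in rules
            if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
        ]
        # Assumption: a matching WAN rule wins over a matching VPN rule,
        # and traffic that matches no rule stays on the WAN.
        chosen = "VPN" if matches and "WAN" not in matches else "WAN"
    if chosen == "VPN" and not tunnel_up:
        # With the block setting off, routed clients fall back to the WAN.
        blocked = redirect == "policy" and block_if_down
        return "BLOCKED" if blocked else "WAN"
    return chosen


def server_reply_path(redirect, rules=()):
    """Interface used by the router's VPN server to answer the phone."""
    return egress(ROUTER, PHONE, redirect, rules)


if __name__ == "__main__":
    print("redirect all      :", server_reply_path("all"))
    print("policy, no WAN rule:", server_reply_path("policy", RULES[:1]))
    print("policy + WAN rule :", server_reply_path("policy", RULES))
```

In this model the server's replies only leave through the WAN, where the phone expects them, once the router's IP has its own WAN rule; with the subnet rule alone the router is swept into the tunnel along with the LAN clients.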