Unable to connect to VPN server while connected as VPN client

M@rco
Okay, VPN n00b here...

I'm on a 7-day trial for ProtonVPN Plus and setting up the client went fine. Everything seems to work as supposed, except for one odd thing and I can't seem to figure it out.

I'm also running my own VPN server on my RT-AC68U and when I'm not connected to ProtonVPN, I can connect to my own VPN server without any issues (using my iPhone, using the OpenVPN app over a 4G connection), I can even stay connected when I manually start the vpnclient to connect with ProtonVPN.

However, when the ProtonVPN connection is up, I can't connect. Nothing shows up in syslog, connections just time out. Logs in the OpenVPN show the same, it times out. I tried connecting through my WAN IP, I tried connecting through the VPN Public IP (not sure which one I should use - can you run a VPN tunnel through a VPN tunnel?).

ProtonVPN is using port 1194 (TUN/UDP) and my own server runs a non-default port (also TUN/UDP).

I checked netstat (not sure how to correctly interpret this), but it seems vpnserver is listening on the correct port:

Code:
udp        0      0 :::3742                 :::*                                7402/vpnserver1

Can anyone help me out? I'm on 384.7 beta 1 currently, not sure whether this is related to the changes in 384.7 - I just didn't try it out before updating.
 
Are you routing all traffic over the tunnel? If so then the router VPN Server will only be reachable via the VPN provider, and typically they block all incoming connections

Some, such as AirVPN, allow you to set up a limited number of incoming ports

Otherwise enable policy routing, exclude the router's IP with a WAN rule, add your local subnet to route through VPN, and the server should be reachable on your normal public IP
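
The routing difference described in the reply above, modelled as Linux-style policy routing (an added example, not from the thread or from Asuswrt-Merlin's code). The interface names, table name, rule priorities and addresses are constructed, and it assumes "redirect all" installs the two /1 routes that OpenVPN's `redirect-gateway def1` option adds.

```python
import ipaddress

def lookup(rules, tables, src, dst):
    """Walk rules in priority order; in the first matching rule's table,
    return the device of the longest-prefix route that covers dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules):
        if src not in ipaddress.ip_network(selector):
            continue
        routes = [(ipaddress.ip_network(net), dev)
                  for net, dev in tables[table]
                  if dst in ipaddress.ip_network(net)]
        if routes:  # no covering route here: fall through to the next rule
            return max(routes, key=lambda r: r[0].prefixlen)[1]
    return None

# Constructed sample addresses (documentation ranges), not from the thread.
WAN_IP, PHONE = "203.0.113.10", "198.51.100.25"   # router WAN IP, phone on 4G
ROUTER_LAN, LAN_PC = "192.168.1.1", "192.168.1.50"

# "Redirect all": the tunnel's /1 routes beat the WAN default for every source.
REDIRECT_ALL = {
    "rules": [(32766, "0.0.0.0/0", "main")],
    "tables": {"main": [("0.0.0.0/0", "eth0"),
                        ("0.0.0.0/1", "tun11"), ("128.0.0.0/1", "tun11")]},
}

# Policy rules: router IP -> WAN, LAN subnet -> VPN, everything else -> main.
POLICY = {
    "rules": [(10000, "192.168.1.1/32", "main"),
              (10100, "192.168.1.0/24", "vpn"),
              (32766, "0.0.0.0/0", "main")],
    "tables": {"main": [("0.0.0.0/0", "eth0")],
               "vpn": [("0.0.0.0/0", "tun11")]},
}

def egress(cfg, src, dst=PHONE):
    """Device a packet from src to dst leaves on under the given config."""
    return lookup(cfg["rules"], cfg["tables"], src, dst)

if __name__ == "__main__":
    for name, cfg in (("redirect all", REDIRECT_ALL), ("policy rules", POLICY)):
        print(name, "| VPN server reply:", egress(cfg, WAN_IP),
              "| LAN client:", egress(cfg, LAN_PC))
```

With redirect-all, the VPN server's reply to the phone leaves through the tunnel instead of the WAN interface it arrived on, which matches the silent timeouts; with the policy rules the reply goes back out the WAN while LAN clients still use the tunnel.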
 
Are you routing all traffic over the tunnel?

If this is the default behaviour? If so, yes I am :D (never have done anything with routing manually).

If so then the router VPN Server will only be reachable via the VPN provider, and typically they block all incoming connections

That would explain why every attempt times out. Could it be that existing connections won't be dropped (like when I enable the client to connect to ProtonVPN, while I'm connected to the OpenVPN server on the router)?

Otherwise enable policy routing, exclude the router's IP with a WAN rule, add your local subnet to route through VPN, and the server should be reachable on your normal public IP

Never have done something like that before, but while searching I came across this Wiki-page. Is the policy at the bottom of the page what you just described?
 
That Wiki page sums it up nicely - it's the Redirect Internet Traffic option on the VPN Client you need to tweak.
 
After I finally spotted the 'Redirect traffic option' (apparently missed it several times, while browsing through the config screens, wondering whether the setting was located elsewhere), I found it. Posting it here for future near-sighted n00bs like yours truly.

[Screenshot: s7mw6Yy.png]
 
Thanks again @Jack Yaz. It didn't work at first, then I discovered that my ddns wasn't updated (still used the VPN IP), but after forcing an update, it now works like a charm :) I have to do some more reading into the policy based routing matter, I see possibilities :cool:
 
No worries! And if you want to have easy management of guest network SSIDs dedicated to a VPN... https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/

Yes, I know. It's on my reading list. Went through it several times, but didn't fully get it. Now it starts to make more sense ;)

One more question: with the settings in the screenshot above (Block routed clients if tunnel goes down set to 'No') will they be routed to WAN? So, if I'm not home and the VPN goes down, the wife and kid both still happy when dad comes home?
 
AFAIK when the tunnel goes down, they lose internet access. The routing table gets modified to "prohibit"
 
Even when the setting is disabled? In that case the setting seems redundant, if both 'Yes' and 'No' cause them to lose internet access.
 
