Unable to reach upstream modem from OpenVPN

RSengine

Occasional Visitor
I have an AC68P running merlin 386.3_2 firmware. WAN port is hooked up to a modem, whose IP address is 192.168.1.1. Router's IP is 192.168.3.1/Subnet Mask 255.255.255.0. I have OpenVPN servers running on ports 1194 and 443, Client will use VPN to access - Both. VPN Subnet / Netmask are 10.8.0.0/255.255.255.0 and 10.16.0.0/255.255.255.0

Connected locally:
I can access internet, local NAS, and also the upstream modem via 192.168.1.1 (to manage the modem) if I'm at home.

Connected via OpenVPN:
I can access internet and local NAS, but I am unable to access or ping 192.168.1.1. The packet logs show packets are DROPPED. Doesn't matter if I use TCP or UDP.

Workaround:
If I set up Dual WAN (Load Balance) and set the secondary WAN as an empty port (like ethernet LAN 4 or USB, both of which are empty) and also set up routing rule of 192.168.1.1 (Source IP - all, Destination IP - 192.168.1.1, WAN Unit - Primary WAN), the OpenVPN clients can access 192.168.1.1. This workaround is a less than elegant solution.

Can someone explain what I'm doing wrong and how can I open up 192.168.1.1 to OpenVPN clients using single WAN?
 

eibgrad

Part of the Furniture
Try adding the following to the OpenVPN server custom config field.

Code:
push "route 192.168.1.1 255.255.255.255"
route 192.168.1.1 255.255.255.255 net_gateway
 
Last edited:

RSengine

Occasional Visitor
Try adding the following to the OpenVPN server custom config field.

Code:
push "192.168.1.1 255.255.255.255"
route 192.168.1.1 255.255.255.255 net_gateway
Didn't work

Here's a screenshot of my OpenVPN config. Maybe I should just try TAP instead of TUN? But TAP doesn't work for my use case because I need to run this VPN on android smartphones

OpenVPN unable to reach WAN IP.PNG
 
Last edited:

eibgrad

Part of the Furniture
Time to dump some of the underlying data structures to see if we can identify anything that seems abnormal.

Code:
cat /tmp/etc/openvpn/server1/config.ovpn
cat /tmp/etc/openvpn/server2/config.ovpn
ip route
iptables -t nat -vnL
iptables -vnL

Of course, feel free to hide your public IP, but just do so consistently.
 

RSengine

Occasional Visitor
Time to dump some of the underlying data structures to see if we can identify anything that seems abnormal.

Code:
cat /tmp/etc/openvpn/server1/config.ovpn
cat /tmp/etc/openvpn/server2/config.ovpn
ip route
iptables -t nat -vnL
iptables -vnL

Of course, feel free to hide your public IP, but just do so consistently.
Sorry noob question, do I run these over SSH?
 

RSengine

Occasional Visitor
I just factory reset my router and reconfigured my WAN and VPN as above. So this is basically a fresh machine and I now have just one OpenVPN server running instead of 2 servers. I still run into the same issue.

Here's my SSH output

cat /tmp/etc/openvpn/server1/config.ovpn

Code:
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
multihome
port 1194
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA512
keepalive 15 60
verb 3
push "route 192.168.50.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "dhcp-option DNS 192.168.50.1"
push "redirect-gateway def1"
tls-auth static.key 0
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5


# Custom Configuration
push "192.168.1.1 255.255.255.255"
route 192.168.1.1 255.255.255.255 net_gateway

ip route

Code:
default via 153.XXX.XXX.XXX dev ppp0
default via 192.168.1.1 dev eth0 metric 1
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
127.0.0.0/8 dev lo scope link
153.XXX.XXX.XXX dev ppp0 proto kernel scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
192.168.1.1 via 153.XXX.XXX.XXX dev ppp0
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
239.0.0.0/8 dev br0 scope link

iptables -t nat -vnL

Code:
Chain PREROUTING (policy ACCEPT 463 packets, 77952 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
   30  1664 GAME_VSERVER  all  --  *      *       0.0.0.0/0            27.YYY.YYY.YYY
   30  1664 VSERVER    all  --  *      *       0.0.0.0/0            27.YYY.YYY.YYY
    0     0 GAME_VSERVER  all  --  *      *       0.0.0.0/0            192.168.1.5
    0     0 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.5


Chain INPUT (policy ACCEPT 214 packets, 13346 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 234 packets, 18024 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain POSTROUTING (policy ACCEPT 228 packets, 17496 bytes)
 pkts bytes target     prot opt in     out     source               destination
  249 59027 PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  111 49994 MASQUERADE  all  --  *      ppp0   !27.YYY.YYY.YYY         0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0   !192.168.1.5          0.0.0.0/0
    6   528 MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24


Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain GAME_VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination


Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination


Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1664 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
 

RSengine

Occasional Visitor
iptables -t nat -vnL

Code:
Chain PREROUTING (policy ACCEPT 463 packets, 77952 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
   30  1664 GAME_VSERVER  all  --  *      *       0.0.0.0/0            27.YYY.YYY.YYY
   30  1664 VSERVER    all  --  *      *       0.0.0.0/0            27.YYY.YYY.YYY
    0     0 GAME_VSERVER  all  --  *      *       0.0.0.0/0            192.168.1.5
    0     0 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.5

Chain INPUT (policy ACCEPT 214 packets, 13346 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 234 packets, 18024 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 228 packets, 17496 bytes)
 pkts bytes target     prot opt in     out     source               destination
  249 59027 PUPNP      all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  111 49994 MASQUERADE  all  --  *      ppp0   !27.YYY.YYY.YYY         0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0   !192.168.1.5          0.0.0.0/0
    6   528 MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain GAME_VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1664 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination


iptables -vnL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    udp dpt:1194
    0     0 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    icmptype 8
 3343  690K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state INVALID
 1796  344K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0                                                                                           
  850 69801 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0                                                                                           
  850 69801 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW
 1754  342K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW
   42  2212 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    udp spt:67 dpt:68
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                          
   42  2212 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
  401 20836 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
  717  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state RELATED,ESTABLISHED
    0     0 other2wan  all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0                                                                                           
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0                                                                                           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0                                                                                           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state INVALID
  416 75092 NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           
  416 75092 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0                                                                                           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    ctstate DNAT
    0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain OUTPUT (policy ACCEPT 6576 packets, 2215K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain ACCESS_RESTRICTION (0 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain DNSFILTER_DOT (0 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain ICAccept (0 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain ICDrop (0 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain INPUT_ICMP (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    icmptype 8
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    icmptype 13
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain INPUT_PING (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0                                                                                           
    0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0                                                                                           

Chain NSFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
 

RSengine

Occasional Visitor
Continued (sorry had to split these replies because 10000 char limit)
Code:
Chain OVPN (2 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0                                                                                          


Chain PControls (0 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                          


Chain PTCSRVLAN (1 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        


Chain PTCSRVWAN (1 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        


Chain SECURITY (0 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    tcpflags: 0x17/0x02
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    tcpflags: 0x17/0x04
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    icmptype 8 limit: avg 1/sec burst 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    icmptype 8
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                          


Chain default_block (0 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        


Chain logaccept (0 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW LOG flags 7 level 4 prefix "ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                          


Chain logdrop (0 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                    state NEW LOG flags 7 level 4 prefix "DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                          


Chain other2wan (1 references)
pkts bytes target     prot opt in     out     source               destination                                                                                        
    0     0 RETURN     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0                                                                                          
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 

RSengine

Occasional Visitor
I should also say the results are from an AX86U. I have both AC68P and AX86U and they both have this problem, with the workaround working on both.
 

RSengine

Occasional Visitor
I just also noticed when I put your two lines into the OpenVPN server custom config, both OpenVPN clients and local clients refuse to connect to 192.168.1.1, whereas before only local clients could connect
 

eibgrad

Part of the Furniture
Don't know if it would have helped anyway, but I just realized I made a typo in my previous suggestions for the custom config field. It should be ...

Code:
push "route 192.168.1.1 255.255.255.255"
route 192.168.1.1 255.255.255.255 net_gateway

I corrected my original post as well.
 

eibgrad

Part of the Furniture
Something doesn't make sense here in the dump of your routing table.

Code:
default via 153.XXX.XXX.XXX dev ppp0
default via 192.168.1.1 dev eth0 metric 1
…

There shouldn't be more than one default gateway at any given time. If there's more than one, then neither is actually a default, since it's ambiguous. I'm not even sure what the difference is between the ppp0 and eth0 network interfaces. Normally, I would have expected the modem's IP to be reachable over the WAN (presumably ppp0), but it seems the router is bound to 192.168.1.5 over eth0 for the purposes of reaching the modem @ 192.168.1.1. Presumably local clients are using *that* default gateway, whereas OpenVPN clients are using the one for ppp0 and have no such access to 192.168.1.1.

Is this modem actually a pure modem? Or is it really a modem+router combo that's been configured in bridge mode?

P.S. Maybe the multiple default gateways are part of your dual WAN configuration?? (I don't use it, so it's not something I've ever noticed before). For the purposes of solving this problem, you need to disable dual WAN.
 

RSengine

Occasional Visitor
Something doesn't make sense here in the dump of your routing table.

Code:
default via 153.XXX.XXX.XXX dev ppp0
default via 192.168.1.1 dev eth0 metric 1
…

There shouldn't be more than one default gateway at any given time. If there's more than one, then neither is actually a default, since it's ambiguous. I'm not even sure what the difference is between the ppp0 and eth0 network interfaces. Normally, I would have expected the modem's IP to be reachable over the WAN (presumably ppp0), but it seems the router is bound to 192.168.1.5 over eth0 for the purposes of reaching the modem @ 192.168.1.1. Presumably local clients are using *that* default gateway, whereas OpenVPN clients are using the one for ppp0 and have no such access to 192.168.1.1.

Is this modem actually a pure modem? Or is it really a modem+router combo that's been configured in bridge mode?

P.S. Maybe the multiple default gateways are part of your dual WAN configuration?? (I don't use it, so it's not something I've ever noticed before). For the purposes of solving this problem, you need to disable dual WAN.

The modem is a fiber optic ONU with router capabilities, but for my network, my ASUS router serves as the main router doing the PPPoE work. The modem/ONU has PPPoE bridge (passthrough) enabled.
 

RSengine

Occasional Visitor
Don't know if it would have helped anyway, but I just realized I made a typo in my previous suggestions for the custom config field. It should be ...

Code:
push "route 192.168.1.1 255.255.255.255"
route 192.168.1.1 255.255.255.255 net_gateway

I corrected my original post as well.
This didn't work either. I also tried with Dual WAN disabled. Using this prevents both local clients and OpenVPN clients from connecting to 192.168.1.1

When pinging 192.168.1.1 with this config, my local client says 153.XXX.XXX.XXX is the one responding and can't find the 192.168.1.1 host
 

RSengine

Occasional Visitor
Here's some more detail

For my workaround, I'm using Dual WAN with load balance (WAN port and LAN port 4).
2.5G WAN port = modem/ONU
LAN port 4 = unplugged empty port
Load balance ratio 9:1, preferring modem/ONU
Routing rules for 192.168.1.1 enabled to 2.5G WAN port

Using this setup, 192.168.1.1 is reachable by both local clients and OpenVPN clients

Dual WAN.PNG
 
Last edited:

RSengine

Occasional Visitor
Here's some more detail

For my workaround, I'm using Dual WAN with load balance (WAN port and LAN port 4).
WAN port = modem/ONU
LAN port 4 = unplugged empty port
Load balance ratio 9:1, preferring modem/ONU
Routing rules for 192.168.1.1 enabled to WAN port

Using this setup, 192.168.1.1 is reachable by both local clients and OpenVPN clients

View attachment 38066
Basically, I need something in single WAN mode that enables the same routing rule. I tried looking at "LAN - Route" (Advanced_GWStaticRoute_Content.asp) but I don't know what to put there
 

eibgrad

Part of the Furniture
Basically, I need something in single WAN mode that enables the same routing rule. I tried looking at "LAN - Route" (Advanced_GWStaticRoute_Content.asp) but I don't know what to put there

That was precisely the intent of the following directive (which you indicated didn't work).

Code:
route 192.168.1.1 255.255.255.255 net_gateway

That should create a static route in the main routing table that bind 192.168.1.1 to the WAN.
 

RSengine

Occasional Visitor
That was precisely the intent of the following directive (which you indicated didn't work).

Code:
route 192.168.1.1 255.255.255.255 net_gateway

That should create a static route in the main routing table that bind 192.168.1.1 to the WAN.
I'm still pretty stuck. If you'd like I can upload more SSH outputs. Tell me if I can give you more information.

Should I run those commands both with and without Dual WAN enabled?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top