VPN client and server over Wan

nihon

Regular Contributor
Hi
I have a VPN client active in the router.
Policy routing
192.168.1.2/24 VPN
192.168.1.1 WAN

I have a DDNS setup based on the wan external ip (not ip retrieved from VPN).
I have port forwards for 80 and 443 and another port to 192.168.1.5, where I have some services running (Home Assistant).

How can I make it work so that access via the non-VPN IP still reaches the forwarded ports on 192.168.1.5, while making sure other services and outgoing requests in general from 192.168.1.5 use the VPN? Is it at all possible?

At the moment the services at the ports I have forwarded are not accessible from outside using the DDNS. Probably because the responses go through the VPN rather than back through the WAN where the request came from.
 
Thanks
Just a follow up question.
Using this port routing approach, one point is still unclear to me (sorry if it is a basic question).

If a connection into the router through the public WAN IP using DDNS to port 80 is forwarded to 192.168.1.5, and one configures port 80 to be routed over WAN for 192.168.1.5, I agree it should solve the problem of making sure Home Assistant is accessible.

But my other service (tvheadend), also running on 192.168.1.5, will request streams over HTTP. Will those requests from 192.168.1.5 also go over WAN then, or will they use the VPN? That is not clear to me.

What I want is that Home Assistant running on 192.168.1.5 should be accessible over ports 80 and 443 from the DDNS.

But when tvheadend, also running on 192.168.1.5, requests an HTTP stream it should retrieve it through the VPN.

So only requests from the public WAN should get their responses routed back over the public WAN, while any outgoing requests from 192.168.1.5 should use the VPN.

If this approach does not solve that, is there a way to do it?

Sent from my SM-G973F via Tapatalk
 
But my other service (tvheadend), also running on 192.168.1.5, will request streams over HTTP. Will those requests from 192.168.1.5 also go over WAN then, or will they use the VPN?
No, not if you set it up correctly. The thing to realise is that the streaming connection from the headend will be from a random high port to port 80 (assuming http) on the remote internet server. The incoming (non-VPN) connection will be from a random high port to ports 80 or 443 on the headend.

So provided you set the source and destinations correctly, in theory it shouldn't be a problem.
 
Thanks a lot. I will try it out.

If I understood this guide correctly, the following should be added to /jffs/scripts/nat-start.
Please let me know if this looks correct.

#!/bin/sh

sleep 10 # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate RPDB rules are not created
for VPN_ID in 0 1 2 3 4 5
do
ip rule del prio 999$VPN_ID 2>/dev/null
done

# Create the RPDB rules (fwmark rules take precedence over the GUI policy rules)
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN 3 fwmark

# Mark replies leaving 192.168.1.5 from TCP source port 443 (the forwarded service) so they are
# routed via WAN; delete any existing copy first so repeated nat-start runs do not stack duplicates
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.5 -p tcp -m multiport --sport 443 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.5 -p tcp -m multiport --sport 443 -j MARK --set-mark 0x8000/0x8000
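An added example (not code from the thread or the wiki) that models how the script above steers traffic: it applies the mangle MARK rule and then walks the RPDB in priority order, which also shows the point made earlier about source ports, i.e. tvheadend's own outbound fetch (random high source port) stays on the VPN while replies from port 443 go back out the WAN. The VPN client number (ovpnc1) and the priority of the firmware's GUI policy rule are assumptions for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    fwmark: int = 0

# The script's mangle PREROUTING rule: from 192.168.1.5, TCP source port 443 -> MARK 0x8000/0x8000
MARK_RULES = [{"src": "192.168.1.5", "proto": "tcp", "sports": {443}, "mark": 0x8000, "mask": 0x8000}]

# RPDB entries (prio, fwmark, mask, from-net, table). The prio-10000 entry stands in for the
# rule the firmware adds for the GUI line "192.168.1.2/24 VPN"; its priority and the VPN
# client number (ovpnc1) are assumptions for this demo, not values from the thread.
RPDB = [
    (9990, 0x8000, 0x8000, None, "main"),   # WAN fwmark
    (9991, 0x7000, 0x7000, None, "ovpnc4"),
    (9992, 0x3000, 0x3000, None, "ovpnc5"),
    (9993, 0x1000, 0x1000, None, "ovpnc1"),
    (9994, 0x2000, 0x2000, None, "ovpnc2"),
    (9995, 0x4000, 0x4000, None, "ovpnc3"),
    (10000, None, None, "192.168.1.2/24", "ovpnc1"),  # assumed GUI policy rule
    (32766, None, None, None, "main"),                # kernel default
]

def apply_mangle(pkt: Packet) -> Packet:
    # -j MARK --set-mark value/mask: clear the mask bits, then OR in the value
    for r in MARK_RULES:
        if pkt.src == r["src"] and pkt.proto == r["proto"] and pkt.sport in r["sports"]:
            pkt.fwmark = (pkt.fwmark & ~r["mask"]) | (r["mark"] & r["mask"])
    return pkt

def lookup_table(pkt: Packet) -> str:
    # Walk the RPDB by priority; the first matching entry picks the routing table
    for _prio, mark, mask, from_net, table in sorted(RPDB, key=lambda e: e[0]):
        if mark is not None and (pkt.fwmark & mask) != mark:
            continue
        if from_net and ip_address(pkt.src) not in ip_network(from_net, strict=False):
            continue
        return table
    return "main"

def route(src: str, sport: int, dst: str, dport: int) -> str:
    # Which routing table a packet from the LAN host ends up in (constructed sample flows in the test)
    return lookup_table(apply_mangle(Packet(src, sport, dst, dport)))
```

Feeding a reply from port 443 returns "main" (out via WAN) while a fetch from a random high port returns the VPN table; a reply from port 80 also returns the VPN table, since the script as posted only marks port 443.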
 
I've never tried this myself (I have no need) so I only know what I've read in that wiki. But as far as I can tell it should work provided you have also forwarded port 443 in the GUI as per example 2.
 

Just want to get back and again say thank you for directing me to that resource.
I just tried it and it works perfectly. I made sure to query my external IP using curl both over HTTP and HTTPS and using the dig short approach (from inside the 192.168.1.5 RPi device).
All of the calls report my public IP to be my VPN IP, yet the service on port 443 is now reachable =)
Many thanks, this was an awesome solution!
 
