VPN Policy Rules - Understanding the basics


PC Pilot

Regular Contributor
Hi to all,

I have been wrestling with an OpenVPN Server configuration to direct any remote browsing and WAN access via my RT-AX88U home router whilst further directing that remote browsing via my OpenVPN Client (Express VPN) as already configured on my router.

Thanks to kind guidance from these forums (and a fair degree of experimentation!) I eventually managed to accomplish the first part (i.e. To configure remote access using an OpenVPN Server and connect to the OpenVPN Connect IOS App utilising my ISP generated IP for internet connection). Part 2 (to also direct that remote browsing via my existing VPN client IP in lieu of the ISP IP) presently eludes me as I do not fully understand the necessary Policy Routing requirements.

Following FW update from Merlin's 384.14 to the latest 314.16 (with no configuration changes) remote browsing is no longer able to connect as before when using the VPN Server, however disabling it enables access once more. UPDATE 27.04.20: Not sure what was causing the browsing to fail as I couldn't identify a specific issue when troubleshooting. Several router reboots later and all was once again working as before!!

This led me to re-appraise my knowledge ahead of troubleshooting the issue with a view to re-establishing the previously successful part 1 connection and (only then) to consider resolving the part 2 dilemma.

I was guided to create a Client 'Policy Rule' to go through the WAN with a destination of 192.168.1.0/24 (IP adjusted to that of my LAN IP). This led me to question my basic understanding and whether I had even correctly interpreted the advice. Truthfully, I am not at all clear of the basics....

I have always considered the Router IP Address and the LAN IP Address to be one and the same but research online does not necessarily appear to confirm this assertion....

Accordingly, if my Router (subnet suitably obfuscated) is accessed via 192.168.xxx.1 what do each of the following actually represent?? when/where should they be used?? ….and which should I be using as the basis of my VPN policy rules??

192.168.xxx.0 ?
192.168.xxx.1 ?
LAN IP Address ?
the inclusion of the /24 ?

Apologies for the knowledge gap!

Thanks,

PC Pilot.
 
I have always considered the Router IP Address and the LAN IP Address to be one and the same but research online does not necessarily appear to confirm this assertion.....

OK, having studied as much material as I am currently able to understand I believe I may finally have a clearer definition. As I now understand it, the following applies:

192.168.xxx.0 represents ALL of the Local (LAN) IP's (note plural!) allocated from the IP Pool on the given subnet (xxx).
192.168.xxx.1 represents (in my case) the individual IP address of the Router itself (i.e. The address used to access the Router's interface).
LAN IP Address is in fact not one single address but represents the combined IP Addresses of the individual client devices allocated from the IP pool signified by the ".0" .
The inclusion of the /24 signifies (as a Classless Inter-Domain Routing (or CIDR) notation) the subnet mask of the LAN IP address (192.168.xxx.0 has a subnet mask of 255.255.255.0) - expressed as a binary value (11111111.11111111.11111111.00000000) with the number "24" representing the number of consecutive "1's" in each of the "8 bit" (for IPv4 networks) binary groups and hence 8+8+8 = 24

I would very much appreciate confirmation/clarification/correction of any of the above by the forum experts. If correct I hope that this is of assistance to others attempting to grasp these somewhat 'basic' concepts!

Part 2 (to also direct that remote browsing via my existing VPN client IP in lieu of the ISP IP) presently eludes me as I do not fully understand the necessary Policy Routing requirements.

Now to attempt to grasp the complexities of Policy based VPN routing ... and rapidly getting out of my depth I feel :( !!

My Requirements:

1. To route remote client (iPhone) through home router (secure WAN remote access to Router) via OpenVPN Server in conjunction with OpenVPN Connect iOS Client App - ?
2. To route remote client (iPhone) through home router (for secure internet browsing) via OpenVPN Server (Policy Rule - 192.168.xxx.0/24 - as Dest to WAN) - Working, but presently broadcasts Public (ISP) IP
3. To route majority of LAN clients (global Policy Rule - 192.168.xxx.0/24 - as source to VPN) via OpenVPN Client (VPN Express) - Working, correctly broadcasts VPN IP.
4. To route (using policy rules for individual client devices (e.g. Plex, WinTV and SMTP's via WAN) - Working, correctly routes devices using Public (ISP) IP.
5. To further route 2. above via the OpenVPN Client (VPN Express) so that ALL remote browsing is privately routed through the home router via VPN Express (as the VPN Client) replicating the current setup for 'local' internet browsing, as at 3. above.
6. To maintain the exceptions in 4. above

I have an RT-AX88U running Merlin 384.16 & the following building blocks from which to devise one (or more) working policy rules appear likely to satisfy both 1 & 5 above:

Public (ISP issued) IP Address,
Client IP Address (in this case an iPhone),
VPN Server - VPN Subnet/Netmask,
VPN Client - VPN Local (Private) IP,
VPN broadcast IP address.

I am thinking iPhone Client IP > VPN Server Subnet > VPN Client Subnet ??

Policy Rule: VPN Server IP 10.8.0.0/CIDR (if so which) (source) > 0.0.0.0 (destination) > VPN Interface
OR
Policy Rule: VPN Server IP 10.8.0.0/CIDR (if so which) (source) > VPN Client IP 10.xxx.1.xxx (destination) > VPN Interface
OR
Policy Rule: 192.168.xxx.iPhone (source) > VPN Client IP 10.xxx.1.xxx (destination) > VPN Interface

Perhaps somebody can advise whether I am even going in the right direction here and maybe nudge me gently back on track (ideally with an explanation) so that I can not only achieve the desired resolution but also understand the principle(s) behind it!

Thanks again,

PC Pilot.
 
Yes, the /24 represents the subnet mask. As you pointed out, /24 can be expressed as 255.255.255.0 or 11111111.11111111.11111111.00000000. In this example, it means that the first three octets of the IP address are the "network" (or your subnet) and the fourth octet is the clients on your network.

Staying with a subnet mask of /24, 192.168.xxx.0 represents the whole of your subnet (not just the pool IPs from your DHCP, but all clients between 192.168.xxx.1 and 192.168.xxx.254).

You would use the 192.168.xxx.0 in a routing statement if you wanted to route traffic from one subnet/or single address to another subnet. For example, if your VPN gateway address is 10.8.0.1/24 and you wanted traffic to pass from your VPN gateway to your local LAN at 192.168.xxx.0, then you need a routing policy that says to route traffic from anyone on your VPN subnet (0.0.0.0) through gateway 10.8.0.1 to destination network 192.168.xxx.0.

This link is not exactly what you are doing, but it may help sort some things out;
https://www.snbforums.com/threads/u...o-asus-routers-via-openvpn-in-tun-mode.54868/

Hope this helps, even a little.
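As an added example that is not part of the thread (and not Asuswrt-Merlin code), here is the arithmetic behind the reply above written in POSIX sh, the shell the router scripts later in this thread use. It turns a prefix length into the dotted mask, derives the network, host range and broadcast address for a CIDR such as 192.168.1.0/24, and tests whether an address falls inside a CIDR, which is the comparison a policy rule's Source/Destination field performs (0.0.0.0/0 matches everything, the "any address" meaning used in the rules in this thread). The sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: CIDR arithmetic in POSIX sh.
# Requires a shell with 64-bit arithmetic (dash, bash, busybox ash all qualify).

# Dotted quad -> 32-bit integer, e.g. 192.168.1.0 -> 3232235776
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted mask: /24 -> 255.255.255.0 (24 leading 1 bits, 8 zero bits)
prefix_to_mask() {
    int_to_ip4 $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_info ADDR/PLEN -> "network/plen mask first_host last_host broadcast"
# e.g. cidr_info 192.168.1.77/24 -> 192.168.1.0/24 255.255.255.0 192.168.1.1 192.168.1.254 192.168.1.255
# (host range is meaningful for prefixes up to /30)
cidr_info() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( $(ip4_to_int "$addr") & mask ))          # clear the host bits -> the ".0" address
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))          # set the host bits  -> the ".255" address
    echo "$(int_to_ip4 $net)/$plen $(prefix_to_mask "$plen") $(int_to_ip4 $((net + 1))) $(int_to_ip4 $((bcast - 1))) $(int_to_ip4 $bcast)"
}

# in_subnet ADDR CIDR -> exit status 0 if ADDR is inside CIDR, 1 otherwise.
# This is the test a policy rule's source/destination field applies;
# 0.0.0.0/0 has a zero mask and therefore matches every address.
in_subnet() {
    addr=${2%/*}; plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$addr") & mask )) ]
}

# Constructed sample run (addresses chosen for illustration only)
cidr_info 192.168.1.77/24
if in_subnet 10.8.0.2 10.8.0.0/24; then echo "10.8.0.2 is an OpenVPN Server client address"; fi
if ! in_subnet 10.8.0.2 192.168.1.0/24; then echo "10.8.0.2 is not a LAN address"; fi
```

Running `cidr_info` on any address in your LAN shows why the rules use the ".0" form: the host bits are cleared, so 192.168.xxx.77/24 and 192.168.xxx.0/24 name the same network, and `in_subnet` is true for every address from .1 to .254.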
 
Hi Jeffrey,

Thank you for taking the time to respond..... much appreciated!

Your clarification concerning the fourth octet as representing the clients on the network is helpful and I am especially grateful for the correction that the "whole" of the subnet between 192.168.xxx.1 to 192.168.xxx.254 is included. This most likely results from a misunderstanding upon my part as my own DHCP IP Pool spans 192.168.xxx.2 to 192.168.xxx.254 and appeared representative of the information I read :oops:.

In regards to the VPN Server (BTW. I have read that the VPN Server is considered to function much like a router rather than as a traditional VPN) it has an advanced setting labelled as "VPN/Subnet" with a value of 10.8.0.0 the VPN Status Tab lists (for the VPN Server) the iPhone as Client (192.168.xxx.iPhone:(random port)) with a virtual address of 10.8.0.2. On the other hand under "Service State" on the VPN Client tab the connection shows a "local IP" of 10.xxx.0.xxx (entirely different subnet to the VPN Server).

In your example you kindly identify 10.8.0.1 as the VPN Server Gateway. I have been experimenting using 10.8.0.0/24 as the basis for my policy rule tests with no success which I guess explains why!! I am rather confused though about the construction of the routing policy as to how the "VPN subnet (0.0.0.0)" in your example relates to the gateway address "10.8.0.1". Is it as the "Source"? ...with 192.168.xxx.0 as destination? or is "0.0.0.0" the source as in my second example below?

Currently, as per assistance from other forum members I have the following VPN Client Policy Rules, the first to route the LAN Traffic through the VPN Client and the second for the VPN Server to direct 'server' traffic through the LAN to WAN :

Rule (1) LAN IP's
Source IP (1) 192.168.xxx.0/24
Destination IP (1) 0.0.0.0
Iface (1) VPN

Rule (2) LAN IP's
Source IP (2) 0.0.0.0
Destination IP (2) 192.168.xxx.0/24
Iface (2) WAN

Therefore as I would like to route any internet browsing (when away from the home network and using the iPhone) via the OpenVPN App & OpenVPN Server then, NOT as presently to my Public IP BUT RATHER, on to the OpenVPN Client and thus to the VPN (Client) Server IP and on to the internet. Can this be accomplished in a single policy rule? Or will a sequence of more specific rules applicable to each/either the client device (iPhone) or, the VPN Server Gateway IP or, the VPN Client IP be required??

VPN Server Gateway (10.8.0.1/24) > VPN Client Tunnel (10.xxx.0.xxx?) > Internet

Expressed as a rule ?

Rule VPN Server/VPN Client
Source IP 10.8.0.1/24
Destination IP 10.xxx.0.xxx
Iface VPN

Confused now :confused: o_O …..!!

PC Pilot
 
If I am reading right, what you want to do is have your client, when connected to the local donut shop wifi, route all of your traffic to the internet via the VPN tunnel instead of through the donut shop's gateway. Is that right?

If so, the solution may be easier than you thought. Assuming you are using Merlin's software for your VPN server, log in to your Router GUI, navigate to the VPN server, change VPN details to advanced, go down to custom configuration and put the following into the box;

Code:
push "redirect-gateway def1"

click apply.

Some windows 10 systems have binding configurations that may override this setting.

In my example, I used 10.8.0.1 as a gateway. That was simply an example for the sake of illustration. You would have to check on your own router what your VPN gateway actually is. Also, in my example, I used 0.0.0.0. That simply means "route any address" to the destination lan ......

You will have to bear with me here too. Most of my experience in building routing tables has been in windows environments. The concept is the same, just the how is different and I would have to do some reading myself as I am not used to using iptables and ebtables.
 
Hi Jeffrey,

If I am reading right, what you want to do is have your client, when connected to the local donut shop wifi, route all of your traffic to the internet via the VPN tunnel instead of through the donut shop's gateway. Is that right?

Almost, using your example: When connected to the local donuts shop wifi, route all of my traffic to the internet via the VPN (Client) tunnel instead of through my own “Public” IP (NB. This is the current effect when connected via the VPN Server, whereas my local (home network) traffic routes via the VPN Client’s external servers)

Hope this clarifies the position, don’t know what difference, if any, this makes to your proposed resolution?

Thanks for all of your guidance, greatly appreciated :) .

PC Pilot
 
Ok, I think I missed that part. You say your public IP, are you saying the public IP on your home router (your VPN server)? Is your router a VPN client as well as a server?

Baby steps. When you are connected to your server from outside your home, you still want your client to route traffic to your server. So the push statement above would still be valid for your end device (your phone while connected to the foreign wifi).

Once connected to your server, then you want the traffic to pass from your server to a VPN client connected to the server (say NordVPN as an example).

Unless you need a service that resides on your own server, could you not just have your phone connect to the external VPN client tunnel instead of going through your server first?

I'll do some digging as I find it interesting enough to learn
 
Ok, I think I missed that part. You say your public IP, are you saying the public IP on your home router (your VPN server)? Is your router a VPN client as well as a server?

Absolutely, you got it: “concurrent use of VPN Server & VPN Client”!! So, yes & yes!

When you are connected to your server from outside your home, you still want your client to route traffic to your server. So the push statement above would still be valid for your end device (your phone while connected to the foreign wifi).

Wow, that does sound promising! Quick question, would this method still enable the iPhone to be used to ‘securely’ remote access the Router Web GUI, and would that require a separate ‘Policy Rule’ to achieve?

Once connected to your server, then you want the traffic to pass from your server to a VPN client connected to the server (say NordVPN as an example).

Precisely, Express VPN in this case BTW!

Unless you need a service that resides on your own server, could you not just have your phone connect to the external VPN client tunnel instead of going through your server first?

That is the current solution, but:

1. It relies upon me remembering to check I have enabled it!
2. It does not seem to be an ‘elegant’ solution.
3. The issue I pose was initially prompted by the need of a means to ‘securely’ remote access to Web GUI as noted in the last question. Indeed the VPN Server was proposed as a secure solution to this with the simultaneous security benefit of routing remote browsing through my own router. Although, I must confess at this point I did not appreciate that this would not route browsing traffic through the VPN Client (Express VPN) as already long established on the home network.
4. It may in the future be extended to other client devices (eg. iPad, Windows 10 Laptop etc.) and so VPN provider simultaneous device limitations becomes an issue.

I'll do some digging as I find it interesting enough to learn

Cool, that is most appreciated :) !

Thanks again,

PC Pilot.
 
OpenVPN Server configuration to direct any remote browsing and WAN access via my RT-AX88U home router whilst further directing that remote browsing via my OpenVPN Client (Express VPN) as already configured on my router.

i.e. to also direct that remote browsing via my existing VPN client IP in lieu of the ISP IP) necessary Policy Routing requirements.
see thread openvpn server and client question
 
@Martineau's thread has all you need.

I also found this thread last night before calling it quits. The GUI inputs in the VPN Client section are better explained in this thread, but the same instructions are in the thread above as well. Both were excellent reading.

https://www.snbforums.com/threads/create-nat-on-tunnel.63158/#post-568107

I can't test for you as my ISP uses CGNAT. It's a bummer as they are the only show in town (the joys of living in northern Ontario). I have a test router that I use behind my main router that I play with, including setting up a VPN server, but the testing I can do is limited due to my ISP.

Good luck and cheers
 
Hi Jeffrey/Martineau,

Jeffrey, apologies for the delay in replying to your extremely informative post and my apologies too to Martineau for the delay in responding to your post and for the links to the detailed posts which finally provided me (following some experimentation) with the key to unlock the solution!.... thank you both so much, it really illustrates just what an incredible resource these forums are, especially so for novices to RMerlin's astonishing firmware like myself :)

I have to say that I trawled these forums seeking information prior to starting a thread on the Concurrent Use of both the VPN Server & VPN Client (which I intend to suitably update for the benefit of other novices similarly interested in resolving running VPN Server traffic through their VPN Client). I have always sought to advance my knowledge when seeking solutions. In the course of my research I identified several posts containing closely related material and yet for some reason I was never able to locate the particular post Martineau kindly linked to and which ultimately contained the final piece of the puzzle!

It would be useful if I could understand (at least the basics) of how Martineau's clever 'firewall-start' script works and given that I am not familiar either with the Linux file system or scripting, it would help greatly if you could decode what function each part of the code below represents and in what way it corresponds to the desired actions?

#!/bin/sh
# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
# First delete any existing copies so the rules are not duplicated each time the script runs
# (the "rule does not exist" error on a first run is discarded)
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null
# Then MASQUERADE (source-NAT) each OpenVPN Server subnet (read from nvram) when it leaves
# via any VPN Client tunnel interface: 'tun1+' matches tun11, tun12, ... tun15
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

I very much appreciate everyone's support and hope that you might indulge me just one stage further in clarifying the following Web GUI settings I have used to accompany the process based wholly upon my interpretations of the posts I have researched and otherwise as a result of advice received from other forum members. Please advise if I have incorrectly assigned any of the client octets, CIDR or otherwise inadvertently exposed my setup to any unnecessary risk.

OpenVPN Client - Policy Rules

Description > Source > Destination > Interface > Function

LAN IPs > 192.168.My IP.0/24 > 0.0.0.0 > VPN > Route all LAN Clients via VPN (VPN Client)
VPN Server 1 > 10.8.0.0/24 > 0.0.0.0 > VPN > Route all VPN Server 1 Clients via (VPN Client)
VPN Server 2 > 10.16.0.0/24 > 0.0.0.0 > VPN > Route all VPN Server 2 Clients via (VPN Client)
LAN IPs > 0.0.0.0 > 192.168.My IP.0/24 > WAN > Not clear the function intended by this rule ??
RT AX88U Router > 192.168.My IP.Address > 0.0.0.0 > WAN > Route access to Router Web GUI via WAN

Finally, I used Putty and the nano editor to compose the 'firewall-start.sh' file (prior to making it executable) having initially attempted to do so using the vi editor (as recommended by some users) but I was unable to ascertain the necessary commands to make it function. Some suggest that vi is easier to use as an editor, if this is so is there any sort of guide as to the necessary steps to take to compose and save/make executable files and the commands used to do so?

Thanks again for your superb advice and guidance, by degrees my knowledge is advancing ....even if perhaps only in baby steps :)

Much appreciated guys !!

PC Pilot
 
It would be useful if I could understand (at least the basics) of how Martineau's clever 'firewall-start' script works and given that I am not familiar either with the Linux file system or scripting, it would help greatly if you could decode what function each part of the code below represents and in what way it corresponds to the desired actions?
IP masquerading allows internal machines that don't have an officially assigned IP addresses to communicate to other networks and especially the internet.

see figure 11.1

Usually in most home router environments, MASQUERADEing will occur by default for every device on the LAN subnet that uses the outbound WAN interface aka internet.

When you initiate a VPN Client tunnel, the same MASQUERADE must be applied for every device on the LAN subnet that uses the VPN 'tun1X' interface.

Now if you have 5 VPN clients, rather than explicitly reference every VPN tunnel interface tun11,tun12...tun15, i.e. 5 rules, it is easier (if appropriate) to reference ALL VPN interfaces using a single rule using 'tun1+' notation.

Do you see a pattern here?

So all my 'clever' rule does is simply MASQUERADE the additional OpenVPN Server subnets outbound via the target VPN Client 'tun1X' interface.
Code:
#!/bin/sh

# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client

iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE 2>/dev/null
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

e.g. the two preceding ' -D' rules prevent unnecessary duplicates (I'm lazy so rather than tediously check if there is already an existing rule, it's quicker to silently (ignoring the error message if it doesn't actually exist!) always issue a delete regardless!) then we just add the two static rules, one for each of the OpenVPN Server subnets to ALL outbound VPN Client tunnel interfaces.
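As an added example (not Martineau's script and not part of the thread), the helper below reaches the same end state, exactly one MASQUERADE rule per OpenVPN Server subnet on every `tun1X` interface, but asks iptables whether the rule already exists with `-C` instead of issuing a blind delete first. It assumes the router's iptables build supports `-C` (an assumption, not stated in the thread) and that it is run on the router as a firewall-start script; the `masq_openvpn_servers` function reads the same `vpn_server1_sn` / `vpn_server2_sn` nvram values the script above uses.

```shell
#!/bin/sh
# Added example, not Martineau's script: idempotent MASQUERADE rules via 'iptables -C'.
# Assumes an iptables build that supports -C (check mode) and that this runs on the router.

# Rule specification (everything after the chain name) for masquerading
# traffic from SUBNET when it leaves through IFACE, e.g. 10.8.0.0/24 tun1+
masq_rule() {
    echo "-t nat -s $1 -o $2 -j MASQUERADE"
}

# Insert the rule only if it is not already present.
# Exit status: 0 = rule added, 1 = rule was already there, 2 = iptables failed.
ensure_masq() {
    subnet=$1; iface=$2
    # -C exits 0 when an identical rule exists; its "no such rule" error is discarded
    if iptables -C POSTROUTING $(masq_rule "$subnet" "$iface") 2>/dev/null; then
        return 1
    fi
    iptables -I POSTROUTING $(masq_rule "$subnet" "$iface") || return 2
    return 0
}

# Apply to both OpenVPN Server subnets, as the delete-then-insert script does.
# The -s match keeps the NAT limited to the server subnets; 'tun1+' covers
# every VPN Client tunnel interface (tun11 ... tun15) with one rule each.
masq_openvpn_servers() {
    for n in 1 2; do
        sn=$(nvram get "vpn_server${n}_sn")
        if [ -n "$sn" ]; then
            ensure_masq "$sn/24" "tun1+" || true   # already present is not an error
        fi
    done
}
```

Running `ensure_masq 10.8.0.0/24 tun1+` twice leaves a single rule in the nat POSTROUTING chain, which you can confirm on the router with `iptables -t nat -L POSTROUTING -n -v`; the return code tells a calling script whether anything changed.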
 
I remember using vi 35 years ago when there was no such thing as GUIs in UNIX. The two OS that I broke my teeth on were OS/2 and QNX.

I got away from networks shortly after moving jobs into railway signalling. In the last 5 years networking has become very big now in Canadian railway signalling. I know of one central plant now that has 4 remote sites where they all talk to each other now via 5g radios and a very simple local network.

Anyway, I digress. Since moving to Merlin, I too have enjoyed getting back into UNIX (Linux) and am still learning (or re-learning) many things.

@Martineau, really appreciate the explanation as well. Also for the greater article where you draw your figure from.

Instead of vi or nano, you could also try https://winscp.net/ as a means of making your scripts. WinSCP's editor writes unix files. Personally, I find it so much easier using WinSCP to access the router when you need to just look around.

Cheers
 
Hi Martineau & Jeffrey,

Have only just discovered your kind follow-ups to my earlier message, think somehow I must have deleted the thread alert as I didn't receive one :oops:!

I have been attempting to get to grips with the new (to me!) Linux terminology reading various articles and following some careful experimentation along the lines suggested by Martineau. As a result I have recently tinkered with the VPN Server/Client setup after configuring Jack Yaz's excellent YazFi so that the VPN Servers (tun21 & tun22 - beginning to understand what the terms mean at last ...so thanks guys!) are configured to different VPN Clients utilising the tun11 and tun15 terms in lieu of tun1+ as guided by Martineau.

YazFi offered the opportunity to configure subnets discrete from the LAN thus providing the means to route specific client devices via a given VPN Client's remote server location (all using my VPN provider ExpressVPN) and hence the experiment to revise the tun1+ to accommodate different VPN clients once I had discovered that it was possible to configure more than one (active) VPN Client to run concurrently. Currently, whilst this is functioning I do have some outstanding policy rule issues to resolve as ExpressVPN configures the OpenVPN file for each server location to use the same UDP port (1195) and as it appears that this cannot be changed:rolleyes:. I am yet to identify another way around it:(:confused:.

Jeffrey, you have made an excellent point in regards to WinSCP, I do have WinSCP but due to my lack of knowledge I had not properly explored its capabilities using it as a viewer and instead favouring Putty as that is where I had started this particular journey:rolleyes:! As a result of your suggestion I have been exploring some of the wider capabilities including configuring Notepad++ as editor and using the Putty terminal from within WinSCP. In fact, I finished some of the above scripting mods with WinSCP so again many thanks for this helpful pointer.

Thanks again guys for the valuable education:)!

PC Pilot
 
