VPN Server and VPN Client Routing - Access Internet through Paid VPN


jorgsmash

Regular Contributor
Hi everyone. Sorry if this isn't the right place to post this question but I tried to ask over at PiVPN support with no luck. I had the same issue with the built in VPN server as well. So even if we can't answer any question regarding the Pi-VPN, I would understand, but I also tried with the VPN server and client in WRT-Merlin settings.

What I'm trying to accomplish: Have a VPN Server at my house that my remote clients can connect to, take advantage of my DNS (Diversion/Pi-hole, DNS-crypt), and finally have those clients access the Internet through a VPN service I pay for.

I posted most of the details in a post here: https://github.com/pivpn/pivpn/issues/1094

I tried implementing a Pi-VPN server, which is a breeze to set up, and gave both WireGuard and OpenVPN protocols a shot. I was able to connect to the server in both instances, but the clients could not reach the Internet if my paid VPN service was enabled. Disabling it allowed the clients to reach the Internet, but through my ISP's IP.

Thirdly, I tried the VPN server and client configurations built into WRT-Merlin. Again, I was able to connect to the server, but clients could not reach the Internet if the VPN client was also enabled and I set the policy rules to have the VPN clients use the paid VPN service to try to reach the Internet.

I'm sure it's just a routing issue that I am not able to figure out, but I believe I tried every combination of settings that I could think of to make it work. I even believe I had this working about a year ago, but that was with Pi-VPN and Pi-Hole, before I got my new Asus Router. Ideally, I would run my VPN server in a VM on a Windows Host. That Windows host has a VPN client on it (the one I pay for), and I would port forward from my router WAN to the private IP of that VM, and the Windows Host would access the Internet through the paid VPN client.

Again I'm sorry if this isn't the right place to put this, but you guys seem like a great wealth of knowledge and any help would be appreciated!

Thanks!
 

Martineau

Part of the Furniture
What I'm trying to accomplish: Have a VPN Server at my house that my remote clients can connect to, take advantage of my DNS (Diversion/Pi-hole, DNS-crypt), and finally have those clients access the Internet through a VPN service I pay for.

Does this post # help?
 

jorgsmash

Regular Contributor

I'll give that a shot! Thank you for your direction! I assume this behavior is not normal by default and not usually a requested function? Seems like it would be pretty highly requested for this functionality but maybe not many people require/want this particular setup. Would you also have a post on how to backup my current firewall rules in case I need to revert back? I assume this is with Skynet?
 

jorgsmash

Regular Contributor

After reading through that post a bit, I tried following the recommendation from user Salles, post #39. I was connected remotely, via SSH. I copied the existing /jffs/scripts/firewall-start to a backup file and commented out all of the lines in the backup. I then proceeded to add the lines:

Code:
# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

and saved the file. Rebooted the router via the GUI. Now my ssh tunnel is down. The port I access to SSH from WAN is not responding.

I also added the policy rules in the VPN client to direct the VPN server (10.8.0.1/24) to go through the VPN.

Any ideas why the SSH tunnel isn't responding?

Thanks again!

Edit: I figured it out. The device I was trying to SSH into was configured to use the VPN client on the router as well. So after disabling the VPN client, I can SSH back into it. So...... I guess I can't SSH into that device via my DDNS name (configured on my WAN), if I have it set to route Internet traffic through the VPN client as well? I'm trying to think how this would work logically. But I'm not sure it's possible. The SSH tunnel wouldn't be accessible through the WAN if the same device is set to access the Internet through the VPN client tunnel?
 

Martineau

Part of the Furniture
Edit: I figured it out. The device I was trying to SSH into was configured to use the VPN client on the router as well. So after disabling the VPN client, I can SSH back into it. So...... I guess I can't SSH into that device via my DDNS name (configured on my WAN), if I have it set to route Internet traffic through the VPN client as well? I'm trying to think how this would work logically. But I'm not sure it's possible. The SSH tunnel wouldn't be accessible through the WAN if the same device is set to access the Internet through the VPN client tunnel?

Can you SSH to your LAN device hosting the SSH service from any of your LAN devices? - if so, then there may be a firewall rule on the SSH Server blocking the VPN Server subnet?

Alternatively, you may have success using the technique described in the Wiki Example 2 - obviously change RDP Port 3389 to your (non-standard) SSH Port.
 

jorgsmash

Regular Contributor
Can you SSH to your LAN device hosting the SSH service from any of your LAN devices? - if so, then there may be a firewall rule on the SSH Server blocking the VPN Server subnet?

Alternatively, you may have success using the technique described in the Wiki Example 2 - obviously change RDP Port 3389 to your (non-standard) SSH Port.

Responding at 3:30 AM... I knew I liked you! So here is what I have noticed so far:

1. The issue I mentioned above. If my SSH server is set in the WebUI to route through the VPN client, I can't SSH to that device from the WAN (ISP via DDNS).

2. On the same device, the SSH server, I have installed the paid VPN client software (VPN Unlimited). If I enable that VPN client software, I can still SSH into the device from the WAN. If I SSH into that device using the DDNS name of my WAN (ISP), then I issue the command:

Code:
$ curl ifconfig.me

Then I see that my device is accessing the Internet through the VPN IP, not my ISP IP.

3. A side issue I noticed - when my cell phone is connected to the VPN Server on the router, I can't ping or SSH into any devices on my LAN. I have the 'Advanced Settings' on the Server set to allow VPN clients to access both the LAN and the Internet. Again, probably a routing issue since in the VPN client config I have all VPN clients set to use the VPN as recommended in the post you first sent:

Description    Source IP      Destination IP   Iface
VPN Clients    10.8.0.1/24    0.0.0.0          VPN


Do I need to add an additional rule here for my LAN subnet to go through Wan?

Description    Source IP      Destination IP   Iface
VPN Clients    10.8.0.1/24    Lan_Subnet       WAN


Thank you kind fellow!


Edit: Here is my router routing table.


Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ISP_Gateway     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun21
10.200.0.73     *               255.255.255.255 UH    0      0        0 tun12
10.200.0.165    *               255.255.255.255 UH    0      0        0 tun11
6x.x.x.xx     *               255.255.248.0   U     0      0        0 eth0
6x.x.x.xx     *               255.255.255.255 UH    0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.50.0    *               255.255.255.0   U     0      0        0 br0

From what I can tell, the 10.8.0.0 subnet does not have a route to my 192.168.50.0 subnet. The 10.8.0.0 is my VPN Server (tun21), and the other two 10.x subnets are two VPN clients I have set up (tun12, tun11). Does that help in diagnosing my Issue?
 

jorgsmash

Regular Contributor
Coming back to this because I came across a weird issue.

1. I connected a remote client to my VPN server (not on the ASUS router) at my house.
2. I checked my IP. It was my home ISP IP
3. In my router settings, I added the VPN server LAN ip to my VPN client list to force the VPN server machine to use my paid VPN service to access the Internet.
4. I checked my IP again and it switched over to my paid VPN ip.
5. My connection remained intact. I was able to remote into my home network through a VPN server, and then leave my home network through my paid VPN ip.

I come back a few hours later and the VPN connection to my home network broke. I couldn't reconnect back to my home network because the VPN server on my home network was still going through the VPN client on my router. After using an alternative method to access my home router, I removed the VPN server ip from the client list in the router setting. So now the VPN server was going out to the Internet through my ISP.

After making those changes I could reconnect to my home network VPN.

So it confuses me why I can remote in, change the router setting to route the server through the VPN client on the router with no problems. But when the VPN tunnel goes down, then I can't reconnect until I remove the VPN server from the VPN client list in the router.

Is there anything I can do to diagnose this further or find a fix for this strange scenario?

Thanks all!
 

eibgrad

Very Senior Member
Coming back to this because I came across a weird issue.

1. I connected a remote client to my VPN server (not on the ASUS router) at my house.
2. I checked my IP. It was my home ISP IP
3. In my router settings, I added the VPN server LAN ip to my VPN client list to force the VPN server machine to use my paid VPN service to access the Internet.
4. I checked my IP again and it switched over to my paid VPN ip.
5. My connection remained intact. I was able to remote into my home network through a VPN server, and then leave my home network through my paid VPN ip.

I come back a few hours later and the VPN connection to my home network broke. I couldn't reconnect back to my home network because the VPN server on my home network was still going through the VPN client on my router. After using an alternative method to access my home router, I removed the VPN server ip from the client list in the router setting. So now the VPN server was going out to the Internet through my ISP.

After making those changes I could reconnect to my home network VPN.

So it confuses me why I can remote in, change the router setting to route the server through the VPN client on the router with no problems. But when the VPN tunnel goes down, then I can't reconnect until I remove the VPN server from the VPN client list in the router.

Is there anything I can do to diagnose this further or find a fix for this strange scenario?

Thanks all!

Sounds to me like you're confusing the OpenVPN client-to-server connection (which is using public IPs), w/ the tunnel (which is typically a *private* network). You do NOT add the OpenVPN server's LAN ip to PBR (policy based routing). That needs to be established and maintained over the WAN via their respective public IPs. What you *do* want is the tunnel's IP network to be routed over the local OpenVPN client (PIA, PureVPN, whatever).
 

Xentrk

Part of the Furniture
Coming back to this because I came across a weird issue.

1. I connected a remote client to my VPN server (not on the ASUS router) at my house.
2. I checked my IP. It was my home ISP IP
3. In my router settings, I added the VPN server LAN ip to my VPN client list to force the VPN server machine to use my paid VPN service to access the Internet.
4. I checked my IP again and it switched over to my paid VPN ip.
5. My connection remained intact. I was able to remote into my home network through a VPN server, and then leave my home network through my paid VPN ip.

I come back a few hours later and the VPN connection to my home network broke. I couldn't reconnect back to my home network because the VPN server on my home network was still going through the VPN client on my router. After using an alternative method to access my home router, I removed the VPN server ip from the client list in the router setting. So now the VPN server was going out to the Internet through my ISP.

After making those changes I could reconnect to my home network VPN.

So it confuses me why I can remote in, change the router setting to route the server through the VPN client on the router with no problems. But when the VPN tunnel goes down, then I can't reconnect until I remove the VPN server from the VPN client list in the router.

Is there anything I can do to diagnose this further or find a fix for this strange scenario?

Thanks all!
x3mRouting provides VPN Server to VPN Client Routing and does all of the necessary set-up.

You need a USB with entware installed on it. Install instructions here. You will need to select

[3] OpenVPN Event & x3mRouting Script

Usage:

Route from VPN Server 1,2 or both to VPN Client 1,2,3,4 or 5.

Code:
x3mRouting server=1 client=1

x3mRouting server=2 client=1

x3mRouting server=both client=1

x3mRouting Support Thread

All of the necessary set-up will be performed. The rule will only exist if the VPN Client is on. The rule will get deleted if the VPN Client is down so you can still access your home router. Set it and forget it!
 
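The script below is an added example written for this page; it is not code from the thread, from Asuswrt-Merlin, or from x3mRouting. It ties together the three points made above: the MASQUERADE rule jorgsmash added to firewall-start, eibgrad's advice to policy-route the server's tunnel subnet (10.8.0.0/24) rather than the server host's LAN address, and Xentrk's note that the rule should exist only while the VPN client is up so the home router stays reachable from the WAN when the paid tunnel drops. It is written as an /jffs/scripts/openvpn-event handler and assumes (all assumptions, not facts from the thread) that Merlin passes OpenVPN's $dev and $script_type environment to openvpn-event for both route-up and route-pre-down, that VPN client 1 is tun11 with a routing table named ovpnc1, and that rule priority 9990 is free; the server subnet defaults to the thread's 10.8.0.0/24 when nvram is not available. With DRY_RUN set it prints the commands instead of running them, so it can be checked off the router.

```shell
#!/bin/sh
# Added example (not from the thread, Asuswrt-Merlin or x3mRouting): route OpenVPN
# *server* clients out through VPN client 1 only while that client tunnel is up.
# Assumed: openvpn-event receives OpenVPN's $dev / $script_type environment,
# VPN client 1 is tun11 and uses routing table "ovpnc1", priority 9990 is free.

# Server tunnel subnet. On the router this comes from nvram; the fallback is the
# thread's value so the script also runs where nvram does not exist.
SERVER_SUBNET="$(nvram get vpn_server1_sn 2>/dev/null || echo 10.8.0.0)/24"
CLIENT_IF="tun11"        # VPN client 1 interface on Asuswrt-Merlin
CLIENT_TABLE="ovpnc1"    # assumed name of VPN client 1's routing table
RULE_PRIO="9990"         # assumed priority, evaluated before the main table

# run: execute a command, or just print it when DRY_RUN is set, so the logic can be
# exercised on a machine without iptables/ip or root.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# All rules live here so that "del" mirrors "add" exactly.
apply_rules() {   # $1 = add | del
    case "$1" in
        add)
            # Policy-route the server's tunnel subnet, NOT the server host's LAN IP:
            # the server's own UDP handshake must keep using the WAN/public path.
            run ip rule add from "$SERVER_SUBNET" lookup "$CLIENT_TABLE" prio "$RULE_PRIO"
            # Drop any stale copy first so a restarted tunnel does not stack duplicates,
            # then NAT the subnet to tun11's address (the provider only knows that IP).
            run iptables -t nat -D POSTROUTING -s "$SERVER_SUBNET" -o "$CLIENT_IF" -j MASQUERADE 2>/dev/null || true
            run iptables -t nat -I POSTROUTING -s "$SERVER_SUBNET" -o "$CLIENT_IF" -j MASQUERADE
            ;;
        del)
            # Remove both pieces when the client tunnel goes away; without this the
            # server subnet keeps a rule pointing at a dead table and remote clients
            # cannot reconnect, which is the failure described in the thread.
            run iptables -t nat -D POSTROUTING -s "$SERVER_SUBNET" -o "$CLIENT_IF" -j MASQUERADE
            run ip rule del from "$SERVER_SUBNET" lookup "$CLIENT_TABLE" prio "$RULE_PRIO"
            ;;
    esac
}

# Event dispatcher: react only to the VPN client interface. "route-up" fires once the
# client tunnel is routable; "route-pre-down"/"down" fire before it disappears.
handle_event() {   # $1 = interface ($dev), $2 = OpenVPN $script_type
    [ "$1" = "$CLIENT_IF" ] || return 0
    case "$2" in
        route-up)             apply_rules add ;;
        route-pre-down|down)  apply_rules del ;;
    esac
}

# Only act when invoked by OpenVPN (environment present); sourcing the file for a
# dry run leaves this block inert.
if [ -n "$dev" ] && [ -n "$script_type" ]; then
    handle_event "$dev" "$script_type"
fi
```

If the GUI policy rule for the server subnet is already in place, the ip rule line duplicates what Merlin's own vpnrouting does and can be dropped; the MASQUERADE rule is the part the GUI does not add. Verify on the router with `ip rule` and `iptables -t nat -L POSTROUTING -v -n` after the client connects, then stop the client and confirm both entries are gone while the server is still reachable over the WAN.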

jorgsmash

Regular Contributor
Sounds to me like you're confusing the OpenVPN client-to-server connection (which is using public IPs), w/ the tunnel (which is typically a *private* network). You do NOT add the OpenVPN server's LAN ip to PBR (policy based routing). That needs to be established and maintained over the WAN via their respective public IPs. What you *do* want is the tunnel's IP network to be routed over the local OpenVPN client (PIA, PureVPN, whatever).

If I understand you correctly, you are telling me to add the 10.8.0.0/24 ip range to the PBR in the VPN client settings. However, this VPN is running on a Ubuntu machine on my local network, so my router has no knowledge of that ip range. It does however have knowledge of the built-in VPN server 10.8.0.0/24 network. So if I turn on the VPN server on the router it can route clients on the 10.8.0.0/24 network through the VPN client. But it doesn't work for the VPN server on the Ubuntu machine. At least I think that is correct as I recall trying that at least once. Did I understand you correctly?
 

jorgsmash

Regular Contributor
x3mRouting provides VPN Server to VPN Client Routing and does all of the necessary set-up.

You need a USB with entware installed on it. Install instructions here. You will need to select

[3] OpenVPN Event & x3mRouting Script

Usage:

Route from VPN Server 1,2 or both to VPN Client 1,2,3,4 or 5.

Code:
x3mRouting server=1 client=1

x3mRouting server=2 client=1

x3mRouting server=both client=1

x3mRouting Support Thread

All of the necessary set-up will be performed. The rule will only exist if the VPN Client is on. The rule will get deleted if the VPN Client is down so you can still access your home router. Set it and forget it!

Sounds great I'll give that a try! I had x3mRouting on my list of programs I would like to try out! Thanks!
 
