VPN setup and forwarding RDP port through OpenVPN Client


dlandon

Regular Contributor
I want to set up all devices connected to my LAN default to be on a VPN, and then selectively exclude some devices that need location in order to work properly. i.e. Spectrum TV app on a Roku device will not work unless it detects I am on my home network.

I have set up one OpenVPN client with all my devices with IP 192.168.1.0/24 and a second client where I set the excluded devices to WAN. Is this the best way to do this, or can it all be done in one client VPN? I was not able to make one client VPN to work to do this.

I also want to be able to access my desktop (IP 192.168.1.4) on my LAN while out of my house. The desktop computer is also on the VPN. I have tried many ideas from Googling and browsing this forum, but have not come up with anything that works. How does one port forward the RDP port (3389) so RDP will work out of my home?

EDIT: I ended up with an arrangement of IP address assignments and policy rules under the OpenVPN client that achieved what I was looking for.

I set up the DHCP server to only assign IP addresses from 192.168.1.21 to 192.168.1.254 so IP addresses from 192.16.1.2 to 192.168.1.20 were reserved. This gives me several IP addresses (192.168.1.16 to 192.168.1.20) to use for fixed IP addressed devices that will go to the VPN.

I set up the Client VPN for Policy Rules and added the following policy rules:
192.168.1.0/28 WAN
192.168.1.0/24 VPN

I assign devices in the IP range of 192.168.1.2 to 192.168.1.15 that I want to go to the WAN. Devices in the range of 192.168.1.16 to 192.168.1.254 will default to the VPN. This way everything to which I don't explicitly assign an IP address in the range of 192.168.1.2 to 192.168.1.15 will default to the VPN.

I don't have to specify specific device IP addresses in the policy rules that can get quite tedious.
 
Last edited:
I want to set up all devices connected to my LAN default to be on a VPN, and then selectively exclude some devices that need location in order to work properly. i.e. Spectrum TV app on a Roku device will not work unless it detects I am on my home network.

I have set up one OpenVPN client with all my devices with IP 192.168.1.0/24 and a second client where I set the excluded devices to WAN. Is this the best way to do this, or can it all be done in one client VPN? I was not able to make one client VPN to work to do this.

I also want to be able to access my desktop (IP 192.168.1.4) on my LAN while out of my house. The desktop computer is also on the VPN. I have tried many ideas from Googling and browsing this forum, but have not come up with anything that works. How does one port forward the RDP port (3389) so RDP will work out of my home?
I think the issue is with the setting 192.168.1.0/24 routing all devices thru Client 1. Then, you specify in client 2 to have some of the same devices to use the WAN. This is probably creating a conflict. If you just list the clients that will use the VPN, any devices not listed will default to the WAN. Try listing devices separately.

You need to install Remote Desktop on your workstation in order to connect to it once you are connected to the LAN via a VPN connection. I did not have to do anything else for my use case. Just make sure the workstation has a static IP on the LAN. Post your OpenVPN server settings if you can’t get it to work and I will compare them with my settings.

If you look at the last 15 pages of the Selective Routing thread, you will see other examples of routing streaming media traffic to different VPN clients using scripts.
 
Last edited:
I think the issue is with the setting 192.168.1.0/24 routing all devices thru Client 1. Then, you specify in client 2 to have some of the devices to use the WAN. If you just list the clients that will use the VPN, any devices not listed will default to the WAN. Try listing devices separately.

You need to install Remote Desktop on your workstation in order to connect to it once you are connected to the LAN via a VPN connection. I did not have to do anything else for my use case. Just make sure the workstation has a static IP on the LAN.
I was able to get what I wanted by using one VPN client and assigning all the IP rules that would go to the WAN first and then the rule 192.168.1.9/24 assigned to the VPN. This seems to get what I want. I think it works by going through the list until it resolves where the specific IP would go and if there is no rule for the IP, it would go to the VPN as the last rule. The best I can tell, without any rules, the traffic would go to the WAN. I like this setup, because any device on my LAN will automatically be routed to the VPN tunnel unless I exclude it.

I have the RDP working when the desktop is not on the VPN. I have port forwarded the RDP port (3389) in the router to the desktop and it works fine when the desktop is not on the VPN. The issue is when the desktop is on the VPN, the port (3389) on the tunnel needs to be forwarded to the desktop. The best I can tell is it is a firewall setting to forward the port to the desktop at 192.168.1.4.
 
I was able to get what I wanted by using one VPN client and assigning all the IP rules that would go to the WAN first and then the rule 192.168.1.9/24 assigned to the VPN. This seems to get what I want. I think it works by going through the list until it resolves where the specific IP would go and if there is no rule for the IP, it would go to the VPN as the last rule. The best I can tell, without any rules, the traffic would go to the WAN. I like this setup, because any device on my LAN will automatically be routed to the VPN tunnel unless I exclude it.
Very creative! What does the command "ip rule" show?

I have the RDP working when the desktop is not on the VPN. I have port forwarded the RDP port (3389) in the router to the desktop and it works fine when the desktop is not on the VPN. The issue is when the desktop is on the VPN, the port (3389) on the tunnel needs to be forwarded to the desktop. The best I can tell is it is a firewall setting to forward the port to the desktop at 192.168.1.4.
Interesting. I guess the difference is the server I connect to does not use a VPN client tunnel.

I have these settings on my VPN Server page that have an impact on how clients play with other LAN resources over the VPN tunnel.

Direct clients to redirect Internet traffic No
Respond to DNS Yes
Advertise DNS to clients Yes
 
I have the RDP working when the desktop is not on the VPN. I have port forwarded the RDP port (3389) in the router to the desktop and it works fine when the desktop is not on the VPN. The issue is when the desktop is on the VPN, the port (3389) on the tunnel needs to be forwarded to the desktop. The best I can tell is it is a firewall setting to forward the port to the desktop at 192.168.1.4.

It might be easier to enable the OpenVPN Server on the router, to save having to explicitly add a port forwarding rule for each service?

However, as per the Selective Port routing posts... have you tried:
Code:
ip rule del fwmark 0x7000/0x7000 2> /dev/null 
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.4 -p udp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.4 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000 2> /dev/null 
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.4 -p udp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.4 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000

then attempt an RDP session from the WAN and check if the PREROUTING rule has any hits
Code:
iptables -nvL PREROUTING -t mangle --line

EDIT: Qualified the PREROUTING rule by explicitly including the desktop IP, although it shouldn't matter as hopefully RDP is only forwarded to one LAN device!
Also as pointed out by @dlandon RDP uses both UDP and TCP.
 
Last edited:
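The post above says to verify two things after installing the rules: that the fwmark entry really sits ahead of the ovpnc1 entries in the RPDB, and that the mangle PREROUTING rule is actually getting hits when an RDP session is attempted from the WAN. The following helpers are an added example (not from the thread, Martineau's scripts, or the Asuswrt-Merlin firmware) that perform both checks on the command output as text. The `ip rule` and `iptables -nvL` listings in the block are constructed samples modelled on the output shapes posted in this thread, and the packet counts are made up; on the router you would pass `"$(ip rule)"` and `"$(iptables -nvxL PREROUTING -t mangle --line)"` instead.

```shell
#!/bin/sh
# Added example: offline checks for the fwmark-to-WAN setup discussed in the thread.
# Sample outputs below are constructed; substitute live command output on the router.

# Constructed `ip rule` sample: the listing from this thread plus the prio 9990
# fwmark entry that the nat-start commands install.
SAMPLE_IP_RULE='0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10001:  from 192.168.1.9 lookup main
10008:  from 192.168.1.4 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Constructed `iptables -nvL PREROUTING -t mangle --line` sample after a few RDP
# packets have left the desktop (column layout approximates iptables output).
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 98213 packets, 61M bytes)
num   pkts bytes target  prot opt in   out  source       destination
1       42  8412 MARK    udp  --  br0  *    192.168.1.4  0.0.0.0/0     multiport sports 3389 MARK or 0x7000
2      317 51208 MARK    tcp  --  br0  *    192.168.1.4  0.0.0.0/0     multiport sports 3389 MARK or 0x7000
3        0     0 MARK    tcp  --  br0  *    0.0.0.0/0    0.0.0.0/0     multiport dports 465 MARK or 0x7000'

# Succeeds only if the 0x7000 fwmark rule that looks up the main (254) table has a
# lower priority number than every "lookup ovpnc" rule, i.e. it is consulted first,
# so marked packets never reach the VPN client table. $1 is the text of `ip rule`.
fwmark_before_vpn_rules() {
    printf '%s\n' "$1" | awk '
        /fwmark 0x7000\/0x7000/ && /lookup main/ { sub(":", "", $1); fw = $1 + 0; seen = 1 }
        /lookup ovpnc/ { sub(":", "", $1); p = $1 + 0; if (vpn == "" || p < vpn) vpn = p }
        END { exit !(seen && vpn != "" && fw < vpn) }'
}

# Prints the packet count of the 0x7000 MARK rule(s) for protocol $1 and source
# port $2 (0 if no such rule). $3 is the text of the mangle PREROUTING listing.
# A count that stays at 0 while an RDP session is attempted from the WAN means the
# mark is never applied and the replies are still being routed into the tunnel.
mark_rule_hits() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        $4 == "MARK" && $5 == proto && /0x7000/ && $0 ~ ("sports " port "([^0-9]|$)") { n += $2 }
        END { print n + 0 }'
}

# Stand-alone run against the constructed samples.
if fwmark_before_vpn_rules "$SAMPLE_IP_RULE"; then
    echo "fwmark rule is ordered before the ovpnc1 rules"
else
    echo "fwmark rule missing or ordered after the ovpnc1 rules"
fi
echo "RDP tcp replies marked: $(mark_rule_hits tcp 3389 "$SAMPLE_MANGLE")"
echo "RDP udp replies marked: $(mark_rule_hits udp 3389 "$SAMPLE_MANGLE")"
```

Use `-x` with `iptables -nvL` on the router so the counters are printed exactly rather than abbreviated to K/M; the parser above expects plain integers in the pkts column.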
Very creative! What does the command "ip rule" show?

0: from all lookup local
10001: from 192.168.1.9 lookup main
10002: from 192.168.1.11 lookup main
10003: from 192.168.1.12 lookup main
10004: from 192.168.1.13 lookup main
10005: from 192.168.1.14 lookup main
10006: from 192.168.1.8 lookup main
10007: from 192.168.1.5 lookup main
10008: from 192.168.1.4 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
 
It might be easier to enable the OpenVPN Server on the router, to save having to explicitly add a port forwarding rule for each service?

However, as per the Selective Port routing posts... have you tried:
Code:
ip rule del fwmark 0x7000/0x7000
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.4 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.4 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000

then attempt an RDP session from the WAN and check if the PREROUTING rule has any hits
Code:
iptables -nvL PREROUTING -t mangle --line

EDIT: Qualified the PREROUTING rule by explicitly including the desktop IP, although it shouldn't matter as hopefully RDP is only forwarded to one LAN device!

Wow, that worked perfectly! You made it seem so easy.

Yes, I need to forward this port to a specific IP because I have several computers on the LAN that are remote desktop accessible. Only the 192.168.1.4 is accessed through the WAN. I also put a port forward in the WAN Virtual Server / Port Forwarding of the router. I forward the port 3390 to 3389 to this IP to keep the default port of 3389 closed to the Internet. I then access the RDP with the :3390 port attached in remote desktop. The idea here is that hackers are lazy and won't generally look at a non standard port for RDP.

I think some of what you had here was for debugging. What do I need to put into my firewall-start script?

EDIT: I need to do this setup rather than a VPN server because access is sometimes done without a VPN.
 
Wow, that worked perfectly! You made it seem so easy.

Yes, I need to forward this port to a specific IP because I have several computers on the LAN that are remote desktop accessible. Only the 192.168.1.4 is accessed through the WAN. I forward the port 3390 to 3389 to this IP to keep the default port of 3389 closed to the Internet. I then access the RDP with the :3390 port attached in remote desktop. The idea here is that hackers are lazy and won't generally look at a non standard port for RDP.

Perhaps you should use a far higher alias port rather than 3390 (assuming of course that truly is your real alias! :p) as you have 64000+ to choose from or perhaps implement my PortScanBlock.sh script to hopefully pre-empt the little blighters. :D

I think some of what you had here was for debugging. What do I need to put into my firewall-start script?
ALL of the commands!! - preferably in nat-start

NOTE: There are no 'debugging' commands, the '-D' iptables command ensures that there are no unnecessary duplicate rules to clog the '-t mangle' table to simply keep it human friendly, if not also ensuring performance efficiency!

I need to do this setup rather than a VPN server because access is sometimes done without a VPN.

Q. Is the WAN initiated RDP traffic encrypted, particularly during the login process? :eek:
A. I believe it is, although why take the risk!;)

P.S. As a favour, could you fix the VPM typo in the title! - not just to satisfy my OCD but may assist anyone searching the forum for a VPN keyword hit :p
 
Last edited:
I also added the following:
iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.4 -p udp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.4 -p udp -m multiport --sport 3389 -j MARK --set-mark 0x7000/0x7000

Because RDP also uses udp protocol.

I'm not familiar with the PortScanBlock.sh script. I do have my own URL and have several things exposed to the Internet. I don't like exposing things to the Internet, but I have some things I need for business. I would like to slow down or stop the hackers. Where can I get information on that script?

I fixed the title.
 
Is there a way to see which devices on the router are connected to the VPN tunnel?

It appears when OpenVPN Client can't connect to a VPN server it gets hung up and prevents internet access. I'd really like it better if OpenVPN would at least allow all devices to access the WAN if a connection gets hung if the "Block routed clients if tunnel goes down" is set to no.
 
It appears when OpenVPN Client can't connect to a VPN server it gets hung up and prevents internet access. I'd really like it better if OpenVPN would at least allow all devices to access the WAN if a connection gets hung if the "Block routed clients if tunnel goes down" is set to no.

I would suggest that you try and identify what symptoms contribute to a 'hung' VPN status in your environment.

The RPDB rules
Code:
ip rule | grep -v fwmark | grep ovpnc1
define which devices should be routed via the VPN Client 1, but the VPN Client 1 route table
Code:
ip route show table ovpnc1
ultimately determines if the device will physically be allowed to use the VPN Client connection.
i.e. if the VPN Client 1 connection is DOWN and 'Block routed clients if tunnel goes down=YES' then the VPN Client 1 route table contains
Code:
prohibit default
otherwise devices listed in the RPDB can use the WAN whilst the VPN Client connection is disconnected.

This was the original default behaviour until the new 'VPN privacy fail-safe' GUI options were added.

However, if the expected default behaviour is seemingly now broken in your environment, then this should be formally reported.

NOTE: If a VPN connection stalls, it may not always be possible to detect, so the contents of the RPDB/VPN route table entries may not be valid.

i.e. you may need to use the openvpn-event trigger to insert/delete the new fwmark RPDB entry using scripts vpnclient1-route-up and vpnclient1-route-pre-down
 
Last edited:
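The post above makes the distinction that matters for the "which devices are on the tunnel" and "hung VPN" questions: the RPDB decides which sources are sent to the ovpnc1 table, while the contents of that table (a real default route, `prohibit default`, or nothing) decide what actually happens to them. Here is an added example (not from the thread or the Asuswrt-Merlin firmware) that reports both from the command output as text, plus a pair of hook functions for the `vpnclient1-route-up` and `vpnclient1-route-pre-down` openvpn-event scripts mentioned above, which add the fwmark bypass entry while the tunnel is up and remove it as it comes down. The `ip rule` and `ip route show table ovpnc1` listings are constructed samples (the tun11 interface and 10.8.0.x addresses are made up), and the `/jffs/scripts` install location is an assumption.

```shell
#!/bin/sh
# Added example: classify the state of VPN Client 1 routing from RPDB and
# route-table text. Samples are constructed; on the router pass "$(ip rule)"
# and "$(ip route show table ovpnc1)".

# Constructed `ip rule` sample, shape taken from the listing in this thread.
SAMPLE_RULES='0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10008:  from 192.168.1.4 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Three constructed `ip route show table ovpnc1` samples (interface and gateway
# addresses are made up).
TABLE_UP='default via 10.8.0.1 dev tun11
10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.6'
TABLE_BLOCKED='prohibit default'
TABLE_EMPTY=''

# Lists the sources the RPDB sends to VPN client 1, the same selection as
# `ip rule | grep -v fwmark | grep ovpnc1` from the thread, one selector per line.
vpn_routed_sources() {
    printf '%s\n' "$1" | awk '!/fwmark/ && /lookup ovpnc1/ { print $3 }'
}

# Classifies the route table those sources are handed to:
#   up          - a default route exists, their traffic goes through the tunnel
#   blocked     - "prohibit default": the privacy fail-safe is dropping their traffic
#   fallthrough - no default route, so the lookup fails and the next RPDB rule
#                 (32766 main) sends them out of the WAN
vpn_table_state() {
    printf '%s\n' "$1" | awk '
        /^prohibit default/ { st = "blocked" }
        /^default via/ && st == "" { st = "up" }
        END { print (st == "" ? "fallthrough" : st) }'
}

# Hooks for /jffs/scripts/vpnclient1-route-up and vpnclient1-route-pre-down
# (assumed install path). The fwmark bypass entry is inserted only when the
# tunnel comes up and removed before it goes down, so a stale entry never
# outlives the tunnel state it was meant to accompany.
route_up_hook() {
    ip rule del fwmark 0x7000/0x7000 2>/dev/null
    ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
    ip route flush cache
}
route_pre_down_hook() {
    ip rule del fwmark 0x7000/0x7000 2>/dev/null
    ip route flush cache
}

# With "route-up" or "route-pre-down" as $1 the hooks run; otherwise print a
# report over the constructed samples.
case "${1:-}" in
    route-up)       route_up_hook ;;
    route-pre-down) route_pre_down_hook ;;
    *)
        echo "sources routed via ovpnc1:"; vpn_routed_sources "$SAMPLE_RULES"
        for t in "$TABLE_UP" "$TABLE_BLOCKED" "$TABLE_EMPTY"; do
            echo "table state: $(vpn_table_state "$t")"
        done ;;
esac
```

A "fallthrough" result with `Block routed clients if tunnel goes down=NO` is the expected pre-fail-safe behaviour the post describes; a "blocked" result while the GUI option is set to NO is the case worth reporting.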
How can I direct the secure email port 465 to always go to the WAN?

Hmmm, not relevant to thread title? :rolleyes:

Code:
iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
 
Hmmm, not relevant to thread title? :rolleyes:

Code:
iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
When I make router changes, this setting seems to get lost after the nat-start script executes. I lose the ability to send emails. Any suggestions?
 
When I make router changes, this setting seems to get lost after the nat-start script executes. I lose the ability to send emails. Any suggestions?
Yeah,

1. Don't make router changes. :p
2. Did you follow my advice in post #9 ? :rolleyes:
 
....this setting seems to get lost after the nat-start script executes. I lose the ability to send emails

Well, either the Selective fwmark port 465 tagging never works, or, if it does indeed (though suddenly ceases to) correctly force emails out via the WAN, then you should provide detailed diagnostics to fully substantiate what you mean by "seems to get lost".
 
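The "seems to get lost" report above is exactly the kind of thing a drift check answers: compare the mangle rules that should be present (the RDP source-port marks from earlier in the thread and the port 465 destination-port mark) against what `iptables-save -t mangle` currently shows, and print only the commands needed to restore what is missing. The following is an added example, not from the thread or the firmware. The `iptables-save` excerpt is a constructed sample, and the way it renders `--src` as `-s host/32`, a multiport `--sport` as `--sports`, and a masked `--set-mark` as `--set-xmark` is my assumption about the save format; check it against real output before relying on the match.

```shell
#!/bin/sh
# Added example: detect WAN-bypass mark rules that have dropped out of the mangle
# table and print the commands that restore them. Runs offline on the constructed
# sample below; on the router feed it "$(iptables-save -t mangle)".

MARK='0x7000/0x7000'

# Desired rules, one per line: proto  direction(sport|dport)  port  source(or "any").
# The two RDP entries are the thread's (replies from the desktop must leave via
# the WAN); the 465 entry is the later SMTPS question.
WANTED='udp sport 3389 192.168.1.4
tcp sport 3389 192.168.1.4
tcp dport 465 any'

# Constructed iptables-save excerpt in which the 465 rule has gone missing.
SAMPLE_SAVE='*mangle
:PREROUTING ACCEPT [98213:61083111]
-A PREROUTING -s 192.168.1.4/32 -i br0 -p udp -m multiport --sports 3389 -j MARK --set-xmark 0x7000/0x7000
-A PREROUTING -s 192.168.1.4/32 -i br0 -p tcp -m multiport --sports 3389 -j MARK --set-xmark 0x7000/0x7000
COMMIT'

# Builds the rule body (the part after -A/-D) for one WANTED line, in the same
# form as the commands posted in the thread.
rule_spec() {
    src=""
    if [ "$4" != "any" ]; then src="--src $4 "; fi
    printf 'PREROUTING -i br0 %s-p %s -m multiport --%s %s -j MARK --set-mark %s' \
        "$src" "$1" "$2" "$3" "$MARK"
}

# Prints the WANTED lines that have no matching rule in the iptables-save text $1.
# Matching is on the tokens that identify the rule (source, proto, port, mark)
# rather than on the whole line, so comment or counter differences do not matter.
missing_mark_rules() {
    printf '%s\n' "$WANTED" | while read -r proto dir port src; do
        if [ -z "$proto" ]; then continue; fi
        case "$src" in any) srcre="" ;; *) srcre="-s $src/32 .*" ;; esac
        if ! printf '%s\n' "$1" | grep -q -- "^-A PREROUTING ${srcre}.*-p $proto .*--${dir}s $port .*$MARK"; then
            echo "$proto $dir $port $src"
        fi
    done
}

# Prints the iptables commands that would restore each missing rule. On the
# router, `reinstall_commands "$(iptables-save -t mangle)" | sh` from a
# service-event or cron job re-adds only what is absent; printing rather than
# executing keeps this file harmless to run anywhere else.
reinstall_commands() {
    missing_mark_rules "$1" | while read -r proto dir port src; do
        echo "iptables -t mangle -A $(rule_spec "$proto" "$dir" "$port" "$src")"
    done
}

# Stand-alone run against the constructed sample.
echo "missing from sample:"
reinstall_commands "$SAMPLE_SAVE"
```

Because each desired rule is checked individually, the script never duplicates a rule that is still present, which keeps the `-t mangle` table as tidy as the `-D`-then-`-A` pattern in the nat-start commands does.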
@Martineau Can you please tell me where I can find PortScanBlock.sh? I would like to implement it on my router to prevent outside scans.

Thanks
 
