WAN access to LAN device (bypass VPN)


Pseudomax

Occasional Visitor
Hi,

I currently run a LAN server behind my Asus Router. It connects to a commercial VPN provider as a client and this is the router for all WAN access. Because of this, as you will be aware better than I, it tunnels through the router before being visible to the Internet and this means that it is not by default accessible to the WAN in reverse.

On my home LAN however, I have normal access to the device through the local IPv4 address and can access the files and apps without a problem from any LAN device. However, there is an app on the LAN server that I would like to have access to from the WAN. I thought I may be able to set up port forwarding (I have a Dynamic DNS configured) as I assumed that the router would treat the port forward as a tunnel to the LAN server. But that assumption is incorrect (probably as there are layers of settings attached to the IPv4 protocol that mean the LAN server knows the request originates outside the LAN ... I am not very familiar with all the network protocols).

I wonder whether there is a solution to this problem? Essentially to open up 1 port to allow a connection to the LAN server so that I can access just this one app externally?

Thanks in advance...
 

eibgrad

Very Senior Member
The one obvious solution would be to NOT access it directly over the WAN, but establish your own OpenVPN server. OpenVPN clients of that OpenVPN server will have no problems accessing it since they will be seen as local to the LAN server, although on a different local network (e.g., 10.8.0.0/24). Only issue *might* be a local firewall on the LAN server that needs to be modified to allow access by a foreign (from its perspective) local network.

This has the advantage of making *anything* you do remotely over the WAN very secure, even protocols that otherwise wouldn't be secure (ftp, http, telnet, etc.). Because imo, remote access over the raw WAN (except for a VPN) should be avoided whenever possible.
 

Pseudomax

Occasional Visitor
Thanks and this is a possible solution, but the problem is that I and my family will access this. It is essentially a home video server and so others externally will be able to stream from the server. As such both the speed of OpenVPN and the limitation on others having OpenVPN installed will make this difficult. The app itself has security built-in so I am less concerned about the security with the App (perhaps a false assumption but one I am willing to take). So really looking for something that will create a simple hole in the firewall/VPN...
 

eibgrad

Very Senior Member
Since I'm well aware some users are going to insist on directly accessing over the WAN for numerous reasons, here's a few other options.

1) If you know w/ certainty which public IP(s) remote access will come from (workplace, school, commonly visited wifi cafe, etc.), you can add static routes to the LAN server that bind them to the private network's default gateway.

2) Some VPN providers support port forwarding, and if configured correctly, would make LAN devices accessible inbound over the VPN.

3) Depending on whether the router stock firmware supports it (I assume this is stock), you could add a firewall rule to NAT the inbound WAN traffic over the private network so it appears to be coming from the router's LAN ip rather than a public IP. Because it's the fact the LAN server sees a public IP on the incoming packet that makes it route the replies from remote access over the VPN rather than back to the WAN. The NAT rule fixes that problem. But that assumes you have the ability to add arbitrary firewall rules w/ the stock firmware.
 

Pseudomax

Occasional Visitor
Your option 3 would seem to be the best option for me! Can you tell me where in an Asus (stock) firmware to add this rule? I assume it is not in the 'port forward' rules as this is obviously what I tried.

(option 2 may be an option with my current provider, but ideally I don't wish to be fixed with a VPN provider if I can help it!)
 

eibgrad

Very Senior Member
Your option 3 would seem to be the best option for me! Can you tell me where in an Asus (stock) firmware to add this rule? I assume it is not in the 'port forward' rules as this is obviously what I tried.

I have no idea where, or if it's even possible w/ the stock firmware (I suspect NOT). I don't use the ASUS stock firmware, but instead Merlin third-party firmware, which makes this a trivial exercise.
 

Pseudomax

Occasional Visitor
Where is it in Merlin? I used to use Merlin until my old Asus died and I upgraded to a new router which Merlin does not support (unfortunately). But if I know what the page is in Merlin then I can try to find the same settings if they exist!
 

eibgrad

Very Senior Member
Where is it in Merlin? I used to use Merlin until my old Asus died and I upgraded to a new router which Merlin does not support (unfortunately). But if I know what the page is in Merlin then I can try to find the same settings if they exist!

Merlin supports changes to the firewall using event scripts. IOW, when the firewall is being configured by the system, it calls your firewall script(s) to include your own modifications. There's no way that capability exists in the stock firmware. The best you could hope for is perhaps someplace else in the stock GUI that had a field for similar modifications to the firewall. But I seriously doubt that's there.
 
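The script below is an added example, not code from this thread or from the Asuswrt-Merlin project. It shows what eibgrad's option 3 (the router SNATs the forwarded WAN traffic to its own LAN IP so the LAN server's replies come back over the LAN instead of into the server's VPN tunnel) looks like as the kind of iptables rules a Merlin `/jffs/scripts/firewall-start` event script would add, plus option 1 (host routes on the LAN server for known remote public IPs) for comparison. Interface names, addresses and the app port are assumptions chosen for the example. By default it prints the commands rather than running them; set `APPLY=1` to execute them on the router as root.

```shell
#!/bin/sh
# Added example: rules a Merlin firewall-start script would add to expose one
# TCP port of a LAN server that itself runs a commercial VPN client.
#
# A plain port forward (DNAT) fails because the server sees the remote client's
# public IP and routes its replies out through its VPN default route. Adding a
# SNAT on the router's LAN side makes the server see the router's LAN address,
# so replies return to the router over the LAN and conntrack reverses the NAT.
#
# Everything below is an assumption for the example: Merlin passes the WAN
# interface as $1 to firewall-start; eth0/br0 and the addresses are placeholders.
WAN_IF="${1:-eth0}"
LAN_IF="${LAN_IF:-br0}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-192.168.1.1}"
SERVER_IP="${SERVER_IP:-192.168.1.50}"
APP_PORT="${APP_PORT:-8096}"   # the single app port to expose (assumed value)

# Option 3 (router side): emit the iptables commands one per line so they can
# be reviewed or tested without root or a router.
print_rules() {
    # 1. Ordinary port forward: inbound WAN traffic on APP_PORT goes to the server.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $APP_PORT -j DNAT --to-destination $SERVER_IP:$APP_PORT"
    # 2. Let the new forwarded connections through FORWARD (stock rules drop WAN->LAN).
    echo "iptables -I FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SERVER_IP --dport $APP_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # 3. The fix from option 3: rewrite the source to the router's LAN IP so the
    #    server answers over the LAN rather than via its VPN tunnel.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $SERVER_IP --dport $APP_PORT -j SNAT --to-source $ROUTER_LAN_IP"
}

# Option 1 (server side, Linux): a /32 host route per known remote public IP
# via the router's LAN address beats the VPN client's 0.0.0.0/1 and 128.0.0.0/1
# routes, so replies to those clients leave via the LAN. Run on the LAN server.
server_static_routes() {
    for remote in "$@"; do
        echo "ip route add $remote/32 via $ROUTER_LAN_IP"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    print_rules | sh      # on the router as root: APPLY=1 sh firewall-start eth0
else
    print_rules           # dry run: show the rules that would be applied
fi
```

Two caveats a practitioner should weigh before using the SNAT approach: the app on the LAN server will log every remote connection as coming from the router's LAN IP, so any per-client rate limiting, ban list or geo-check inside the app stops working, and the port is still open to the whole Internet, so the app's own authentication is the only thing protecting it. The static-route variant keeps the real client IP visible but only works for the fixed public IPs you add, and the VPN client may wipe those routes when it reconnects.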

Pseudomax

Occasional Visitor
Is this the page?
 

Attachments: Static Route.PNG

eibgrad

Very Senior Member
The former is for establishing static routes, the latter for port forwarding.

This is why ppl turn to third-party firmware!
 

RMerlin

Asuswrt-Merlin dev
I can't think of any solution with the stock firmware, it does not offer policy-based routing or user-configurable scripting.
 

Pseudomax

Occasional Visitor
Hi Merlin, thanks for taking the time to reply... I guess the absence of other routers being mentioned means I should not expect so in the near future...
 

Pseudomax

Occasional Visitor
Hi,

I have purchased a reasonably priced tp-link router. Will the settings shown sort this problem out?

Thanks
 

Attachments: TL-R470T-.png

Pseudomax

Occasional Visitor
@eibgrad, not sure if you are able or willing to help me with this? I have installed this new router, and it works well (£30 v £320 for the Asus) with no obvious speed loss and many more options.

I have explored the settings and tried to set up a (policy-based) route, but it seems like it should work ... but does not?! I found the following guide that provides some insight into the options the TP-Link firmware has (https://www.tp-link.com/us/support/faq/2134/)... but I am not really sure which options are the ones that should provide the functionality I am after?
 
