Access LAN through OpenVPN server only when OpenVPN client is disconnected??

[Rene1978]

Hello all,

I cannot find a similar topic using the search. I have a RT-86U running Merlin 384.9. I use NordVPN and have configured that connection in the openVPN client section in accordance with the NordVPN manual. I have configured an OpenVPN server which I use to access my LAN devices from any location outside of my own LAN. The NordVPN client uses a 10.8.8.0/255.255.255.0 IP mask, the internal LAN is 10.1.0.0/255.255.255.0, the openVPN server uses 10.16.0.0/255.255.255.0.

The issue described:

1. In all situations I can connect to my openVPN server using my phone on 4G;
2. In all situations I can connect to my RT-86U through SSH (10.1.0.254) when on the openVPN server;
3. I cannot access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected to NordVPN. The LAN device I try to connect should use the NordVPN VPN allways (configured in the openVPN client strict policy);
4. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is disconnected from NordVPN.
   • In this situation the LAN device I try to connect should allways use the NordVPN VPN (configured in the openVPN client strict policy);
5. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected from NordVPN.
   • In this situation the LAN device I try to connect should allways connect using the WAN connection (configured in the openVPN client strict policy);

Looking in the openVPN log in my phone it reveals that the openVPN server adds a route 10.1.0.0/24 when connected, so that seems to be OK. Furthermore, I use ip adresses to connect to my LAN devices so it is unlikely a DNS issue. The LAN devices I try to connect to have been

I think it is somwhere in the routing where the response from my LAN devices gets redirected through the NordVPN connection to my phone based on the openVPN client strict policy. The routing table in the GUI curently looks like this (the blurred is my ISP external IP address):

I am not savvy enough to find my way to a solution in the command line where I guess I need to put in place a rule somewhere that makes sure that all replies from LAN (10.1.0.X) devices to clients connected to the openVPN server (10.16.0.X) always get redirected through the WAN connection instead of the NordVPN...?? Would this be the solution or is there a better way? Need some help from experts here. Thanks!

 

[Jack Yaz]

Hello all,

I cannot find a similar topic using the search. I have a RT-86U running Merlin 384.9. I use NordVPN and have configured that connection in the openVPN client section in accordance with the NordVPN manual. I have configured an OpenVPN server which I use to access my LAN devices from any location outside of my own LAN. The NordVPN client uses a 10.8.8.0/255.255.255.0 IP mask, the internal LAN is 10.1.0.0/255.255.255.0, the openVPN server uses 10.16.0.0/255.255.255.0.

The issue described:

1. In all situations I can connect to my openVPN server using my phone on 4G;
2. In all situations I can connect to my RT-86U through SSH (10.1.0.254) when on the openVPN server;
3. I cannot access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected to NordVPN. The LAN device I try to connect should use the NordVPN VPN allways (configured in the openVPN client strict policy);
4. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is disconnected from NordVPN.
   • In this situation the LAN device I try to connect should allways use the NordVPN VPN (configured in the openVPN client strict policy);
5. I can access clients in my LAN 10.1.0.X when connected to the openVPN server AND when the openVPN client is connected from NordVPN.
   • In this situation the LAN device I try to connect should allways connect using the WAN connection (configured in the openVPN client strict policy);

Looking in the openVPN log in my phone it reveals that the openVPN server adds a route 10.1.0.0/24 when connected, so that seems to be OK. Furthermore, I use ip adresses to connect to my LAN devices so it is unlikely a DNS issue. The LAN devices I try to connect to have been

I think it is somwhere in the routing where the response from my LAN devices gets redirected through the NordVPN connection to my phone based on the openVPN client strict policy. The routing table in the GUI curently looks like this (the blurred is my ISP external IP address):

View attachment 16348

I am not savvy enough to find my way to a solution in the command line where I guess I need to put in place a rule somewhere that makes sure that all replies from LAN (10.1.0.X) devices to clients connected to the openVPN server (10.16.0.X) always get redirected through the WAN connection instead of the NordVPN...?? Would this be the solution or is there a better way? Need some help from experts here. Thanks!

Policy Rules (strict) will cause this. Use normal Policy Rules and see if this helps

 

[Rene1978]

Policy Rules (strict) will cause this. Use normal Policy Rules and see if this helps

Ok, this does fix the issue and makes sense since the LAN device is (apparently) no longer forced to use the NordVPN tunnel. However, this does raise a question on what the exact difference between Policy Rules (Strict) and Policy Rules is. In more detail, can I assume (want to be sure) that when I use Policy Rules my LAN devices will always use the NordVPN tunnel for Internet access?

 

[Jack Yaz]

Ok, this does fix the issue and makes sense since the LAN device is (apparently) no longer forced to use the NordVPN tunnel. However, this does raise a question on what the exact difference between Policy Rules (Strict) and Policy Rules is. In more detail, can I assume (want to be sure) that when I use Policy Rules my LAN devices will always use the NordVPN tunnel for Internet access?

I think the main difference is the routes that are added to the routing table. In Strict, only the LAN subnet/route is added to the routing table of the VPN client's routing table. In non-strict, all subnets (including the VPN server) are added.

You can compare

ip route show table ovpnc1

in both modes to compare the VPN client's routing table

 

[Rene1978]

I think the main difference is the routes that are added to the routing table. In Strict, only the LAN subnet/route is added to the routing table of the VPN client's routing table. In non-strict, all subnets (including the VPN server) are added.

You can compare

ip route show table ovpnc1

in both modes to compare the VPN client's routing table

Thanks, the routing tables are indeed very different. The table in Strict mode does not contain the openVPN server, the one in normal mode does. It also shows that traffic to the internet get directed through the NordVPN tunnel. Thanks. The routing table in the GUI is nog as complete BTW.....