Solved (Asus Rt-ac88u) can connect openvpn but no access to LAN

[admjral3]

i enable openvpn server and i can connect to openvpn server but i can not access to LAN, only access to LAN when using putty to run command "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE"
rightnow i have to run this command everrytime after reboot, because after reboot again can not access LAN
firmware 368.1.2
this is my default setting openvpn server

 

[ColinTaylor]

What do you have set under OpenVPN General settings > Client will use VPN to access ?

 

[admjral3]

Client will use VPN to access LAN only

,i just need access to LAN office to work distance

 

[eibgrad]

The fact you're using that NAT rule and it works tells me the problem is local firewalls on the devices you're trying to access (e.g., Windows). That NAT rule is one way to circumvent the problem (or else updating the individual firewalls, which is often impractical).

The only thing you need to do is make the NAT rule permanent using a nat-start script.

 

[admjral3]

The fact you're using that NAT rule and it works tells me the problem is local firewalls on the devices you're trying to access (e.g., Windows). That NAT rule is one way to circumvent the problem (or else updating the individual firewalls, which is often impractical).

The only thing you need to do is make the NAT rule permanent using a nat-start script.

may you help me , i just have bought this router for 2 days

 

[eibgrad]

may you help me , i just have bought this router for 2 days

Make sure JFFS and JFFS scripts is enabled under Administration->System. Then ssh into the router and copy/paste the script below into the window. It will automatically create and install the NAT rule. Then reboot.

#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

function create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

Note, if there's a pre-existing nat-start script, it will NOT overwrite it. In that case, you'll have to manually add it to the pre-existing nat-start script.

 

[admjral3]

Make sure JFFS and JFFS scripts is enabled under Administration->System. Then ssh into the router and copy/paste the script below into the window. It will automtically create and install the NAT rule. Then reboot.

#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

function create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

Note, if there's a pre-existing nat-start script, it will NOT overwrite it. In that case, you'll have to manually add it to the pre-existing nat-start script.

you are my savior, everything worked perfectly now

 

[Toby the Cat]

Thank you eibgrad, I had the same problem and after a few days searching and trying all sorts I found your script, and that did the job.

THANK YOU

 

[sporkington]

I'm having a similar issue on my AX86U Pro on my OpenVPN & WireGuard VPN. Unfortunately, adding the iptables rule mentioned above doesn't seem to work for me. If I flush the iptables, I'm able to connect to my lan through any of my VPNs. Is there a way I can systematically determine which iptables rule is preventing access? Thanks and happy to provide more info if it's helpful.

 

[sporkington]

OK I figured out what was happening in my situation, if anyone is interested...

I didn't have any problems with the IPSec VPN, but with OpenVPN & WireGuard I was not able to access some of the devices on my LAN. The devices that I couldn't reach are all set to be blocked under the 'Parental Controls'. This creates these iptables rules (MAC addresses hidden):

Chain PControls (5 references)
target     prot opt source               destination      
DROP       all  --  anywhere             anywhere             MAC ZZ:YY:XX:WW:VV:UU
DROP       all  --  anywhere             anywhere             MAC AA:BB:CC:DD:EE:FF

Adding a the following rules allow for the WireGuard & OpenVPN subnets to connect:

iptables -I PControls --dst 10.6.0.0/24 --src 192.168.0.0/16 --jump ACCEPT
iptables -I PControls --dst 10.8.0.0/24 --src 192.168.0.0/16 --jump ACCEPT

I believe that the reason the IPSec subnet can connect has something to do with the order of the 'FORWARD' chain rules. Note the 'IPSEC_STRONGSWAN' rules that are before the 'PControls' rules in this section and the 'OVPN' & 'WG' rules below them:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
IPSEC_DROP_SUBNET_ICMP  all  --  anywhere             anywhere           
IPSEC_STRONGSWAN  all  --  anywhere             anywhere           
PControls  all  --  anywhere             anywhere             MAC ZZ:YY:XX:WW:VV:UU
PControls  all  --  anywhere             anywhere             MAC AA:BB:CC:DD:EE:FF
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec
WGSF       all  --  anywhere             anywhere           
OVPNSF     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
WGCF       all  --  anywhere             anywhere           
OVPNCF     all  --  anywhere             anywhere           
VPNCF      all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere

So, I imagine another way to do this would be to somehow reorder the rules in the 'FORWARD' chain to place the OVPN & WG rules before the PControls. I'm not an iptables guru though, so I'm happy with my solution for now.

One continued annoyance is that I seem to be unable to use the Asus app to access my router from any of the VPNs. I suspect that the app is looking up the router by the router.asus.com domain name, which isn't pushed to the VPNs. Oh well, I'm still able to reach the router in my mobile browser by its IP address.