Asuswrt-Merlin OpenVPN Server NAT - iptables Questions

endtimes

Hello everyone. I hope this is the right forum to post this.

I have an Asus RT-AC88U running on Merlin FW 380.67. I am working on setting up an OpenVPN server on the router. Currently it's working to the point where I can connect to it, but I'm confused on a couple of things that I would appreciate assistance on.

1) I want to set it up with 'Allow only specified clients' to access the VPN using a username and password. What I don't know is what IP I need to set under 'Allowed Clients'. The VPN network will be 10.8.0.0/24. Should I assume the IP will be 10.8.0.1?

2) What does 'Username / Password Auth. Only' setting do as opposed to just 'Username/Password Authentication'?

3) What does the 'Push' option do in the 'Allowed Client' list? Do I need to enable it?

3) I also want to be able to access my private LAN at the 192.168.1.0 network. Do I need to add an iptable line to the Asus router? If so, what is the command?

Any clarification on this would be amazing!

I would use this as a guide for setting up an OpenVPN server on the router.

https://www.snbforums.com/threads/h...with-asus-routers-380-67-updated-08-07.33638/

For question #1, I believe that allowing specific clients means you know which IP addresses will be able to access your internal network. That didn't make sense for me, because I would be logging in remotely with my work laptop from different places. I just created logins and passwords for the users, then clicked that export button to generate an .ovpn file. I then copied that file to my iOS devices and my work laptop, and use the OpenVPN app to access my home network when I'm away. Questions #2 and #3 should be addressed in that guide, and for Question #3B I believe the answer is no: I didn't need to do anything like that and I can access my local LAN remotely with no issues.
 

Thanks for the info! I decided to forget about managing the specific clients. So I set up a username and pwd to use. It works.

But I'm still having issues accessing a specific IP and any of my shares. I think this will take a bit more detail as to how it's set up and what I have in my environment.

My home LAN is 192.168.x.x/24
VPN LAN is 10.8.x.x/24
I have a FreeNAS server running at home with multiple jails set up, including 192.168.1.3 (main FreeNAS server IP and Windows-type shares), 192.168.1.25 (Plex media server) and 192.168.1.26 (Transmission). The 192.168.1.26 Transmission jail is sitting behind an OpenVPN client I am using (I'm using AirVPN) on my AsusWRT. It's important to note that 192.168.1.26 (Transmission) is sitting behind my OpenVPN client which is configured on my router. The 192.168.1.3 (FreeNAS and Windows shares) and 192.168.1.25 (Plex server) are NOT sitting behind the OpenVPN client.

So,

1) I can ping addresses on my home LAN such as 192.168.1.3 (FreeNAS) and 192.168.1.25 (Plex media server jail on the FreeNAS server)
2) I can access both of those addresses via webpage and SSH

but

1) I cannot access the mapped network drives that reside on my FreeNAS server at 192.168.1.3
2) I cannot ping or access via web the 192.168.1.26 Transmission

The guide has me create some FW rules on my home client to access my shares; however, they are not residing on a Windows PC at home but on a server at 192.168.1.3. I don't think making any FW rules on my laptop here that I'm remoting in with will help. I think the issue may be in the iptables on my router. I possibly need to allow the connection through. It may also be a routing problem where I need to push the VPN network to route to my home LAN network. I found this https://forums.openvpn.net/viewtopic.php?t=21311 where someone says to add route push commands in the server config.

Here is my nat-start script:

#!/bin/sh

# Forward LAN (br0) <-> AirVPN client tunnel (tun11) in both directions
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
# Drop LAN traffic that would be forwarded straight out the WAN interface (vlan1)
iptables -I FORWARD -i br0 -o vlan1 -j DROP
# Masquerade traffic leaving through the tunnel behind its address
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Transmission port forward arriving from the AirVPN side: accept the forwarded traffic
# (xxxxx is the forwarded port, redacted in the post) ...
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.26 --dport xxxxx -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.26 --dport xxxxx -j ACCEPT
# ... and DNAT inbound connections on the tunnel to the Transmission jail
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 61428 -j DNAT --to-destination 192.168.1.26
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 61428 -j DNAT --to-destination 192.168.1.26
 
Re. Transmission, are you using Policy Rules or Policy Rules (strict)? I found the latter stopped my VPN server clients communicating with the LAN resource when using Strict, which is to be expected.
Re. SMB shares, are you mapping by IP or domain name?
 
It is set to strict. Let me change it to just Policy Rules and I'll report back!
 
I don't know if there is a way to use strict but then manually add a rule to allow VPN server clients to connect to it, I hadn't had time to investigate/ask on here yet, I went with the quick 'n' dirty fix.
 

That did it. I can access Transmission at x.x.1.26 however my shares are still not accessible.
 
Oh, I did now. They are mapped by domain, for example \\Freenas\media. When I tried to remap it to a different drive letter using \\192.168.1.3\Freenas\media, it allows me to enter the username and pwd but it won't take. I know the creds are good. On my last attempt at mapping, it just hangs while attempting to connect.
 
I also read this from an old change log for MerlinWRT :

- NEW: Added new Internet redirection mode to OpenVPN clients
called "Policy Rule (Strict)". The difference from the
existing "Policy Rule" mode is that in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic through global or other tunnel routes,
however it also means any static route you might have
defined at the WAN level will not be copied either.
 
You may need to completely clear the mapping and reboot the client; Windows can be picky.


Mm, that's why I'd like to use strict. I imagine you can add a manual route, but I wouldn't know the syntax. Maybe someone else here will pick up on this.
 
Thanks a ton and yes, I agree with you. Hopefully someone can help here with the rules.

Also, I got the share to work! I had the wrong path. '\\192.168.1.3\media' did it.
 
Domain not working is most likely a DNS issue. Is your VPN server advertising DNS?

Also, if you've got a Domain set in the router/FreeNAS, it might be worth pushing it over OVPN in the additional config (at the bottom of the server page, Advanced); replace XXXX as required:

push "dhcp-option DOMAIN XXXX"
 
Hmm... in FreeNAS, the domain is just set to 'local', but I do have a domain set up in the router. I am using DDNS as well. I put in your command and, though it worked to connect to my shares via domain, I lost access to 192.168.1.26 Transmission. This is what I have in the custom config on the OpenVPN server page.

--auth-nocache
route 10.10.10.0 255.255.255.0
push "dhcp-option DOMAIN domainname"

The route is what allows it, I believe; if I remove the route command, I also lose access to Transmission.
 
Okay, I rebooted the router and with all 3 of those commands in, everything works....

Now we should still try to figure out about the rules for accessing with Policy strict mode enabled.

--Edit--
Actually, the route command is not needed if you don't have Policy Strict mode enabled.
 
Revisiting this, adding a rule such as the below allows VPN Server clients to connect to LAN resources behind a VPN Client with policy rules strict.
Code:
# first three octets of the OpenVPN server 1 subnet, e.g. 10.8.0.0 -> 10.8.0
vpnsubnet=$(echo "$(nvram get vpn_server1_sn)" | cut -f1-3 -d '.')
# give VPN client 1's routing table (ovpnc1) a route back to the server subnet via tun21,
# which strict mode does not copy in on its own
ip route add $vpnsubnet.0/24 dev tun21 table ovpnc1 src $vpnsubnet.1 2> /dev/null
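An added example, not code from the thread or from Asuswrt-Merlin: an idempotent form of the strict-mode fix above, which validates the nvram value and only adds the route when table ovpnc1 does not already carry it. It assumes the same names as the post (OpenVPN server 1 on tun21, client 1 table ovpnc1, nvram key vpn_server1_sn); the nvram, ip and logger calls run only when nvram exists, so the helper functions can be exercised off the router.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent strict-mode route helper.

# vpn_prefix "10.8.0.0" -> "10.8.0"; fails on anything that is not a dotted quad
# (an empty or odd nvram value would otherwise produce a broken route).
vpn_prefix() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s\n' "$1" "$2" "$3"
}

# route_present DUMP PREFIX -> 0 if DUMP (the output of `ip route show table ovpnc1`)
# already has PREFIX.0/24 going out tun21.
route_present() {
    printf '%s\n' "$1" | grep -q "^$2\.0/24 dev tun21"
}

# route_cmd PREFIX -> the exact command the thread's fix runs.
route_cmd() {
    printf 'ip route add %s.0/24 dev tun21 table ovpnc1 src %s.1\n' "$1" "$1"
}

# Only reached on the router; elsewhere (no nvram) the script is a no-op.
if command -v nvram >/dev/null 2>&1; then
    prefix=$(vpn_prefix "$(nvram get vpn_server1_sn)") || {
        logger -t vpn-route "vpn_server1_sn is not a valid subnet, not adding route"
        exit 1
    }
    dump=$(ip route show table ovpnc1 2>/dev/null)
    if route_present "$dump" "$prefix"; then
        logger -t vpn-route "route for $prefix.0/24 already in table ovpnc1"
    else
        eval "$(route_cmd "$prefix")" && logger -t vpn-route "added $prefix.0/24 to table ovpnc1"
    fi
fi
```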
 
