What's new

Connecting NVR behind VPN Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

alonsh

New Around Here
Hello
Running Merlin with AC-88U and openVPN server.
I have a NVR on my network which I toggled 'block internet access' in the client list to avoid unwanted comm out.
I can connect/access the NVR from within my internal network, but when I try to access it VPN'd to my network from the outside, it times out, other clients are reachable and I can ping my router.
When I toggle 'block internet access' off everything works fine internal/external, but that's not the desired state.
Any good suggestions/guidance on how to block outbound internet but enable internal/VPN connection?
Thanks :)
Alon.
 
What you can do is NAT the tunnel's inbound traffic w/ the LAN ip of the router as it's dropped on the internal network so it appears to the NVR that the request is coming from the router rather than the internet.
Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -d 192.168.1.100 -j SNAT --to $(nvram get lan_ipaddr)


Of course, since I don't know the specifics of your OpenVPN server's tunnel network, or the internal IP of the NVR, you'll need to replace those in the rule. I only used 10.8.0.0/24 and 192.168.1.100 as an example.

In fact, some ppl will NAT *all* inbound traffic to avoid similar problems w/ other devices. For example, by default, the Windows firewall typically doesn't allow communications w/ any other *private* IP network other than the one on which it's running. But if you NAT all the inbound traffic, you can get around that limitation w/o having to reconfigure the firewall on every Windows machine.
Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
 
Last edited:
The Internet Access toggle in the GUI restricts all access

Because your VPN is technically not part of the internal lan your router treats it as a connection to the outside world and hence blocks it

Personally a firewall-start script would be easier to maintain as all rules will be in one place instead of partially a script and gui.
Code:
#!/bin/sh
iptables -I FORWARD -s xxx.xxx.xxx.xxx -j logdrop   # log nvr calling home or use DROP to drop without logging
iptables -I FORWARD -s xxx.xxx.xxx.xxx -d 10.8.0.0/24 -m state --state ESTABLISHED -j ACCEPT    #
Assuming you're using a TUN setup with 10.8.0.0 DHCP range, xxx.xxx.xxx.xxx being the internal IP of your NVR and depending on how you connect to it you may need to add change ESTABLISHED, to RELATED,ESTABLISHED

I think this would work for you anyway.

Or the option posted above will work too, but leave the internet block enabled in the gui
 
Last edited:
What you can do is NAT the tunnel's inbound traffic w/ the LAN ip of the router as it's dropped on the internal network so it appears to the NVR that the request is coming from the router rather than the internet.
Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -d 192.168.1.100 -j SNAT --to $(nvram get lan_ipaddr)


Of course, since I don't know the specifics of your OpenVPN server's tunnel network, or the internal IP of the NVR, you'll need to replace those in the rule. I only used 10.8.0.0/24 and 192.168.1.100 as an example.

In fact, some ppl will NAT *all* inbound traffic to avoid similar problems w/ other devices. For example, by default, the Windows firewall typically doesn't allow communications w/ any other *private* IP network other than the one on which it's running. But if you NAT all the inbound traffic, you can get around that limitation w/o having to reconfigure the firewall on every Windows machine.
Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)

Thank you very much for your reply, much appreciated.
I actually like your suggestion above to resolve this issue with all network clients as I started to experience similar behaviour with other iOT devices on the network which I disabled internet connection (accessible within but not via VPN).
As I have no experience with implementing code into the router, as I mainly use the GUI, is there a guide you can refer me to how to implement?
Thank you!
 
Thank you very much for your reply, much appreciated.
I actually like your suggestion above to resolve this issue with all network clients as I started to experience similar behaviour with other iOT devices on the network which I disabled internet connection (accessible within but not via VPN).
As I have no experience with implementing code into the router, as I mainly use the GUI, is there a guide you can refer me to how to implement?
Thank you!

As with all firewall rules, you should test it by copy/pasting it into an ssh window. That way, in the unlikely event of it hanging your router, you can simply reboot to recover.

Once you're convinced it works, you need to enable JFFS and JFFS scripts in Administration->System. Then copy/paste the following script (making sure the source (-s) network of the tunnel matches your OpenVPN server config) into an ssh window. It will automatically create the necessary nat-start script to install the rule upon reboot.
Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

function create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi


Note, the script will NOT overwrite any existing nat-start script. If that happens, you'll need to manually add the rule to the existing nat-start script.
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top