DDNS avoiding VPN client routing

Pila

Regular Contributor
I use my own very complex DDNS script. It works perfectly. Currently I am on a DoubleNAT configuration. When I fire up a VPN Client in the router, my routing changes. If my DDNS script now checks the outside address, it will get a VPN server address and that is wrong. VPN server on my router is not an issue here. Asuswrt-Merlin fw.

My routing gets changed from my doubleNAT modem 192.168.0.1

via 192.168.0.1 dev eth0 src 192.168.0.100

to VPN client:

via 10.9.2.133 dev tun13 src 10.9.2.134

How to fight it? I could limit DDNS address checking to eth and ppp links or skip tun/tap. But how do I check my external IP address using curl and go through eth or ppp and not through tun? Manually adding / changing routing rules is absolutely not a solution in this situation for several good reasons.

For me personally, the solution is to simply skip checking my WAN IP while VPN client is active in the router.

Plus, I do not know what would happen in singleNAT (and I am not in the mood to lose over an hour to switch to my singleNAT USB modem just to test it; I would appreciate quick 10 sec PM help from someone with a singleNAT and VPN client configuration to SSH one command for me).

I would prefer an intelligent and universal solution, but within my DDNS script. Ideas?
 
that's your problem - make it simple...

DDNS - one end-point
VPN - direct to that end-point

done

Not getting it. I would prefer if curl --interface works, but it is no go.

I do not want to write address of VPN server to my DDNS services.

There is absolutely no problem with my script. It runs perfectly, fulfilling all its jobs. But, as I contemplated publishing it here, I wanted to make it more universal than I need.
 
If you use OpenVPN, then use policy-based routing. Set a policy with your target web server to force traffic to that server to use the WAN interface.
 
there's an abstraction with client IP's that DDNS uses and the domain records themselves - one can have many hosts on one domain, and many domains on one host - DNS is a database...

Where folks get into trouble is trying to associate many IP's to many Domains - it can be done, but as you've noted, it depends on the DDNS client for a typical consumer grade Router/AP - it won't let you do it, at least not in an easy manner...

If you go into your DNS record itself at the DDNS provider, you can do many great things - but it depends on the provider - some do, some don't - and if they do - the "how" is usually vendor specific.
 
For DDNS Service, I want to use my real WAN IP and not VPN (through client) IP address.

curl --interface eth0 does not work for me when VPN client is up.

Code:
# curl -v --interface eth0 http://icanhazip.com
* About to connect() to icanhazip.com port 80 (#0)
*   Trying 64.182.208.182... Local Interface eth0 is ip 192.168.0.100 using address family 2
* Local port: 0
* Connection timed out
*   Trying 64.182.208.181... Local Interface eth0 is ip 192.168.0.100 using address family 2
* Local port: 0
* Connection timed out
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

After a day of thinking and reading: even if the above curl works, I have no way to be 100% sure which iface to use. And, I do not want to require or change anything outside my DDNS script and my control.

I came to the same conclusion RMerlin gave: Policy Rules must be configured if VPN client is running. RMerlin version would not be universal for my need as it needs to be fitted to the used service and that might change or services might have multiple IP addresses (e.g. icanhazip.com). IPs on my LAN are constant. I do not want to assume users know how to get an IP address of something outside their LAN.

I find it is best to include explicitly in Policy Rules what must use VPN client and then all is well. For my DDNS script, if it notices routing through tun, it will simply exit (rather than report VPN WAN IP to DDNS service). Seems to me this is as close to the universal solution as it can get.

I expect it will work the same in DoubleNAT and SingleNAT, but I must build my patience to switch my modem (1 hour of work) to a SingleNAT one.

Many problems with these routers often challenge my patience, but the wonderful (and likely painful) work RMerlin did lets me adapt, work around the problems and use all the good stuff he added.
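The "look at the route, and bail out if it goes through tun" approach described in the last post, written out as an added example for this thread (it is not Pila's script, nor anything from Asuswrt-Merlin). The route lines below are constructed from the two routes quoted in the first post, so the decision logic runs offline; the assumed live wrapper at the end feeds `ip route get` into the same function and only calls `curl` when the kernel would send the request out of eth/ppp rather than a VPN tunnel. The IP-check host and its address are placeholders taken from the curl output above, not a recommendation.

```sh
#!/bin/sh
# Added example: decide whether a WAN IP check would leave through a VPN tunnel
# by asking the kernel which interface it would use for the IP-check host.
# If that interface is tun*/tap*, skip the DDNS update instead of publishing
# the VPN server's address (the failure mode described in the thread).

# route_iface ROUTE_LINE -> prints the word after "dev" in one `ip route get` line,
# e.g. "64.182.208.182 via 192.168.0.1 dev eth0 src 192.168.0.100" -> eth0.
# Returns 1 if the line carries no "dev" field (e.g. an empty/unroutable result).
route_iface() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# via_vpn IFACE -> status 0 when IFACE is a tunnel device (OpenVPN tunN / tapN).
via_vpn() {
    case "$1" in
        tun*|tap*) return 0 ;;
        *)         return 1 ;;
    esac
}

# decide ROUTE_LINE -> "check"   route leaves via a non-tunnel device (eth/ppp)
#                      "skip"    route leaves via tun/tap: do not report this IP
#                      "unknown" no usable route line (status 2)
decide() {
    iface=$(route_iface "$1") || { echo "unknown"; return 2; }
    if via_vpn "$iface"; then
        echo "skip"
    else
        echo "check"
    fi
}

# Constructed sample route lines, taken from the routes quoted in the thread.
ROUTE_WAN='64.182.208.182 via 192.168.0.1 dev eth0 src 192.168.0.100'
ROUTE_VPN='64.182.208.182 via 10.9.2.133 dev tun13 src 10.9.2.134'
ROUTE_PPP='64.182.208.182 dev ppp0 src 203.0.113.7'    # singleNAT-style, no "via"

# Assumed live wrapper for a router (hypothetical; needs a real IP of the
# IP-check service because `ip route get` takes an address, not a hostname):
#   ddns_wan_ip 64.182.208.182 icanhazip.com
ddns_wan_ip() {
    route=$(ip route get "$1" 2>/dev/null | head -n 1)
    case "$(decide "$route")" in
        check) curl -s "http://$2/" ;;   # WAN route: safe to read the public IP
        *)     return 1 ;;               # tunnel or unknown: report nothing
    esac
}
```

Running `decide "$ROUTE_VPN"` prints `skip`, the two non-tunnel lines print `check`, and a line without a `dev` field prints `unknown` with status 2, so a DDNS script can treat anything other than `check` as "do not update". The check is per destination, which is why it also holds up when Policy Rules send only some traffic through the VPN: the script is asking about the exact host it is about to contact.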