
How can I port forward to internal OpenVPN ip?


nickolasm5

Occasional Visitor
Hello, could not find similar threads.
Asus ac86u, merlin 386.9

On the router I have set up an OpenVPN server, with static IPs for users, e.g. test1 - 10.8.0.9, test2 - 10.8.0.10 (clients that connect from outside).
The local network users 192.168.3.1 can ping IPs of the OpenVPN and vice versa. 10.8.0.9 can ping 10.8.0.10 and vice versa.
Port forwarding works perfectly for LAN (192.168.3.0).
Everything is OK here.
I don't want to route the clients' traffic through my router, so in the GUI for OpenVPN I select "lan only".
In the port forwarding GUI I set up forwarding, e.g. wan -> 3389 10.8.0.9.
It doesn't work.
If I select "both" in the GUI for OpenVPN, port forwarding starts working, but all the traffic goes through the Asus router.

Is there an option to have port forwarding wan -> openvpn working, without routing the clients' traffic through the router?
 
Well, if you are used to writing your own scripts, I would add these two lines to your firewall-start file (if you have one):
Bash:
iptables -I FORWARD -i eth0 -p tcp -d 10.8.0.9 --dport 3389 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 10.8.0.9
If you don't have a firewall-start file, you should create one in /jffs/scripts folder, and grant it execution permissions:
Bash:
chmod +x /jffs/scripts/firewall-start
For creating that file, you can use 'vi' or 'nano' editors. I, personally, use 'vi'.

The question is: if you want your clients accessing the Internet via these ports, why are you avoiding that connection by checking the option 'LAN only' on the router?

Regards.
 
Thanks!
The client (for now a server) is behind a "grey" IP, so it's the only option to have a possibility to access it from the internet.
On the other hand, there is no sense routing all traffic from it through the VPN.
So the only option is to set up the forwarding via iptables? No option to enable the possibility to set up forwarding via the Asus GUI?
 
ASUS GUI is intended for routing devices inside the local network, I think.
You are talking about opening ports to devices outside this local network and I'm afraid the GUI isn't capable of doing that. Perhaps I'm wrong and someone else with more knowledge of ASUS GUI can explain to you how to do it. Let's see.
 
Well, port forwarding wan -> lan works perfectly via the GUI. wan -> openvpn also works perfectly via the GUI if I select the option to use both LAN and WAN for clients.
So I suppose it is just some setting that is changed, and makes it impossible to forward ports, when only LAN is selected for OpenVPN.
Imagining I will need to forward many ports for many IPs, it is not the best solution to set it up via command prompt (but better than nothing).
I've set such a thing up in MikroTik, but MikroTik can't handle the speed Asus can, as MikroTik doesn't have hardware acceleration for VPN.
 
Sorry, but there is a thing I can't understand.

If you deny access to the Internet for the VPN clients on the ASUS router by ticking 'Only LAN', they are not going to be able to access the WAN on the ASUS router and the Internet through the same router, and your port forwardings from the WAN interface to your VPN clients have no effect.

Sorry, I don't know why you are trying to redirect traffic to your VPN clients from an interface you are forbidding these clients to access.
 
OK, let's put it another way. E.g. I connect to a router from a Windows server via L2TP or PPTP, it doesn't matter which. I can access the router and the network behind the router, and the router can access the server, and it is possible to set up port forwarding from the router to the Windows server using the IP assigned to the VPN client. But all internet traffic goes directly, not via the VPN.
I just don't know how it is done with OpenVPN on Asus. I don't care about allowing or not allowing the VPN client to use the WAN of the Asus router. I just want the internet traffic of the remote server to be routed directly (not through the VPN).

if there is possibility to set it up selecting "both" but then adding some string to make the traffic on the client go directly (not via asus) that would be great
 
solved the problem.

1. in the vpn options I set up "lan only"
2. in the client config added the following:
redirect-gateway def1
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
route 192.168.3.0 255.255.255.0 vpn_gateway
route 10.8.0.0 255.255.255.0 vpn_gateway


Now the internet traffic goes directly, and the port forwarding to 10.8.0.9 works via the GUI.
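
Why the client config above keeps internet traffic off the tunnel, as an added example that is not part of the original posts: the four /2 routes are more specific than the two /1 routes that `redirect-gateway def1` installs, so longest-prefix matching sends everything except the two /24 networks to `net_gateway`. The function and variable names are hypothetical, the gateway names are kept symbolic, and the sample destinations are constructed.

```python
import ipaddress

# "redirect-gateway def1" installs two /1 routes via the VPN (OpenVPN behaviour);
# POSTED_ROUTES are the "route" lines from the client config in the post above.
DEF1_ROUTES = [
    ("0.0.0.0", "128.0.0.0", "vpn_gateway"),
    ("128.0.0.0", "128.0.0.0", "vpn_gateway"),
]
POSTED_ROUTES = [
    ("0.0.0.0", "192.0.0.0", "net_gateway"),
    ("64.0.0.0", "192.0.0.0", "net_gateway"),
    ("128.0.0.0", "192.0.0.0", "net_gateway"),
    ("192.0.0.0", "192.0.0.0", "net_gateway"),
    ("192.168.3.0", "255.255.255.0", "vpn_gateway"),
    ("10.8.0.0", "255.255.255.0", "vpn_gateway"),
]

def build_table(routes):
    """Turn (network, netmask, gateway) triples into (IPv4Network, gateway)."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), gw) for net, mask, gw in routes]

def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def direct_routes_cover_ipv4(routes):
    """True if the net_gateway routes together span all of 0.0.0.0/0,
    i.e. no destination is left to the def1 /1 routes by accident."""
    nets = [ipaddress.ip_network(f"{n}/{m}") for n, m, gw in routes
            if gw == "net_gateway"]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]

if __name__ == "__main__":
    table = build_table(DEF1_ROUTES + POSTED_ROUTES)
    # Constructed sample destinations: public hosts, router LAN, VPN subnet.
    for dest in ("8.8.8.8", "203.0.113.5", "192.168.3.1", "10.8.0.9"):
        print(f"{dest:>14} -> {lookup(table, dest)}")
    print("direct routes cover all IPv4:", direct_routes_cover_ipv4(POSTED_ROUTES))
```

Running the same lookup against `DEF1_ROUTES` alone shows the behaviour the poster wanted to avoid: every destination resolves to `vpn_gateway`.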
 
