How to allow openvpn clients to access my LAN PC?


gecongjie

Hey, guys!
I set up an OpenVPN server on my ASUS AC66U-B1 (running Merlin 386.3_2). I have to use tun mode to allow Android phones. I set "Client will use VPN to access" to Both (the other two choices are "LAN only" and "Internet only"). My phone can access the USB drive connected to the router (192.168.2.1), but I can't access my PC (192.168.2.11).
After some searching, I added "iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE" which doesn't work. (192.168.3.0 is my VPN Subnet setting)
What can I do to make my VPN clients able to access my PC on LAN?
Any help is appreciated.
 
So, I am having the same question/issue, except I am using an Asus RT-AX86U router. Where do I add the following line of code?
"iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE"
In the config file on the client?

And, in the above line, I will need to change 192.168.3.0 to 10.8.0.0 (my VPN subnet).

Also, do I change the "eth1" to the IP address of the local LAN PC I want to ping/access? LOL, I do not understand the following comment:
ColinTaylor said:

You should use br0 instead of eth1.
 

Let's first make clear what this thread is all about. Because it goes unstated, which adds to the confusion.

The problem the OP was experiencing was due to a personal firewall on the target device preventing access by the remote OpenVPN client. The most common culprit is Windows. By default, Windows will NOT allow access by any *private* IP network other than the one on which it is currently running. It's a security measure MS added several years ago. And some other devices and platforms have done likewise.

So the *correct* solution is to reconfigure the personal firewall on the device to permit the remote access by 10.8.0.0/24.

But sometimes people prefer to use the above POSTROUTING trick so they don't have to run around their network reconfiguring firewalls. What that rule does is mask the source IP of the OpenVPN client (e.g., 10.8.0.2) with the IP of the router on its LAN network interface (e.g., 192.168.1.1). So now when the target is reached, it *sees* 192.168.1.1 rather than 10.8.0.2, and since the target and router share the *same* IP network, the personal firewall allows the access.

If you want to do the same thing, then you need to create a nat-start script like the following.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/nat-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

Enable jffs scripts in Administration > System, copy/paste the above into the terminal window of an SSH session, and reboot.
 
Thank you for the details. It is helpful to understand that the underlying issue is with the Windows Firewall.

I would rather update my desktop's Windows 7 Firewall than add the code you listed above. For the Windows Firewall approach, can you provide some details on how I would accomplish this? Also, my router's IP is 192.168.1.1, the PC (running Windows 7) has a static IP of 192.168.1.101, and I set the router's OpenVPN client subnet to 192.168.5.0/24 (for example, I have seen a few times where the client's IP is assigned as 192.168.5.6).

One question with this approach, however. Will the Windows Firewall be working to allow the VPN client to communicate with the desktop when no user has logged on? I ask because I normally VPN into the house, then use WOL to power on the desktop. I then access the desktop at that point.


Side note - that above script that you included. Where would I place that, in the router or the Desktop I am trying to access ? This part went over my head ; )
 
I would rather update my desktop's Windows 7 Firewall than add the code you listed above. For the Windows Firewall approach, can you provide some details on how I would accomplish this?

I don't use Windows. I'm a Linux desktop user. There are plenty of resources on the internet for configuring the Windows firewall.

Also, my router's IP is 192.168.1.1, the PC (running Windows 7) has a static IP of 192.168.1.101, and I set the router's OpenVPN client subnet to 192.168.5.0/24 (for example, I have seen a few times where the client's IP is assigned as 192.168.5.6).

Well, originally you said 10.8.0.0/24. But if it's now 192.168.5.0/24, then change the rule or configure the Windows firewall (whichever you prefer) accordingly.

One question with this approach, however. Will the Windows Firewall be working to allow the VPN client to communicate with the desktop when no user has logged on? I ask because I normally VPN into the house, then use WOL to power on the desktop. I then access the desktop at that point.

The firewall requirements in terms of access based on the client's source IP have *nothing* to do with anything else that may be at issue, including whether there is or isn't an active user logged into Windows. All we're talking about is how to deal with this one narrow issue.

Side note - that above script that you included. Where would I place that, in the router or the Desktop I am trying to access ? This part went over my head ; )

If you want to use the POSTROUTING rule rather than reconfigure the Windows firewall, then you need to enable JFFS scripts on the router, copy/paste that script into the terminal window of an SSH session w/ the router, and reboot. It will install and configure the necessary nat-start script, which will be activated once rebooted.
 
P.S. I did find the following, although it specifically refers to Windows 10 and above.


Most likely you'll want to create an Inbound rule/exception for 192.168.5.0/24.
 
Hi eibgrad,
Thanks a lot for your Script. One question regarding that.
I have both OpenVPN servers enabled: one "protected" (192.168.10.0/24) where all traffic is routed through OpenVPN 1, and one "unprotected" (192.168.11.0/24) where the traffic is routed via the WAN.

If I want to use your script for both IP address ranges, what do I have to change?
Should I just add one additional line to the Script?

iptables -t nat -I POSTROUTING -s 192.168.10.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)

iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Many thanks for your support.
Hugo
 
That should work.
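Both eibgrad's nat-start script above and Hugo's two-subnet variant insert the SNAT rule with a bare `-I`, once per subnet. The following is an added example written for this page, not eibgrad's script or Asuswrt-Merlin code. It assumes the Merlin layout (`/jffs/scripts/nat-start`, `nvram get lan_ipaddr`, LAN bridge `br0`) and an iptables build that supports `-C` to test for an existing rule; `IPT`, `LAN_IF`, `LAN_IP` and `VPN_SUBNETS` are hypothetical overrides added so the logic can be dry-run off the router. It validates each subnet before touching the NAT table and adds each rule only if it is not already present.

```shell
#!/bin/sh
# Added example for this page, not eibgrad's script or Asuswrt-Merlin code.
# Installs the SNAT rule for one or more OpenVPN server subnets so LAN hosts
# see the router's LAN IP instead of the tunnel address (e.g. 10.8.0.x).
# Meant to live at /jffs/scripts/nat-start. IPT, LAN_IF, LAN_IP and
# VPN_SUBNETS are hypothetical overrides so the logic can be dry-run
# off the router; on the router leave IPT/LAN_IF/LAN_IP unset.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-br0}
LAN_IP=${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null)}
VPN_SUBNETS=${VPN_SUBNETS:-10.8.0.0/24}   # space separated, e.g. "192.168.10.0/24 192.168.11.0/24"

# valid_cidr a.b.c.d/len -> exit 0 if a well-formed IPv4 CIDR, 1 otherwise.
# The body runs in a subshell so changing IFS and the positional
# parameters stays local to the function.
valid_cidr() (
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    IFS=.; set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# ensure_snat_rule SUBNET: add the rule exactly once. nat-start is run every
# time the firewall is rebuilt (WAN reconnects included), so a bare -I would
# stack a duplicate copy on each run; -C checks for an identical rule first.
ensure_snat_rule() {
    valid_cidr "$1" || { echo "skip: '$1' is not a valid IPv4 CIDR" >&2; return 1; }
    [ -n "$LAN_IP" ] || { echo "error: router LAN IP unknown" >&2; return 1; }
    # Build the rule match/target as the positional parameters.
    set -- -s "$1" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP"
    $IPT -t nat -C POSTROUTING "$@" 2>/dev/null && return 0
    $IPT -t nat -I POSTROUTING "$@"
}

# ensure_all: install rules for every subnet in VPN_SUBNETS.
# Returns the number of entries that were rejected or failed (0 = all good).
ensure_all() {
    rejected=0
    for subnet in $VPN_SUBNETS; do
        ensure_snat_rule "$subnet" || rejected=$((rejected + 1))
    done
    return $rejected
}

# Only act when the file is actually installed as nat-start, so reading or
# sourcing it elsewhere has no side effects.
case $0 in *nat-start) ensure_all ;; esac
```

To use it on the router: save the block as /jffs/scripts/nat-start, put both server subnets in the `VPN_SUBNETS` default (Hugo's case would be "192.168.10.0/24 192.168.11.0/24"), `chmod +x` it, enable JFFS scripts, and reboot. One caveat that the firewall-exception approach does not have: with SNAT every VPN client reaches the PC as the router's LAN IP, so the PC's own logs and any per-address rules on it can no longer tell one VPN client from another. An inbound Windows Firewall rule scoped to the VPN subnet keeps that visibility.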
 
Hi everyone,
I am posting here as this is similar to what I am encountering and I cannot figure it out. I don't have much knowledge regarding this but I am willing to learn 😀.
I have created a VPN server at a location to be able to remotely connect to it and access the local network and devices.
Another thing I want to be able to do is to access the remote router admin page.
Here is where all the trouble starts: from my Windows 11 machine I cannot do that.
Whenever I try to access 192.168.1.1 it just lands on my local router page. I have tried to SSH into it with the same result.
If I do what I have tried above from an Android device it just works. This means it is a Windows firewall setting.
I have tried the script above and also tried to create an inbound rule in the Windows firewall but without any success.
Would you please help me sort this out with a step by step guide.
Thank you and Happy New Year 😊
 
Here is where all the trouble starts: from my Windows 11 machine I cannot do that.
Whenever I try to access 192.168.1.1 it just lands on my local router page. I have tried to SSH into it with the same result.
Your problem is not the same as that discussed in this thread and has nothing to do with firewalls.

Your problem is that your local network is 192.168.1.1/255.255.255.0 and the remote network is also 192.168.1.1/255.255.255.0. Each network needs to have different IP addresses. Change the remote network to use 192.168.2.1/255.255.255.0 and it should work.
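ColinTaylor's diagnosis can be checked before a trip to the remote site: when the local LAN and the remote LAN both use 192.168.1.0/24, the route the VPN pushes for the remote network has the same prefix as the client's own connected network, so the client has no way to tell the remote 192.168.1.1 from the local one and the packet never enters the tunnel. The following is an added example, not from the thread: a POSIX sh overlap test for IPv4 CIDRs that flags every remote site colliding with a given local LAN. It assumes well-formed a.b.c.d/len input and a shell with 64-bit arithmetic (dash, bash and busybox ash all qualify).

```shell
#!/bin/sh
# Added example for this page (not from the thread): detect overlapping IPv4
# networks before relying on a VPN to reach a remote LAN. Input is assumed to
# be well-formed a.b.c.d/len; arithmetic assumes a 64-bit shell (dash, bash,
# busybox ash).

# ip_to_int a.b.c.d -> the address as a 32-bit integer.
# Subshell body keeps the IFS change and positional parameters local.
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# cidr_mask LEN -> netmask as an integer (24 -> 4294967040, i.e. 0xFFFFFF00).
cidr_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap A B: exit 0 when the two networks share at least one address.
# They do exactly when both network addresses agree under the shorter mask.
cidr_overlap() {
    a_net=$(ip_to_int "${1%/*}"); a_len=${1#*/}
    b_net=$(ip_to_int "${2%/*}"); b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then short=$a_len; else short=$b_len; fi
    m=$(cidr_mask "$short")
    [ $(( a_net & m )) -eq $(( b_net & m )) ]
}

# check_sites LOCAL REMOTE...: report every remote LAN that collides with the
# local one. Returns the number of collisions (0 = every site is reachable).
check_sites() {
    local_lan=$1; shift
    conflicts=0
    for site in "$@"; do
        if cidr_overlap "$local_lan" "$site"; then
            echo "CONFLICT: $site overlaps local $local_lan; packets for it never enter the tunnel"
            conflicts=$((conflicts + 1))
        else
            echo "ok: $site is distinct from $local_lan"
        fi
    done
    return $conflicts
}

# Demonstration with the addresses from the thread (constructed input): the
# unchanged site collides with the local LAN, the renumbered one does not.
if check_sites 192.168.1.0/24 192.168.1.0/24 192.168.2.0/24; then
    echo "no conflicts"
else
    echo "renumber the local LAN or the colliding site(s) before using the tunnel"
fi
```

The check is also the quick way to pick a new local range when several remote sites all use 192.168.1.0/24: choose a candidate, run it against the full list of site networks and the OpenVPN tunnel subnet, and keep it only if nothing is reported as a conflict.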
 
Damn,
Somewhere deep down I knew it was something as simple as this 😅.
Thank you so much ColinTaylor 😊.

I'll give it a go maybe later on today as I'll go to that site.

Stupid question; is there a workaround that I can still keep the local network on the 192.168.1.1 range and still being able to access it or for each site I want to access it over OpenVPN I need to change the internal address like: 192.168.2.1 ... 3.1 ... and so on?
 
Stupid question; is there a workaround that I can still keep the local network on the 192.168.1.1 range and still being able to access it or for each site I want to access it over OpenVPN I need to change the internal address like: 192.168.2.1 ... 3.1 ... and so on?
Sorry, can you rephrase that sentence so that it makes sense. I suspect the answer is going to be "no".
 
I do apologise 😁.
I wanted to know if there's still a way to keep (let's say 4 different sites) under the same local network (192.168.1.1) without having to modify it. I figured out already that the answer is "No".

I already changed the local network of 1 of the sites to 192.168.2.1 and I confirm that it works.

Thank you so much for the help provided. Every day you learn something new on SNBForums without being tech savvy.

Happy New Year everyone!
 
I wanted to know if there's still a way to keep (let's say 4 different sites) under the same local network (192.168.1.1) without having to modify it. I figured out already that the answer is "No".
No. If all the remote networks are using 192.168.1.x you could change your network to something different (e.g. 192.168.2.x). That way you only need to change one network instead of four.
 
