
Need to Solve OpenVPN Client + AiCloud Smart Access at the same time

janosek

Regular Contributor
Hello,

I am still struggling to figure out iptables in order to have both my OpenVPN client, which is selectively routing devices on my NAT, and AICloud Smart Access working over the WAN at the same time. When the VPN Client is down, I can access AICloud Smart Cloud no problem on my android phone connected over the cellular network, but it becomes unreachable as soon as the OpenVPN client comes up.

I tried adding:
iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

But selective routing applications on the router doesn't seem to work the same as selective routing on the router's NAT.

I tried using the INPUT and OUTPUT chain, but I always seem to lock myself out of the router, so I haven't done much with it.

I attached my iptables, ifconfig and a netstat showing the aicloud listening on ports 443 and 8082.

Does anyone have any clue how to get AICloud to connect through eth0 when tun11 is active?
 

Attachments

  • no vpn.txt (3.2 KB)
  • vpn.txt (4.1 KB)
OK. So I discovered first that I can keep the tunnel technically active (although I imagine it would time out eventually since there is no data being routed) by running the following commands:

/sbin/route del -net 0.0.0.0 netmask 128.0.0.0 gw $(ip route list table main | awk '/tun11/ { print $3}' | sort -u | grep -v 'tun11')

/sbin/route del -net 128.0.0.0 netmask 128.0.0.0 gw $(ip route list table main | awk '/tun11/ { print $3}' | sort -u | grep -v 'tun11')


Running those two commands allows AICloud to work from my cellular network, but OpenVPN is not being routed to my WAN, so the opposite problem.

Now to somehow route OpenVPN to the WAN while not sucking in ports 443 and 8082.
 
I've decided to give up on trying to solve this. I will just buy a serviio pro licence for my desktop that by-passes the VPN client.

As far as I am concerned, the fact that an active OpenVPN client breaks the AICloud functionality over the WAN should be considered a bug of Merlin's firmware, but obviously I am the only one who thinks this as no one else seems interested in this class of problem.
 
Did you actually try Serviio Pro? Does it work thru VPN?

(you do not need to buy it to try it - simple re-install gives a grace period to try Pro)
 
Yes, works perfectly. I can selectively route devices on my LAN to either the VPN or WAN, so my desktop that runs Serviio routes out the WAN. Then I just port forward the Serviio ports. On the other hand, OpenVPN and AICloud are both on the router and I can't figure out how to route them separately. Hopefully someone does, as I feel it is an important problem to solve.
 
I've decided to give up on trying to solve this. I will just buy a serviio pro licence for my desktop that by-passes the VPN client.

As far as I am concerned, the fact that an active OpenVPN client breaks the AICloud functionality over the WAN should be considered a bug of Merlin's firmware, but obviously I am the only one who thinks this as no one else seems interested in this class of problem.

Janosek, I need to be able to provide remote support of several RT-N66Us that I have installed for my family members.

In the past, I used PPTP and to accommodate this I gave all of my family's remote RT-N66Us unique 10.xxx.x.x subnets.

The use of HMA as an OpenVPN client breaks my remote access via both OpenVPN and PPTP so I too have struggled to understand if it is my particular setup that is causing this frustrating concurrent OpenVPN client issue.

I also attempted to remove the 'strange' 0.0.0.0 netmask 128.0.0.0 entries created by the auto config of the HMA OpenVPN client, but this seems to break HMA client functionality? :-(

I am not a Linux iptables expert so have been trawling thru several forums Ubuntu (even Raspberry Pi) etc. for any help to fix this frustrating issue but as yet still without success.

At present I do not have the OpenVPN client auto-started with the GUI, and have left a 10 minute grace period before my HMA script starts the selective OpenVPN HMA client. In this way, if I need to remotely access an RT-N66U I can ask one of the remote family to reboot their router and I can connect via OpenVPN/PPTP hopefully before their HMA OpenVPN client starts.


I'm sure there must be a (simple) logical solution to our common issue without resorting to 3rd party software such as Serviio pro etc., unless of course someone can categorically state that this concurrent use of the OpenVPN client and OpenVPN/PPTP server for both inbound and outbound traffic is technically impossible.

In the meantime I am about to test a different OpenVPN client to see if this is a unique HMA client issue, so I personally won't give up the quest! even though it appears no-one else apart from us appears to need this functionality.

Regards,
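
The two /1 routes discussed above send the router's own replies into tun11 even when the connection arrived on the WAN. A technique commonly used for this class of problem is connection-mark policy routing; the sketch below is an added example, not from any poster or from the firmware. It only prints the rules, and the interface name, gateway address (a documentation address), mark and table number are assumed values. It also assumes reverse-path filtering on the WAN interface is not in strict mode.

```shell
#!/bin/sh
# Added example (not from the thread): print, without applying, rules that keep
# replies to WAN-initiated connections on the WAN while the VPN client is up.
# All four arguments are assumptions; substitute your own WAN interface,
# WAN gateway, an unused firewall mark and an unused routing table number.

wan_return_rules() {
    wan_if=$1; wan_gw=$2; mark=$3; table=$4
    cat <<EOF
# 1. Tag every new connection that arrives on the WAN interface.
iptables -t mangle -A PREROUTING -i $wan_if -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
# 2. Copy the connection tag onto reply packets generated by the router itself
#    (AiCloud listens on the router, so its replies pass through OUTPUT).
iptables -t mangle -A OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark
# 3. A separate table whose only default route is the WAN gateway.
ip route add default via $wan_gw dev $wan_if table $table
# 4. Tagged packets consult that table instead of main, where the /1 routes live.
ip rule add fwmark $mark lookup $table priority 100
EOF
}

# Constructed sample values: eth0 as WAN, 203.0.113.1 as its gateway.
wan_return_rules eth0 203.0.113.1 0x8 200
```

Pick a mark that does not collide with the one already used for selective routing of LAN devices, and review the printed rules before running any of them on a remote router.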
 
