I've managed to find out what's happened. I had a look at the ipsec.postconf script & changed it so the tunnel uses the 10.10.10.0/24 subnet. I rebooted the router, ran your original code & hey presto, it works! In this case, should I keep the 220 table clone part? Where would you recommend I put the code so it always runs? I've had an issue recently where some code has disappeared when amtm updates on the router; I think it overwrites or deletes & re-adds files, which continuously gets rid of some of my code. I can't put a user-defined script in somewhere, can I?
Thank you so much for your help, you've been really kind
If it is working, then you can use the openvpn-event triggers 'vpnclientX-route-up'/'vpnclientX-down' to manage the appropriate ip route/RPDB/iptables.
Apologies for this, but I can't think of what commands to put where in 'vpnclientX-route-up'/'vpnclientX-down'.
So far I've got this in 'vpnclient1-route-up':
Code:
VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO
In 'vpnclient1-down', would I only have:
Code:
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
Would I have to remove the clone of iptable 220? I am not sure what else to add in 'vpnclient1-down'. (I can't have duplicates of iptable 220, can I??)
One last thing, if I may: does my mobile have to actually be connected to the IPSec tunnel for the iptable to be generated / updated & for the commands to work?
I have tried what you have suggested by adding a nat-start script to jffs/scripts:
Code:
#!/bin/sh
# Allow pass-thru for a connecting IPSec Server client to use Selective Policy routing RPDB out via VPN Client
# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
And adding the route to the OpenVPN client, but no dice. I did not need to add 10.10.11.0/24 as I have changed the ipsec.postconf file so only the 10.10.10.0/24 IP pool is used. I get "error connection timed out" on any site I try to view on my mobile phone while connected to the IPSec tunnel.
I think I'll have to fudge the cloning. In order for the table to get generated, my mobile needs to be connected to the IPSec tunnel first, right? Is there any way to run your original script:
Code:
#!/bin/sh
VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO
as soon as my mobile connects to the tunnel? What would I have to run when my mobile disconnects?
However, if there are no inbound IPSec connections, we should be able to make an educated guess/prediction as to what table 220 may contain when the device connects.
i.e. To fudge the table 220 cloning, can you try the following (assumes the WAN interface name is eth0/vlan2 etc., retrieved from variable 'wan0_ifname'; so if you use PPPoE then use 'wan0_pppoe_ifname'?)
Code:
ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1
then connect the phone... hopefully the pass-thru should now work again, but if not, can you provide the following diagnostics:
Code:
ip rule
ip route show table ovpnc1
iptables --line -t nat -nvL POSTROUTING
ip route show table 220
OK, so I rebooted the router; I have the nat-start script active as follows:
/jffs/scripts/nat-start
Code:
#!/bin/sh
# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
I have the selective routing in OpenVPN client 1 as 10.10.10.1/24 to go through the VPN.
I executed the following line by line via SSH:
Code:
ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1
I connected my mobile & still got the same error, "error connection timed out".
The output requested in the previous post is as follows:
Code:
ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb 8 18:41:28 UTC 2020
RT-AC86U:/tmp/home/root# ip rule
0: from all lookup local
10101: from 192.168.1.246 lookup ovpnc1
10102: from 192.168.1.137 lookup ovpnc1
10103: from 192.168.1.35 lookup ovpnc1
10104: from 192.168.1.215 lookup ovpnc1
10105: from 192.168.1.45 lookup ovpnc1
10106: from 192.168.1.88 lookup ovpnc1
10107: from 10.10.10.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
RT-AC86U:/tmp/home/root# ip route show table ovpnc1
default via 10.70.0.101 dev tun11
10.10.10.0/24 via 82.222.222.1 dev eth0 proto static
10.70.0.101 dev tun11 proto kernel scope link src 10.70.0.102
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
RT-AC86U:/tmp/home/root# iptables --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 590 packets, 84461 bytes)
num   pkts bytes target     prot opt in  out   source          destination
1       80  4149 MASQUERADE all  --  *   tun11 192.168.1.0/24  0.0.0.0/0
2      123 42108 PUPNP      all  --  *   eth0  0.0.0.0/0       0.0.0.0/0
3        0     0 ACCEPT     all  --  *   *     0.0.0.0/0       0.0.0.0/0       policy match dir out pol ipsec
4        1    60 MASQUERADE all  --  *   eth0  !82.222.222.221 0.0.0.0/0       mode: fullcone
5        3   711 MASQUERADE all  --  *   br0   192.168.1.0/24  192.168.1.0/24
RT-AC86U:/tmp/home/root# ip route show table 220
10.10.10.1 via 82.222.222.1 dev eth0 proto static
RT-AC86U:/tmp/home/root# grep -E "vpn:" /tmp/syslog.log
Apr 3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr 3 19:20:37 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr 3 19:24:18 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr 3 19:26:09 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr 3 22:35:47 vpn: + user 10.10.10.1/32 == 81.111.111.110 -- 82.222.222.221 == 0.0.0.0/0
RT-AC86U:/tmp/home/root#
(The 81.111.111.110 is NOT a mistake; the IP value for that was one down from the ones above.)
It appears that the 'nat-start' script either didn't run during the router boot process, or immediately after your MASQUERADE rule was added the table was wiped.
I suggest you debug/modify the 'nat-start' script using the updated version in post #84 which includes a 10 second delay and will also print a message to Syslog to help track that it did physically execute.
So having modified 'nat-start', execute it manually to check for syntax errors etc.
Code:
/jffs/scripts/nat-start
then reboot and check to see if the required rule has been successfully created.
Hopefully fudging the cloning of table 220 actually works, so download the recommended 'openvpn-event' template script, and create
/jffs/scripts/vpnclient1-route-up
Code:
#!/bin/sh
VPN_ID=${dev:4:1}
ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID} 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID}
to ensure that the table 220 fudge is executed whenever the VPN Client is (re)started.
shows Syslog contains event messages for when your phone connected to IPsec ('vpn: +') and when it disconnected ('vpn: -').
So although there is no equivalent 'openvpn-event' script in the firmware for IPSec events (?), it is fairly trivial to monitor Syslog for a specific trigger message and execute the desired script.
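As an added illustration of that Syslog-trigger idea (example code written for this thread, not Martineau's script or firmware code), the functions below turn one 'vpn: +' / 'vpn: -' line into the same RPDB and NAT commands the vpnclient1-route-up snippet above runs, and compute the next free 101xx rule priority from 'ip rule' output. It assumes OpenVPN client 1 (table ovpnc1, interface tun11) and only prints the commands, so it can be checked before anything is piped into sh.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes VPN Client 1 = table ovpnc1 / tun11
# and that the firmware's policy-routing rules sit in the 101xx priority block,
# exactly as in the 'ip rule' listing posted above.

# next_prio: read 'ip rule' output on stdin and return (highest 101xx priority + 1),
# or 10101 when no policy rules exist yet (the thread's PRIO one-liner breaks there).
next_prio() {
    last=$(grep -E '^101[0-9]{2}:' | tail -n 1 | awk -F: '{print $1}')
    [ -n "$last" ] || last=10100
    echo $((last + 1))
}

# ipsec_event_cmds LINE VPN_ID PRIO: print the commands for one Syslog line, e.g.
#   Apr 3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
# '+' = client connected, '-' = client disconnected. Returns 1 for any other line.
ipsec_event_cmds() {
    line=$1; vpn_id=$2; prio=$3
    sign=$(echo "$line" | sed -n 's/.*vpn: \([+-]\) user .*/\1/p')
    # first CIDR on the line is the leased client address (10.10.10.1/32)
    client=$(echo "$line" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | head -n 1)
    [ -n "$sign" ] && [ -n "$client" ] || return 1
    # derive the /24 pool from the leased address, as the thread's IPSEC_POOL/24 does
    pool="$(echo "$client" | cut -d/ -f1 | cut -d. -f1-3).0/24"
    case $sign in
    +)
        echo "iptables -t nat -D POSTROUTING -s $pool -o tun1$vpn_id -j MASQUERADE 2>/dev/null"
        echo "iptables -t nat -A POSTROUTING -s $pool -o tun1$vpn_id -j MASQUERADE"
        echo "ip rule del from $pool table ovpnc$vpn_id 2>/dev/null"
        echo "ip rule add from $pool table ovpnc$vpn_id prio $prio"
        ;;
    -)
        # Teardown is optional for a single phone (see Martineau's later reply); skip it
        # if several IPSec clients share the pool, since the rule covers the whole /24.
        echo "ip rule del from $pool table ovpnc$vpn_id 2>/dev/null"
        echo "iptables -t nat -D POSTROUTING -s $pool -o tun1$vpn_id -j MASQUERADE 2>/dev/null"
        ;;
    esac
}

# Watcher loop for the router itself (commented out so the file is safe to source):
# tail -F /tmp/syslog.log | grep --line-buffered -E 'vpn: [+-] user' | while read -r l; do
#     cmds=$(ipsec_event_cmds "$l" 1 "$(ip rule | next_prio)") || continue
#     echo "$cmds" | logger -t ipsec-passthru
#     echo "$cmds" | sh
# done
```
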
I had been searching for this possibility (pass-through routing clients over VPN) for weeks; finally I found this thread. After reading the posts (several times...) it works now! Never been in contact with these scripts before...
Thanks for the advice in this thread (especially Martineau)!
Suffice it to say, it finally works! At last! Thank you so much for your help. From what I can tell, the script wasn't running on startup. You were right. I have no idea how you figured that out. I wish I knew half as much as you do about these things. You are a genuine credit to this forum. I don't normally sign up to forums, but I'm glad I signed up to this one. Thank you once again for all your help. You are a diamond!
I'll test this to see how it goes. I can't foresee any problems. If my mobile disconnects from the IPSec server, there isn't any code that needs to be run, is there?
Unless you want to restrict the IPSec pass-thru to say only specific devices or perhaps time-of-day etc. then the policy restrictions would be best applied on detection of an IPSec client connecting, so I doubt there is a need for your current use-case to do anything on an IPSec client disconnect.
The two commands allow both OpenVPN Server instances to 'pass-thru' a connecting client directly out through ANY (active) VPN Client connection.
If you never change the OpenVPN Server IP pools from their defaults (10.8.0.0 and 10.16.0.0 for Server 1 and Server 2 respectively) then firewall-start is probably a good place for the rules as-is.
NOTE: It is good practice to also issue a delete command to prevent unnecessary duplicates
/jffs/scripts/firewall-start
Code:
#!/bin/sh
# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE
However, your requirements may require a finer control, i.e. if the OpenVPN Server configuration changes, then it may be prudent to only insert the rule during the execution of the appropriate "openvpn-event" /jffs/scripts/vpnserverX-up script; similarly delete the rule during execution of the /jffs/scripts/vpnserverX-down script.
Also you may feel that use of 'tun1+' should really explicitly only reference a specific VPN Client, e.g. tun11.
There are numerous examples of scripts, just make sure you use the correct name, ensure that you don't use a Windows editor (if you do run dos2unix against the file on the router) and make sure the file is executable etc.
Hi there. I know this post was from 2017 but it still works! I just got it working to where I can VPN into my home network and exit the network to the Internet through the VPN client! I do have one issue though. My remote computer connected to the VPN server cannot access any devices on the LAN. I can't ping or ssh into anything except the router. I have the router VPN server settings set to allow access to both the LAN and Internet.
I think you will need to dedicate the second VPN Server to access LAN devices. You won't be able to access LAN devices if you route VPN Server 1 to the VPN Client 1.
I do have the 10.8.0.0/24 in my VPN routing policy. And as for your comment about x3mRouting being able to set it up for me, I assume you are not talking about having the VPN server route through the VPN client as well as access the lan, because you said that wasn't possible. I did come to find I can access the LAN through a separate VPN. So I have one VPN to access the LAN and one to access the Internet through the client VPN.
Just curious, what is the point of VPN(ning?) into my home network and exiting through the VPN client if I can't access the LAN? Wouldn't this just add extra latency and reduce speeds drastically with no real gain? I have a VPN client app on my phone/other remote computers I could use without the additional hop to my home network to leave through the client VPN.