I have two VPN servers working and a connection to a VPN client (Torguard) simultaneously.
I have read countless threads and done a lot of trial and error in order for this to work, and apparently now it does. Unfortunately I am not used to scripts at all.
For me it works without writing JFFS scripts in /jffs/scripts/nat-start.
According to Torguard they need to open a port forward and I need to add nat-start scripts, but for some reason it works without.
However I am still curious.
I can only get simultaneous VPN server and VPN client to work when choosing "Policy Rules" in Redirect internet traffic. I use Policy Rules Strict.
When I choose "All" I cannot log into the VPN server when the VPN client is active.
Does anyone know why that is?
Also, I am wondering if my router is directing its traffic through the VPN client with these settings. I have aria2 installed on my NAS and I would very much like it if, when I add a download link to aria2, the download went through the VPN.
That explanation does help. Thank you very much!!!
If I understand correctly, with policy rules I am connecting to my VPN server via WAN in and VPN out. Is that correct?
If I understand correctly, the router services (installed on Entware) such as aria2 are using the WAN and not the VPN client? Is there a way to make certain router ports, e.g. the port for aria2, use the VPN client with "Policy Rules", or do I need to switch to "All"? Aria2 is on 192.168.50.1:81/aria2.
All my efforts trying to establish a VPN with routing "All" through the VPN have failed, even though I have had port 8080 forwarded by Torguard as well as scripts written to nat-start.
If I understand the script correctly I have set tun11 (though it is the tun of the VPN client), the port to 8080 since that is the port of my VPN server and dest-IP to 10.16.0.2 or 10.16.0.0/24.
Not sure if this is correct?
Using script nat-start would mean that the 'pass-thru' rule is always available, but depending on your paranoia/level of desired control, you could use the openvpn-event script and its associated trigger scripts vpnserver1-route-up/vpnserver1-down (to ensure the 'pass-thru' rule only exists if the VPN Server 1 is UP) or have the 'pass-thru' dynamically applied only to specific inbound OpenVPN client connections using the OpenVPN '--client-connect/--client-disconnect' scripts.
The GUI primarily only allows selective routing of source LAN devices/target IPs (see the Wiki entry Policy based routing) but for Selective Port routing you will need a script:
you could use the openvpn-event script and its associated trigger scripts vpnserver1-route-up/vpnserver1-down (to ensure the 'pass-thru' rule only exists if the VPN Server 1 is UP)
Using @john9527's template openvpn-event trigger script, you can choose which openvpn-event trigger script is executed by the specific Server/Client.
i.e. simply create the appropriate scripts... in your case scripts vpnserver1-route-up and vpnserver1-down
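One way the route-up/down dispatch just described can look, as an added example (not @john9527's template and not a script from this thread): the pass-thru MASQUERADE rule from the thread is inserted when OpenVPN Server 1 comes up and deleted when it goes down, so it never lingers while the server is stopped. Assumptions not stated on the page: Merlin invokes /jffs/scripts/openvpn-event with $dev and $script_type in the environment, Server 1 is tun21, VPN Client 1 is tun11, and the IPTABLES/NVRAM variables exist only so the logic can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example: event-scoped pass-thru for /jffs/scripts/openvpn-event.
# Assumptions: $dev/$script_type come from OpenVPN, Server 1 = tun21,
# VPN Client 1 = tun11, server subnet in nvram vpn_server1_sn (as in the thread).
IPTABLES="${IPTABLES:-iptables}"     # overridable so the logic can be tested offline
NVRAM="${NVRAM:-nvram}"
SERVER_DEV="${SERVER_DEV:-tun21}"    # OpenVPN Server 1 interface (assumption)
CLIENT_DEV="${CLIENT_DEV:-tun11}"    # VPN Client 1 interface

server_subnet() {
    # nvram holds the network address, e.g. 10.8.0.0; the thread appends /24
    echo "$($NVRAM get vpn_server1_sn)/24"
}

passthru_rule() {
    # $1 is -I (insert) or -D (delete); same rule as the firewall-start snippet
    $IPTABLES "$1" POSTROUTING -t nat -s "$(server_subnet)" -o "$CLIENT_DEV" -j MASQUERADE
}

passthru_add() {
    # Delete first so repeated route-up events never stack duplicate rules
    passthru_rule -D 2>/dev/null || true
    passthru_rule -I
}

passthru_del() {
    passthru_rule -D 2>/dev/null || true
}

# Map (interface, event) to an action; echoes the action taken for logging/testing
handle_event() {
    dev="$1"; event="$2"
    if [ "$dev" != "$SERVER_DEV" ]; then echo "ignored"; return 0; fi
    case "$event" in
        route-up) passthru_add >/dev/null; echo "added" ;;
        down)     passthru_del >/dev/null; echo "removed" ;;
        *)        echo "ignored" ;;
    esac
}

# When OpenVPN runs this script, $script_type is set; log what was done.
if [ -n "${script_type:-}" ]; then
    logger -t openvpn-event "$dev $script_type: pass-thru $(handle_event "$dev" "$script_type")"
fi
```

Events for clients (tun11..tun15) and for Server 2 (tun22) fall through to "ignored", so the same file can keep dispatching other handlers without touching this rule.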
P.S. No idea why your openvpn-event script currently needs to unconditionally execute the 'cp' command for every OpenVPN event for all servers and all clients?
I don't know either, hehe. I didn't put it there; maybe it was one of the things I added (Diversion, Stubby, amtm, connmon, YazFi, scMerlin, ntpMerlin or spdMerlin).
I'll check john's script, thanks for the help again @Martineau
The Stubby installer script placed the cp entry in openvpn-event.sh to override how OpenVPN Client handles DNS and forces the OpenVPN Client to always use Stubby. I realized recently that it should be handled differently and the feature can be removed. If the user wants the OpenVPN Client to use Stubby DoT, they can simply set "Accept DNS Configuration" = "Disabled". I have some time today to update the installer to make the change.
I went back and looked at the /tmp/resolv.dnsmasq override performed by the OpenVPN Client. It has to stay there for now or risk breaking Stubby DoT.
Without the override, the firmware will populate /tmp/resolv.dnsmasq with both the WAN DNS1 and the OpenVPN DNS entries 10.9.0.1 and 10.8.0.1 during an OpenVPN up event. For Stubby, we are using the router's IP address for DNS1. The VPN DNS values depend on the Accept DNS Configuration setting. Strict will append the DNS of the VPN to the DNS specified in DNS1 and DNS2 on the WAN screen as follows:
The addition of the VPN DNS in /tmp/resolv.dnsmasq prevents Stubby from working. I'll continue to analyze. I may have to install 384.11 beta to see how the DoT updates to the firmware are handling this. But I suspect most users will move away from the Stubby installer and upgrade to the native DoT built into the firmware, and use of the Stubby installer script will fade away.
Thanks again!
In which jffs would I put the selective routing scripts?
This is probably too much for me to perform.
My aim is that the router traffic goes through the VPN, so that the router services which I have installed (such as Aria2) go through the VPN, and that I can choose which devices should go through the VPN.
I might have found another solution. Would you mind helping me by saying whether this is correct?
- I have looked around at some other of your posts in the forum and found the following scripts (code below) which I put in /jffs/scripts/firewall-start.
- I also set up Policy Rules in the GUI with the following settings
Router 192.168.1.1 go through VPN
Lan 192.168.1.0/24 go through VPN (with this setting all devices now go through the VPN).
Subnet VPN server 2 10.16.0.0/24 goes through VPN
With these settings and with the script, I have managed to get an OpenVPN connection while the VPN Client is running. Many thanks again for your vast knowledge of this topic! If I understand correctly, I am connecting to my VPN server through WAN in and VPN client out. [Edit] Darn it. For some reason I cannot connect to my router GUI while connected to the VPN server. And when downloading with Aria2, downloads continue after the VPN client is deactivated, thus not working as planned.
Code:
#!/bin/sh
# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE
If you have routed ALL outbound router traffic via the VPN, then any inbound request via the WAN will never receive the reply.
(You can of course use an iptables rule together with an RPDB rule to ensure OpenVPN Server Port 1194 (assuming default) traffic is ALWAYS sent via the WAN!)
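The iptables-plus-RPDB pin mentioned in the parenthesis, as an added example (not @Martineau's code and not from this thread): the router's own replies from the OpenVPN Server port are marked in the mangle OUTPUT chain and an ip rule sends marked packets to the main table, where the WAN default route lives, so an inbound connection from the WAN still gets its answer even when all other router traffic is policy-routed into the VPN client. Assumptions: the server listens on UDP 1194 (the default, as the post says), the mark 0x8000/0x8000 is free for this purpose, and priority 9990 sorts before the firmware's VPN client policy rules. The functions print the commands rather than running them unless asked, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example: keep OpenVPN Server replies on the WAN while router traffic
# is policy-routed via a VPN client. Port, protocol, mark and priority are
# assumptions and can be overridden from the environment.
SERVER_PORT="${SERVER_PORT:-1194}"
SERVER_PROTO="${SERVER_PROTO:-udp}"
WAN_MARK="${WAN_MARK:-0x8000/0x8000}"   # fwmark meaning "route via main table"
RULE_PRIO="${RULE_PRIO:-9990}"          # must sort before the VPN client rules (assumption)

# Print the commands that add (mode=add) or remove (mode=del) the pin.
wan_pin_commands() {
    case "$1" in
        add) ipt_op="-I"; rule_op="add" ;;
        del) ipt_op="-D"; rule_op="del" ;;
        *)   echo "usage: wan_pin_commands add|del" >&2; return 1 ;;
    esac
    # Router-generated packets with the server's source port get the WAN mark...
    echo "iptables -t mangle $ipt_op OUTPUT -p $SERVER_PROTO --sport $SERVER_PORT -j MARK --set-mark $WAN_MARK"
    # ...and the RPDB sends marked packets to the main table (WAN default route).
    echo "ip rule $rule_op fwmark $WAN_MARK table main priority $RULE_PRIO"
}

# Run (or, with DRY_RUN=1, only show) the generated commands in order.
apply_wan_pin() {
    wan_pin_commands "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Usage on the router:  DRY_RUN=1 ./wan_pin.sh add   (review)   then   ./wan_pin.sh add
if [ -n "${1:-}" ]; then apply_wan_pin "$1"; fi
```

Because the pin matches on source port only, the MASQUERADE pass-thru rule from earlier in the thread is untouched: clients inside the server subnet still exit through the VPN client, while the tunnel's own UDP 1194 packets go back out the WAN they arrived on.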
However, the easy method is to run Aria2 on a dedicated LAN device e.g. NAS, then simply include the IP of the Aria2 device in the Selective Routing GUI for the VPN Client.
Alternatively, there is a thread where Transmission is installed on the router, and the trick is to bind Transmission to an alias IP, and the alias IP is then simply added to the Selective Routing GUI for the VPN Client.
NOTE: I have no need to use Transmission/Aria2/Torrents either obfuscated via VPNs or not, but decided to RTFM.
Fortunately, it appears that Aria2 allows a (similar) command line technique to bind Aria2 to an interface such as a VPN client (so will also probably work if specified in '/opt/etc/aria2.conf' ?)
Many thanks once again for your teachings and explanation. I do agree with you that (for this reason) that it would be easier to have aria2 on a specific device rather than connected to the router itself. Unfortunately I am very happy with having my NAS connecting to the router for now.
I also found the Transmission thread and unfortunately I have tried to apply it to aria2 without success. So I am not sure if it is easier.
It does address the requirements as you say if one uses aria2 with the command as above. I tried your download script aria2..... --interface=tun11 which worked.
Unfortunately, I use aria2 through Debian with the aria2 GUI at 192.168.1.1:81/aria2. https://hqt.ro/aria2-download-manager-through-debian/
I tried to put interface=tun11 as well as interface=192.168.50.10 in the aria2.conf, but when doing that I can no longer connect to the aria2 GUI. It says I cannot connect to the aria2 RPC server.
In my installation I find the aria2 GUI at 192.168.1.1:81/aria2, but if I understand the documentation, the GUI port for aria2 is actually 6800.
What would be the best step to take here?
Is it to bind port 6800 to the VPN client? Sorry it is quite late and I am not coming up with any great options right now. Again many thanks for your time.
@Martineau
Ok, so I now downloaded Transmission and it works behind the VPN server.
I posted my question regarding aria2 webui on GitHub to see if they have an answer why I cannot connect to the RPC server when adding interface=tun11 in aria2.conf. That question is not really valid for this thread.
I suppose one way to solve connecting to the RPC server on port 6800 would be to put port 6800 to tun11.
Since I have not used selective routing before, could you please explain how I am to use your script in #32 above?
- Where do I put it ./VPN_PortSelect.sh -h?
- How would I type a VPN_Portselect for port 6800 on my NAS to be routed via VPN client 1?
I feel kinda lost on this topic, but if your hp-envy14 device is connected to your router via USB I might have an idea what that row will look like.
Again many thanks for sharing your knowledge about this topic.
I've been messing around with this for a few days now and I cannot figure it out... Naturally I'm trying to connect from my Android device via OpenVPN --> my router (Asus Merlin) --> my vpn provider --> internet. The function supplied by @Martineau isn't working for me, I've gone through this entire thread at least ten times now trying to figure out why. I've connected to my router through ssh using PuTTY and typed it in the command line "iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE" but I don't understand how to diagnose why this isn't working (though I've done enough research by now to know why this should work ). I've typed in "iptables -t nat -L" and have found that the policy is administered, but it just says the destination is "anywhere" so I have no idea if my OpenVPN connection from my Android phone to my router is actually routing through my VPN provider's 'tun11'. I proved this to myself by using a dns leak website, which shows my router's IP and not my VPN provider's IP.
I am an extreme novice in networking, the only reason I want to do this is to use my PiHole on my phone away from home while also using my VPN provider... Do I need to do anything specifically to the server.conf files (either the client or vpn service provider) or apply specific settings in Merlin? I've had to have spent 15 hours trying to figure this out by now... Thanks in advance to anyone who can help.
If I understand correctly, the command line allows your VPN server to go through your VPN client. It does not automatically route the traffic that way though.
You also need to do the following in the router GUI.
- Change to policy rules for your VPN Client. There you can add which LAN IP addresses should use your VPN client. Add the subnet for your VPN server 1 to go through the VPN client. It is most likely 10.8.0.0/24 if you have not changed it. The "24" at the end will make sure every device connected to VPN server 1 will go through your VPN client.
Reboot and test again.
This works for me.
I swear I have done all that. My VPN client and server are 100% on different subnets, I've enabled routing through the Merlin GUI, and I've written the command supplied verbatim. I don't have the skill set to diagnose what the issue is... I think the issue might be the traffic coming back to the device. If it comes back with a different IP due to the router's DHCP Server (or if the VPN client changes it), then I don't think it will read on my independent OpenVPN server... I have no idea how to do this. I tried using the route command "route my_router_ip my_router_mask" in my server's .ovpn file but it didn't work...
Yup so I literally have no idea what is happening. I guess if someone knows why let me know, but otherwise it probably isn't worth your time to help an extreme novice at networking out . Thanks!
Hmm. Not really sure which command you are referring to by verbatim. He has 1 post in this forum which is not about this topic.
Kind of hard to follow your steps.
Unfortunately it does not really come back with a different IP. Either the VPN server goes through the VPN client or it does not.
It took me some time to figure this out as well. But with great help I got it to work and I now have two VPN servers going through two different VPN clients.
If everything is correct in the WebUI and you are seeing your WAN IP when you are connected to your VPN server, it does sound like you forgot to execute the script.
Look through the following to make sure it is correct!
Did you save this code in /jffs/scripts/firewall-start?
(Just copy-paste)
Code:
#!/bin/sh
# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE
And afterwards made /jffs/scripts/firewall-start executable by typing:
Code:
chmod a+rx /jffs/scripts/firewall-start
If you have the correct settings for the VPN client (policy rules with VPN server subnet going through the VPN client) in the WebUI then you just need to reboot your router.
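A quick way to confirm both halves of the setup described above (the NAT pass-thru rule and the Policy Rules entry for the server subnet) rather than eyeballing `iptables -t nat -L`, which only shows "anywhere" as the earlier post noted. This is an added example, not a script from the thread; it reads `iptables -t nat -S POSTROUTING` and `ip rule show`, whose output is greppable. Assumptions: VPN Client 1 is tun11 and its routing table is named ovpnc1 (Merlin's naming); the sample outputs embedded below are constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example: verify the pass-thru MASQUERADE rule and the policy-routing
# rule for the OpenVPN Server subnet. Assumptions: client 1 = tun11, table ovpnc1.

has_passthru_rule() {
    # $1 = subnet (e.g. 10.8.0.0/24), $2 = client interface;
    # stdin = output of: iptables -t nat -S POSTROUTING
    grep -q -- "-A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

has_policy_rule() {
    # $1 = subnet, $2 = routing table; stdin = output of: ip rule show
    grep -q -- "from $1 lookup $2"
}

check_passthru() {
    # $1 subnet, $2 client interface, $3 table, $4 nat output, $5 ip rule output
    subnet="$1"; client_if="$2"; table="$3"; nat_out="$4"; rule_out="$5"
    status=0
    if printf '%s\n' "$nat_out" | has_passthru_rule "$subnet" "$client_if"; then
        echo "ok: MASQUERADE pass-thru for $subnet via $client_if"
    else
        echo "MISSING: iptables -I POSTROUTING -t nat -s $subnet -o $client_if -j MASQUERADE"
        status=1
    fi
    if printf '%s\n' "$rule_out" | has_policy_rule "$subnet" "$table"; then
        echo "ok: policy rule routes $subnet via table $table"
    else
        echo "MISSING: no ip rule sends $subnet to $table (add the server subnet under Policy Rules)"
        status=1
    fi
    return $status
}

# Constructed sample outputs (what a correctly configured router would print).
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_RULES='0:	from all lookup local
10101:	from 10.8.0.0/24 lookup ovpnc1
32766:	from all lookup main'

# Live use on the router (uncomment):
# check_passthru "$(nvram get vpn_server1_sn)/24" tun11 ovpnc1 \
#     "$(iptables -t nat -S POSTROUTING)" "$(ip rule show)"
```

If the first line reports MISSING after a reboot, firewall-start did not run (check it is executable and has the #!/bin/sh line); if only the second is missing, the GUI policy rule for the server subnet was not saved or the client is not in Policy Rules mode.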