Problems accessing home network from external networks.

[Shaggy1]

Hi

I have been trying to setup things up so I can access a web server running on my home network from external networks and also trying to figure out what is happening to the traffic under different circumstances.
I was wondering someone may be able to help me interpret/debug what I am seeing.

Network Setup:
==============
I have a Netgear Nighthawk dd-wrt router on which I have configured NAT such that I can access the ipaddress/port my server is running on.

I have a VPN client running on the router and use an external VPN supplier to encrypt traffic,. The dns server on my router is configured as the ip address of my pihole dns server which in turn is configured to use my vpn dns servers. So outgoing traffic goes via the VPN server before being forwarded to my ISP. For the puposes of testing connections I have also enabled WAN ping on my router.

Externally I have registered a DN whose AAA record points to the WAN ip address of my router.

(As a side note: I have setup letsencrypt to provide CA signed certificate to allow use of https)

With this setup I see the following:

From a laptop within my local network:
--------------------------------------------------------------------------------
I can ping the WAN ip address of my router.
I can accesss my webserver using my DN

From a laptop on neighbour1s network who uses the same ISP as me:
--------------------------------------------------------------------------------
I can ping the WAN ip address of my router and when I do (at least if my interpretation of tcpdump packets is correct - which it may well not be) I see icmp traffic come in on my WAN, and going out of
both my routers vpn tunnel interface and my routers WAN interface. I do receive replies.
I can access my webserver using my DNort from a browser


From a laptop on neighbour2s network who uses a different ISP (vodaphone):
-----------------------------------------------------------------------------
When VPN is enabled:
I cannot ping the WAN ip address of my router. I can see icmp packets received on the WAN interface of my router. I see also (I think - above tcpdump caveat) the icmp reply packets go out on the vpn tunnel interface. I see no icmp packet replies go out on the routers WAN interface. I receive no replies back at the laptop.
I cannot access my webserver using my DN/port from a browser.

If I disable the VPN:
I can ping the WAN address of my router. I see icmp packets received at my WAN and replies transmitted through my WAN interface. (vpn tunnel itf does not exist!)
I can acccess my web server using my DN/port from a browser.


From a phone using 02 network with VPN enabled and disabled:
--------------------------------------------------------------------------------
When I attempt to accesss my webserver using DN/port from a browser I get a message:
"This site cant be reached
refused to connect
ERR_CONNECTION_REFUSED"

Has anyone got a possible explanation for these observations ?
Does anyone know how I might be able to chenage things so I can access my web server from anywhere ?

 

[Crimliar]

Maybe my making a mess of this will motivate one of the hyper-knowledgeable members to come to your rescue.
So you probably want to be running a VPN server on the router, not a client that connects to a remote provider! When you remotely use the DDNS to find your WAN IP it'll give IP address from your ISP, not the one connected to the tunnel your router is sending its data through. So you initiate a remote connection direct to your router, and your router sends the info not back to you directly but through the VPN (appears as a different IP address to the client). In a perfect world, your remote device would probably reject that data as a security risk. But the world isn't perfect, and on O2 (UK I presume) you'll also be using CGNAT (Carrier Grade Network Address Translation) and now the data you are receiving is technically a "mess"!
Run a VPN server on the router (WireGuard usually makes Mince meat of CGNAT) and a VPN client on your remote device, and it'll all probably work!

 

[Shaggy1]

Thank you very much for your reply. I was certainly getting a bit confused about what was going on.

> So you probably want to be running a VPN server on the router

Yes I suspected I might need to do that - a bit of inertia there since I'll need to upgrade my firmware to do so.
Also not sure how this would work with outgoing data connections initiated from with in the LAN (which use an external supplier).
Do I/Can I run client for external supplier (in my case NordVPN) as well as a vpn server on my router ?

Since having a vpn server would require a client to be running on the connecting device (which is generally what I would want), to allow general access for a particular webserver/port in my LAN do you know if it is possible to (and if it would work) tell the router (in the vpn client conifg ?) not to use vpn for a specifc ipaddress/port number ?

 

[cptnoblivious]

1. Setup your router to be the VPN Server you connect to
2. This has no impact to traffic outbound
3. You will need a client that matches the VPN Server configuration (i.e. if running OpenVPN, get an client the OS you are using to connect from and install on the remote client, if running wireguard get a wireguard client etc)

The last question about port number I don't quite understand. The situation will be:
-You are remote and want to connect to the home network via VPN
-On your remote system, you start the OpenVPN / Wireguard client.
-You have configs that come from the VPN Server, with the IP(or DDNS name) and port number
-You run the client on the remote system, now all your traffic is going through your home Network. If you dont' want that anymore, you disconnect the remote client

Edit to add: Read your Routers manual for how to set up the VPN server. Hopefully they also explain how to configure the client and where / how to get the configuration files

 

[Shaggy1]

Ok. Thank you very much for the information. I am currently loooking at how to configure openvpn server on my router. (I know it can be done, but do not know how to configure it at the moment)

> The last question about port number I don't quite understand.
I was wondering if it was possible to use some sort of policy based routing in the vpn client configuration to route traffic from my web server directly through my ISP (router WAN) rather than through the vpn (but leave all other traffic going through the vpn). And whether if I did do that if the web server traffic would then be received correctly ?

 

[Clark Griswald]

@Shaggy1
OVPN how to set up on Asus Router

RMerlin VPN Director is where you can use your policy based rules.

 

[ColinTaylor]

@Shaggy1
OVPN how to set up on Asus Router

RMerlin VPN Director is where you can use your policy based rules.

@Clark Griswald He doesn't have an Asus router, he's using Netgear Nighthawk running DD-WRT.

 

[Clark Griswald]

@Clark Griswald He doesn't have an Asus router, he's using Netgear Nighthawk running DD-WRT.

My Mistake.

 

[Shaggy1]

Apologies for the late reply - tend to be very busy over the summer, so do not get much time.

Just to say I have set up policy based routing on my dd-wrt router such that ipaddress/port I use for my web server bypasses the VPN and that seems to work fine.

I am currently looking at moving to WireGuard client with my VPN provider and after that will ssee aboout tacling running a wireguard server (which at first sight looks a little complicated).

Thank you again for your help.