Run OpenVPN Client and server at same time?


jra505

Occasional Visitor
Hi,

I've got my R7800 loaded with Voxel's firmware V1.0.2.76.1SF and Kamoj's add in (14th December 2019 version).

Up until recently, I was using the stock firmware.

I like to be able to use the VPN server function of the router, so that I can connect to my home network when I am away.

Since installing Voxel's firmware and Kamoj's add on, I've been playing around with the VPN Client function. I've got a NordVPN account, and with a little bit of help from @kamoj himself I seem to have got it working correctly.

What I would like to be able to do, and so far have failed, is to connect to my home network via the VPN server function whilst the router is connected to one of NordVPN's servers via Kamoj's add in.

If I have the router connected as a client, then it seems as though I cannot then remotely connect to it as a server. Should this be possible?

If so, what other steps do I need to take?

Any help would be much appreciated.

Thanks,

jra505
 
Enabling the VPN Client shouldn't have changed your ability to connect to the OpenVPN Server on the router. :)

How exactly are you doing this and making it fail?
 
I guess if VPN client is active, then the router only accepts inbound traffic also through the tunnel.
So probably you'll need some kind of split-tunnel configuration for the VPN Client, where VPN Server traffic is kept out of the VPN Client tunnel. Perhaps with Kamoj's add-on this can be arranged?

I'm planning to also look into this, but haven't gotten around to it.
 
Enabling the VPN Client shouldn't have changed your ability to connect to the OpenVPN Server on the router. :)

How exactly are you doing this and making it fail?

It's a special talent I've got :)

I'm not sure what I'm doing wrong. To get the server to work, I generated an ovpn file (for Android) from the router's VPN Service page, and loaded it into the OpenVPN app on my phone. It works fine.

To get the OpenVPN client to work, I got a bit of help from @kamoj and configured it to use my NordVPN account credentials. After following Kamoj's advice, I changed my router's DNS servers from "Use the ISPs" to the ones specified in this post:

https://www.myopenrouter.com/article/how-set-openvpn-client-netgear-r7800-voxels-custom-firmware

Again, following Kamoj's advice, I enabled DNScrypt V2.

It works fine.

The issue arises when I try to connect to the VPN Server when I've already got the client active. The OpenVPN app on my phone eventually times out and says it cannot connect. As soon as I close the client down, the phone will then happily connect.


jra505
 
Just wanted to say that I yesterday also enabled OpenVPN client and I also have the same issue.
If OpenVPN Client is active, then my iPhone can no longer connect to the OpenVPN server.
Also I can no longer reach my webserver (via port forwarding).

Still my suspicion: traffic from my iPhone to my public IP is routed directly and probably still accepted by the firewall (didn't check yet though), but the reply to that traffic will then be routed through the outbound VPN tunnel. And usually this breaks TCP traffic.
(so perhaps people who use the OpenVPN Server in UDP mode have no issues with this?)

I'll have a closer look this weekend.
 

Thanks for taking a look at this - and glad it's not just me.

Will be interested to find out how you get on, many thanks!

jra505
 
@R. Gerrits, to eliminate any iPhone/apple wonkiness, can you test with another computer instead?

Does it make a difference which OpenVPN client you use (1, 2, 3, etc.)?

Are you testing via cellular data or when connected to any other network other than your own? :)
 
Did some testing from a Windows server in MS Azure, with a public IP assigned:

OpenVPN server enabled & OpenVPN client disabled
and a port-forwarding for port 80 to an internal web-server:

From AzureVM I can do .\psping.exe -t <public_ip_of_router>:80 and that gets a response.
From AzureVM I can also start an OpenVPN tunnel to my router (and then ping the internal ip of the router.)

Next I also enabled OpenVPN client:
As expected (because of wrong routing) psping command now gives a timeout and OpenVPN can also no longer connect.

To correct the routing, on the router I did:
/usr/sbin/ip rule add to <public_ip_of_AzureVM> table novpn
(the table novpn is something Kamoj's addon has created for the VPN Bypass; all traffic to that table is routed via the WAN interface, instead of via the VPN tunnel)

Immediately after that command, both the psping command and OpenVPN connecting started working again.
So this proves it is a routing issue.
But unfortunately, for most this is not a solution, as we don't know the public IPs that need to connect to OpenVPN or the port-forwarded resources.

Next attempt:
Remove the routing rule above, confirmed that connections no longer work and added my NAS (to which port 80 is forwarded) as a VPN bypassed device.
Result: psping is working again.
So partial success.

So next step, via ssh, I added 192.168.1.1 (my private router IP) to the bypass list.
Bad idea, as after that, all the traffic from that IP is only routed to the internet, so I lost my ssh connection and couldn't reach my router any more.

Rebooted the router, modified Kamoj's addon_bypassvpnip.sh script so that the table novpn now looks like this:
Code:
default via 94.213.xxx.1 dev brwan
192.168.1.0/24 via 192.168.1.1 dev br0
192.168.2.0/24 via 192.168.2.1 dev tun0
and again added 192.168.1.1 to the bypasslist.

This time my ssh session stayed alive,
but an OpenVPN connection from AzureVM is still not possible,
and curl -silent https://whatsmyip.com |grep shownIpv4 still shows the public IP of my VPN provider.

Also tried adding <public_ip_of_router> and 127.0.0.1 to the bypass list, but that also has no effect.
So somehow the router itself is ignoring the policy based routing for some of its processes.

to be continued...
 
I have some success now:
The issue was that in the kernel routing table (/sbin/route -n) the routes for the VPN tunnel were also present, with the same metric as for my normal WAN route:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.21.xxx.1     128.0.0.0       UG    0      0        0 tun21
0.0.0.0         94.213.xxx.1     0.0.0.0         UG    0      0        0 brwan
128.0.0.0       172.21.xxx.1     128.0.0.0       UG    0      0        0 tun21
As the 0.0.0.0/1 and 128.0.0.0/1 are more specific than the 0.0.0.0/0, they are preferred.
(still don't fully understand why "ip rule to <destination-IP>" is overruling the kernel routes, while "ip rule from <source-IP>" isn't)

I now turned Kamoj's VPN-bypass function around:
I remove the two VPN routes from the kernel routing table.
So all traffic by default goes directly to the internet.
Next I create a new routing table for routing outbound traffic through the VPN tunnel.
And then I use policy based routing to assign that vpnroute table only to specific devices.
(ip rule add from <ip-address> table vpnroute)

Now the next challenge, can I also script these changes so that it happens automatically?

My eventual goal: use policy based routing to only route specific traffic from a specific device through the VPN tunnel.
My NAS runs a webserver exposed via port-forwarding -> this traffic must not go through the VPN tunnel.
But occasionally it also runs transmissionbt -> that traffic I do want to go through the tunnel.
 
Again a small update:
Now I also managed to get my desired end goal.
Using iptables rules (in /opt/scripts/firewall-start.sh) I can now mark traffic from or to certain IP addresses and ports,
and depending on the mark, I use ip rule add fwmark to route it either directly to the internet or through the VPN tunnel.

Only thing that doesn't seem to work:
if I connect my iPhone to OpenVPN (via tun0) I can access all my internal resources without issues.
But if traffic to the internet then has to again go via the outbound VPN, it doesn't work. I'm guessing it is a DNAT/MASQUERADE kind of issue, but I didn't look into it further as I have no use case for that scenario.
(From Windows (using tap0) this does work, but then the device is basically part of br0 (has a LAN IP).)

@jra505, what would be your use cases for having both client and server active at the same time?
 

Hi

Thank you so much for going to so much effort on this. It's truly appreciated.

The reason why I asked about the possibility of doing this is thus:

I've got a harddrive attached to my router which contains music and movies, and I always like to be able to access this harddrive even when I am away e.g. when we are away on holiday and the kids would like to watch one of their movies. In the past, I've done this using FTP and whilst it has worked fine from an access perspective, it's clearly not sensible from a security perspective. Another thing I used to do, was to keep the FTP server deactivated most of the time and only activate it when needed by remotely logging onto the router, and then deactivating it when finished. But I've also recently been told that leaving remote access on is also a bad idea, so I've now turned that off also.

So the way I do it now is this - I've activated the VPN service on the router so that when required I can connect my phone or laptop to my home network remotely, FTP to the local address of the harddrive and access the files I want. I assume this is a more secure way of accessing the harddrive than FTPing into it using the Internet.

But, since I installed the @kamoj add in, I've been playing around with the VPN client option and I like the idea of "hiding" my network by keeping it more or less constantly behind a VPN.

Trouble is, if I activate the VPN Client and that becomes the "norm", the next time I go away somewhere (not likely for a long time given the circumstances!) will I be able to access the files on my harddrive?

That was the reason for my initial question. One of the first responses, from @L&LD, implied that it should just work and that I must be doing something odd for it to be not working, however your efforts have shown that it is not trivial at all.

I know that there are other ways to access files remotely, using a NAS or cloud storage, I get that, but I'm loath to spend more money on additional equipment or services if I can do what I want to do with what I've already got.

Many thanks for all your help!

jra505
 
Also managed to fix the bug that prevented my iPhone from accessing internet via outbound OpenVPN server, while being connected to OpenVPN client.

And I cleaned up my scripts a bit, and made it so that it reads the port based exceptions from files.
one file with entries that always must go directly to internet.
one file with entries that always must go via VPN (and optionally these last are also blocked so that traffic is dropped if VPN client connection is down)

If you know your way around in Linux a bit, then I can send you the changes, so that you can also test it.

@kamoj, it would be nice if we can somehow incorporate it into your addon. What do you think?
What it still needs is a way to persist the settings in the above mentioned 2 files in nvram (for now I placed them in /etc)
And a way to edit those files in the GUI.
 
First I must thank you on behalf of everyone here for your excellent job and support!:)

Just PM me the details, and I'll have a look at it.

For now I'll release an update of the beta including bugs you and others found, and a new function!
 
Don't know if this is relevant. I have OpenVPN running, but I can access my CCTV cameras on my iPhone when I'm away from home.
 
I guess this entirely depends on the kind of CCTV cameras.
Some establish an outbound connection to a server of the vendor. And your phone initially also connects to a server of the vendor.
And then those two sessions are "tied" together.

In that case, there is no issue at all. In this case, you probably also didn't set any port-forwarding in the router.

If you have cameras that do require port-forwarding, then things become a lot more complex if you want to achieve this via the VPN. Because then also your VPN provider should provide you with the option to apply port-forwarding.
 
If you know your way around in Linux a bit, then I can send you the changes, so that you can also test it.

I don't really know my way around it at all I'm afraid - thanks for the offer, but I fear that the amount of assistance that I'd need would end up with me being more of a hindrance than a help :)

Thanks for all your efforts - hopefully your solution will appear in a forthcoming version of Kamoj's add in.
 
I guess this entirely depends on the kind of CCTV cameras.
Some establish an outbound connection to a server of the vendor. And your phone initially also connects to a server of the vendor.
And then those two sessions are "tied" together.

In that case, there is no issue at all. In this case, you probably also didn't set any port-forwarding in the router.

If you have cameras that do require port-forwarding, then things become a lot more complex if you want to achieve this via the VPN. Because then also your VPN provider should provide you with the option to apply port-forwarding.

I think you're right.
It's done with automatic port mapping, device domain name and DDNS. No port forwarding in the router.
 
Hi R. Gerrits, I have a similar wish and maybe I can benefit from the work you've done. I have Voxel on Orbi, but not the Kamoj add-on. I would like to run the OpenVPN client, but only route traffic from Transmission through it. All the other traffic should go through the regular internet interface.

I was looking at the openvpn-client init script, which then calls the net-wall script (it looks like it's written by @kamoj? ) and has a specific section for openVPN:
Code:
# iptables rules for OpenVPN client
if [ -f /var/run/openvpn-client.pid ]; then
    iptables -I INPUT -i tun21 -j ACCEPT
    iptables -I OUTPUT -j ACCEPT
    iptables -I FORWARD -i tun21 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun21 -j ACCEPT
    iptables -I FORWARD -i tun21 -o br0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o tun21 -j MASQUERADE
fi

My instinct is to just remove all lines for tun21 and then add a simple line to route all Transmission traffic through it. Something like this:
Code:
# iptables rules for OpenVPN client
if [ -f /var/run/openvpn-client.pid ]; then
    iptables -I INPUT -i tun21 -j ACCEPT
    iptables -I OUTPUT -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner vpnroute ! -o tun21 -j REJECT
    # do I need the line below?
    iptables -I FORWARD -i tun21 -j ACCEPT
    # do I need the line below?
    iptables -t nat -A POSTROUTING -o tun21 -j MASQUERADE
fi

and then start Transmission with the vpnroute group (which I previously added to the system).

This is based on what I see at https://askubuntu.com/questions/37412/how-can-i-ensure-transmission-traffic-uses-a-vpn#205510

I haven't touched iptables in 10+ years ;)
 
Unfortunately it is not that simple.
Iptables is for firewalling, and not for routing.

The moment you start the VPN client, it adds a few routes to your routing table.
And then all traffic towards the internet is routed via the VPN tunnel.

You can see that for instance via ip route show table main

To be able to bypass the VPN for some traffic (or force the VPN for other traffic), you need to add an additional routing table, for routing traffic directly via the WAN interface, instead of via the VPN tunnel.

And then using ip rule add commands you can control which traffic is routed via the main table (i.e. using VPN) or which traffic is routed via that newly added table (i.e. going directly to internet).

In your case, you could then route all traffic coming from interface lo & br0 (the router itself and the LAN) via the new table.

Via an iptables rule (with that option -m owner --gid-owner vpnroute) you can mark the traffic from Transmission.
And because iptables is then marking that traffic, you can use ip rule add fwmark command to force this traffic via VPN.
And indeed you can also reject Transmission traffic if the VPN tunnel is down.


btw it is better to put your own iptables rules in /opt/scripts/firewall-start.sh (this is also executed from net-wall)
(and if you'd have that location on an USB stick, then your changes would persist after a firmware update).

I'll PM you some code that should do the trick.
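The routing table, ip rule and iptables steps described in this reply (and in the earlier fwmark update in this thread), written out as an added example script; this is not R. Gerrits' or Kamoj's code. It assumes the interface names from the thread (brwan, br0, tun21), a vpnroute group that Transmission runs under, and a routing table id of 100 and fwmark 0x1 that are not otherwise in use; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not R. Gerrits' or Kamoj's script: the policy-based routing
# scheme from the thread as a /opt/scripts/firewall-start.sh fragment.
# Assumed names: WAN brwan, LAN bridge br0, VPN client tunnel tun21, group
# "vpnroute" for Transmission, free table id 100 and fwmark 0x1 (constructed).
WAN_IF="${WAN_IF:-brwan}"
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun21}"
VPN_GROUP="${VPN_GROUP:-vpnroute}"
TABLE_DIRECT=100   # "straight to WAN" table, consulted before main
MARK_VPN=0x1       # packets carrying this mark must use the tunnel
PRIO_VPN=100       # rule order: fwmark rule first, then the lo/br0 rules
PRIO_DIRECT=200

# run: execute the command, or only print it when DRY_RUN=1 so the rule set
# can be reviewed (and tested) without root or the router's interfaces
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# wan_gateway: the 'default via X dev brwan' gateway from the main table; the
# tunnel's 0.0.0.0/1 and 128.0.0.0/1 halves do not match "default", so they are
# skipped. WAN_GW can be preset, e.g. for a dry run.
wan_gateway() {
    if [ -n "${WAN_GW:-}" ]; then echo "$WAN_GW"; return; fi
    ip -4 route show table main |
        awk -v d="$WAN_IF" '$1=="default" && $4=="dev" && $5==d {print $3; exit}'
}

apply_policy_routing() {
    gw=$(wan_gateway)
    # 1. Second routing table whose only route is the plain WAN default
    run ip route replace default via "$gw" dev "$WAN_IF" table "$TABLE_DIRECT"
    # 2. Marked traffic keeps using main, where the two /1 tunnel routes beat
    #    the /0 WAN route on prefix length; this rule must come first
    run ip rule add fwmark "$MARK_VPN" lookup main priority "$PRIO_VPN"
    # 3. Everything else originated by the router itself (lo) or the LAN (br0),
    #    OpenVPN server replies and port-forwarded NAS replies included, goes
    #    straight out the WAN
    run ip rule add iif lo lookup "$TABLE_DIRECT" priority "$PRIO_DIRECT"
    run ip rule add iif "$LAN_IF" lookup "$TABLE_DIRECT" priority "$PRIO_DIRECT"
    # 4. Mark locally generated packets owned by the vpnroute group; the kernel
    #    re-routes a packet whose mark changed in mangle OUTPUT
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$VPN_GROUP" \
        -j MARK --set-mark "$MARK_VPN"
    # 5. Kill switch, inserted at the top because net-wall's blanket
    #    '-I OUTPUT -j ACCEPT' would otherwise shadow it: marked packets may
    #    only leave through the tunnel, so they are rejected while it is down
    run iptables -I OUTPUT -m mark --mark "$MARK_VPN" ! -o "$VPN_IF" -j REJECT
    # 6. Tunnel egress is NATed to the tunnel address
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}
# Preview: WAN_GW=<gateway> DRY_RUN=1 sh firewall-start.sh apply
if [ "${1:-}" = "apply" ]; then apply_policy_routing; fi
```

Check the result with ip rule show and ip route show table 100; the rules are added, not replaced, so flush them before re-running the script.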
 
