Simultaneous VPN Server and VPN Client

[Soulsearcher]

Indeed, it is the /run directory that doesn't seem to exist.
I do let it start up automatically at boot time and I do not want this to change (too convenient .

So I will adapt the script and put it under /tmp and try further.

I use the latest firmware for the RT-AC86U : 384.12 release.
It does act a bit weird I must say. Menus not loading properly since the update. But a refresh always solves it. But if I understood it is just one guy behind this software, so all my respect and I can live with the occasional glitch.

And now to my further testing of your work

 

[eibgrad]

Indeed, it is the /run directory that doesn't seem to exist.
I do let it start up automatically at boot time and I do not want this to change (too convenient .

I only meant for testing purposes, to help confirm this is indeed the problem. As you can see, that subdirectory is filled w/ the pid's of many other processes. I find it hard to believe the OpenVPN client gets started so early, before *any* of these other processes need the same directory structure, that it's not been created already by the time the OpenVPN client starts.

But if that proves to be the case, then guess I could modify the script to use /tmp/vpnclient.pid. I was just trying to be consistent w/ the rest of the system.

 

[Soulsearcher]

That's odd. Normally anything under /tmp is read/write for you or any process. I just ran it here (using 384.12 beta) and it runs fine. Before the OpenVPN client starts, I can even ran the following commands and it works fine (reports back 000).

echo 000 >  /tmp/var/run/vpnclient.pid
cat /tmp/var/run/vpnclient.pid

The only thing I can guess is maybe the entire directory structure (/tmp/var/run) isn't available in all cases by the time the OpenVPN client starts, esp. if you have the OpenVPN client setup to "automatically start at boot time". But that still seems unlikely.

What happens if you do NOT use "automatically start at boot time", but just let the system come up, then turn the OpenVPN client ON (thus giving the system more time to establish the /tmp/var/run directory structure)?

Frankly, it doesn't matter where the pid is stored, so you could try changing the script and custom config to use /tmp/vpnclient.pid, so you avoid the issue of the entire directory structure not being available, if that indeed is the problem.

But as I said, it runs fine over here. Doesn't make sense unless something changed between the 384.12 beta and 384.12 release, which doesn't seem likely either.

Btw, which release of the firmware are you using?

So I changed the code to "tmp/vpnclient.pid" and everything works... I guess... as I realize that I do not know how to check this next or even use it.
I have found a helping hand on "https://www.yougetsignal.com/tools/open-ports/" and it states that my port 80 IS OPEN !
Maybe it doesn't work as I didn't allow WAN access to my Router GUI? (but this is only supported in https anyway, so different port).

I also see in your code that a lot of "echos" are foreseen. But where to find those (or do I do not really need them at this stage)?
I have checked the system log of the router.

Next I tried to open port 1194 through changing the port in the "services-start" file and rebooted. Unfortunately a check via the "yougetsignal" website indicated that the port was CLOSED.

Can you give me some clues on what to try?
And what should I do next in order to make the access to the OPENVPN server on my NAS work?

 

[eibgrad]

So I changed the code to "tmp/vpnclient.pid" and everything works... I guess... as I realize that I do not know how to check this next or even use it.
I have found a helping hand on "https://www.yougetsignal.com/tools/open-ports/" and it states that my port 80 IS OPEN !
Maybe it doesn't work as I didn't allow WAN access to my Router GUI? (but this is only supported in https anyway, so different port).

By default, without any changes to services-start, the port forward is configured to access the router's GUI on the *LAN* side, NOT the WAN side. So the WAN's firewall is irrelevant. You should have at least been able to see your router's GUI come up and even login if you wanted to, just as if you had attempted to login to the GUI from any wired or wireless client on the LAN. Are you saying this didn't work?

Remember too, you have to use the VPN's external IP and the PIA assigned external port (NOT the internal port you specified in services-start) to reach the internal ip and internal port specified in services-start, and do it from outside the WAN of your router, perhaps on a smartphone, neighbor's wifi, etc.

The script publishes the VPN's external IP and PIA assigned external port at http://<router-lan-ip>/user/pia/ext_port_forward.html

I also see in your code that a lot of "echos" are foreseen. But where to find those (or do I do not really need them at this stage)?
I have checked the system log of the router.

Yes, there are a lot of echos, and some of them are intended to report what the router is doing, like indicating the external port if it was successfully opened. You can examine anything the script writes to the syslog by executing the following command from a shell (ssh).

cat /var/syslog.log | grep merlin-pia

Next I tried to open port 1194 through changing the port in the "services-start" file and rebooted. Unfortunately a check via the "yougetsignal" website indicated that the port was CLOSED.

And how did you check this? If that was through the WAN, it's going to see the WAN's public IP and report closed. It's only going to work if the request is made though the VPN tunnel so it sees the VPN's public IP.

Regardless what it reports, all that matters is if indeed you can access your NAS over the tunnel using the VPN's public IP and PIA assigned external port. Also, the ip (--ip) in the services-start script has to be changed to the internal IP of the NAS. I assume you did this too, but you only specifically mentioned changing the internal port (--port).

This gets a bit tricky because you have to keep in your mind the difference between what is specified in the services-start script (which are the *internal* ip and port of the port forward), vs. the *external* public IP and assigned PIA port. You use the latter (from say your smartphone on the cellular network) to gain access to the VPN provider's end of the tunnel, which then works it way over the tunnel to be forwarded by the former at the OpenVPN client.

So let's say the VPN public IP is 199.199.199.199 and PIA assigned external port is 55555, and the services-start ip is 192.168.1.100 and port is 1194, on your smartphone, you specify the following.

http://199.199.199.199:55555

 

[eibgrad]

P.S.

I used http in the example, but if this is to your own OpenVPN server, then obviously that IP and port would be specified on the remote OpenVPN client config.

Also, if the purpose of using the script is to gain access to an OpenVPN server, I'm not sure it's the most efficient means to gain remote access. Essentially you're running one OpenVPN tunnel inside another OpenVPN tunnel. The script is better suited to accessing a NAS, rdp server, etc., where you're NOT nesting tunnels. It's not that it won't work, but most consumer grade routers don't handle OpenVPN all that efficiently to begin with, and tunneling inside another tunnel *may* prove painfully slow.

 

[Soulsearcher]

By default, without any changes to services-start, the port forward is configured to access the router's GUI on the *LAN* side, NOT the WAN side. So the WAN's firewall is irrelevant. You should have at least been able to see your router's GUI come up and even login if you wanted to, just as if you had attempted to login to the GUI from any wired or wireless client on the LAN. Are you saying this didn't work?

Remember too, you have to use the VPN's external IP and the PIA assigned external port (NOT the internal port you specified in services-start) to reach the internal ip and internal port specified in services-start, and do it from outside the WAN of your router, perhaps on a smartphone, neighbor's wifi, etc.

The script publishes the VPN's external IP and PIA assigned external port at http://<router-lan-ip>/user/pia/ext_port_forward.html



Yes, there are a lot of echos, and some of them are intended to report what the router is doing, like indicating the external port if it was successfully opened. You can examine anything the script writes to the syslog by executing the following command from a shell (ssh).

cat /var/syslog.log | grep merlin-pia

And how did you check this? If that was through the WAN, it's going to see the WAN's public IP and report closed. It's only going to work if the request is made though the VPN tunnel so it sees the VPN's public IP.

Regardless what it reports, all that matters is if indeed you can access your NAS over the tunnel using the VPN's public IP and PIA assigned external port. Also, the ip (--ip) in the services-start script has to be changed to the internal IP of the NAS. I assume you did this too, but you only specifically mentioned changing the internal port (--port).

This gets a bit tricky because you have to keep in your mind the difference between what is specified in the services-start script (which are the *internal* ip and port of the port forward), vs. the *external* public IP and assigned PIA port. You use the latter (from say your smartphone on the cellular network) to gain access to the VPN provider's end of the tunnel, which then works it way over the tunnel to be forwarded by the former at the OpenVPN client.

So let's say the VPN public IP is 199.199.199.199 and PIA assigned external port is 55555, and the services-start ip is 192.168.1.100 and port is 1194, on your smartphone, you specify the following.

http://199.199.199.199:55555

OK, I understand it better now and I see I approached it in the wrong way. Especially your info on the port (and its publishing on "ext_port_forward.html" made me realize my errors.
Unfortunately it still doesn't work...
To be absolutely sure your "services-start" works, I made it executable through CHMOD A+RX (which you probably already tackled in your code). Nothing.

With more understanding I could dig in a different way.
I tried to find the published port html file, but couldn't find it (with "find . -name ext_port_forward.html"). So the code doesn't even get to point where it is generating the file (nor the directory).
Then I thought to check the logs with the command given, but the log file doesn't exist in the /var directory. 2 syslog.log files exist, one in /tmp folder and the other in /jffs folder. The system log in the GUI doesn't seem to give me feedback regarding your code.

Just to confirm:
Both your scripts are created in /jffs/scripts.
The "vpnclient.pid" is created and contains a number (checked with nano).

I am not giving up, but this is very frustrating.

 

[eibgrad]

It's frustrating for me too. I'm trying to post instructions on how to see the webpage itself in the underlying filesystem, and the forum won't let me post it!

The security system on these forums is way too sensitive at times. All I'm trying to do is show a cat command that dumps the webpage, and it won't let me.

When using the find command, don't use ".", since that means start at the current directory, and I have no idea where that is. Always use "/", the root directory, for a thorough search.

 

[Soulsearcher]

It's frustrating for me too. I'm trying to post instructions on how to see the webpage itself in the underlying filesystem, and the forum won't let me post it!

The security system on these forums is way too sensitive at times. All I'm trying to do is show a cat command that dumps the webpage, and it won't let me.

When using the find command, don't use ".", since that means start at the current directory, and I have no idea where that is. Always use "/", the root directory, for a thorough search.

Done the "/" but I was aware of the "." restrictions ;-)
File not found.
Sorry to disappoint.

I use SHA256, maybe that has an influence?

I also tried the "services-start" script in SSH command
"
/jffs/scripts/merlin-pia-port-forward.sh --ip 192.168.68.1 --port 80 --debug
"
And I get echo "info: nothing to do".

 

[eibgrad]

I also tried the "services-start" script in SSH command
"
/jffs/scripts/merlin-pia-port-forward.sh --ip 192.168.68.1 --port 80 --debug
"
And I get echo "info: nothing to do".

In order for it to run at the command line via SSH, you need to add the --exec option.

/jffs/scripts/merlin-pia-port-forward.sh --ip 192.168.68.1 --port 80 --debug --exec

 

[Soulsearcher]

In order for it to run at the command line via SSH, you need to add the --exec option.

/jffs/scripts/merlin-pia-port-forward.sh --ip 192.168.68.1 --port 80 --debug --exec

It executed without echo. Still nowhere ext_port_forward.html to be found.
Any other things I can try or should I switch to another solution?
I am also opening a ticket at PIA support. If that proves useful I will post it here.

 

[eibgrad]

Does a dump of the process table (ps command) show it running?

Remember too, it's only going to work if you run the script within the first two (2) minutes of the connection being established. So there's a timing issue here. That's one of the reasons I don't normally allow the script to run from the command line unless you provide the --exec option. It will be misleading if the connection is long since established.

At this point, I don't know how much more help I can provide. It runs fine here, even using the /tmp/var/run directory. Something else seems amiss w/ your config that I just can't identify. It would be one thing to have one or two problems, but you seem to have a slew of them.

 

[Thierry]

Hi everybody,

I'm quite a newby in such topic, but I know that before asking questions, I have to look at all posts to see if I find my answer, I did it and honestly, I've not been able to find the appropriate answer.
I have an asus AC68U router (latest firmware) and as lot of people, I have a VPN provider that I'd like to have permanently connected to my router (openVPN client) and I have also a openVPN server allowing me to acces from internet to my LAN. Independantly, everything is working well.

Problems come when I try to get both active at the same time, then nothing works :d as you can imagine.
From the different posts I saw, I understood that is due to a problem of routing the message when connecting to the server. I think that few rules needs to be set up within the router to fix that and have the correct routes installed but here, I do not know what needs to be done and how to do it.
I must admit that configuration through the router web interface would be much more easier for me knowing that I'm far to be a specialist of iptables, but if I need, I will do it.
I was looking for a kind of tuto that explains the differents steps but I didn't get it. As well, looking at all posts, I saw many things but not sure at all that was answering my small problem.

So if someone could be so kind to provide me a bit of help that I can get these 2 VPN working together and allowing me to connect to my private LAN, it would be marvellous.

In advance, huge thanks
Thierry

I am a complete novice in home networking. I am trying to learn but clearly need some help. I have managed the following: (1) installed Merlin on my ASUS RT-AC3200 router, (2) connected my router VPN client to my NordVPN service and confirmed that it's working (3) confirmed all my LAN devices are working (i.e. Netflix, Hulu, Amazon etc.) when connected to NordVPN, (4) installed a NAS server and confirmed that i can access it.

However, when I am away from my LAN, I would like to connect to my home network by using OpenVPN through my VPN server on the ASUS router WHILE NORDVPN IS RUNNING. I can't make that work. To date I have set up the DDNS server on my router and confirmed that, if I terminate the NordVPN connection, I can connect to my LAN from a non-LAN internet connection.

I don't want anything fancy. My goal is as follows: (1) be able to access my home LAN so I can use the date on my NAS drive (pictures) when I am away from home (2) keep my NordVPN connection active from my router at all times so that my ISP can not track my activity.

My apologies if this has been covered here. I looked but could not find anything.

 

[Xentrk]

Hi everybody,
Problems come when I try to get both active at the same time, then nothing works :d as you can imagine.
In advance, huge thanks
Thierry

Can you be more specific about the issue as "nothing" means everything? For example, do you have access to the LAN but not the WAN? Is traffic not traversing the VPN Client tunnel when you turn on the VPN Server? Need more specifics. Port 1194 is the default port number for the VPN Server. Make sure the VPN Client is using a different port. Also, look at the system log for messages that will help debug the issue.

 

[Thierry]

Can you be more specific about the issue as "nothing" means everything? For example, do you have access to the LAN but not the WAN? Is traffic not traversing the VPN Client tunnel when you turn on the VPN Server? Need more specifics. Port 1194 is the default port number for the VPN Server. Make sure the VPN Client is using a different port. Also, look at the system log for messages that will help debug the issue.

Hi,
Sorry, I should have add few information on top.

Sever has the port 1195 and a range of IP different from the client.
Client uses the port 1194.

The problem I have is that once client is up, connected to my VPN provider, I cannot succeed to get the VPN connection from my device connecting to the server, I guess it's because the answer from the server are sent within the VPN so not reaching my device which is in the WAN.

I saw that this pb has been discussed many times but I did not find how to solve

Thierry

 

[Xentrk]

Hi,
Sorry, I should have add few information on top.

Sever has the port 1195 and a range of IP different from the client.
Client uses the port 1194.

The problem I have is that once client is up, connected to my VPN provider, I cannot succeed to get the VPN connection from my device connecting to the server, I guess it's because the answer from the server are sent within the VPN so not reaching my device which is in the WAN.

I saw that this pb has been discussed many times but I did not find how to solve

Thierry

Thanks. If you want to have your device use the VPN Client, you need to add the device Policy Rules section on the VPN Client screen. See Policy Rule Routing on Asuswrt-Merlin firmware for more information.

 

[Thierry]

Thanks. If you want to have your device use the VPN Client, you need to add the device Policy Rules section on the VPN Client screen. See Policy Rule Routing on Asuswrt-Merlin firmware for more information.

Thanks for information but I need a bit more to be sure I understand (sorry, newbie )
As reminder of what I'm trying to do :
My router has one client VPN connected to a VPN provider. As well, an OpenVPN server is running. My problem is that if the client is connected to VPN provider, I cannot connect to the OpenVPN server when I'm on the Internet, and everythings works well if the client VPN is not connected.

So if I understand well, from the OpenVPN client panel, I need to set up a policy rule to solve that ? but what kind of policy ? I'm unfortunately not a specialist of network stuf, I know only general basis.
Would you please be so kind to detail a bit more ?

Thanks a lot

 

[Xentrk]

Thanks for information but I need a bit more to be sure I understand (sorry, newbie )
As reminder of what I'm trying to do :
My router has one client VPN connected to a VPN provider. As well, an OpenVPN server is running. My problem is that if the client is connected to VPN provider, I cannot connect to the OpenVPN server when I'm on the Internet, and everythings works well if the client VPN is not connected.

So if I understand well, from the OpenVPN client panel, I need to set up a policy rule to solve that ? but what kind of policy ? I'm unfortunately not a specialist of network stuf, I know only general basis.
Would you please be so kind to detail a bit more ?

Thanks a lot

If I understand it correctly, when you are away from the house or router and connected to a public WiFi, you are unable to connect to the router OpenVPN Server when the VPN client is also running on the router? But you can connect when the VPN client is turned off???? I've never heard of this issue before which makes me think I'm not understanding. Or, are you trying to connect to the router's VPN server when your LAN device is connected to the VPN client? If so, not sure why one would need to do this or if it is even possible.

I did have an issue with getting the VPN Server connection made when using an Android.

Setting the config to the legacy Adaptive LZO Compression made it work for Android and was also compatible with iOS and Windows 10.

https://www.snbforums.com/threads/openvpn-ios-win10-issues.55399/page-2#post-470357
https://www.snbforums.com/threads/openvpn-ios-win10-issues.55399/page-2#post-470378

These references may be of help.

OpenVPN Client Setup
OpenVP Server Setup
VPN Server
VPN Client

Check the system log for any messages.

 

[Thierry]

If I understand it correctly, when you are away from the house or router and connected to a public WiFi, you are unable to connect to the router OpenVPN Server when the VPN client is also running on the router? But you can connect when the VPN client is turned off????

It's exactly the problem. From what I read in several posts, it's because the VPN server, at the connection time with my iPhone, is sending back some information to the iphone but through the client VPN as this vpn is activve, so the connection cannot be established between VPN server and iPhone.
Thierry

 

[Xentrk]

It's exactly the problem. From what I read in several posts, it's because the VPN server, at the connection time with my iPhone, is sending back some information to the iphone but through the client VPN as this vpn is activve, so the connection cannot be established between VPN server and iPhone.
Thierry

Thanks for clarifying. I have not heard of this issue before. I have an Android phone and had the issue where the Android could not connect to the VPN Server. The fix was to enable Compression on the VPN Server using LZO Adaptive and importing a new certificate. Are the other protocols like PPTP or IPSec a possible work around solution?

 

[Thierry]

Are the other protocols like PPTP or IPSec a possible work around solution?

Hi, Already tried with another VPN server I have on a NAS, same pb occurs, which is quite logical.
As far as I have understood, I need to set up a solution where the answer from the router won't go through the client VPN but to the WAN, like this, it should work.
The problem is that I don't know how to do that in the asus router (web interface or IPTables).
help is welcome
Thanks