Site-to-site VPN issue

[Dr.Henrik]

I am using an Asus RT-AC68U with Merlin to connect to my open VPN server at another location to achieve a site-to-site vpn using Openvpn. The RT-AC68U's network is 192.168.2.0/24 and the Openvpn server's network is 192.168.1.0/24. I have port routed port 80 from the router at 192.168.1.0/24 to the VPN server on which I have iroute 192.168.2.0/24 for the RT-AC68U. I have also applied Iptables DNAT in the VPN server to my web server. The problem is that as long as I do not choose to route all traffic through the tunnel in the merlin web interface I cannot do http requests i.e open the frontpage of the web server from 192.168.1.0/24, I can still ping the web server successfully and I can successfully communicate in the direction 192.168.2. 0/24 ->192.168.1.0/24. It seems that the http packets get stuck in the RT-AC68U on the way back. I want the network 192.168.2.0/24 to not use the tunnel for WAN. Is there anybody who can point me in the right direction, I have tried everything I can come up with.

 

[octopus]

I am using an Asus RT-AC68U with Merlin to connect to my open VPN server at another location to achieve a site-to-site vpn using Openvpn. The RT-AC68U's network is 192.168.2.0/24 and the Openvpn server's network is 192.168.1.0/24. I have port routed port 80 from the router at 192.168.1.0/24 to the VPN server on which I have iroute 192.168.2.0/24 for the RT-AC68U. I have also applied Iptables DNAT in the VPN server to my web server. The problem is that as long as I do not choose to route all traffic through the tunnel in the merlin web interface I cannot do http requests i.e open the frontpage of the web server from 192.168.1.0/24, I can still ping the web server successfully and I can successfully communicate in the direction 192.168.2. 0/24 ->192.168.1.0/24. It seems that the http packets get stuck in the RT-AC68U on the way back. I want the network 192.168.2.0/24 to not use the tunnel for WAN. Is there anybody who can point me in the right direction, I have tried everything I can come up with.

Have you looked at this side?

Policy based routing

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[MaziahBebop]

Have you looked at this side?

Policy based routing

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Looks like it should work. Something like this?

 

[eibgrad]

If you find yourself add routing rules, then you've somehow misconfigured it.

In a site-to-site, routed (tun), OpenVPN tunnel, there's no reason you should ever need to use any kind of NAT (SNAT or DNAT). Since both sides know of the others local networks, and how to route to them, it's irrelevant. The only time I've found an issue is when Windows refuses to accept traffic from any private network other than its own (a security feature Windows added years ago). But that's just a Windows firewall issue, and like any firewall, exceptions can be added to fix it.

Also, make sure you *disable* the Inbound Firewall option on the OpenVPN client, at least if you expect the devices on the OpenVPN server side to be able to initiate connection to device on the OpenVPN client side.

 

[Dr.Henrik]

I need the routing because the VPN server is not the router for the server's network (192.168.1.0/24). To elaborate on my setup; the VPN client sits behind a CGNAT and is the router for 192.168.1.2/24. I have a webserver on this network which I want to reach from the Internet. I have solved this by a site-to-site VPN. The VPN server's network has a static public IP. This means I will need to set up a route on the default gateway on the 192.168.1.0/24 network which routes port 80 to the VPN server which then routes these packets to the webserver on the 192.168.1.0/24 network. I have done this by setting up a static route for port 80 on the router and then iptables -t nat - A PREROUTING --in-interface eth0 -d 192.168.1.xxx(VPN server) -p tcp --dport 80 -j DNAT --to-destination 192.168.2.xxx:80 (webserver local address).
This works perfectly well when not using the policy based rules in Merlin, but rather "Force Internet traffic through tunnel" Yes or No. No matter if I choose Yes or No all traffic is forced through the tunnel which is bad since I loose most of my bandwidth (I don't know if this is a bug). The only way to make the internet traffic from 192.168.2.0/24 not to go through the tunnel is to use "Policy based rules" but then the HTTP packets are dropped by the Asus router on the way back from the webserver. I have drawn this conclusion since the webserver is responding to ICMP from the network 192.168.1.0/24 and I can ping the computers in the 192.168.1.0/24 from 192.168.2.0/24 and also reach the default gateway's web interface on 192.168.1.0/24 from 192.168.1.0/24.
I have set up the following policy rules on Merlin:

Please tell me if you want me to elaborate further.

 

[Dr.Henrik]

I solved it just now. I needed the explicit policy rule rule for source ip 192.168.2.xxx (webserver address) destination 0.0.0.0. Thank you all for taking your time.