Split Tunnel Weirdness

[jim99]

I have set up my Asuswrt-Merlin router so that all client browser traffic exits through a VPN to Surfshark, and all server traffic (I have mail and web servers running in Nethserver and a Hik NVR) goes out directly through the WAN.
Client browsing to internet sites is working fine, and my servers are visible on the internet. So far so good....however, here's the problem: if I try to browse to my servers' FQDNs from one of my clients (That is to say, the client sends the request down the VPN tunnel to the internet, and once in the internet, the request should make its way back to the WAN interface) I get no response. If I browse to the server's IP address, I get the default site, but that's not useful, I am running servers by name so browsing by address means I don't get the server I want, just the default server.

The DNS is giving the client the right name:IP resolution, so its looking like the traffic from the tunnel isn't being allowed back to the WAN....

Has anyone experienced this, and are there ways round it?

Thanks

 

[eibgrad]

I don't understand why you would expect a request made over the VPN to have its response (which I assume you mean the replies to that very same outbound connection) routed back over the WAN. All the server would ever see if the public IP on the VPN. How would it even know to send replies back to the WAN's public IP?

Are you perhaps expecting that outbound request to *trigger* a response from the server where it initiates a *new* inbound connection over the WAN? Again, how would the server even know the WAN's public IP?

You need to explain this a little more precisely, because I can't quite picture what's happening here.

 

[jim99]

Sorry, I mangled the description. I'll try again:

I have a client in the LAN. That client's address is set by DHCP, and VPN Director is configured to send the traffic from thew DHCP scope down the SurfShark VPN, so it emerges into the Internet at the end of the VPN.

The client is trying to browse one of my servers, but because its traffic gets captured by VPN Director, I believe it should go out the end of the VPN and through the Internet to my servers, which are configured in VPN Director to interface on the WAN (not the VPN).

Having got to the server , first "inside" the VPN, then "outside" in the internet, it should then (I think?) come back along the same path through the Internet to the VPN termination, then enter the tunnel and return to the originating client.

Now I know my servers are available on the open Internet, because if I browse to them from a different network, I can reach them, and they are reachable on the right address (my WAN address). I also know my clients are going down the VPN tunnel, because if I browse to whatsmyIP, I see a foreign address, not my WAN address. So that all looks to work.

However, when I try to browse to my servers, I get timeouts. Thats the problem I'm trying to solve. I could do this before the VPN, the clients browsed to the servers by going to their external addresses, so I was seeing what other internet users were seeing.

Hopefully, thats a bit clearer. It looks almost like the VPN won't allow traffic to "double back" on itself, but its more likely that I have got something wrong

Thanks

 

[eibgrad]

If you're saying that you have your servers configured in VPN Director to use the WAN, any WAN policy rules always take precedence or OVPN# rules. IOW, if those clients are bound to the VPN, but they happen to reference those servers bound to the WAN, those packets are going (and coming back) via the WAN.

 

[jim99]

If you're saying that you have your servers configured in VPN Director to use the WAN, any WAN policy rules always take precedence or OVPN# rules. IOW, if those clients are bound to the VPN, but they happen to reference those servers bound to the WAN, those packets are going (and coming back) via the WAN.

That's OK, if the client's packets destined for the WAN servers go out over the WAN, because the WAN rule takes precidence over the VPN rule, thats fine, as long as they go and come back. My problem is they are going and being black-holed along the way.

I just blew the config away and rebuilt it, I'm running on another router for the moment, but when I can swap the Asus back, I'll see whatther it has made a difference.

 

[jim99]

That's OK, if the client's packets destined for the WAN servers go out over the WAN, because the WAN rule takes precidence over the VPN rule, thats fine, as long as they go and come back. My problem is they are going and being black-holed along the way.

I just blew the config away and rebuilt it, I'm running on another router for the moment, but when I can swap the Asus back, I'll see whatther it has made a difference.

But the reconfigureation made no difference

 

[eibgrad]

I still don't understand what the issue is.

Whatever network interface is used on the outbound connection, be it the WAN or VPN, those replies ***must*** come back via the same network interface since the public IP in the source field of those packets will be either the WAN or VPN. And as such, the remote server can only respond to that same public IP. It's literally impossible for it to work otherwise.

Maybe you need to draw a diagram of this traffic flow.

 

[ColinTaylor]

Maybe you need to draw a diagram of this traffic flow.

This would be a good idea, along with a screenshot of your VPN Director settings.

I think I understand what you're describing but I can't recreate the problem here, it just works. Although in my case I'm browsing to my WAN IP address as I don't have DDNS set up. Have you tried using the WAN IP address (yes I know you said don't want to do this), it's unclear whether this is what you previously did?

 

[jim99]

Here's the diagram and the VPN Director shot. The thing that doesn't work is browsing to my own servers by name from internal clients; external clients have no problems, and I can't browse to them by IP address, it must be by name as the Nethserver has three Web servers and a mail server on it and they share the single interface/address.

 

[ColinTaylor]

and I can't browse to them by IP address, it must be by name as the Nethserver has three Web servers and a mail server on it and they share the single interface/address.

I realise that, but my question was did you try the WAN IP address? In your original post it was unclear whether you were using the internal or external IP address. It you were using the external (WAN) IP address and you could successfully reach your server's default site then this is not a routing or VPN issue. It is a DDNS or server issue.

 

[jim99]

I see what you mean, my apologies. I can get to the default site OK, but not to any of the virtual hosts or pages subsequent to the default site, so from what you are saying, its a DDNS or server issue. Mail server works fine. With a different router, an Archer D2, this works perfectly, but with the Asus, I get the problem even without the tunnel established.

 

[jim99]

Further info: If I attempt to browse by private IP address or default website, I get the default web site. If I try by external address, (port 80 or 443) it times out, but from a DOS window on the client, I can ping the external address

 

[ColinTaylor]

but with the Asus, I get the problem even without the tunnel established.

So nothing to do with the VPN then.

Examine your web server access log for clues.

What router model and firmware are you using?

 

[jim99]

Router is a RT-AC86U with Firmware Version:386.3_2

 

[john9527]

but from a DOS window on the client, I can ping the external address

What are the ping times? msec (actually going to the internet) or sub-msec (NAT-Loopback)

 

[jim99]

Ping time to the internal server address is 1-2 ms. To the external address the first ping takes longer then they come down pretty comparable to the times for the internal address. Something i just noticed: ping from the "Network Tools" on the router, the CCTV box pings fine, the VoIP box pings fine, but I get no ping from the server, even though I can ping it from the client DOS window

 

[ColinTaylor]

It sounds like your DDNS name is not resolving to the correct address.

 

[jim99]

I know about 5/8 of zero about DDNS, can you comment further....or refer me to a good document so I can fix it myself?

 

[john9527]

Do an nslookup of your external name.....compare the address it returns to the WAN address shown by the router.

 

[ColinTaylor]

You are using your DDNS name to access your server, right?

So from the PC that's having the problem issue an nslookup command to see what IP address is associated with it, e.g. nslookup blah.asuscomm.com

Does this IP address match your WAN IP address?