Troubles with VPN Client + DDNS Setup on GT-BE98

[Tuntenfisch]

Hello,

I have a GT-BE98 running the "GT-BE98_3006_102.1_1-gnuton0_beta1_nand_squashfs.pkgtb" firmware found here. The router is connected via its WAN 10G port to a network socket inside a university campus. In order to gain access to the university campus network (and internet), I have set up a VPN client (client 1 to be specific) through the router's web interface and I've configured the router to route all internet traffic through the VPN. One issue I've encountered is that the VPN won't restart when the router restarts. But I was able to resolve this issue by creating a watchdog script under /jffs/scripts/ovpnclient1-watchdog which is registered via /jffs/scripts/services-start and called automatically every minute. Just for completeness sake, here are the contents of the corresponding scripts:

Contents of /jffs/scripts/ovpnclient1-watchdog:

#!/bin/sh

if [ -z "$(pidof vpnclient1)" ]
then
   service restart_vpnclient1
fi

Contents of /jffs/scripts/services-start:

#!/bin/sh

LOG_TAG="Services start script"

#Add cron entry for vpnclient1 watchdog.
if [ -z "$(cru l | grep CheckOpenVPNClient1)" ]
then
   cru a CheckOpenVPNClient1 "* * * * * /jffs/scripts/ovpnclient1-watchdog"
   logger -t "$LOG_TAG" -p 2 "Added OpenVPN Client 1 watchdog to cron utility."
fi

The watchdog successfully ensures that the VPN is up reliably.

Besides the VPN, I've also configured a DDNS service. Initially I've attempted to get the asuscomm.com DDNS running since the setup is easy. But it doesn't work in conjunction with a VPN because the router still has a private IP and the builtin functionality isn't smart enough to rely on the VPN to update the DDNS. I then saw that you can also opt for a custom DDNS update and specifically this section of the wiki in conjunction with the ASUS sample script got me this script:

Contents of /jffs/scripts/openvpn-event:

#!/bin/sh

if [ "$script_type" = "route-up" ] && [ "$dev" = "tun11" ]; then
    # OpenVPN tunnel won't open until openvpn-event script is finished, run the rest in a background shell
    (
        # Loop until VPN tunnel is established or the timeout limit is reached
        COUNTER=0
        LIMIT=10
        while [ "$COUNTER" -le "$LIMIT" ] && ! ifconfig | grep -Fq "tun11"; do
            sleep 1
            COUNTER=$((COUNTER + 1))
        done

        # Set the host name, ending with .asuscomm.com is optional
        HOSTNAME='redacted'

        # The IP address to use
        IP=$(ifconfig tun11 | grep 'inet addr' | awk '{print $2}' | cut -d ':' -f 2)

        # Asus DDNS server
        ASUS_SERVER='nwsrv-ns1.asus.com'

        # Router MAC address location is hardware dependent
        for LAN_MAC_NAME in et0macaddr et1macaddr et2macaddr; do
            MAC_ADDR="$(nvram get "$LAN_MAC_NAME")"
            if [ -n "$MAC_ADDR" ] && [ "$MAC_ADDR" != '00:00:00:00:00:00' ]; then
                break
            fi
        done

        # Use openssl to generate the password
        PASSWORD="$(printf '%s' "${MAC_ADDR//:/}${IP//./}" | openssl md5 -hmac "$(nvram get secret_code)" 2>/dev/null | awk '{print toupper($2)}')"

        # Try to update
        HTTP_RESULT="$(curl -fs -w '%{http_code}' -o /dev/null -u "${MAC_ADDR//:/}:$PASSWORD" "http://$ASUS_SERVER/ddns/update.jsp?hostname=${HOSTNAME%.asuscomm.com}.asuscomm.com&myip=$IP")"

        # Full code list https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/inadyn/plugins/asuscomm.c#L293
        case "$HTTP_RESULT" in
            200|220|230)
                /sbin/ddns_custom_updated 1
            ;;
            *)
                /sbin/ddns_custom_updated 0
            ;;
        esac
    ) &
fi

Note the deviations from the original scripts in the first if condition, and the different IP being used. Anyways, this script results in a HTTP response of 200, so everything should be good? Wrong! For some reason the DDNS update works but when actually attempting to ping the supposedly updated domain, I get no reply. I also cannot SSH into the router via the domain, or access the web interface. I did make sure to enable the relevant settings in the router's web interface, e.g. "Enable Web Access from WAN" in the case of the web interface. So my first question is, did I do anything wrong in my DDNS setup?

I've also saw in the Merlin wiki that Merlin switched to In-a-dyn to manage the DDNS related functionality. It even has a custom plugin for the ASUS DDNS service, the source code of which probably resides here. So I switched to the In-a-dyn setup and followed the instructions here. But I didn't manage to get it to work. My main issue was that I didn't know what the /jffs/inadyn.conf was supposed to look like when ussing the ASUS DDNS service. I also am unsure which DDNS provider url to use for the ASUS DDNS service. There are different ones mentioned in different examples throughout the wiki/codebase. This leads me to my second question, what does the setup for the ASUS DDNS service with In-a-dyn look like and can someone give me a comprehensive example?

Moving on, I decided to use DuckDNS with the script approach (not the In-a-dyn) approach. This works to the extend that I can ping the router and SSH into it from outside. But for some reason I still cannot acces the web interface even tho I enabled the option mentioned previously. So my final question is, why can I not access the web interface from outside and what would the steps be to resolve this? One suspicion I have is that I'm technically not attempting to access the web interface via the WAN, since the WAN IP is a private IP (192.168...). I'm accessing it through the public IP I get from the VPN connection.

I know this is a long post. But I hope someone can assist me with this.

 

[eibgrad]

The problem here (both for remote access and DDNS) is that the router itself is participating in the VPN! I have no idea what is possible w/ that particular firmware, but at least w/ Merlin and the VPN Director (i.e., policy based routing), these would NOT be problems since that removes the router itself from the VPN, and everything wrt the router's own processes continues normally over the WAN. The only thing that participates in the VPN are those local/remote IPs configured w/ the VPN Director.

All that said, if you *want* to have the router included in the VPN, then besides the DDNS issue, you'll have to have a VPN provider who permits port forwarding from their end of the tunnel (which is NOT common), and be able to port forward from that local network interface into your internal network (requiring yet more firewall configuration).

 

[eibgrad]

P.S. In the case of remote access w/ the router participating in the VPN, it would be possible to establish remote access over the WAN provided the public IP of the remote client was KNOWN, so you could add a static route to bind that public IP(s) to the WAN. Of course, that's NOT always practical since often the user is roaming. But if the remote access is from predictable locations (e.g., workplace, home), it may be workable.

 

[eibgrad]

You might find the following useful as well (some of these problems are well-known, w/ existing solutions).

asus rt-ax88u vpn director not connected right after reboot

Hello, i have installed latest asuswrt merlin on asus rt-ax88 router. I have installed a vpn connection as vpn client with openvpn protocol. When i reboot the router or take it from power, vpn director shows vpn connected status but it is not connected and i have no internet connection. Always...

www.snbforums.com

 

[Tuntenfisch]

The problem here (both for remote access and DDNS) is that the router itself is participating in the VPN! I have no idea what is possible w/ that particular firmware, but at least w/ Merlin and the VPN Director (i.e., policy based routing), these would NOT be problems since that removes the router itself from the VPN, and everything wrt the router's own processes continues normally over the WAN. The only thing that participates in the VPN are those local/remote IPs configured w/ the VPN Director.

All that said, if you *want* to have the router included in the VPN, then besides the DDNS issue, you'll have to have a VPN provider who permits port forwarding from their end of the tunnel (which is NOT common), and be able to port forward from that local network interface into your internal network (requiring yet more firewall configuration).

Thank you for the thorough response.

The reason why I used this firmware instead of the one on https://www.asuswrt-merlin.net/ is that the official only supports the GT-BE98 PRO router. But I have the non-PRO version. So I opted for the forked Merlin firmware that offers support for additional routers.

Regarding the VPN director: I'm by no means an expert in networking, but my routers WAN IP is a private one because the router is connected via cable to the university network, so I think the private IP is the one issued by the university network. The thing is, by default, when connected to a physical network socket inside the campus, you do not get any Internet access (besides being able to access the university website). So the WAN IP cannot be used to update a DDNS (for example).

Speaking of DDNS, so the reason why the ASUS DDNS service is not working but the DuckDNS service is, is not due to my script being wrong, but instead due to the network setup I'm running?

I guess one thing I could try is to see if I can access the web interface via the WAN IP from a device that is also part of the campus network (either via VPN or some other direct manner, e.
g. campus computer).

The reason why I opted for the "route all Internet traffic through the tunnel" approach is that it doesn't require additional setup for new clients. They just get working internet immediately.

P.S. In the case of remote access w/ the router participating in the VPN, it would be possible to establish remote access over the WAN provided the public IP of the remote client was KNOWN, so you could add a static route to bind that public IP(s) to the WAN. Of course, that's NOT always practical since often the user is roaming. But if the remote access is from predictable locations (e.g., workplace, home), it may be workable.

Good point, but as you mentioned this would be problematic when the clients have dynamic IPs.

You might find the following useful as well (some of these problems are well-known, w/ existing solutions).

asus rt-ax88u vpn director not connected right after reboot

Hello, i have installed latest asuswrt merlin on asus rt-ax88 router. I have installed a vpn connection as vpn client with openvpn protocol. When i reboot the router or take it from power, vpn director shows vpn connected status but it is not connected and i have no internet connection. Always...

www.snbforums.com

That's a great script. I'll definitely be replacing mine with that. Thank you!

 

[Tuntenfisch]

Note that I'm also actively trying to reach out to my university's network department to discuss solutions. But so far that has been a rather slow process...