
Two OpenVPN clients (tunnel for all internet traffic + tunnel to access resources on another server)


hursey013

Occasional Visitor
Hey all,

I'm running Merlin 380.65_2 on a RT-AC68U. I've successfully configured an OpenVPN client to an external VPN provider in order to tunnel all of my traffic, with the exception of a few devices using some Policy Rules:

ndm0sx.png


At this point, I would like to add a second persistent OpenVPN client connection to a remote server. I don't want to route any traffic through the VPN, just be able to access resources on it without having to expose the ports to the internet. I've configured OpenVPN on the server, imported the ovpn into Client 2 in Merlin and it connects successfully, but I'm unable to access the resources and it also causes some problems with the connection to Client 1. I suspect that I need to do something to get the two clients running on different subnets, but I'm not sure how I would go about this. At this point it appears both clients are getting assigned to the same gateway/subnet:

Client 1:
Code:
May 11 23:11:16 openvpn[828]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'

Client 2:
Code:
May 12 09:22:33 openvpn[28294]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'

Any guidance would be appreciated, thank you!
 
Just wanted to follow up with what I think is a working solution.

Just to recap: I used the Road warrior OpenVPN install on two separate VPSs. Server 1 is being used as a persistent VPN tunnel to secure all traffic from the router. Server 2 has a number of web-based resources running on it, which are bound to various port numbers. I did not want to open those ports to the internet and instead wanted a second persistent OpenVPN connection to that server so I could securely access the resources when on my home network.

Since I control both servers I left Server 1 with the default OpenVPN subnet of 10.8.0.0/24 and updated Server 2 to use 10.8.1.0/24 to avoid subnet conflicts. I then set up OpenVPN Client 1 and Client 2 in Merlin to point to the respective servers.

Client 1 (Tunnel all traffic through VPN)
client1.png


Client 2 (Access local resources on Server 2)
client2.png


Two additional things I had to adjust in order to get everything working. I added route-nopull to the Custom Configuration of Client 2 to override the redirect-gateway and dhcp-option set by the Road warrior setup (I could probably just remove those from the server.conf as well). I also had to add a policy rule on Client 1 for accessing Server 2's subnet of 10.8.1.0/24. I found that without this I could not access any of Server 2's resources from any device connected through the VPN on Client 1.

I just wanted to get a sanity check that this sounds somewhat correct and I haven't opened myself to any potential security risks. Also curious if there is a better way to tackle this?

Thanks!
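
A way to check for the collision visible in the two PUSH_REPLY lines of the first post, as an added example that is not part of the original posts: it parses the pushed options and reports overlapping tunnel subnets and a redirect-gateway push on a client meant for resource access only. The function names and the `split_tunnel_pids` parameter are hypothetical, and the parser assumes `topology subnet`, as both log lines show.

```python
import ipaddress
import re

# Sample input: the two PUSH_REPLY log lines quoted in the first post.
LOG = """\
May 11 23:11:16 openvpn[828]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
May 12 09:22:33 openvpn[28294]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
"""

PUSH_RE = re.compile(r"openvpn\[(\d+)\]: PUSH: Received control message: 'PUSH_REPLY,([^']*)'")

def parse_push_replies(log_text):
    """Return one dict per PUSH_REPLY line: pid, tunnel network, redirect flag, DNS."""
    clients = []
    for pid, body in PUSH_RE.findall(log_text):
        info = {"pid": int(pid), "network": None, "redirect_gateway": False, "dns": []}
        for option in body.split(","):
            words = option.split()
            if not words:
                continue
            if words[0] == "ifconfig" and len(words) == 3:
                # Assumes topology subnet: "ifconfig <local-ip> <netmask>"
                info["network"] = ipaddress.ip_interface(f"{words[1]}/{words[2]}").network
            elif words[0] == "redirect-gateway":
                info["redirect_gateway"] = True
            elif words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
                info["dns"].append(words[2])
        clients.append(info)
    return clients

def audit(clients, split_tunnel_pids=()):
    """Flag overlapping tunnel subnets and full-tunnel pushes to split-tunnel clients."""
    findings = []
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if a["network"] and b["network"] and a["network"].overlaps(b["network"]):
                findings.append(f"pid {a['pid']} and pid {b['pid']} overlap on {a['network']}")
        if a["pid"] in split_tunnel_pids and a["redirect_gateway"]:
            findings.append(f"pid {a['pid']} is pushed redirect-gateway; add route-nopull or edit server.conf")
    return findings

if __name__ == "__main__":
    # pid 28294 is Client 2, the connection meant only for reaching Server 2.
    for finding in audit(parse_push_replies(LOG), split_tunnel_pids={28294}):
        print(finding)
```

The PUSH_REPLY line is logged even when route-nopull is set on the client, so the second finding is a prompt to confirm that option is present rather than proof that traffic is being redirected.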
 
