VPN Client with Public IP, split tunnel web server over VPN and other traffic not on the VPN

[Grefyne]

OK, please dont beat me too much... I have tried the Wiki and looked online and even here before posting... i have been trying to figure this out for a week.

Here is my problem, i hope someone can help me accomplish my goal.

I have a VPN client that has a Public IP and open port 80. The client is OpenVPN.
I have the VPN connected without any problems.

I have a VPN Director rule setup for 192.168.1.0/24 and if i use the following commands then the port forwarding works and the website responds.

iptables -I FORWARD 8 -i tun11 -p tcp -d 192.168.1.5 --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:80

But this causes ALL traffic to go through the VPN. The VPN is slow and i don't want normal traffic going out the VPN. I only want the ports that i define like above to go out the VPN. i want all other traffic to go out the WAN without the VPN.

Please if you can assist it would be much appreciated.

 

[elorimer]

Not exactly sure I understand what your setup is. I'm assuming you have an Asus router with Merlin on it, with an Openvpn client. With it you are trying to reach some other place with an OpenVPN server, and behind it a web server at 192.168.1.5. I don't think you need the iptables rules at all, and it doesn't matter that the router has a public IP or an open port, which is not really an outbound thing.

If the OpenVPN server is also an Asus router with Merlin, then you just set it to access LAN only and you should be done, without VPN Director. If it some other thing, then it might be pushing a change in the default gateway. If that is the case, you can insert into your client configuration a pull-filter ignore instruction and be done. Or do it with VPN director.

But I could be totally misunderstanding this.

 

[Grefyne]

yes, i am using an ASUS RT-AC66U B1 with Merlin, and an Openvpn client....

The OpenVPV client connects fine. the OpenVPN server is with ivacy.com. this allows my VPN client to have a public IP with port 80 open. 172.111.AAA.BBB

my lan is 192.168.1.0/24

i have several devices on the lan (about 40)

on 192.168.1.5 i want port 80 forwarded though the VPN
on 192.168.1.6 i want port 8123 forwarded though the VPN
on 192.168.1.7 i want port 81 forwarded though the VPN

with VPN director i have a rule with the local ip set to 192.168.1.0/24 and the iface as OVPN1.

with the iptables the website does respond on port 80, and likewise with other rules for 8123, and 81. without the iptables the ports do not forward.

i tried with the port forwarding in the UI and that did nothing.

if i use any device on the lan it will go out the VPN for all traffic. that is what i do not want.

i want the website on 192.186.1.5, and .6, and .7 to forward out the VPN but all other traffic to go out the WAN without the VPN

for example say that my WAN IP is 149.19.AAA.BBB

if i use any of the "my ip address" sites on the internet they will say my IP is 172.111.AAA.BBB rather than my WAN IP of 149.19.AAA.BBB

on 192.168.1.5 for example, i want it to continue to respond to port 80 from the VPN @ 172.111.AAA.BBB, but other traffic to go out the WAN on 149.19.AAA.BBB

 

[Grefyne]

ok i figured out sort of a strange way to get this to work...

since all of the servers i want to run, run in docker, i gave each docker container an address in 192.169.0.0/23

i then gave all my devices 192.168.1.0/23

then i made a WAN rule for VPN director of 192.168.1.0/24

and a vpn director rule of 192.168.0.0/24 for OVPN1

then i applied iptables rules pointing at the new 192.168.0.0 addresses

end result:
192.168.0.1 - 192.168.1.254 are routable as 1 subnet
anything 192.168.0.1 - 192.168.0.254 routes to the VPN (dockers are put here)
anything 192.168.1.1 - 192.168.1.254 routes to the WAN

 

[Grefyne]

now i just need to figure out how to run a script automatically after the router has booted up completely