VPN Director rules and WAN

[propofol]

Hi all,

I have found this forum incredibly useful over the last six months of my foray into self-hosting.

I have an ASUS AX6000, running the latest (Dec 2022) version of Merlin. My entire LAN is protected behind an Open VPN connection via NordVPN. This was achieved by using a CIDR range so that everything except my guest wifi network was behind the VPN.

I now have an old laptop I am using as an Ubuntu server. The server “sees” the internet just fine when it is behind the VPN. But, I would like to self-host a few services that are exposed to the Internet. I therefore added a VPN Director rule to allow that laptop (that has a manual IP address of 192.168.50.29) to just be WAN with no VPN protection. Or at least I thought I did. The problem is that, when the rule is enacted, the Ubuntu server cannot interact with the internet. Pinging google doesn’t work. I can control the laptop with other devices on the LAN via the CLI.

Bizarrely, though, when I enable port forwarding, I *can* reach the Ubuntu server via the Internet (I am using my cell phone so I have excluded my network entirely).

I have posted the VPN Director rules below.

To summarize, my Ubuntu server:
- reaches the Internet OK when behind the VPN
- does NOT reach the Internet when supposedly on WAN via a VPN Director rule
- DOES interact normally for specific port(s) when on WAN via VPN Director AND when ports are forwarded.

I am an intermediate networking person, having been using the Internet (via lynx) since 1993. But I am not advanced. I would greatly appreciate any help! Thank you.

 

[arkywein]

Hi @propofol,

I'm not an expert on this, but from setup perspective everything looks alright. I have a similar configuration but with one noticeable difference – I don't explicitly assign my server (which runs on a Raspberry Pi) to WAN.

My Raspberry Pi server has a manually set IP outside of 192.168.0.0/25, which makes it an exception to the rules entirely (or to better put it, it's not even covered by the rules). From what I can see in your config, you explicitly set your Ubuntu server to WAN (which has the highest priority), and then all other clients within /24 to OVPN. According to the documentation, your Ubuntu laptop should therefore be excluded from your second rule. Could you try replicate my setup and see if that works? Just limit the IP pool to something like 192.168.50.0 - 192.168.50.127 (which is /25), assign your router to WAN and give your Ubuntu server an IP outside /25, for example 192.168.50.130 and see if it works. However, I remember assigning my Pi to WAN and it worked perfectly fine, I could reach the internet.

 

[propofol]

Thanks for your reply. I followed your helpful suggestion and it works! I remain uncertain why my initial attempt failed.

I appreciate the help — Merry Christmas!