VPN few Questions about IP Address, logs, policy


killeriq

Regular Contributor
Hello,

1. Where could I find my actual VPN IP address on the router (I have an RT-AC88U)?
It would be great to see it under VPN - VPN Status - OpenVPN client (if it is possible to add, of course).

2. Is it perhaps possible to separate the OpenVPN log into a different window than "General Log"?

3. In the VPN client setup and Policy Rules, is there a way to add only a few services from an IP address?
I'm running a NAS server and I would like to put only a few services on the VPN, on different ports but with the same IP,
like:
192.168.1.100:8000
192.168.1.100:8005
and so on...

4. If I want to run an FTP server via VPN but the IP gets changed after a router reboot or disconnect, how do I manage to set up some DDNS service for that?
The VPN gives me a public IP which I normally don't have... The FTP server needs some static IP/hostname to be able to connect all the time.

Thanks :)
 
2. Is it perhaps possible to separate the OpenVPN log into a different window than "General Log"?

No, as Asuswrt's syslog daemon does not support multiple files. Since OpenVPN logs to Syslog, it's all logged to the same file.

3. In the VPN client setup and Policy Rules, is there a way to add only a few services from an IP address?

Not possible with the current policy system that's based on a routing table. Anything port-based would have to be done at the firewall level, which would conflict with NAT acceleration and other services that modify the firewall, like Trend Micro's engine. This is why I chose to base my system on the kernel's RPDB.

4. If I want to run an FTP server via VPN but the IP gets changed after a router reboot or disconnect, how do I manage to set up some DDNS service for that?

That will depend on your VPN service provider. First, you will need to see if they support any kind of port forwarding.
 
Hello,

Thanks for the fast reply and explanations.

Could you please also reply to point 1, about the VPN IP?

4. My VPN provider gives a public IP with all ports open...

--------------

Yesterday I was finally able to set up the script and forward a port with this guide https://airvpn.org/topic/11264-asus-merlin-wrt-port-forwarding-script-setup/ - I didn't find anything better on how to start with it... just commands.
But I'm not sure how to add multiple ports into the command; I tried "4440,4441" or "4440:4441" and it didn't work out...

Does that mean I have to do all 4 lines for each port?
Code:
#!/bin/sh

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

#those need to be multiplied?

iptables -I FORWARD -i tun11 -p udp -d *IP of device requiring open port* --dport *Port* -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d *IP of device requiring open port* --dport *Port* -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
iptables -t nat -I PREROUTING -i tun11 -p udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

Thanks
 
Could you please also reply to point 1, about the VPN IP?

You'd only get the tunnel's local endpoint IP, not whatever IP is used at the exit point - that info is not available to OpenVPN.
 
You'd only get the tunnel's local endpoint IP, not whatever IP is used at the exit point - that info is not available to OpenVPN.
If you check on the desktop OVPN client for example... you can see that the "VPN public" IP address also matches if you do some whatsmyip test.
 
If you check on the desktop OVPN client for example... you can see that the "VPN public" IP address also matches if you do some whatsmyip test.

Right, that information is not available to OpenVPN itself, it's your desktop doing a connection through the tunnel to see what IP it resolves to.
 
You'd only get the tunnel's local endpoint IP, not whatever IP is used at the exit point - that info is not available to OpenVPN.
This gets you the VPN endpoint IP:
Code:
curl -s -S --interface tun11 https://myexternalip.com/raw
 
This gets you the VPN endpoint IP:
Code:
curl -s -S --interface tun11 https://myexternalip.com/raw

I'm not a fan of relying on such third party services, as they tend to change or disappear over time. Look at the IEEE OUI lookup for instance, which kept breaking every time the IEEE made changes to their website, until Asus were forced to keep their own copy of the OUI database for lookups.
 
Ah OK, I got your point, so maybe in the future... ;)

What about this? :
how to add multiple ports into the command; I tried "4440,4441" or "4440:4441" and it didn't work out...

Does that mean I have to do all 4 lines for each port?
 
--dport 4440:4441 should normally work when specifying multiple ports, but it's possible that in the context you are trying to use it it doesn't allow ranges. Try adding "-m tcp" to your commands.
 
I'm not a fan of relying on such third party services, as they tend to change or disappear over time. Look at the IEEE OUI lookup for instance, which kept breaking every time the IEEE made changes to their website, until Asus were forced to keep their own copy of the OUI database for lookups.
Yes, I know, but for scripts it's fine.
 
Yes, I know, but for scripts it's fine.

Yes, but the OP was looking into the possibility of integrating such a check into the firmware itself.
 
--dport 4440:4441 should normally work when specifying multiple ports, but it's possible that in the context you are trying to use it it doesn't allow ranges. Try adding "-m tcp" to your commands.


So I should replace "-p" with "-m" and it should be like:
Code:
iptables -I FORWARD -i tun11 -m udp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -I FORWARD -i tun11 -m tcp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -m tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
iptables -t nat -I PREROUTING -i tun11 -m udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

#Instead:

iptables -I FORWARD -i tun11 -p udp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
iptables -t nat -I PREROUTING -i tun11 -p udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

Thanks
---


Octopus: Yeah, I wanted to see it somewhere in the VPN field in the router...
 
So I should replace "-p" with "-m" and it should be like:

No, use both. -m tcp defines the module, -p tcp defines the protocol.
 
This gets you the VPN endpoint IP:
Code:
curl -s -S --interface tun11 https://myexternalip.com/raw

Asus is using a mini STUN client in more recent firmware code to retrieve the public IP of a specific interface. The result is a bit similar to what you are doing with curl, but in a more reliable way (STUN exists specifically for that purpose, so you have a consistent API across different servers, and you can easily poll multiple servers in case one goes down). I'll give adapting it for OpenVPN a shot. The tricky part is, I don't want to be constantly polling those servers, so I have to devise a way to poll only once a tunnel has completed its connection.
 
I got a stun-based IP retrieval implemented.
 
This thread has been really helpful.

What command is needed to allow traffic to pass from the VPN server 10.8.x.x network when I VPN into my router to an IP (192.168.x.x) on my internal LAN that is going through the VPNClient and tunneling out? I'm using Policy Rules Strict mode.
 
No, use both. -m tcp defines the module, -p tcp defines the protocol.
So like this? :) I'll add it everywhere?
Is there some guide for this? (not a Linux/Unix person as you might see :D)

Thanks for helping out... For the IP feature, I'll install the new beta soon to check, thanks!

Code:
iptables -I FORWARD -i tun11 -m udp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -I FORWARD -i tun11 -m tcp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -m tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
iptables -t nat -I PREROUTING -i tun11 -m udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

#Instead:

iptables -I FORWARD -i tun11 -m udp -p udp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -I FORWARD -i tun11 -m tcp -p tcp -d *IP of device requiring open port* --dport 4440,4441 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -m tcp -p tcp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*
iptables -t nat -I PREROUTING -i tun11 -m udp -p udp --dport *Port* -j DNAT --to-destination *IP of device requiring open port*

Thanks

EDIT:

Seems like I found some way:
http://howtonixnux.blogspot.cz/2008/03/iptables-using-multiport.html
Code:
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080,5900,5901,5902 -o eth0 -i eth1 -j ACCEPT

Will try later at home :)
 
Hello guys,

Seems like this is the correct setup for multiple ports:
Code:
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

iptables -I FORWARD -i tun11 -p udp -d 192.168.10.101 -m multiport --dports 51400,51401 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.10.101 -m multiport --dports 51400,51401 -j ACCEPT

iptables -t nat -I PREROUTING -i tun11 -p udp -m multiport --dports 51400,51401 -j DNAT --to-destination 192.168.10.101
iptables -t nat -I PREROUTING -i tun11 -p tcp -m multiport --dports 51400,51401 -j DNAT --to-destination 192.168.10.101


But I'm facing another issue now...
I have a few ports open from my provider, as I'm on a local network with a non-public IP.
I got assigned a few ports, let's say 8000-8005, which can be used in the "port.provider.com:8000" format to get into my devices from the internet.
Everything works, but as soon as I attach my NAS IP (unraid) and redirect the traffic to the VPN, I lose visibility of those ports/webui/services.
The NAS also acts as a server and it has multiple services on it.

I tried something like
Code:
iptables -I FORWARD -i tun11 -p tcp -d 192.168.10.100 --dport 8000 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.100

I also removed the port forward from the Asus UI: WAN - Virtual Server / Port Forwarding (as suggested somewhere), but it is still not reachable.
I know it's a bit more complex than standard, so I would be happy if someone (more experienced) with iptables could help :)

Thanks
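The working multiport rules in the post above, generalised into a small nat-start style helper. This is an added example, not the thread's script or anything from Asuswrt-Merlin; it assumes the tunnel interface is tun11, the hosts and ports are constructed samples, and it checks each rule with "iptables -C" first because nat-start is re-run on every firewall restart and plain "-I" would stack duplicate copies.

```shell
#!/bin/sh
# Added example, not the thread's own script: a /jffs/scripts/nat-start style
# helper that opens several ports on a LAN host through the OpenVPN client
# tunnel with -m multiport, as in the working rules above. Assumes tunnel
# interface tun11; hosts/ports below are constructed samples. nat-start re-runs
# on every firewall restart, so "iptables -C" is checked first to avoid duplicates.

VPN_IF="tun11"
# fwd_rule HOST PORTS PROTO: allow PORTS on HOST, only for traffic arriving on the tunnel
fwd_rule() {
    printf 'FORWARD -i %s -p %s -d %s -m multiport --dports %s -j ACCEPT\n' \
        "$VPN_IF" "$3" "$1" "$2"
}

# dnat_rule HOST PORTS PROTO: redirect tunnel traffic for PORTS to HOST
dnat_rule() {
    printf 'PREROUTING -i %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$VPN_IF" "$3" "$2" "$1"
}

# run_ipt ARGS...: with DRY_RUN=1, print the command instead of changing the firewall
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# add_once TABLE RULE...: insert the rule only if an identical one is not already present
add_once() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run_ipt -t "$table" -I "$@"
}

# forward_ports HOST PORTS: open the comma-separated PORTS on HOST for tcp and udp
forward_ports() {
    for proto in tcp udp; do
        add_once filter $(fwd_rule "$1" "$2" "$proto")
        add_once nat $(dnat_rule "$1" "$2" "$proto")
    done
}

# Apply for real only where the firewall is actually manageable; otherwise preview
iptables -t nat -L PREROUTING -n >/dev/null 2>&1 || DRY_RUN=1
forward_ports 192.168.10.101 51400,51401      # constructed: seedbox-style ports
forward_ports 192.168.10.100 8000,8001,8002   # constructed: NAS web services
```

Run it with DRY_RUN=1 first to review the exact rules it would insert; the FORWARD and DNAT rules are both tied to -i tun11, so nothing is opened from the WAN side.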
 
Hi guys,

I've realised that the port forwarding is not working anymore - not connectable on torrent, so I'm in passive mode.
I did update (Firmware: 380.68_2) but I'm not sure when it stopped working.

Also in VPN -> VPN Client I've found:
Firewall
- 1. Automatic
Add new option : Create NAT on tunnel (Router must be configured manually) YES / NO
2. Custom - it clears it

Not sure if it was there before or what the right setting should be to take the setup from the file "/jffs/scripts/nat-start".

---
Or the problem is elsewhere, the VPN provider or so...

Thanks
 