
Webserver Access when OpenVPN Client Connected

Discussion in 'Tomato Firmware' started by scoobynz, Jan 17, 2013.

  1. scoobynz

    scoobynz Serious Server Member

    Hello,

    I have installed Shibby AIO on an E4200, after fiddling around unsuccessfully with dd-wrt for the last fortnight. After seeing how stable and easy to use Tomato is, I cannot help but feel that the last fortnight of my life was wasted!

    The main reason I require firmware is to connect to an online VPN server (service).

    Code:
    WAN (ISP) = 97.140.xx.xx
     
    Router = 192.168.2.1
     
    NAS = 192.168.2.20 (routed through VPN)
     
    E.g. Laptop = 192.168.2.3 (Not routed through VPN, routed through WAN).

    I successfully set up the VPN client on my router to my requirements, i.e. my NAS is tunnelled through the VPN but all other devices on my network (e.g. my laptop) are directed through the normal ISP route (WAN). I did this following this link here: http://tomatousb.org/tut:openvpn-via-password-authentication. This is working seamlessly.

    My issue is that my NAS contains a webserver for my domain. As soon as the VPN client connects I lose the ability to access the webserver from outside the network, i.e. by typing in my address www.'mydomain'.com. I can see that my nameservers are still pointing to my WAN IP, so the connection is obviously still coming through my WAN but not making it to the webserver on the NAS, as the NAS thinks it is exclusively connected to the VPN route only.

    I note that the OpenVPN route-up script directs all traffic for my NAS IP using the vpn_gateway function.

    My question is: how do I maintain the functionality I have at present but also allow the NAS to receive traffic from the WAN as well as the connected VPN route? I.e. how do I make my NAS direct traffic through the VPN route and listen on the WAN concurrently?

    Any suggestions would be greatly appreciated.

    Regards,
    C
     
  2. scoobynz

    scoobynz Serious Server Member

    Hello, I am assuming that this is a routing problem. As such I have attached my iptables listing.
    Code:
    root@unknown:/# iptables -nvL
    Chain INPUT (policy DROP 214 packets, 26623 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    all  --  tap11  *      0.0.0.0/0            0.0.0.0/0
      145  5888 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    21789 3702K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        2  104 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
      35  2374 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
    1952  133K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
      40 12348 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
      302  172K ACCEPT    all  --  tap11  *      0.0.0.0/0            0.0.0.0/0
    20568  14M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
      806  695K ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
      14  560 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      728 38196 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    19114  13M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        1    60 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
      446 28276 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      633 45069 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
     
    Chain OUTPUT (policy ACCEPT 2047 packets, 1084K bytes)
    pkts bytes target    prot opt in    out    source              destination
     
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination
        2  104            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:50025
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:50079
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:21
        1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:80
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:143
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:8080
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:8080
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:6789
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:6789
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:50110
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:22
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:22
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:51413
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:9091
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:9091
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:6017
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:1194
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:1194
    
    and my route listing is;
    Code:
    94.174.0.1 dev vlan2  scope link
    46.246.90.128/25 dev tap11  proto kernel  scope link  src 46.246.90.136
    192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1
    94.174.0.0/22 dev vlan2  proto kernel  scope link  src 94.174.3.40
    127.0.0.0/8 dev lo  scope link
    default via 94.174.0.1 dev vlan2
    
    Any assistance with this would be greatly appreciated. I have been trying to resolve this for a fortnight and am at my wit's end...

    Regards,
    C
     
  3. Bird333

    Bird333 Network Guru Member

  4. scoobynz

    scoobynz Serious Server Member

    Hi Bird333, and thank you for your response. Sorry I have taken so long to respond.

    The issue I had was really related to the fact that the webserver was running on the same IP as my torrent software. I therefore could not direct port 80 through the VPN, as my webserver needs this port. This led to issues, as some torrent trackers communicate on port 80 etc.

    What I did to resolve this was to create a virtual interface (eth0:1) on my NAS, assigning it an IP (192.168.2.21 in my case). I then bound the torrent software to this new IP in the torrent configuration. I then routed this new IP to the VPN using the information in this very useful link: http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/

    C
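The behaviour described in posts #1 and #2 and the fix in post #4 both come down to one routing fact: a port-forwarded request arrives on the WAN interface (vlan2), but if the NAS's source address is policy-routed into the tunnel, the NAS's reply leaves on tap11, so the connection never completes. The following is an added example, not code from this thread, Tomato or Shibby's firmware. It parses the `iptables -nvL` and `ip route` listings from post #2 (copied in as constructed input) and replays the reply-path decision the router makes. It assumes that the route-up script installs a rule of the form `ip rule from <NAS IP> lookup vpn` with a VPN table consisting of `default dev tap11` (neither is shown in the thread), and it uses 203.0.113.5 as a constructed stand-in for a remote visitor.

```python
"""Added example (not from the thread): parse scoobynz's `iptables -nvL` and
`ip route` listings and replay the request/reply path for the web server.
It assumes the route-up script installs `ip rule from <NAS IP> lookup vpn`
with a VPN table of `default dev tap11` (assumption, not shown in the thread)."""
import ipaddress
import re

# Constructed input: excerpts copied from post #2 of the thread.
IPTABLES_NVL = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source              destination
20568  14M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.2.0/255.255.255.0 name: lan
    1    60 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0

Chain wanin (1 references)
pkts bytes target    prot opt in    out    source              destination
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:21
    1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:80
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.2.20        udp dpt:8080
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.2.20        tcp dpt:51413
"""
IP_ROUTE = """\
94.174.0.1 dev vlan2  scope link
46.246.90.128/25 dev tap11  proto kernel  scope link  src 46.246.90.136
192.168.2.0/24 dev br0  proto kernel  scope link  src 192.168.2.1
94.174.0.0/22 dev vlan2  proto kernel  scope link  src 94.174.3.40
127.0.0.0/8 dev lo  scope link
default via 94.174.0.1 dev vlan2
"""
PROTOCOLS = {"all", "tcp", "udp", "icmp"}


def parse_iptables(text):
    """Return {chain: [rule dicts]} from `iptables -nvL` output.
    Rules with no target (e.g. the `account` match) get target ''."""
    chains, chain = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "pkts":          # blank line or column header
            continue
        if tok[0] == "Chain":
            chain = tok[1]
            chains[chain] = []
            continue
        if tok[2] in PROTOCOLS:                  # target column is blank
            tok.insert(2, "")
        target, prot, _opt, dev_in, dev_out, src, dst = tok[2:9]
        chains[chain].append({"pkts": int(tok[0]), "bytes": tok[1], "target": target,
                              "prot": prot, "in": dev_in, "out": dev_out,
                              "src": src, "dst": dst, "extra": " ".join(tok[9:])})
    return chains


def parse_routes(text):
    """Return [(network, dev, via)] from `ip route` output."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((net, tok[tok.index("dev") + 1], via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (network, dev, via) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def reply_interface(rules, tables, src, dst):
    """Policy routing as the router does it: the first `from` rule whose source
    matches selects a table; if that table has no route, fall through to main."""
    for src_net, table in rules:
        if ipaddress.ip_address(src) in src_net:
            hit = lookup(tables[table], dst)
            if hit:
                return hit[1]
    hit = lookup(tables["main"], dst)
    return hit[1] if hit else None


def check_symmetry(chains, rules, tables, nas_ip, wan_client, wan_if="vlan2"):
    """For each port forwarded to the NAS through `wanin`, decide whether the
    NAS's reply to a WAN client leaves on the interface the request used."""
    report = {}
    for rule in chains.get("wanin", []):
        port = re.search(r"dpt:(\d+)", rule["extra"])
        if rule["dst"] != nas_ip or not port:
            continue
        out_if = reply_interface(rules, tables, nas_ip, wan_client)
        report[(rule["prot"], int(port.group(1)))] = {
            "hits": rule["pkts"], "reply_via": out_if, "symmetric": out_if == wan_if}
    return report


TABLES = {"main": parse_routes(IP_ROUTE),
          "vpn": parse_routes("default dev tap11\n")}   # assumed VPN table
WAN_CLIENT = "203.0.113.5"                              # constructed remote visitor
# Before: the whole NAS address is policy-routed into the tunnel.
RULES_BEFORE = [(ipaddress.ip_network("192.168.2.20/32"), "vpn")]
# After (post #4): only the torrent client's alias address goes into the tunnel.
RULES_AFTER = [(ipaddress.ip_network("192.168.2.21/32"), "vpn")]

if __name__ == "__main__":
    chains = parse_iptables(IPTABLES_NVL)
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for key, info in check_symmetry(chains, rules, TABLES, "192.168.2.20", WAN_CLIENT).items():
            print(label, key, info)
```

Two things worth reading off the output. The single hit on `tcp dpt:80` in `wanin` shows the inbound SYN was accepted and forwarded to the NAS, so the firewall is not the problem; with the "before" rule the reply for every forwarded port is routed out tap11, which the VPN provider has no reason to deliver back to the visitor. With the "after" rule, replies from 192.168.2.20 fall through to the main table and leave via vlan2 again, while 192.168.2.21 (the alias the torrent client is bound to) is the only source that the tunnel carries. The same check, run against a router's real listings, is a quick way to confirm that a source-based VPN rule does not silently break any port forward to that host.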
     
