goldme

Connected client becomes unreachable from WAN


I have an Ubuntu virtual machine running inside my LAN where I have configured OpenVPN to start with the machine and connect automatically. Everything works as expected. I also host various other services on this machine that should be available through the LAN. In this case I'm hosting an nginx server on port 443 for an SSL website on the same machine where the OpenVPN client is connected.

The nginx service on port 443 is perfectly reachable from inside the LAN (192.168.1.x) while OpenVPN on the same machine is also connected, and I have various other services doing their thing through the VPN.

When I want to expose this nginx instance to the outside world through my home IP (NOT the VPN) I simply add a port forward on my router for port 443 to the virtual machine. The problem is as follows:

If OpenVPN is connected on the VM: the nginx service is reachable from inside the LAN. Not reachable from the WAN (port forwarded to the machine).

If OpenVPN is disconnected (sudo killall openvpn): the nginx service is reachable from the LAN and the WAN.

Tests are done through the yougetsignal.com port checker.

It seems that as soon as OpenVPN is connected, the machine does not accept connections from outside (using the port forward on the router) but keeps accepting connections from the LAN normally!

iptables -L on the connected machine shows empty chains with ACCEPT policies on all.

I hope someone can help me with this.


I have solved this problem using the solution at this link: http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

It turned out that the service was receiving requests on the eth0 interface but sending the response to the tun0 interface, since that is the default route that OpenVPN has activated. Using the steps in the link I was able to route those packets correctly back to eth0.

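The fix described in the post above is source-based policy routing: replies that leave with the VM's LAN address as source are looked up in a second routing table whose default route is the home router, while everything else keeps following the tunnel. The script below is an added example of that approach, not code from the thread or from the linked article. The LAN address, subnet, gateway, interface name and table number are assumptions (hypothetical values for the setup described here); running with APPLY=0 (the default) only prints the commands, APPLY=1 executes them and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked article: source-based
# policy routing so that replies from the VM's LAN address go back out eth0 even
# while OpenVPN holds the default route. All values below are assumptions for the
# setup described in the thread; adjust them to the real VM.
set -u

LAN_IP="${LAN_IP:-192.168.1.50}"       # the VM's own LAN address (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # the LAN subnet (assumed)
LAN_GW="${LAN_GW:-192.168.1.1}"        # the home router (assumed)
LAN_IF="${LAN_IF:-eth0}"               # the LAN interface, not tun0
TABLE_ID="${TABLE_ID:-100}"            # a spare routing table number
APPLY="${APPLY:-0}"                    # 0: print the commands; 1: run them (needs root)

# Print the command in dry-run mode, execute it in apply mode.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Install a second routing table whose default route is the home router, and a
# rule that sends every packet sourced from LAN_IP through that table. Packets
# with any other source (e.g. the VPN address) still follow the main table, so
# traffic the VM itself originates keeps going through the tunnel.
setup_lan_reply_routing() {
    run ip route replace "$LAN_NET" dev "$LAN_IF" src "$LAN_IP" table "$TABLE_ID"
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE_ID"
    # Remove a stale copy first so re-running the script does not stack duplicate rules.
    run ip rule del from "$LAN_IP" table "$TABLE_ID" 2>/dev/null || true
    run ip rule add from "$LAN_IP" table "$TABLE_ID" priority 1000
    # Loose reverse-path filtering: a WAN packet arrives on eth0, but the main table
    # would route its source via tun0, which strict mode (1) treats as spoofed.
    # The effective value is the maximum of conf.all and conf.<if>, so 2 here wins.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    run ip route flush cache
}

# Undo everything setup_lan_reply_routing installed.
teardown_lan_reply_routing() {
    run ip rule del from "$LAN_IP" table "$TABLE_ID" 2>/dev/null || true
    run ip route flush table "$TABLE_ID"
    run ip route flush cache
}

# Ask the kernel which path a reply to an arbitrary Internet address takes when
# sourced from LAN_IP; the answer should name LAN_IF and table TABLE_ID, not tun0.
# (1.1.1.1 is only a placeholder destination.)
verify_lan_reply_routing() {
    run ip rule show
    run ip route show table "$TABLE_ID"
    run ip route get 1.1.1.1 from "$LAN_IP"
}

case "${1:-setup}" in
    setup)    setup_lan_reply_routing ;;
    teardown) teardown_lan_reply_routing ;;
    verify)   verify_lan_reply_routing ;;
    *) echo "usage: $0 {setup|teardown|verify}" >&2; exit 2 ;;
esac
```

Run it once in dry-run mode to read the commands, then `APPLY=1 sh script.sh setup` as root, and `APPLY=1 sh script.sh verify` to confirm that `ip route get ... from <LAN address>` reports eth0 rather than tun0. The `from LAN_IP` rule matches only packets sourced from the LAN address, so the VPN remains the path for everything the VM originates with its tunnel address; the WAN replies that used to disappear into tun0 are the only traffic moved.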

Hi, I had the same problem as well. I wasn't able to ssh to my router when connected to the VPN. The reason is that the VPN changes your default gateway. To make your nginx service available from the WAN you have to use the packet-marking feature of iptables to mark packets and send marked packets out via your WAN interface. I did something similar with my Tomato router. Try the following script; you just need to adjust the vpn_if and wan_gateway variables.

 

#!/bin/bash
# Policy-route nginx replies (source port 443) out the WAN interface instead of
# the VPN tunnel, which has become the default route.

vpn_if="tun11"          # the VPN interface (tun0 on a plain OpenVPN client)
wan_gateway="1.2.3.4"   # the gateway on the WAN/LAN side, e.g. the home router

# Start from a clean table 100 and drop any custom rules from a previous run
# (rules 0, 32766 and 32767 are the kernel defaults: local, main, default).
ip route flush table 100
ip rule show | grep -Ev "^(0|32766|32767):" | while read PRIO RULE; do
	ip rule del prio "${PRIO%%:*}" $( echo "$RULE" | sed 's|all|0/0|' )
done

# Disable reverse-path filtering, otherwise the kernel drops WAN packets that
# arrive on the WAN interface but whose source would be routed via the tunnel
# (rp_filter=2, loose mode, is a less drastic alternative to 0).
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do
	echo 0 > "$i"
done

# Copy every non-default, non-VPN route from the main table into table 100,
# then give table 100 its own default route via the WAN gateway.
ip route show table main | grep -Ev ^default | grep -Ev "$vpn_if" | while read ROUTE
do
	ip route add table 100 $ROUTE
done
ip route add default table 100 via "$wan_gateway"

# Packets carrying firewall mark 1 are looked up in table 100 ...
ip rule add fwmark 1 table 100

# ... and locally generated TCP packets with source port 443 (nginx replies)
# get that mark. --sport only works together with a protocol match (-p tcp).
iptables -t mangle -F OUTPUT
iptables -t mangle -A OUTPUT -p tcp --sport 443 -j MARK --set-mark 1

ip route flush cache

