chbni

ANSWERED Port Forwarding for OpenVPN on Asus router: Stuck

Hi all,

Sorry for opening up another post of port forwarding. I read through the FAQ and several posts, but I still couldn't figure out how to set up my router. Hopefully you can help me with what I believe are only a few steps I am missing.

My new ISP is using CG NAT, hence I cannot connect to the OpenVPN server on my Asus Router. I set up a remote port in the Client Area for UDP and local port 1194. The OpenVPN server is up and running on the Asus Router at 1194.

Still, I cannot connect. I scanned the IP and port in canyouseeme.org but it says there is no service on that port. The test here at AirVPN's client area also times out.
I assume this has something to do with the latter part of the FAQ about forward ports via iptables in dd-wrt tomato. That's where I am struggling. Why do I have to forward from the router when the service is on the router? And where do I have to enter which lines?

Any help is much appreciated.
Thank you in advance!
 

15 hours ago, chbni said:

Why do I have to forward from the router when the service is on the router?


Hello!

Actually it should not be necessary. Forwarding unsolicited packets from the router to the final destination is necessary if the listening service is running on a device connected to the router, and the router is the one device which connects to the VPN. What is this listening service running on the router you write about? Maybe packets to it are blocked by firewall rules, have you checked them?

Kind regards
 


Thank you. That makes sense.

I recently reset the router so the firewall is at default settings. It should not block the VPN server on the router. I double-checked and did not see anything that could be in the way.

However, I just realized the tests here at AirVPN indicate the VPN resolves back to what seems to be a wrong client IP address in the private IP section, aka 10.25.170.206.
The router is behind another (the ISP's) router, but in a comparable setup at my parents (but different provider that does not do CG NAT) the IP address gets resolved via DDNS. Also, 10.25.170.206 is not the router's local IP. Could this still be the ISP's CG NAT? I thought I could tunnel through that and establish a direct connection from my Asus router to AirVPN's VPN endpoint? Was I wrong?

What to do next?

Thanks in advance.

2 hours ago, chbni said:

Could this still be the ISP's CG NAT?


Hello!

No, it is not possible as the traffic flow is still encrypted on your ISP infrastructure, including your home ISP router.
 
2 hours ago, chbni said:

I thought I could tunnel through that and establish a direct connection from my Asus router to AirVPN's VPN endpoint? Was I wrong?


You were correct and this was assumed as already working. You mentioned a problem about remote inbound port forwarding, which is an additional feature. If the problem pertains to the connection by the router to the VPN servers, then it must be re-assessed: in this case remote inbound port forwarding does not even enter into play. Please clarify:
  1. can the router connect to AirVPN servers? if not, please send us the OpenVPN log taken after a connection attempt has failed
  2. is the problem related to remote inbound port forwarding? if so, please answer to the previous question and clarify: is the listening service really running on the router, or is it running on any device behind the router?

Kind regards
 


Thanks again for your time and input. Glad to know I am not totally wrong with what I am trying to achieve.
 

2 hours ago, Staff said:
1. can the router connect to AirVPN servers? if not, please send us the OpenVPN log taken after a connection attempt has failed

The router connects to AirVPN servers. I see the connection here on the details in the Client Area and the router's GUI shows a successful connection.
I do not believe it is relevant to the current issue with the service not being reachable from outside, but I want to mention it here nevertheless: From the client that is behind the router, I do not see the green AirVPN IP in the top bar of this website. I assume not all traffic from behind the router is yet routed through the VPN connection although I set the router to "redirect all Internet traffic through tunnel".

I checked the logs and found a few lines that might be relevant. I temporarily set verbosity to 6, hence I will shorten the log. Please let me know if more information is needed.

Oct 22 13:28:19 ovpn-client1[17809]: OpenVPN 2.6.12 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Oct 22 13:28:19 ovpn-client1[17809]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.08
Oct 22 13:28:20 ovpn-client1[17810]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.16.170.1,route-gateway 10.16.170.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.16.170.244 255.255.255.0,peer-id 7,cipher CHACHA20-POLY1305'
Oct 22 13:28:20 ovpn-client1[17810]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Oct 22 13:28:20 ovpn-client1[17810]: ovpn-up 1 client tun11 1500 0 10.16.170.244 255.255.255.0 init
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add default via 192.168.10.1 dev eth0  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 10.16.170.0/24 dev tun11 proto kernel scope link src 10.16.170.244  table ovpnc1

Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 127.0.0.0/8 dev lo scope link  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.2  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 192.168.10.1 dev eth0 proto kernel scope link  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 192.168.26.0/24 dev br0 proto kernel scope link src 192.168.26.1  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 192.168.30.0/24 dev tun21 proto kernel scope link src 192.168.30.1  table ovpnc1
Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 239.0.0.0/8 dev br0 scope link  table ovpnc1

Oct 22 13:28:20 openvpn-routing: Add route to remote endpoint: /usr/sbin/ip route add 185.189.112.13/32 via 192.168.10.1 table ovpnc1
Oct 22 13:28:20 openvpn-routing: Setting client 1 routing table's default route through the tunnel
Oct 22 13:28:20 vpndirector: Routing all traffic through ovpnc1
Oct 22 13:28:20 openvpn: Forcing all to use DNS server 10.16.170.1 (OpenVPN client 1 is set to Exclusive DNS mode)
Oct 22 13:28:22 ovpn-client1[17810]: Initialization Sequence Completed


There are a few entries (in red) I find worth mentioning:
Line 4: Could the warning be the reason why traffic from the client is not routed through the VPN tunnel?
Line 6:
  • 192.168.10.1 is the ISP's router, the Asus router connects to that network section at 192.168.10.2
  • The internal IP of the Asus router is 192.168.26.1.
  • 192.168.10.30 is the address range for connections to the VPN server on the router that I want to reach from the outside.
I have no explanation for 239.0.0.0 nor 10.16.170.244.
However, the latter is the IP address listed in the session details here on AirVPN and target address when I am testing the ports through the Port Forwarding section. I therefore assume this is the address that is being used as the AirVPN client IP for inbound port forwarding.
Just assuming: Could it be that the link between this IP and the router's internal IP (192.168.26.1 or 192.168.10.2) and the client IP 10.16.170.244 of the inbound port forwarding AirVPN connection is missing?
 
2 hours ago, Staff said:
  1. is the problem related to remote inbound port forwarding? if so, please answer to the previous question and clarify: is the listening service really running on the router, or is it running on any device behind the router?

I believe so. The service is an OpenVPN server on the Asus router that is up and running. The service is running directly on the Asus router, not on a device behind the router. For testing, I also opened the router's GUI (of course password protected) to the outside and set up a port of that service here at AirVPN. While I can reach the GUI locally from within the network, I cannot from the outside (either).
Port scans from outside do not show any services at the respective, inbound forwarded ports.

Just for sake of completion: The router is patched to the recent firmware of Asuswrt-Merlin.
 

@chbni

Hello!

The OpenVPN log shows a successful connection, so everything seems fine here. Just for a cross-check, please browse ipleak.net from a browser of a device behind the Asus router and verify that your "real" IP address does not appear anywhere. If it does, this potential issue:

WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results


could be resolved by upgrading the firmware. By upgrading to AsusWRT Merlin you will also have the option to forward ports to a device behind the router itself, should this need arise in the future.

About remote inbound port forwarding, we're back to square 1 so we will be waiting for the answer to our first question in our first message: what is this listening service running on the router you write about?

Kind regards
 


Hello and thanks again.
Sorry, I am not sure whether I understand your comment and question. I am running AsusWRT Merlin, as indicated above the most recent version available for my router. The warning appears nevertheless.

The service that is listening to the incoming traffic is the OpenVPN server. This OpenVPN server is running on the Asus router and listens locally to port 1194.
For testing, I activated another service, namely the webservice to the router's GUI listening to port 8443 on the Asus router. Although this one is also not reachable from the outside, this is purely for testing. What caused all this and what I am interested in is only the before-mentioned OpenVPN server on the Asus router I want to use to dial into my home network from outside.

Sorry for the confusion. If that is not the answer you need, please kindly specify what you mean with " what is this listening service running on the router you write about "
 

17 minutes ago, chbni said:

The service that is listening to the incoming traffic is the OpenVPN server. This OpenVPN server is running on the Asus router and listens locally to port 1194.


Hello!

Thank you for the clarification, we should have understood this setup since your very first message.

This is likely the problem. Running an OpenVPN server and an OpenVPN client on the same host at the same time requires some care. The latest Merlin firmware version might support it out of the box, please verify. If this particular configuration is possible, remember that your OpenVPN server will probably be reachable from the Internet on your real IP address:1194, not on the VPN server exit-IP address, because OpenVPN server and client will necessarily rely on different tun interfaces and routing tables.

Is there anyone reading this thread who achieved a proper setup of an OpenVPN server and an OpenVPN client running simultaneously on a Merlin router, with the OpenVPN client network receiving packets for the OpenVPN server subnet?

Kind regards
 


From my understanding, running both VPNs should be possible.

You are saying the OpenVPN server will probably be reachable from the Internet on my real IP address:1194. This is not the case because of the ISP's CG NAT. That's the reason why I am trying to run the service through AirVPN's connection.

However, let's assume for a moment running both VPNs is not possible. To test that, I opened the other service, the GUI of the Asus router at port 8843, to the world. That service is not related to OpenVPN and should be accessible through the AirVPN tunnel via the port forwarding service, shouldn't it? Unfortunately, that is also not the case. Hence, I suspect the issue is not related to running an OpenVPN server and OpenVPN client at the same time on the same host.

While I cannot say for sure the issue has something to do with it, I find the above line in the Asus-router's log suspicious:

Oct 22 13:28:20 openvpn-routing: Copy main table route: /usr/sbin/ip route add 10.16.170.0/24 dev tun11 proto kernel scope link src 10.16.170.244  table ovpnc1


That is the endpoint of where AirVPN directs the external calls:
[screenshot of the AirVPN port forwarding panel, not reproduced]

I do not know where this IP comes from. Is this a setting on the Asus router? Could it be that the external calls are getting routed here instead of to the service of the Asus router listening on the port but at a different IP? The Asus router's internal IP is 192.168.26.1, so I would have understood and expected that address to show up at AirVPN.
 

34 minutes ago, chbni said:

You are saying the OpenVPN server will probably be reachable from the Internet on my real IP address:1194. This is not the case because of the ISP's CG NAT.


Hello!

Yes, in this case it's not reachable at all.
 
35 minutes ago, chbni said:

I opened the other service, the GUI of the Asus router at port 8843 to the world. That service is not related to OpenVPN and should be accessible through the AirVPN tunnel via the port forwarding service, shouldn't it?


Not necessarily. You should have forwarded port 8843 on your AirVPN account port panel (you did it by re-mapping port 28443, so make sure to connect to port 28443 of your DDNS, and not 8843) and you must make sure that the GUI web app binds to the OpenVPN client's tun interface and not to the OpenVPN server's tun interface or to the physical network interface. A router's GUI web app may also refuse any connection from outside the local network for security reasons, please check. Please also consider stopping the OpenVPN server to discern the exact problem with the router web interface.
 
40 minutes ago, chbni said:

I do not know where this IP comes from.


It is the subnet of the OpenVPN server your OpenVPN client connected to. The OpenVPN server assigned the 10.16.170.244 address, in the 10.16.170.0/24 subnet, to your OpenVPN client's tun interface (a virtual network interface). The route added in table ovpnc1 ("OpenVPN client 1") and quoted in your message looks very correct.

Kind regards
43 minutes ago, chbni said:

Asus router's internal IP is 192.168.26.1


In this context "internal" IP address is very ambiguous. That's probably the IP address of the router's physical network interface for the WAN or LAN, in turn assigned (if you use DHCP) by the ISP router your Asus router is connected to.

Kind regards
 

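A way to check the point made above about which address a service is bound to, as an added example that is not code from the thread or from Asuswrt-Merlin. The netstat sample is constructed from the addresses in the thread (192.168.26.1 for the LAN side of the Asus router, 10.16.170.244 for the address the AirVPN server assigned to tun11) in the layout busybox `netstat -tuln` prints; on the router you would substitute the live output. A port that is forwarded by the provider arrives addressed to the tunnel address, so only a wildcard bind or a bind to that address can answer it.

```shell
#!/bin/sh
# Added example: classify whether a router service is reachable through the VPN tunnel
# address. SAMPLE_NETSTAT is constructed from the thread's addresses (192.168.26.1 = LAN
# side of the Asus router, 10.16.170.244 = address assigned to tun11 by the AirVPN server)
# in the layout busybox `netstat -tuln` prints; on a router you would use the live output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.26.1:8443       0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1194            0.0.0.0:*
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# bound_to <proto> <port>: print every local address a socket listens on for that port.
bound_to() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v proto="$1" -v port="$2" '
        $1 == proto {
            n = split($4, a, ":")
            if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# reachable_via <proto> <port> <tun_addr>: "yes" if a packet delivered to <tun_addr>:<port>
# (what the VPN provider forwards) lands on a listening socket, otherwise "no".
# A wildcard bind (0.0.0.0 / ::) or a bind to the tunnel address itself counts; a bind to
# the LAN address or loopback does not, which is why a LAN-only web GUI stays unreachable
# even with the port forwarded on the provider side.
reachable_via() {
    result="no"
    for addr in $(bound_to "$1" "$2"); do
        case "$addr" in
            0.0.0.0|::|"$3") result="yes" ;;
        esac
    done
    echo "$result"
}

# Stand-alone run: report the two services discussed in the thread.
echo "udp/1194 via tun11: $(reachable_via udp 1194 10.16.170.244)"
echo "tcp/8443 via tun11: $(reachable_via tcp 8443 10.16.170.244)"
```

On the router itself, replace the constructed sample with `SAMPLE_NETSTAT=$(netstat -tuln)` and run the same two calls; a "no" for a port you forwarded means the fix is in the service's bind address, not in the provider's port panel.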
2 hours ago, chbni said:

I want to use to dial into my home network from outside.


Hello!

For this purpose running an OpenVPN server and client at the same time on the same router is perhaps a useless complication. A simpler solution is just connecting the router to some AirVPN server, forwarding and pre-routing the ports needed for the listening services of the machines behind the router to the proper destination (both on your AirVPN account port panel and from the router's tun interface), configuring the proper DDNS for each port, and reach from the Internet the services running on the devices behind the router.

This simple solution, however, is not suitable in case you need more than 5 ports (if you need more, contact the support team).

Kind regards
 


Thank you for your input.

It is - finally - working as intended. There was a setting in the VPN client to AirVPN I had overlooked, namely a button allowing (respectively denying) incoming traffic. Once this was set and it was ensured that all Internet traffic is being tunneled through the connection to AirVPN's tunnel, I was able to establish a connection to the server on the Asus router.

I still cannot reach the router's GUI, although I made it available to more than just the internal (LAN) interface. I assume by clicking the respective button, the GUI only becomes available to the WAN interface but not the VPN connection. That's fine though, I do not need - nor want - the GUI to be reachable from outside anyways.

With regards to the last post with the easier solution: You are right that it would be easier to connect directly to a service/machine behind the router if I wanted to access that service only. However, I want to do more than that in my LAN, e.g. sending WOL magic packets waking up machines in the LAN and accessing a storage unit that is not running always.

2 minutes ago, chbni said:

I was able to establish a connection to the server on the Asus router.


Hello!

Thanks for the info and for letting us know that an AsusWRT Merlin based router can handle an OpenVPN server behind an OpenVPN client perfectly well, almost out of the box and without manual configuration required.

Kind regards
 

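Three firewall points run through the thread: the first staff reply (unsolicited packets only need forwarding when the service sits behind the router), the "simpler solution" post (forward and pre-route ports to LAN machines), and the inbound-traffic toggle in the VPN client page that finally made the poster's setup work. The script below is an added example, not code from the thread or from Asuswrt-Merlin, that expresses those as explicit iptables rules and opens only the forwarded ports instead of allowing all inbound tunnel traffic. The interface name tun11 and the subnet 192.168.26.0/24 come from the posted log; the LAN host 192.168.26.10, the user-script path /jffs/scripts/firewall-start and the ordering relative to the firmware's own tun11 rules are assumptions to verify on your router.

```shell
#!/bin/sh
# Added example: least-privilege firewall rules for ports forwarded by the VPN provider to
# an OpenVPN-client router. Interface name tun11 and the LAN host 192.168.26.10 are
# assumptions (tun11 and 192.168.26.0/24 appear in the thread's log; the host is made up).
# Intended for a Merlin user script such as /jffs/scripts/firewall-start; that hook name,
# and whether the firmware re-applies its own tun11 rules later, are assumptions to verify
# with `iptables -S INPUT; iptables -S FORWARD` once the VPN client is up.
VPN_IF="${VPN_IF:-tun11}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute an iptables command, or print it instead when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lock_down_tunnel: drop unsolicited traffic arriving from the tunnel (what the client
# page's "block inbound" setting does) but keep replies to outbound connections working.
lock_down_tunnel() {
    run iptables -I INPUT -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -j DROP
    run iptables -A FORWARD -i "$VPN_IF" -j DROP
}

# allow_on_router <proto> <tun_port>: open exactly one forwarded port for a service that
# runs on the router itself (the thread's OpenVPN server on UDP 1194). <tun_port> is the
# port as it arrives on the tunnel, i.e. the "local port" set in the AirVPN port panel.
allow_on_router() {
    run iptables -I INPUT -i "$VPN_IF" -p "$1" --dport "$2" -j ACCEPT
}

# forward_to_lan <proto> <tun_port> <lan_ip> <lan_port>: the FAQ case the thread refers
# to: the service runs on a device behind the router, so the packet must be DNATed to it
# and the FORWARD chain must permit that single flow (and nothing else from the tunnel).
forward_to_lan() {
    run iptables -t nat -I PREROUTING -i "$VPN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    run iptables -I FORWARD -i "$VPN_IF" -p "$1" -d "$3" --dport "$4" -j ACCEPT
}

# Stand-alone use: `sh vpn-ports.sh apply` installs the rules, `DRY_RUN=1 sh vpn-ports.sh apply`
# only prints them. With remote port 28443 mapped to local port 8443 in the provider panel,
# the packet reaches tun11 with destination port 8443, so that is the port matched here.
if [ "${1:-}" = "apply" ]; then
    lock_down_tunnel
    allow_on_router udp 1194                       # OpenVPN server on the router
    forward_to_lan tcp 8443 192.168.26.10 8443     # assumed web UI on a LAN host
fi
```

The ESTABLISHED,RELATED rules also cover the return packets of the DNATed flow, which conntrack un-NATs on the way out. The reply-routing side is what the poster's "redirect all Internet traffic through tunnel" setting provides: a service on the router answers from the tunnel address, and those replies have to leave via tun11; if the router's own traffic were routed out through the WAN instead, the handshake would never complete even with every rule above in place.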
