Posted: Tue Aug 15, 2017 16:58 Post subject: Allow VPN server clients talk to LAN w/Policy Routing Strict
Hi everyone. I'm desperate for some help on this. So far, I haven't been able to find anyone that can help me on this.
Short version:
Is there a way to manually provide route/firewall access for an OpenVPN client on a 10.8.0.0 subnet, to talk to a LAN client, let's say 192.168.1.26, when said client is redirecting internet via an OpenVPN client set to use Strict Policy Routing?
Explained differently, I can't access an IP on my home internal LAN when I VPN into my home router. The said IP is going through a VPN out to the WAN.
Policy Rule Strict as explained in Merlin's change log:
Code:
NEW: Added new Internet redirection mode to OpenVPN clients
called "Policy Rule (Strict)". The difference from the
existing "Policy Rule" mode is that in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic through global or other tunnel routes,
however it also means any static route you might have
defined at the WAN level will not be copied either.
In general, it's recommended to use this new strict
mode.
Setup:
- AsusWRT-Merlin FW 380.67 on Asus router RT-AC88U
- OpenVPN setup on my router using AirVPN for my internal home LAN with 192.168.x.x/24 network
- OpenVPN Server enabled on my router with 10.8.0.0/24 network
I can post my nat-start script or any other logs or output needed.
Well, I was able to get some clarity on this straight from the source, RMerlin: "(Policy Rules Strict) change is done at a lower level than iptables - right at the kernel's routing table level, so working around it might be complicated".
With this in mind, unless someone really experienced with this tries to figure out a way to add a route, accessing devices using strict mode will be a problem.
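The behaviour described in the change log and in RMerlin's reply can be modelled as a source-based rule that selects a per-tunnel routing table. The following is an added example, not code from the posts or from the firmware: a simplified model in which the interface names (br0, eth0, tun11, tun21), the table contents and the 10.8.0.2 client address are constructed assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, dev) pairs; returns the device or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

# Constructed main table: LAN bridge, OpenVPN server subnet, WAN default route.
MAIN = [
    ("192.168.1.0/24", "br0"),
    ("10.8.0.0/24", "tun21"),   # assumed OpenVPN server interface
    ("0.0.0.0/0", "eth0"),      # assumed WAN interface
]
TUNNEL_DEV = "tun11"            # assumed OpenVPN client (AirVPN) interface
TUNNEL_ROUTES = [("0.0.0.0/0", TUNNEL_DEV)]

def build_policy_table(strict):
    """Model of the per-tunnel table.

    "Policy Rule": non-default main-table routes are copied in as well.
    "Policy Rule (Strict)": only routes targeting the tunnel interface are kept.
    """
    copied = [] if strict else [r for r in MAIN if r[0] != "0.0.0.0/0"]
    return copied + TUNNEL_ROUTES

def route(src, dst, policy_sources, strict):
    """Sources listed in the policy use the tunnel table, everything else uses main."""
    table = build_policy_table(strict) if src in policy_sources else MAIN
    return lookup(table, dst)

if __name__ == "__main__":
    policy = {"192.168.1.26"}   # LAN client redirected through the VPN client
    for strict in (False, True):
        dev = route("192.168.1.26", "10.8.0.2", policy, strict)
        print(f"strict={strict}: reply to 10.8.0.2 leaves via {dev}")
```

In this model the reply from 192.168.1.26 to a VPN server client has no 10.8.0.0/24 entry to match in strict mode, so it follows the tunnel's default route instead of returning through the server interface.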