Posted: Sun Mar 11, 2018 10:56 Post subject: Establish direct S2S VPN whith active client @ recieving end
Hello,
My configuration:
- TPLINK WR1043ND V2 with OpenVPN client to PureVPN (and a UDP NAT on 1194 to the Synology)
- Synology DS216+II with OpenVPN server active
I have configured (with the help of this forum) the following firewall command so traffic to the VPN server is not routed through PureVPN
Quote:
#!/bin/sh
(
set -x
TID="200"
FW_MARK="0x88"
NAS_IP="192.168.2.101"
# cleanup from prior execution (when applicable)
(
ip rule del fwmark $FW_MARK table $TID
-j MARK --set-mark $FW_MARK
iptables -t mangle -D PREROUTING -p tcp -s $NAS_IP --sport 1194 \
-j MARK --set-mark $FW_MARK
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
ip route flush table $TID
ip route flush cache
sleep 3
) > /dev/null 2>&1
# add WAN as default gateway to alternate routing table
ip route add default via $(nvram get wan_gateway) table $TID
ip route add throw 192.168.1.0/24 table $TID
# force routing system to recognize our changes
ip route flush cache
# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $i
done
# mark packets from NAS service ports (these use WAN)
iptables -t mangle -I PREROUTING -p tcp -s $NAS_IP --sport 1194 \
-j MARK --set-mark $FW_MARK
If I disable the OpenVPN client and then connect my PC at work to the Synology VPN server (using my ISP's WAN IP) this connection works great. Also when I activate the OpenVPN client to PureVPN afterwards the OpenVPN connection keeps working while all other traffic at home is going through the tunnel. So far no problem.
But... when the OpenVPN client to PureVPN is active and I try to establish a VPN from work to the Synology NAS (through my ISP's IP) a connection is made (I can see on the Synology VPN server), but the handshake fails.
Quote:
Sun Mar 11 11:42:35 2018 UDP link local (bound): [AF_INET][undef]:1194
Sun Mar 11 11:42:35 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Mar 11 11:43:35 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 11 11:43:35 2018 TLS Error: TLS handshake failed
Sun Mar 11 11:43:35 2018 SIGUSR1[soft,tls-error] received, process restarting
I suspect the negotiations answer is not send directly back (from my ISP's IP to my works IP), but instead is send through the PureVPN tunnel thus failing the negotiation.
Can anybody give me a pointer in how to solve this?
Ps. I have already tried another port instead of 1194, but with the same result
The reason for the script was to allow incoming requests on the ISP's WAN to be handled while the VPN client was running. The synology also hosts a small website, which off course has to be reachable with an active OpenVPN client.
Quote:
IOW, the problem here is that the OpenVPN client is changing the default gateway from the WAN to the VPN.
Thanks for the info, will try your suggestions when I am home. Indeed my work computer has a fixed IP so this can be used, however I also have OpenVPN on my phone (although I rarely use it) which, off course, has dynamic IP addresses. Isn't there an easy way to tell the router that if there is direct incoming traffic (on port 1194) that connection/IP should use the deafult WAN gateway instead of the VPN's?
I added the folowing to additional config (and policy based routing is empty):
Quote:
#Route work IP through WAN gateway
route xx.xx.xx.xx 255.255.255.0 net_gateway
As to where the xx ip address is the wan IP address of my work PC. But unfortuantely if I start OpenVPN on my work PC and connect the handshake still isn't done.
Thank you (again) for sharing your valuable knowledge with me.
Quote:
Isn't there an easy way to tell the router that if there is direct incoming traffic (on port 1194) that connection/IP should use the deafult WAN gateway instead of the VPN's?
I take it this is not so easy to do (so I can also use my phone if I should want to). Not super important as I rarely use it (and if I need it I can deactivate the OpenVPN client so it will connect), but maybe there is a simple way of doing this and then I might be able to configure it like that while I'm at it.
Thank you for this link, I was not aware of this risk and implemented this code also.
Quote:
If you're interested, I could give you the PasteBin link in a PM (don't want to publicize it quite yet since it's a work in progress). I could benefit from a beta tester or two anyway.
I am not a programmer, just a simple user with minor technical skills (mostly using Google and forums as you noticed). It could even be that this is just the kind of tester you are looking for. So if you think it is beta/simple enough for me to be able to test, I would love to do it and give you feedback. Maybe even in a new topic in which you describe a small howto, and I'll reply in it if with my findings/questions so this is available as info for everybody when you release it to the general public.
