Posted: Sat Apr 28, 2018 12:30 Post subject: openvpn PBR: website behind an internal IP
I got DD-WRT running NordVPN as a client fine. But I also have one internal IP, 192.168.1.4, that I want to go over my regular WAN IP, because this is my Nextcloud server VM.
What i did:
1. Disabled "Shortcut Forwarding Engine"
2. Added all IPs I want to go over OpenVPN in the PBR manually as xxx.xxx.xxx/32, and obviously didn't add 192.168.1.4
3. Checked all clients' external IP and it works fine.
4. Added port 443 to the regular NAT GUI, but I don't think that's what I should be doing.
I think PBR took over the routing and I need to add firewall rules to give 192.168.1.4 an open port 443 to the WAN.
I'm reading and reading, but it appears a bit too hard for me to tackle. Can somebody point me in the right direction? Or write me the rule? Obviously I would still like to be able to reach 192.168.1.4 on the network behind it.
Thanks!
Last edited by fuzzyduck on Wed May 02, 2018 11:50; edited 3 times in total
Make sure 192.168.1.4 is routed via the WAN: surf from this client to ipleak.net and you should see the ISP's IP address; from the VPN-routed clients you should see Nord's.
If I understand correctly, you are hosting a server on 192.168.1.4. You need a port forward to that server; the port forward opens up the firewall.
Port 443 is sometimes used, so I would suggest using something like 8443: set this port on the server and forward it on the Port Forwarding tab of the router.
That is basically all, assuming this router is internet connected; if it is behind another ISP router, then that one also has to be set up for port forwarding.
Thanks for the reply. So the GUI port forwarding is for IPs NOT in the PBR range.
My firmware: DD-WRT v3.0-r35244 std (03/05/1
EDIT1: GUI port forwarding of port 443 to the HTTPS website at 192.168.1.4 works fine when the VPN client is disabled. It breaks when I enable the VPN client again. Could it be some VPN setting I use (NordVPN)?
EDIT2: When I check for port 443 at https://www.yougetsignal.com/tools/open-ports/ with the OpenVPN client enabled it says it's open, but the router doesn't seem to forward the packets to 192.168.1.4. When trying the Nextcloud website it loads indefinitely.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Apr 29, 2018 7:57 Post subject:
You cannot test from inside your network when the VPN is on. You have to test whether the server is accessible from outside, e.g. from a friend's address or using your phone via the cellular network.
I figured I could just go out over the VPN and come back in again over the WAN, but that's not the case.
Yes, from another IP the website works.
If you could point me in the right direction for this advanced routing I would be grateful. So when I type somewebsite.com behind the router, it should route to 192.168.1.4?
EDIT: I added address=/website.com/192.168.1.4 to the Additional DNSMasq Options. It works now, but I'm not sure it's the best/right way.
Posted: Sun Apr 29, 2018 15:36 Post subject:
NAT loopback (that is what you use when accessing anything over the WAN from inside your network) does not work because the traffic goes out via the VPN and comes in via the WAN.
For the script which resolves this see: https://pastebin.com/YwnHLqaa
Copy the Raw data and go to administration/Commands Paste it there and save as Startup.
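The linked pastebin script is not reproduced on this page. As an added illustration of the hairpin ("NAT loopback") rules it has to provide for a server that is excluded from VPN policy routing, here is a small DD-WRT-style startup script. It is example code written for this page, not the pastebin script and not DD-WRT's own code, and it assumes the LAN bridge is br0, the LAN is 192.168.1.0/24, the router's LAN address is 192.168.1.1, the server is 192.168.1.4 and the public port is 443; the WAN address is read from nvram (wan_ipaddr) when available.

```shell
#!/bin/sh
# Added example: hairpin NAT for one LAN server that bypasses the VPN.
# Assumed values (override via environment): br0, 192.168.1.0/24,
# router 192.168.1.1, server 192.168.1.4, public port 443.
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
SERVER_IP="${SERVER_IP:-192.168.1.4}"
PORT="${PORT:-443}"
# On DD-WRT the current WAN address lives in nvram; elsewhere set WAN_IP by hand.
WAN_IP="${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null)}"

# Emit the rules as text so they can be reviewed (DRY_RUN=1) before being applied.
hairpin_rules() {
    wan_ip="$1"
    # 1. A LAN client connects to the public address: rewrite the destination to
    #    the server. This is the same DNAT the Port Forwarding tab installs for
    #    packets arriving on the WAN, but matched on the LAN side (-i br0).
    echo "iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -d $wan_ip -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
    # 2. Make the server see the router, not the client, as the source. The reply
    #    then goes back to the router on $LAN_IF and conntrack undoes both NATs,
    #    so the reply never reaches the VPN/WAN routing decision that broke plain
    #    loopback (out via VPN, in via WAN).
    echo "iptables -t nat -I POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j SNAT --to-source $ROUTER_IP"
    # 3. Let the hairpinned flow through the FORWARD chain.
    echo "iptables -I FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $PORT -j ACCEPT"
}

# Apply the rules, or just print them when DRY_RUN=1. Refuses to run without a
# WAN address, because a DNAT rule with an empty -d would match nothing useful.
apply_hairpin() {
    wan_ip="$1"
    [ -n "$wan_ip" ] || { echo "WAN_IP is empty; cannot add loopback rules" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        hairpin_rules "$wan_ip"
    else
        hairpin_rules "$wan_ip" | while read -r cmd; do eval "$cmd"; done
    fi
}

if [ -n "$WAN_IP" ]; then
    apply_hairpin "$WAN_IP"
else
    echo "WAN_IP unknown (not on DD-WRT?); preview with WAN_IP=x.x.x.x DRY_RUN=1" >&2
fi
```

Preview on any machine with `WAN_IP=203.0.113.10 DRY_RUN=1 sh hairpin.sh`; on the router, paste it under Administration/Commands and save as Startup, as suggested above for the pastebin script. One caveat: after the DNAT the router still makes a routing decision for the client's packet, so this assumes the policy-routing table used for VPN clients still carries the LAN's connected route (192.168.1.0/24 dev br0). If that table only holds a default route through the tunnel, the packet is sent into the tunnel and the split-DNS line from the EDIT earlier in this thread (dnsmasq `address=/website.com/192.168.1.4`) remains the simpler fix. Note that `address=/website.com/...` also answers for every subdomain of website.com; `host-record=website.com,192.168.1.4` pins only that one name.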
Posted: Sun Apr 29, 2018 20:38 Post subject:
Yes, keep SFE disabled when using Policy Based Routing.
Otherwise your VPN clients will not have HTTP access.
SFE is not speeding up the VPN connection anyway.
It can speed up the WAN connection, but it is only helpful if you have a really slow router or a 300 Mb/s or higher internet connection. If that is the case and your firmware is on Linux kernel 4.4, I have a patched SFE module which works with PBR (courtesy of @Quarkysg).
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087