External access to NAS server through OpenVPN dd-wrt router

TheLuffe
DD-WRT Novice


Joined: 27 May 2017
Posts: 8

Posted: Fri Jun 02, 2017 5:29    Post subject: External access to NAS server through OpenVPN dd-wrt router
Hello

Backstory:
I acquired my new router a couple of days ago and finally got it up and running as an OpenVPN client. The connection to my VPN provider (Torguard) seems to work flawlessly, however I can't seem to connect to my NAS-server from outside my local network now. Previously I used the VPN capabilities of my NAS-server (DS216play), but it was a system hog and maxed out system resources when I reached 50 Mbps, which is why I bought my new router (Linksys WRT-3200ACM). It is when I switch the default gateway of the NAS server from 192.168.1.4 to ...1.1 and disconnect the VPN connection on the NAS-server (to instead use the one set up on the dd-wrt router), that I lose my ability to access the diskstation externally.

Problem and setup:
First off, here's a map of my network as of right now:

The dd-wrt router is set to gateway mode.

When I try to access the NAS-server remotely through a web browser I get a "Refused to connect" error, which looks like this:

I am very much a network rookie, meaning I have always set up my own home networks, but it hasn't really required anything other than rudimentary understanding of the topic. I am currently guessing that there's a problem between my modem/router, dd-wrt router and my NAS, where it doesn't point to my NAS server, when I try to connect to it from outside my LAN.

I just don't know what to do about the issue. Does anyone have an idea as to what the problem might be?

I hope I added all the necessary information in my post, but if there's something I forgot, please feel free to ask :)
Briar
DD-WRT User


Joined: 05 Mar 2015
Posts: 58

Posted: Mon Jun 12, 2017 1:35
My setup is more basic (one wrt3200 router and a cable modem) but having the same issue with my Synology NAS and openVPN client, only my vpn is PIA

nothing I try helps, but to be honest my knowledge level is casual user
js1662
DD-WRT Guru


Joined: 23 Jul 2014
Posts: 1237
Location: BC, CA

Posted: Mon Jun 12, 2017 9:10
If you want to access your NAS server from outside, you need to set up an OpenVPN server on your router. When you are traveling, you need to have an OpenVPN client on the remote device. Once a secure tunnel is established between the remote device and the router, you can then access the NAS server using its IP address, the NAS server address and not the router address. As you can see, PIA plays no part at all or you don't need it for that purpose. It may be a good idea to turn off the PIA client on the router, as some people said that it may not work with both OpenVPN server and client on the same router.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jun 12, 2017 12:29
You can also use port forwarding to reach your NAS server and in that case you do not need an openVPN server.

The PIA OpenVPN client routes everything through the VPN gateway and can interfere with reaching your NAS (well, actually it does not interfere with reaching but with the return/answer of your query).

The easiest solution is to use PIA with Policy Based Routing; the default gateway is then through your ISP and your NAS can be reached through port forwarding.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Briar
DD-WRT User


Joined: 05 Mar 2015
Posts: 58

Posted: Mon Jun 12, 2017 13:38
Thanks for the responses, I appreciate the help.

I'll look into the server option more... can I go that route if I have a dynamic ip address?
The one help guide I looked at seemed pretty intimidating for the casual user.

As far as port forwarding, I do use it. Using port forwarding does allow local access to the NAS with OpenVPN enabled but still does not allow external access.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Jun 12, 2017 13:57
Briar wrote:
Thanks for the responses, I appreciate the help.

I'll look into the server option more... can I go that route if I have a dynamic ip address?
The one help guide I looked at seemed pretty intimidating for the casual user.

As far as port forwarding, I do use it. Using port forwarding does allow local access to the NAS with OpenVPN enabled but still does not allow external access.


Indeed, only if you are using Policy Based Routing then you will have external access. The alternative method is to add a firewall rule, something like:
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport xx -s 192.168.1.yy -j MARK --set-mark 1

where xx is the port number and yy the IP address of your NAS; this will route the outgoing traffic from your NAS through your WAN instead of through your VPN.

Briar
DD-WRT User


Joined: 05 Mar 2015
Posts: 58

Posted: Mon Jun 12, 2017 14:32
I am clueless on policy based routing, I will do some homework this evening and try to get some level of understanding...

on the firewall rule suggestion, would I enter the code you suggested in the dd-wrt command function, or maybe in the openvpn config, or somewhere else?

thanks for the help,
B
Briar
DD-WRT User


Joined: 05 Mar 2015
Posts: 58

Posted: Mon Jun 12, 2017 17:11
found this wiki:

"Source Based Routing

Source based routing only requires a few commands:
ip rule add from [source IP]/[netmask] table 200
ip route add default via [gateway] dev [interface] table 200
ip route flush cache


The [source IP] should be whatever the IP of the machine is that you want to be routed differently, optionally with a [netmask] to specify a block of source addresses to route differently. The [gateway] should be the IP of the next router to send traffic to such as your VPN server or the gateway IP of your ISP. The [interface] should be whichever interface the traffic needs to be sent out to reach the alternative gateway such as tun0 for a VPN."



tried this based on an example:

ip rule add from 192.168.1.111/28 table 200
ip route add default via [vpn ip address I used in the openvpn configuration] dev tun0 table 200
ip route flush cache

but when I try it, I cannot connect to anything, even the config page and have to do a reset to recover.

Blue is the variables I changed
192.168.1.111 = nas
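
Added example, not part of the original thread: the wiki text quoted above says the [netmask] selects a block of source addresses, so this POSIX shell example computes which addresses a given `from IP/PREFIX` selector covers and prints the wiki's three commands for a single host (/32). The gateway `192.0.2.1` and interface name `wan-if` in the demo are constructed placeholders; table 200 is the number from the quoted wiki text.

```shell
#!/bin/sh
# Added example (not from the thread): which source addresses an
# "ip rule add from IP/PREFIX" selector covers, plus the wiki's three
# commands generated for exactly one host.

# Dotted quad -> 32-bit integer; returns 1 on malformed input.
ip_to_int() {
    case $1 in *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# covered_range IP PREFIX -> "first-address last-address count"
covered_range() {
    addr=$(ip_to_int "$1") || return 1
    case $2 in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$2" -le 32 ] || return 1
    size=$(( 1 << (32 - $2) ))
    first=$(( $addr & ~($size - 1) ))    # clear the host bits
    echo "$(int_to_ip "$first") $(int_to_ip $(( $first + $size - 1 ))) $size"
}

# host_rule_commands SOURCE_IP GATEWAY INTERFACE
# Prints the wiki's commands with a /32 selector so only SOURCE_IP matches.
# Table 200 is the number used in the quoted wiki text.
host_rule_commands() {
    ip_to_int "$1" >/dev/null || return 1
    ip_to_int "$2" >/dev/null || return 1
    printf 'ip rule add from %s/32 table 200\n' "$1"
    printf 'ip route add default via %s dev %s table 200\n' "$2" "$3"
    printf 'ip route flush cache\n'
}

# Demo. 192.0.2.1 and wan-if are constructed placeholders, not thread values.
covered_range 192.168.1.111 28    # 192.168.1.96 192.168.1.111 16
covered_range 192.168.1.111 32    # 192.168.1.111 192.168.1.111 1
host_rule_commands 192.168.1.111 192.0.2.1 wan-if
```

The script only prints; it changes no routing state on the machine it runs on.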
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Mon Jun 12, 2017 19:09
There is an ip address error. You have used 192.168.1.x on both the LAN and WAN side of the WRT3200ACM. They should be different sub-nets.
Briar
DD-WRT User


Joined: 05 Mar 2015
Posts: 58

Posted: Mon Jun 12, 2017 19:56
My nas is 192.168.1.111
and the PIA vpn server address in my openvpn client setup is 108.61.55.75

So those are what I interpreted as to what the wiki was telling me to use.

ugh, I know this must be easy to most here but I truly don't have a clue...

where do I find the right numbers to use?

this is exactly what I tried:
ip rule add from 192.168.1.111/28 table 200
ip route add default via 108.61.55.75 dev tun0 table 200
ip route flush cache