Posted: Fri Jun 02, 2017 5:29 Post subject: External access to NAS server through OpenVPN dd-wrt router
Hello
Backstory:
I acquired my new router a couple of days ago and finally got it up and running as an OpenVPN client. The connection to my VPN provider (Torguard) seems to work flawlessly, however I can't seem to connect to my NAS server from outside my local network now. Previously I used the VPN capabilities of my NAS server (DS216play), but it was a system hog and maxed out system resources when I reached 50 Mbps, which is why I bought my new router (Linksys WRT-3200ACM). It is when I switch the default gateway of the NAS server from 192.168.1.4 to ...1.1 and disconnect the VPN connection on the NAS server (to instead use the one set up on the dd-wrt router), that I lose my ability to access the diskstation externally.
Problem and setup:
First off, here's a map of my network as of right now:
The dd-wrt router is set to gateway mode.
When I try to access the NAS server remotely through a web browser I get a "Refused to connect" error, which looks like this:
I am very much a network rookie, meaning I have always set up my own home networks, but it hasn't really required anything other than rudimentary understanding of the topic. I am currently guessing that there's a problem between my modem/router, dd-wrt router and my NAS, where it doesn't point to my NAS server when I try to connect to it from outside my LAN.
I just don't know what to do about the issue. Does anyone have an idea as to what the problem might be?
I hope I added all the necessary information in my post, but if there's something I forgot, please feel free to ask.
If you want to access your NAS server from outside, you need to set up an OpenVPN server on your router. When you are traveling, you need to have an OpenVPN client on the remote device. Once a secure tunnel is established between the remote device and the router, you can then access the NAS server using its IP address, the NAS server address and not the router address. As you can see, PIA plays no part at all, or you don't need it for that purpose. It may be a good idea to turn off the PIA client on the router, as some people said that it may not work with both OpenVPN server and client on the same router.
Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands
Posted: Mon Jun 12, 2017 12:29 Post subject:
You can also use port forwarding to reach your NAS server, and in that case you do not need an OpenVPN server.
The PIA OpenVPN client routes everything through the VPN gateway and can interfere with reaching your NAS (well, actually it does not interfere with reaching but with the return/answer of your query).
I'll look into the server option more... can I go that route if I have a dynamic ip address?
The one help guide I looked at seemed pretty intimidating for the casual user.
As far as port forwarding, I do use it. Using port forwarding does allow local access to the NAS with OpenVPN enabled but still does not allow external access.
Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands
Posted: Mon Jun 12, 2017 13:57 Post subject:
Briar wrote:
Thanks for the responses, I appreciate the help.
I'll look into the server option more... can I go that route if I have a dynamic ip address?
The one help guide I looked at seemed pretty intimidating for the casual user.
As far as port forwarding, I do use it. Using port forwarding does allow local access to the NAS with OpenVPN enabled but still does not allow external access.
Indeed, only if you are using Policy Based Routing then you will have external access; the alternative method is to add a firewall rule, something like:
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport xx -s 192.168.1.yy -j MARK --set-mark 1
I am clueless on policy based routing, I will do some homework this evening and try to get some level of understanding...
On the firewall rule suggestion, would I enter the code you suggested in the dd-wrt command function, or maybe in the OpenVPN config, or somewhere else?
Source based routing only requires a few commands:
ip rule add from [source IP]/[netmask] table 200
ip route add default via [gateway] dev [interface] table 200
ip route flush cache
The [source IP] should be whatever the IP of the machine is that you want to be routed differently, optionally with a [netmask] to specify a block of source addresses to route differently. The [gateway] should be the IP of the next router to send traffic to such as your VPN server or the gateway IP of your ISP. The [interface] should be whichever interface the traffic needs to be sent out to reach the alternative gateway such as tun0 for a VPN."
Tried this based on an example:
ip rule add from 192.168.1.111/28 table 200
ip route add default via [vpn ip address I used in the openvpn configuration] dev tun0 table 200
ip route flush cache
but when I try it, I cannot connect to anything, even the config page, and have to do a reset to recover.
Blue is the variables I changed
192.168.1.111 = nas
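The `[netmask]` in the source-routing commands quoted above decides how many LAN hosts are sent to table 200, so it is worth checking before a rule goes onto the router. As an added example (not code from the thread or from dd-wrt), this POSIX shell helper computes the address block a selector covers and prints the three commands for a single host; the gateway `203.0.113.1` and interface `eth0` are placeholder assumptions, and nothing is applied to the router.

```shell
#!/bin/sh
# Added example, not from the thread. Commands are only printed, never run.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Block of source addresses selected by "ip rule add from ADDR/LEN".
# Prints: first-address last-address count
rule_range() {
    addr=${1%/*}
    len=${1#*/}
    if [ "$len" = "$1" ]; then len=32; fi    # no "/LEN" means one host
    n=$(ip_to_int "$addr")
    size=$(( 1 << (32 - len) ))
    first=$(( n & ~(size - 1) & 4294967295 ))
    echo "$(int_to_ip "$first") $(int_to_ip $(( first + size - 1 ))) $size"
}

# Print the three commands from the thread for ONE host (/32).
# Table 200 is the table number used in the thread; the gateway ($2) and
# interface ($3) are supplied by the caller.
emit_source_route() {
    echo "ip rule add from $1/32 table 200"
    echo "ip route add default via $2 dev $3 table 200"
    echo "ip route flush cache"
}

# Constructed demo: the NAS address comes from the thread; 203.0.113.1 and
# eth0 are placeholders for the real next-hop gateway and its interface.
if [ "${1:-}" = demo ]; then
    rule_range 192.168.1.111/28    # the /28 selector: a 16-address block
    rule_range 192.168.1.111/32    # the NAS alone
    emit_source_route 192.168.1.111 203.0.113.1 eth0
fi
```

Run with the argument `demo` to see that the /28 selector spans 192.168.1.96 through 192.168.1.111, while /32 selects only the NAS.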