RDP and VPN solution?

DD-WRT Forum Forum Index -> General Questions
Lights_On
DD-WRT User


Joined: 21 Jul 2012
Posts: 53

PostPosted: Wed May 23, 2018 11:19    Post subject: RDP and VPN solution?
Hi All,

Seeking some advice if possible.

I run an R7000 on Kong and run a permanent VPN using OpenVPN. All is well. I would like to be able to set up a way of RDP into a machine on my LAN from outside the LAN. Obviously using DYNDNS and a VPN on the router stops the ability to simply port forward RDP to an IP and thus connect, plus also I would not want to open RDP ports to the web anyway as it is not safe. So as such - what is the best action to take? So I guess the short question is:

How do I remote into a PC from outside the LAN when my router is running a permanent VPN?

Thank you in advance for any support or direction here.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 23, 2018 17:13    Post subject:
Once you get connected to your VPN at home, you have access to the target device using its *local* IP address (e.g., 192.168.1.100). So you just RDP to that local IP address as if you were physically at home. Simple.
Lights_On
DD-WRT User


Joined: 21 Jul 2012
Posts: 53

PostPosted: Wed May 23, 2018 17:58    Post subject:
Hi,

Thanks for the reply but I think I have perhaps not been clear. If I run VPN on my router there is no way to access it or local IP addresses it may work with, as the VPN does what it is meant to and masks things, so as such once VPN on the router is enabled there is no way to access an IP inside the LAN from outside the LAN as the VPN set up ensures this. No VPN and a fixed IP or DNS does the job. But not when VPN is on. With VPN on I have no issues inside the LAN. Any ideas further to this extra detail?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 23, 2018 18:36    Post subject:
Ok, I think I see the confusion here. When you said simply "OpenVPN" (unqualified), I thought you meant you were running an OpenVPN *server* at home. But what you really meant is you have an active OpenVPN *client* running on the router, and that is diverting traffic over the VPN, and you can no longer access anything via port forwarding over the WAN, like RDP from the internet to some LAN device, is that correct?
Lights_On
DD-WRT User


Joined: 21 Jul 2012
Posts: 53

PostPosted: Wed May 23, 2018 22:05    Post subject:
Perfect. Yes 100% the situation. Thank you for supporting clarity. My desired solution possible with this set up?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 23, 2018 22:56    Post subject:
This is a well-known problem. The replies from your RDP connection over the WAN are being routed over the VPN. But the stateful firewall on the router will not permit the traffic associated w/ a given connection to use different network interfaces for the incoming and outgoing packets. Both the incoming and outgoing packets *must* use the same network interface.

IOW ...

WAN in, WAN out ... is allowed
WAN in, VPN out ... is denied
VPN in, VPN out ... is allowed
VPN in, WAN out ... is denied

There are several ways to deal w/ the problem. What works best for you is for you to decide.

1. Use the PBR (policy based routing) field in the OpenVPN client GUI. Only those sources IPs listed in that field will use the VPN. All others will use the WAN/ISP. And if the target of your RDP session is not in that field, then you'll regain remote access to it.

2. Access the target device over the VPN rather than the WAN. That assumes your VPN provider offers port forwarding over their end of the tunnel (some do, some don't).

3. If the target device is always being accessed from the same public IP(s) (e.g., you only access remotely from your workplace, or other places with well-known public IPs), then add static routes that force those public IPs to use the WAN. Static routes always take precedence over the default gateway. And it's the default gateway being changed to the VPN that's causing this problem for remote access over the WAN.

Obviously this isn't a practical solution for someone who's on the road and accessing their home network from arbitrary locations.

4. Use the following script.

https://pastebin.com/gnxtZuqg

This is a relatively new solution I've developed. You create a DDNS domain name w/ some DDNS provider (doesn't matter who, any will do) and then update that DDNS domain name as you roam (usually you can just login to the DDNS provider's website and update it directly, or send the appropriate URL to their service via your browser). The script (once configured w/ that same DDNS domain name) monitors that DDNS domain name for changes. When a change occurs, it installs a static route for the public IP assigned to that DDNS domain name that points to the WAN.

IOW, we're using DDNS in reverse, to keep the router updated w/ your current public IP rather than the router keeping you updated w/ its current public IP. And now you regain access to *all* port forwarding over the WAN because, as I explained previously, static routes take precedence over the default gateway.

5. Install the following script (this one's a bit "heavier" and more complex, so that's why I present it as a last resort).

https://pastebin.com/nC27ETsp

This is my own PBR implementation intended to replace the one provided in the OpenVPN client GUI. It's much more feature rich and fixes numerous, long-standing dd-wrt bugs. But it has one very nice advantage when dealing w/ this particular problem: merely installing it fixes it. You can delete all the sample rules, install it, and you'll immediately regain remote access over the WAN.


Last edited by eibgrad on Fri Jun 01, 2018 21:26; edited 1 time in total
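As an added example (this is not eibgrad's pastebin script, nor any code posted in the thread), here is a minimal BusyBox-sh sketch of option 4: poll a DDNS name, and whenever its address changes, install a /32 static route for that address via the WAN so replies to inbound RDP are not pulled into the tunnel. Assumptions, all mine: the DDNS name is `myroam.example.org`, the WAN gateway and interface come from `nvram get wan_gateway` and `nvram get wan_iface`, and the `ip` applet is present. The resolver parsing and the decision logic are kept side-effect free so they can be exercised without root; only `apply_route` and `main_loop` touch the routing table.

```shell
#!/bin/sh
# Added example: keep a /32 static route towards the roaming client's public
# IP (learned from a DDNS name) pointing at the WAN, so replies to inbound
# RDP over the WAN do not get pulled into the VPN tunnel.
# Assumed, not from the thread: the DDNS name, the nvram variable names, and
# that busybox `ip` and `nslookup` are available.

DDNS_HOST="${DDNS_HOST:-myroam.example.org}"      # hypothetical DDNS name
STATE_FILE="${STATE_FILE:-/tmp/ddns_wan_route.ip}"
CHECK_INTERVAL="${CHECK_INTERVAL:-60}"

# True if $1 is a dotted quad with every octet in 0..255. The case pattern
# rejects anything that is not digits and dots, so a value taken from DNS can
# never smuggle shell metacharacters into the `ip route` call.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
        done
    )
}

# $1 is raw nslookup output. Skip the resolver's own address (everything
# before the "Name:" line) and print the first IPv4 answer, if any.
parse_nslookup_ipv4() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Compare the currently routed IP ($1, may be empty) with the newly resolved
# one ($2). Prints one of: invalid, install, unchanged, replace.
route_action() {
    if ! is_ipv4 "$2"; then echo invalid; return 1; fi
    if [ -z "$1" ]; then echo install
    elif [ "$1" = "$2" ]; then echo unchanged
    else echo replace
    fi
}

# Remove the stale /32 (if any) and pin the new one to the WAN gateway. A
# /32 is more specific than the tunnel's default route, so it always wins.
apply_route() {
    gw=$(nvram get wan_gateway)
    dev=$(nvram get wan_iface)
    [ -n "$1" ] && ip route del "$1/32" 2>/dev/null
    ip route replace "$2/32" via "$gw" dev "$dev"
}

main_loop() {
    old=$(cat "$STATE_FILE" 2>/dev/null)
    while :; do
        new=$(parse_nslookup_ipv4 "$(nslookup "$DDNS_HOST" 2>/dev/null)")
        case "$(route_action "$old" "$new")" in
            install|replace)
                if apply_route "$old" "$new"; then
                    old=$new
                    printf '%s\n' "$new" > "$STATE_FILE"
                    logger -t ddns_wan_route "routing $new via WAN"
                fi ;;
            invalid)
                logger -t ddns_wan_route "no IPv4 answer for $DDNS_HOST" ;;
        esac
        sleep "$CHECK_INTERVAL"
    done
}

# Only start the loop when explicitly asked, e.g. from the DD-WRT startup script:
#   DDNS_ROUTE_RUN=1 sh /jffs/ddns_wan_route.sh &
if [ "${DDNS_ROUTE_RUN:-0}" = 1 ]; then
    main_loop
fi
```

Two things to keep in mind when using something like this: the /32 also sends any LAN traffic destined for that public IP around the VPN, which is exactly what makes the stateful firewall happy but is worth knowing; and the script only changes routing, so the RDP port is still reachable on the WAN by anyone, not just the DDNS address. Check the result with `ip route show` (the /32 should list the WAN gateway) and confirm the RDP session no longer stalls after the handshake.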
Lights_On
DD-WRT User


Joined: 21 Jul 2012
Posts: 53

PostPosted: Wed May 23, 2018 23:15    Post subject:
Hi,

Thank you for taking the time to help and to share this code and information. I think either solution 4 or 5 will be best for me but as you say I will need to test them and find what works best.

One last question. If 4 and 5 sort of reverse update info to the router, then does this not in effect reverse the solution of using an OpenVPN solution? So as such I have not re-routed traffic? Sorry if this is obvious and a silly question.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed May 23, 2018 23:44    Post subject:
Lights_On wrote:
One last question. If 4 and 5 sort of reverse update info to the router, then does this not in effect reverse the solution of using an OpenVPN solution? So as such I have not re-routed traffic? Sorry if this is obvious and a silly question.


Remember what I said in option #2. You *could* remotely access your home network over the VPN instead of the WAN, provided your VPN provider offers port forwarding. And if you did, there would be no need for messing w/ the routing. Everything would work smoothly and perfectly (you would have to implement port forwarding via some scripting on the router as well, since the GUI's port forwarding only works w/ the WAN, but that's easily accomplished w/ a few firewall rules).

The reason you have this rerouting issue is because *you* have insisted on remote access over the WAN, which is NOT secured! And as such, in order to not violate the firewall rules, we're forced to reroute the replies back over that same WAN.

So if you feel this is somehow undermining the purpose for which you decided to use the OpenVPN client, then don't use the WAN for remote access. Use the VPN. And if your VPN provider doesn't offer port forwarding, find one that does.
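An added illustration of what the "few firewall rules" for option 2 can look like on a DD-WRT router (this is my example, not eibgrad's script and not code from the thread). Assumptions: the OpenVPN client's tunnel interface is `tun1`, the VPN provider forwards public port 53389 to the tunnel endpoint, and the RDP host is `192.168.1.100`. The rules are emitted through a runner argument so they can be previewed before they are handed to iptables, and an optional source CIDR limits who may reach the forwarded port.

```shell
#!/bin/sh
# Added example: forward an inbound TCP connection that arrives over the
# OpenVPN client tunnel to an RDP host on the LAN, never touching the WAN.
# The interface, ports and host below are assumptions, not values from the thread.
TUN_IF="${TUN_IF:-tun1}"             # OpenVPN client interface on DD-WRT
PUB_PORT="${PUB_PORT:-53389}"        # port the VPN provider forwards to us
LAN_HOST="${LAN_HOST:-192.168.1.100}"
LAN_PORT="${LAN_PORT:-3389}"

# Emit or apply the two rules. $1 is the command that runs each rule:
# "echo" to preview, "" (empty) to apply. $2 is an optional source CIDR; when
# given, only that source may reach the forwarded port.
vpn_forward_rules() {
    run=$1
    # DNAT only packets that arrived on the tunnel; WAN-side rules stay untouched.
    $run iptables -t nat -A PREROUTING -i "$TUN_IF" ${2:+-s $2} -p tcp \
        --dport "$PUB_PORT" -j DNAT --to-destination "$LAN_HOST:$LAN_PORT"
    # Let the rewritten packet through FORWARD. DD-WRT's default FORWARD chain
    # already accepts ESTABLISHED,RELATED (assumption), so NEW is enough here.
    # Replies go back out the tunnel because it is the default gateway, which
    # keeps the "same interface in and out" rule satisfied.
    $run iptables -I FORWARD -i "$TUN_IF" ${2:+-s $2} -p tcp -d "$LAN_HOST" \
        --dport "$LAN_PORT" -m state --state NEW -j ACCEPT
}

apply_vpn_forward() {
    # Refuse to install rules while the tunnel is down so they never point at
    # an interface that does not exist yet.
    if ! ip link show "$TUN_IF" >/dev/null 2>&1; then
        echo "$TUN_IF is not up; start the OpenVPN client first" >&2
        return 1
    fi
    vpn_forward_rules "" "${1:-}"
}

# Usage: sh vpn_forward.sh apply [source-cidr]     (e.g. from the firewall script)
#        sh vpn_forward.sh preview [source-cidr]
case "${1:-}" in
    apply)   apply_vpn_forward "${2:-}" ;;
    preview) vpn_forward_rules echo "${2:-}" ;;
esac
```

After applying, `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter climbing when you connect to the provider's public IP on the forwarded port. Note that without the source CIDR the RDP host is reachable by anyone who can reach the provider's IP, so this is not less exposed than a WAN port forward; it only changes which path the traffic takes.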
Lights_On
DD-WRT User


Joined: 21 Jul 2012
Posts: 53

PostPosted: Wed May 23, 2018 23:48    Post subject:
Fully understood and a fair statement of facts. Thank you. I need to go and test these and get my head round the best implementation. I really appreciate your time helping me out - thank you.
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 59

PostPosted: Sat Oct 20, 2018 23:38    Post subject: Re: RDP and VPN solution?
Lights_On wrote:
Hi All,

Seeking some advice if possible.

I run an R7000 on Kong and run a permanent VPN using OpenVPN. All is well. I would like to be able to set up a way of RDP into a machine on my LAN from outside the LAN. Obviously using DYNDNS and a VPN on the router stops the ability to simply port forward RDP to an IP and thus connect, plus also I would not want to open RDP ports to the web anyway as it is not safe. So as such - what is the best action to take? So I guess the short question is:

How do I remote into a PC from outside the LAN when my router is running a permanent VPN?

Thank you in advance for any support or direction here.


VPN won't stop access to the router over WAN if you use PBR. You could use PBR; then your RDP should be exposed to WAN, or maybe you will need to forward it.

If you want help setting up Transmission while using PBR in OpenVPN, look at my post https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661&start=30