VPN and DMZ

crewze
DD-WRT Novice


Joined: 22 Jun 2019
Posts: 1

Posted: Sat Jun 22, 2019 15:02    Post subject: VPN and DMZ
I have a DD-WRT attached to an ISP cable router. I have a server connected to the DD-WRT router that I would like to access from the internet. I have a DMZ set up on both routers and I am able to access the server fine until I activate the VPN. At that point the VPN stops working and the access to the server no longer works. See attached diagram for network config.

I am not sure this is supposed to work. Maybe someone could tell me if it should work and if not suggest a way to get access to the server with the VPN running.


Attachment: VPN Network Diagram.pdf (22.99 KB)

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4212
Location: Netherlands

Posted: Sat Jun 22, 2019 15:58    Post subject:
It is not entirely clear yet to me.

You show us two routers, is the top one the ISP router?
It seems so as it has the Public IP address

But the server seems connected to this router and that is not the DDWRT router?

The bottom one seems connected to its WAN port so you are double NATting?
Is this the DDWRT router with an OVPN client to ExpressVPN?

In general when you have an OVPN client running on your router and you want to reach something on or behind that router then you have to use Policy based Routing.

If you do not use Policy Based Routing your default gateway is your VPN connection and your firewall will not allow incoming connections on your WAN which are going out via your VPN.

When using Policy based routing the default is restored to your WAN.

_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sat Jun 22, 2019 17:48    Post subject:
egc wrote:
When using Policy based routing the default is restored to your WAN.


At the risk of a DNS leak (and other problems).

Although using PBR might be one way to deal w/ the problem, there are other options. And not too long ago I detailed those other options on the SNB forums.

https://www.snbforums.com/threads/simultaneous-vpn-server-and-vpn-client.39508/#post-485507
https://www.snbforums.com/threads/simultaneous-vpn-server-and-vpn-client.39508/#post-485800

Most of the other options eliminate the need to take the router itself off the VPN. And it's not just the possibility of DNS leaks that's the issue. Suppose you're running transmission on the router and expect it to use the VPN? Now it doesn't because you used PBR.

So yes, PBR solves the problem, but unfortunately it's the equivalent of using a sledgehammer to fix a hangnail.

I know @egc is aware that I'm not a fan of taking the router off the VPN for these reasons. Both he and I have been trying to find a way to implement PBR while still keeping the router itself on the VPN, but without much success. In the meantime, it's important for users to know there are other alternatives besides PBR. Esp. if you would otherwise have no need for PBR except to fix this problem w/ remote access over the WAN while the OpenVPN client was active.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
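
Added example (not part of either post, and not DD-WRT's own code): a small Python model of the route selection both replies describe. It shows that without PBR the server's reply to a WAN-side visitor leaves through the tunnel, while with PBR it leaves on the WAN, and so does the router's own DNS traffic. The addresses, the interface names (`wan`, `tun`, `br0`) and the `redirect-gateway def1`-style /1 routes are assumptions made for the illustration.

```python
import ipaddress as ip

LAN = ("192.168.1.0/24", "br0")
# Main table while the OpenVPN client is up. Assumption: the tunnel overrides
# the WAN default with two /1 routes, as OpenVPN's "redirect-gateway def1" does.
MAIN_VPN_UP = [("0.0.0.0/0", "wan"), ("0.0.0.0/1", "tun"), ("128.0.0.0/1", "tun"), LAN]
# With PBR the main table's default is back on the WAN; a separate table holds the VPN default.
MAIN_PBR = [("0.0.0.0/0", "wan"), LAN]
VPN_TABLE = [("0.0.0.0/0", "tun"), LAN]

def lookup(table, dst):
    """Longest-prefix match: egress interface for dst."""
    hits = [(ip.ip_network(net), dev) for net, dev in table
            if ip.ip_address(dst) in ip.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def egress(rules, tables, src, dst):
    """Walk policy rules in order; the first rule whose source selector matches
    picks the table. src=None stands for traffic the router itself originates,
    which in this model only the catch-all rule matches."""
    for selector, name in rules:
        if selector == "all" or (src and ip.ip_address(src) in ip.ip_network(selector)):
            return lookup(tables[name], dst)
    raise LookupError("no matching rule")

# Constructed hosts: DMZ server, a LAN client, a remote user, a public resolver.
SERVER, LAPTOP, REMOTE, DNS = "192.168.1.100", "192.168.1.50", "203.0.113.7", "198.51.100.53"

def scenario(pbr_sources=None):
    """pbr_sources=None: VPN client up without PBR. Otherwise: listed sources use the VPN."""
    if pbr_sources is None:
        rules, tables = [("all", "main")], {"main": MAIN_VPN_UP}
    else:
        rules = [(s, "vpn") for s in pbr_sources] + [("all", "main")]
        tables = {"main": MAIN_PBR, "vpn": VPN_TABLE}
    return {
        # The remote user connected in over the WAN; the reply must leave there too.
        "server_reply": egress(rules, tables, SERVER, REMOTE),
        "laptop_web": egress(rules, tables, LAPTOP, REMOTE),
        "router_dns": egress(rules, tables, None, DNS),
    }

if __name__ == "__main__":
    print("no PBR:", scenario())
    print("PBR   :", scenario(["192.168.1.50/32"]))
```

A `server_reply` of `tun` means the inbound connection breaks, and a `router_dns` of `wan` means the router's lookups bypass the VPN.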