NAS WOL via DD-WRT OpenVPN?

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Tue Jul 02, 2019 22:04    Post subject: NAS WOL via DD-WRT OpenVPN?
Hi,

I access my LAN via OpenVPN setup on my Asus RT-AC66U DD-WRT.
And through this access, I would like to be able to wake up a Synology NAS.

Directly on the LAN it's easy to do from a laptop:
  • I enable WOL on the NAS
  • I use the Wake On LAN software on which I set:
    - the NAS MAC address
    - the NAS 192.168.0.x fixed IP address
    - the 255.255.255.0 subnet
    - the "Internet" send option
    - and the port #9.

It works like a charm.

But as soon as I try from Internet via OpenVPN, it doesn't work any more :(
If the NAS is switched on, I can access it via a browser and its 192.168.0.x IP address.
But if it's off, I can't wake it up via Wake On LAN with the same settings as for the LAN.

So how can I fix the issue?

I've read this wiki, set up the port forwarding and ARP entry but it doesn't help...
https://wiki.dd-wrt.com/wiki/index.php/Wake-on-LAN_%28tutorial%29

Also the NAS is not listed within the Available Hosts of the DD-WRT WOL page.
Don't know if it's an issue or not.

Any idea?
Thanks! :)
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 425

Posted: Tue Jul 02, 2019 23:32    Post subject: Re: NAS WOL via DD-WRT OpenVPN?
FTP wrote:
Also the NAS is not listed within the Available Hosts of the DD-WRT WOL page.
Don't know if it's an issue or not.

Any idea?
Thanks! :)

That's strange....

Did you try to manually enter the NAS host in the "WOL Addresses" box on the same page?...Administration/WOL/

&/Or try logging into the router over the VPN and manually wake it in the box below it, on the same page?

You did not specify what type of device you were using remotely over the VPN....If an android device you could try the free app "Fing" to issue the WOL command.

Possibly the program you are using locally automatically binds itself to the subnet/network your device is using, when remote.....the VPN's...other remote wifi network/cellular.

_________________
Location 1
R6300V2- DD-WRT v3.0-r39345M kongac (04-03-19) Gateway
WNDR3400v1 DD-WRT.v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Gateway
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
2 devices: SXT 5 ac (mipsbe) RB 6.45.1 (06/27/19) PTP Bridge (0.8km/0.5mi)tx/rx866.6Mbps-1GbpsLAN

Thank You <Kong> & BrainSlayer for ALL that you do also to everyone here that shares their knowledge
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 425

Posted: Tue Jul 02, 2019 23:40
Forgot to mention....

You do have "Allow Client to Client" "enabled" on the OpenVPN setup page?

You can connect once it's awake..so you probably do....just wanted to be sure...

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Wed Jul 03, 2019 13:28    Post subject: Re: NAS WOL via DD-WRT OpenVPN?
Hi,

Thanks Dr_K for your answer!

Dr_K wrote:
That's strange....

It finds the...
- smartphones (iPhone)
- desktop
- laptops
- Apple TV
- and ISP modem/router (in Bridge mode as it's my Asus router with DD-WRT that's managing my LAN)
But not the NAS.

Dr_K wrote:
Did you try to manually enter the NAS host in the "WOL Addresses" box on the same page?...Administration/WOL/

Nope. I'll try in a few hours.
My 2 NAS are currently busy creating a 1st backup of 2TB.

Dr_K wrote:
&/Or try logging into the router over the VPN and manually wake it in the box below it, on the same page?

I tried on the LAN. It doesn't work.
The "Manual WOL" functionality looks unable to wake up the NAS (while the Wake On LAN software and the Synology DS Finder iPhone app both can, so the NAS is correctly set up to be woken up).

Dr_K wrote:
You did not specify what type of device you were using remotely over the VPN....If an android device you could try the free app "Fing" to issue the WOL command.

It's a laptop running Windows 10 & the Wake On LAN software.
I'll try with the iPhone DS Finder app over OpenVPN when my NAS is available. It's the 2nd method I used that was working fine on the LAN.

Dr_K wrote:
You do have "Allow Client to Client" "enabled" on the OpenVPN setup page?

Yes I do :)
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Thu Jul 04, 2019 6:58    Post subject: Re: NAS WOL via DD-WRT OpenVPN?
FTP wrote:
Dr_K wrote:
Did you try to manually enter the NAS host in the "WOL Addresses" box on the same page?...Administration/WOL/

Nope. I'll try in a few hours.

It's not changing anything. Not helping.

FTP wrote:
Dr_K wrote:
You did not specify what type of device you were using remotely over the VPN....If an android device you could try the free app "Fing" to issue the WOL command.

I'll try with the iPhone DS Finder app over OpenVPN when my NAS is available. It's the 2nd method I used that was working fine on the LAN.

Not working either.

Any other idea? :(
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Jul 04, 2019 14:19
The OpenVPN "client to client" directive has nothing to do w/ this problem. All that directive does is allow multiple OpenVPN clients using the same OpenVPN server to communicate w/ each other (something rarely needed). IOW, the OpenVPN server acts as a sort of gateway between the connected OpenVPN clients. Think of "client to client" as AP/Net isolation for OpenVPN. Unless you really need it, it probably makes more sense to NOT use it, at least from a security perspective.

I use the depicus online WOL service as well, and have my routers configured as in the dd-wrt WOL wiki, and it works just fine. Of course, I'm making my request from *outside* the WAN, and NOT from inside the LAN once I'm connected to the VPN. The latter makes no sense, since once inside the LAN via the VPN, you could just as well use the WOL feature of the router. I also save the depicus URLs in a document (which my editor usually treats as clickable links) that I maintain on Dropbox, so I have easy access to WOL while on the road.

When it comes to the router's own WOL page, once the target of WOL goes to sleep, eventually it disappears from ARP, and thus won't show in the Available Hosts section. That's why you either need to add the host to that page (preferably while it's still active), or just remember its MAC address.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Thu Jul 04, 2019 15:39
eibgrad wrote:
Unless you really need it, it probably makes more sense to NOT use it, at least from a security perspective.

That's a good point. I'll look at it and probably disable this option.

eibgrad wrote:
I use the depicus online WOL service as well, and have my routers configured as in the dd-wrt WOL wiki, and it works just fine.

Ok. So regarding the settings on DD-WRT GUI, providing the NAS IP address is "192.168.0.x", all you did was...
1/ In NAT / QoS -> Port Forwarding tab, add the following forward:
Code:
WOL  |  9  |  udp  |  192.168.0.x  |   9   |   x


2/ In Administration -> Commands section, add the following line and save with Save Startup ?
Code:
arp -i br0 -s 192.168.0.x FF:FF:FF:FF:FF:FF


eibgrad wrote:
Of course, I'm making my request from *outside* the WAN, and NOT from inside the LAN once I'm connected to the VPN. The latter makes no sense, since once inside the LAN via the VPN, you could just as well use the WOL feature of the router.

Interesting.
I did it from inside the LAN via the VPN as:
- I know it works on the LAN w/o the VPN,
- while it doesn't work from the WOL feature of the router for me.

This last point is weird. It should maybe get fixed which would unlock every other case.

On the other hand, I'll try from Internet. If it works, good. But in any case I have to run OpenVPN to access the NAS, so it's also convenient for me to run OpenVPN and do everything on the LAN. And running Wake On LAN is easier than opening the DD-WRT GUI.

eibgrad wrote:
When it comes to the router's own WOL page, once the target of WOL goes to sleep, eventually it disappears from ARP, and thus won't show in the Available Hosts section. That's why you either need to add the host to that page (preferably while it's still active), or just remember its MAC address.

Well for me, the NAS never shows up in this list, running or not. I just added it manually.

Thanks for your answer! :)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Jul 04, 2019 16:25
FTP wrote:
Ok. So regarding the settings on DD-WRT GUI, providing the NAS IP address is "192.168.0.x", all you did was...
1/ In NAT / QoS -> Port Forwarding tab, add the following forward:
Code:
WOL  |  9  |  udp  |  192.168.0.x  |   9   |   x


2/ In Administration -> Commands section, add the following line and save with Save Startup ?
Code:
arp -i br0 -s 192.168.0.x FF:FF:FF:FF:FF:FF



You do NOT specify the actual target IP either in the port forward or static ARP assignment (as strange as that sounds). You choose an IP that is NOT assigned (and never will be assigned) to any device on the local network (e.g., 192.168.1.254).

If you statically bind the mac address of FF:FF:FF:FF:FF:FF to the NAS ip in the router's ARP table, the NAS will become unreachable by the router, and/or a future ARP request between the router and the NAS will likely replace the static ARP entry, thereby breaking WOL.

By choosing a target IP that does NOT get assigned to an actual device, it still causes the port forward to get sent around the LAN, and when the NAS sees its own MAC address in the magic packet, it will know to wake itself up, even though it's not the actual target of the port forward.

I would also try to stay away from the low-numbered, well-known external ports, since many times ISPs block them. A little obscurity helps too, so use something like 19882, or 10009, etc.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu Jul 04, 2019 16:44
P.S. If you want to create individual WOL port forwards, each targeting a specific device, you can. But you need to use the actual IP and MAC address of the device in the port forward and static ARP entry.

Personally, I find this to be rather inconvenient since there are many devices that I use w/ WOL. And so using FF:FF:FF:FF:FF:FF allows me to create *one* port forward and static ARP entry that will work w/ *any* WOL device, just so long as I include the target's MAC address in the WOL request.

h8red
DD-WRT Guru


Joined: 28 Jun 2011
Posts: 570
Location: Vilnius, Lithuania

Posted: Thu Jul 04, 2019 16:59
Simply SSH into the router from outside with putty, etc. and wake the device from CLI.
Use authentication key with password to secure your connection from outside of course.

_________________
[Ramips] Nexx WT3020F Openwrt @kernel #4.14.132 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Thu Jul 04, 2019 18:36
Thanks eibgrad for your answers!
Very instructive :)

eibgrad wrote:
You do NOT specify the actual target IP either in the port forward or static ARP assignment (as strange as that sounds). You choose an IP that is NOT assigned (and never will be assigned) to any device on the local network (e.g., 192.168.1.254).

If you statically bind the mac address of FF:FF:FF:FF:FF:FF to the NAS ip in the router's ARP table, the NAS will become unreachable by the router, and/or a future ARP request between the router and the NAS will likely replace the static ARP entry, thereby breaking WOL.

By choosing a target IP that does NOT get assigned to an actual device, it still causes the port forward to get sent around the LAN, and when the NAS sees its own MAC address in the magic packet, it will know to wake itself up, even though it's not the actual target of the port forward.

This part was really confusing in the Wiki.
That's what I understood at first, but then there was also this...
Wiki wrote:
3. The WOL computer should have a static IP address, one manually assigned or through static DHCP. In the example below, we assume your router LAN is 192.168.1.x (the default) and the static IP WOL computer is 192.168.1.254.


So I changed for the IP address of the NAS and now I understand why most of my tests could not work.

But I also did 2 tests with 2 different unassigned IP addresses, they also failed.
However, I'll do another one as I think they may have failed for another reason. I had some quick Internet cut around that time so the tests were "maybe" messed up by this issue.

In any case your explanations are much clearer than the Wiki's ones. Thanks! :)

eibgrad wrote:
I would also try to stay away from the low-numbered, well-known external ports, since many times ISPs block them. A little obscurity helps too, so use something like 19882, or 10009, etc.

I can consider that when I come back home (as it requires changing a setting on the NAS) but right now I'm already travelling overseas and to change this setting remotely I would first need to wake up the NAS one time.

In any case, I think it applies only if I try from Internet, right?
If I first log on OpenVPN, then this issue of the port 9 maybe blocked would not be applicable any more as I would be on the LAN, correct?

eibgrad wrote:
If you want to create individual WOL port forwards, each targeting a specific device, you can. But you need to use the actual IP and MAC address of the device in the port forward and static ARP entry.

Yes, I'll also test this, using the NAS IP & MAC addresses.
Just to see if both work or at least one works.
I maybe have a lazy NAS not willing to wake up if it's not the actual target of the port forward ;)

I'll come back to you as soon as I have the result of the tests, but once again I'm not at home any more since this morning, so the tests will take longer as I'll not be able to physically see the NAS waking up. I'll have after each test to wait for a minute and hope I can reach it.

h8red wrote:
Simply SSH into the router from outside with putty, etc. and wake the device from CLI.
Use authentication key with password to secure your connection from outside of course.

I'll try this too.

Thanks to both of you!
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Fri Jul 05, 2019 15:35
Ok, I've been able to do some -few- tests.

FTP wrote:
I also did 2 tests with 2 different unassigned IP addresses, they also failed.
However, I'll do another one as I think they may have failed for another reason. I had some quick Internet cut around that time so the tests were "maybe" messed up by this issue.

I confirm, so far it doesn't work for me.
I've tried with 192.168.0.254 & FF:FF:FF:FF:FF:FF but I've not been able to wake up the NAS, neither via the DD-WRT feature, nor via the Wake On LAN software (both through the VPN).

But one question: my LAN is set on 192.168.0.x. That's why I've used 192.168.0.254.
Should I use 192.168.1.254 as written everywhere? Does it make any difference or is it just an example for 192.168.1.x LANs?

FTP wrote:
Yes, I'll also test this, using the NAS IP & MAC addresses.
Just to see if both work or at least one works.
I maybe have a lazy NAS not willing to wake up if it's not the actual target of the port forward ;)

Bingo!
This worked. For the 1st time I've been able to wake up the NAS from the VPN with those settings: using the NAS IP & MAC addresses for the port forwarding & ARP line + the WOL wake-up DD-WRT feature. But it's not working with the Wake On LAN software, which may be linked to the fact that the Magic Packet is sent to 192.168.0.255.

I've not run any test from Internet (w/o VPN). No time.

h8red wrote:
Simply SSH into the router from outside with putty, etc. and wake the device from CLI.
Use authentication key with password to secure your connection from outside of course.

I just had no time to test this during my flight connection as well.
I'll do it later ;)

Thanks for your help.
I already have one case that works, even though I don't know yet why some cases are not working :)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Fri Jul 05, 2019 17:37
Again, there's no point in using the online service while inside the LAN via the VPN. Again, if you're already inside the LAN via the VPN, you already have access to the WOL feature of the GUI, or even simply using a telnet/ssh session on the router and issuing a wol command (/usr/sbin/wol). The point of the online WOL service is for the purposes of being *outside* the WAN, on the internet side.

As far as the actual IP associated w/ using the FF:FF:FF:FF:FF:FF mac address, you should use your own network. The fact the wiki uses 192.168.1.254 is just because it's an example. If you're using the 192.168.0.x network, then it should be 192.168.0.254.

FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Sat Jul 06, 2019 14:38
eibgrad wrote:
Again, there's no point in using the online service while inside the LAN via the VPN. Again, if you're already inside the LAN via the VPN, you already have access to the WOL feature of the GUI, or even simply using a telnet/ssh session on the router and issuing a wol command (/usr/sbin/wol). The point of the online WOL service is for the purposes of being *outside* the WAN, on the internet side.

I know your opinion regarding this topic, but you seem to completely ignore the ergonomic aspect.
Your 2 solutions are much longer to run than double click on a shortcut and click on Wake-up. No authentication needed, no username and password to type. The Wake On LAN software window is also displayed instantly, while it's also longer to open a browser and load 2 DD-WRT pages.
My favorite solution takes 1s.
The DD-WRT way takes 10s, provided there's no mistake in the 1st attempt of username and PW.

eibgrad wrote:
As far as the actual IP associated w/ using the FF:FF:FF:FF:FF:FF mac address, you should use your own network. The fact the wiki uses 192.168.1.254 is just because it's an example. If you're using the 192.168.0.x network, then it should be 192.168.0.254.

Ok. Clear. Thanks.

eibgrad wrote:
I would also try to stay away from the low-numbered, well-known external ports, since many times ISPs block them. A little obscurity helps too, so use something like 19882, or 10009, etc.

Just to make sure, do you confirm it applies only if I try from Internet, right?
If I first log on OpenVPN, this issue of the port 9 maybe blocked would not be applicable any more as I would be on the LAN, correct?
FTP
DD-WRT User


Joined: 01 Jul 2012
Posts: 61

Posted: Sun Jul 28, 2019 6:53
Hi guys,

Sorry for the delay, but like I said above, I was overseas so couldn't run extensive tests.

But I'm now back home and that's what I did.
And here are the results...


So far I did not run any test from Internet as it would imply to open and forward one port while for security purposes I prefer to leave them all closed and always use OpenVPN.

So the main conclusion is many cases work, EXCEPT, the one of the wiki! :o

If I try to set...
Code:
arp -i br0 -s 192.168.0.254 FF:FF:FF:FF:FF:FF
or
arp -i br0 -s 192.168.0.255 FF:FF:FF:FF:FF:FF

...it never allows DD-WRT to WOL the NAS, even in LAN! (I'm using a 192.168.0.x network)

Any idea why or where to look for to find out why?

Thanks! :)

PS 1: the comment (.255) for PuTTY means it works only with the broadcast address 192.168.0.255, while when there's no comment, it works with the broadcast address or the NAS IP address.
PS 2: the comment (.255/Int.) for Wake On Lan means it works only with the 255.255.255.255 Sub Mask and "Internet" Send Option, while when there's no comment, it works with 255.255.255.0 or 255.255.255.255 Sub Masks and "Internet" or "Local Subnet" Send Options.


Last edited by FTP on Tue Jul 30, 2019 7:38; edited 1 time in total
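
The mechanism discussed in this thread (the NAS reacting to its own MAC inside the magic packet rather than to the destination IP, and the 192.168.0.255 broadcast address FTP's tests depend on), as an added example that is not part of any post above: Python code that builds the payload, checks it the way a sleeping NIC would, and derives the subnet broadcast address. The MAC 00:11:22:33:44:55 and the host 192.168.0.10 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import socket
from typing import Optional

SYNC = b"\xff" * 6  # every magic packet starts with six 0xFF bytes


def parse_mac(mac: str) -> bytes:
    """Turn 'AA:BB:CC:DD:EE:FF' (or dash-separated) into 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + parse_mac(mac) * 16


def magic_packet_target(payload: bytes) -> Optional[bytes]:
    """Mimic a sleeping NIC: scan the payload for the sync stream followed
    by 16 copies of one MAC and return that MAC, else None.
    The destination IP plays no part; only this byte pattern is matched."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6]
        idx = payload.find(SYNC, idx + 1)
    return None


def would_wake(nic_mac: str, payload: bytes) -> bool:
    """True if a NIC with nic_mac would treat payload as its wake-up call.
    Assumes the frame reached the NIC at all (Ethernet broadcast or its own
    MAC as layer-2 destination), which is what the static ARP entry is for."""
    return magic_packet_target(payload) == parse_mac(nic_mac)


def directed_broadcast(host_ip: str, netmask: str) -> str:
    """Broadcast address of the subnet containing host_ip."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def send_wol(mac: str, host_ip: str, netmask: str, port: int = 9) -> str:
    """Send the magic packet as UDP to the subnet broadcast address."""
    dest = directed_broadcast(host_ip, netmask)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_magic_packet(mac), (dest, port))
    return dest


if __name__ == "__main__":
    nas_mac = "00:11:22:33:44:55"  # constructed sample MAC
    pkt = build_magic_packet(nas_mac)
    print(len(pkt), would_wake(nas_mac, pkt))
    print(directed_broadcast("192.168.0.10", "255.255.255.0"))
```

The payload carries no credential, so any sender whose packet reaches the segment can wake the host; forwarding a WAN port to the LAN for WOL exposes that to the Internet, while sending it through the VPN does not.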