OpenVpn Client/Server and DDNS

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Tue Jan 19, 2021 19:51    Post subject: OpenVpn Client/Server and DDNS Reply with quote
Hello. Hope to find some help here.
Have XR500 running DD-WRT v3.0-r45192 std (12/29/20)
Configured OVPN client which is connected to the ExpressVpn.
Configured OVPN Server to connect to my local network from the outside.
Everything works perfectly and I can connect to my local network only via WAN IP. Is it possible to force DDNS client to report VPN IP and connect to the local network via that IP?
Using
route api.dynu.com 255.255.255.255 vpn_gateway
server=/api.dynu.com/208.67.222.222
I somehow managed to report VPN IP to the DDNS provider and it was right but I could not connect to the internal network since then.

Also, I use dns-leak-test from here
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325492&sid=ed6eda8857b40c7b73ac45f2ddb71d74
which shows only one leak when the router is rebooted.
How to trace where leak comes from?
Or is it possible to fix this while using PBR?
Jan 19 20:22:15 router user.notice ddwrt-ultimate-dns-leak[1853]: Tue Jan 19 20:22:15 CET 2021: dns leak detected Query Over WAN
Jan 19 20:22:15 router user.warn ddwrt-ultimate-dns-leak[1853]: dns leak detected Query Over WAN

Dnsmasq
no-resolv
server=208.67.222.222
server=208.67.220.220

Routing rules in VPN client config
route 208.67.222.222 255.255.255.255 vpn_gateway #DNS
route 208.67.220.220 255.255.255.255 vpn_gateway #DNS2
route 216.239.35.12 255.255.255.255 vpn_gateway #NTP server

PBR
10.8.0.1/24
192.168.1.1/32
192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/26
192.168.1.192/29
192.168.1.200/32

Firewall
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
iptables -I FORWARD -s 10.8.0.1/24 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.1/32 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.2/31 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.4/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.8/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.16/28 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.32/27 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.128/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.192/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.200/32 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.201 -o $(get_wanface) -m state --state NEW -j ACCEPT
Sponsor
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8598

PostPosted: Tue Jan 19, 2021 22:44    Post subject: Reply with quote
First, DDNS by default only looks at the WAN ip to determine the public IP (specifically when it detects a change), although you could change it to use a URL that returns the current public IP. But you would still have the problem of having DDNS detect the change of the VPN ip since it's still monitoring the WAN ip. So all in all, I don't think messing w/ DDNS makes much sense here. There might be better ways, including perhaps checking w/ the VPN provider. Sometimes they provide information about your active connections when accessing your account on their website.

Second, most VPN providers do NOT support remote access over the VPN. And being an ExpressVPN user myself, I know they don't, specifically because they believe it undermines the user's security and privacy.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1089
Location: Appalachian mountains, USA

PostPosted: Tue Jan 19, 2021 23:14    Post subject: Reply with quote
FWIW, AirVPN supports "static VPN port forwarding" for internet clients to connect to your system (assuming you tweak the firewall appropriately) by connecting to a particular port on the VPN server's exit IP. They assign the port number to you long term (if you wish), hence "static." Very few VPN providers offer static forwarding like this. More providers offer dynamic port forwarding, where the port number is assigned (I believe) for the duration of your connection to the server. If you do not always use the same server, Air has a DDNS service that will map a fixed fqdn to the exit IP of whatever server you are currently connected to. (That would seem to require you to connect only one client.) See airvpn.org. dd-wrt how-to linked in my sig.
_________________
Five WRT1900ACSv2's on 42926, 44048.
VLANs, VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard servers, wireguard clients (AzireVPN), two DNSCrypt DNS providers (incl Quad9) via OpenVPN/wireguard clients.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7268
Location: Netherlands

PostPosted: Wed Jan 20, 2021 9:37    Post subject: Reply with quote
Most things are already answered, and as Express VPN does not provide port forward via VPN there is no need to get the IP address from the VPN (like the way you are setup enabling "Use external IP check" on DDNS setting page might work though)

Port forwarding via VPN is possible I had it running once using very sophisticated scripts from @eibgrad when I was using Private internet Access I used it to get to my summer residence as it was behind a residential gateway.

The other problem a DNS leak when the router is rebooting, that is indeed logical as it take some time (can take 1 to 2 minutes) before the tunnel is up and (DNS) traffic is routed via the tunnel.
That is why you use a kill switch (the kill switch does not prevent the DNS leak but prevents clients using it)

It is in theory possible to start the router without any DNS, so actually waiting until the tunnel is up and DNS is setup via the tunnel.

The problem is the time server and the VPN servers url.
For the Time server you have to use an IP address and also for the VPN servers address.
Never tried it for VPN , did try it for WireGuard and that worked.

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Wed Jan 20, 2021 21:11    Post subject: Reply with quote
Thank you for the explanation!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum