[SOLVED]Outside access DD WRT FTP with VPN client enabled

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
ig007
DD-WRT Novice


Joined: 28 Jul 2021
Posts: 16

PostPosted: Thu Jul 29, 2021 21:15    Post subject: [SOLVED]Outside access DD WRT FTP with VPN client enabled Reply with quote
In most recent topic I posted good people guided me to information on how to enable OpenVPN server and client be utilized simultaneously from outside of network. This time I have another issue.

I set up proFTPD and Samba for USB storage plugged to DD WRT router R6700v3 with build 47090. DD WRT router is behind ISP router. Can only access FTP server from outside with VPN client disabled. Is that IP Tabling again? I don't know how and this time can't find any information on forum or web how to solve this. Also in case it is solved, would FTP working with VPN client improve security of FTP server? I have the option to enable FTP storage on another router without VPN client to save the headache if there are no security benefits. Please help.


Last edited by ig007 on Wed Aug 04, 2021 10:42; edited 1 time in total
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12766
Location: Netherlands

PostPosted: Sat Jul 31, 2021 5:30    Post subject: Reply with quote
If you want to have access to an FTP server running on your network or router the safest way is to use the VPN server to contact your network.

Once you are inside you should be able to use things on you network there is one caveat, the VPN server has its own subnet, so your LAN clients have to accept that network (i.e. open up the firewall of said clients)
u
If you do not want to use the VPN server but just your WAN as access then you have to use PBR on the VPN client (just as when you are using the VPN server and client on the router) or alternatively port forwarding through the VPN client (not many providers support port forwarding through the VPN)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ig007
DD-WRT Novice


Joined: 28 Jul 2021
Posts: 16

PostPosted: Sat Jul 31, 2021 11:50    Post subject: Reply with quote
egc wrote:
If you want to have access to an FTP server running on your network or router the safest way is to use the VPN server to contact your network.

Once you are inside you should be able to use things on you network there is one caveat, the VPN server has its own subnet, so your LAN clients have to accept that network (i.e. open up the firewall of said clients)
u
If you do not want to use the VPN server but just your WAN as access then you have to use PBR on the VPN client (just as when you are using the VPN server and client on the router) or alternatively port forwarding through the VPN client (not many providers support port forwarding through the VPN)


The only reason I want to have FTP alternative outside of my VPN server is to have speedy upload alternative. I get 10x better speeds over FTP than throug VPN server. As mentioned, I can setup FTP easily on another router which doesn't have VPN server or client. But I wonder if there is added security of running FTP on router with VPN client. If not, then I would stick with the above easy solution. But if there is security benefit, can you please guide me towards what I need to do exactly with PBR to get FTP working?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12766
Location: Netherlands

PostPosted: Sat Jul 31, 2021 12:31    Post subject: Reply with quote
First off all FTP is insecure and should not be used.
Use SFTP or FTPS.

If you want to connect to/via your WAN then your VPN client cannot occupy the WAN so your VPN client has to use PBR with exclusion of the routers address.

More or less the same as when you are running an OVPN server and OVPN client on the same router.

So when you use this setup the sftp traffic goes in via the WAN and goes out via the WAN (traffic has to use the same way in as out).
That answers your security question.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ig007
DD-WRT Novice


Joined: 28 Jul 2021
Posts: 16

PostPosted: Tue Aug 03, 2021 11:27    Post subject: Reply with quote
So I dumped the idea of FTP as I discovered speed via VPN tunnel to external USB drive is decent enough for me and also my initial testing over LTE was contributing somewhat to slow response from my NAS. Now I have a little different question(sorry for hijacking another thread) I have WRT3200ACM with build 47117 setup as VPN client and server with IP table setup as in guide in this forum enabling use of those at the same time. It is plugged to ISP router with port 1194 forwarded to it. I then have that WRT3200ACM plugged into WAN of R6700 with build 47090 with external HDD connected to USB and NAS box connected via LAN. No VPN client or server on R6700 obviously. Now I want to access my external HDD and NAS via OpenVPN from outside. What should I do and what settings do I need to apply and where? Can I just disable DCHP on R6700 and make it as extension of WRT3200 where all my wifi clients connect? In theory I the only reason I have two routers is that 3200 is 3-4x faster with VPN over LAN but sucks with wifi and vice versa, R6700 is slow with VPN, but delivers OK wifi. Thanks in advance.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12766
Location: Netherlands

PostPosted: Tue Aug 03, 2021 14:54    Post subject: Reply with quote
It is a viable option to put your wrt3200 as your primary router e.g. connect its WAN port to the internet and run the VPN server (and client) on it.

The R6700 is then used for Wifi and is setup as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point
(set ip address in the subnet of the wrt3200, set gateway and local DNS to primary router, disable WAN and disable DHCP and connect LAN<>LAN)

You then have one seamless subnet.

When you connect to your OpenVPN server and want to access things on your LAN (like a NAS) make sure to Disable the "CVE mitigation"

Furthermore LAN clients will have their own firewall which is often not allowing the VPN subnet.
So deal with that or add a firewall rule to NAT traffic out of br0.
See the "OpenVPN troubleshooting guide" paragraph about: "LAN clients not reachable "

I use AndSMB from my Android phone to get to my NAS Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ig007
DD-WRT Novice


Joined: 28 Jul 2021
Posts: 16

PostPosted: Tue Aug 03, 2021 17:14    Post subject: Reply with quote
egc wrote:
It is a viable option to put your wrt3200 as your primary router e.g. connect its WAN port to the internet and run the VPN server (and client) on it.

The R6700 is then used for Wifi and is setup as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point
(set ip address in the subnet of the wrt3200, set gateway and local DNS to primary router, disable WAN and disable DHCP and connect LAN<>LAN)

You then have one seamless subnet.

When you connect to your OpenVPN server and want to access things on your LAN (like a NAS) make sure to Disable the "CVE mitigation"

Furthermore LAN clients will have their own firewall which is often not allowing the VPN subnet.
So deal with that or add a firewall rule to NAT traffic out of br0.
See the "OpenVPN troubleshooting guide" paragraph about: "LAN clients not reachable "

I use AndSMB from my Android phone to get to my NAS Smile


Ok, so I have followed AP setup procedure, except that I wanted to keep both routers Wifi capability separate, so I ended setup at WAN/LAN stage. I have no issue accessing LAN NAS on R6700 over VPN from outside. And I am able to access wrt3200 ddwrt GUI. But I can't access R6700 GUI and its USB in the same outside connection. When I am within my network, able to access all of it without issue. R6700 firewall is disabled as per AP setup guide, except multicast. Your above command for vpn firewall didn't help either. Where should I dig now?

UPDATE: this is solved! I had NTP not showing proper date and time no matter what. Then I added to Gateway and Local DNS of R6700 IP of upstream wrt3200acm and boom! Now time and date are showing correctly and I can reach out to R6700 GUI over VPN tunnel from outside. This DDWRT is one hell of a learning curve, but gives +300% to capabilities of stock firmware, which is why I will keep learning Smile
ig007
DD-WRT Novice


Joined: 28 Jul 2021
Posts: 16

PostPosted: Wed Aug 04, 2021 1:47    Post subject: Reply with quote
So there is another problem now... My USB external HDD mounts well on any of two routers on subnet and I can see it over the network and access share, but whenever I try to write to it on Kubuntu OS, I get "There is not enough space on disk to write..." That is bs, because it is a freshly formatted disk and is empty. Similar response is on Windows 10, no write. I tried ext4 as well as ntfs with no luck. Formatted drive with GPT. No luck either. Whenever I try write to it on Android via CX File Explorer, it starts to write until about 270mb and then router crashes. I guess it just writes to router RAM somehow, but not the drive.. Anyway, there is nothing special I did with USB or Samba setup. All basic stuff as per guide in this forum wiki. Core USB enabled, USB storage enabled and auto mount enabled. It mounts... Samba enabled, HOME workgroup, v2.1-3.11, share added with RW, user set. Any clues?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12766
Location: Netherlands

PostPosted: Wed Aug 04, 2021 5:21    Post subject: Reply with quote
Glad the original problem is solved.

For the USB accessibility open a new thread in the router specific forum e.g. for the R6700v3 the Broadcom forum.

I only use USB sticks with ext2 format for /opt and /jffs so cannot help you with that.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum