Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Fri Jan 21, 2022 14:28 Post subject: [SOLVED]Connection problem to OpenVPN server behind router
egc wrote:
@DWcruiser, better start a new thread in the Advanced Networking forum, this is the build thread.
Thank you for your reply. If you can move it to where you think fit, by all means, pls.
egc wrote:
You are mentioning connection problems; it looks like you are running an OpenVPN server and client on the same router, something which needs special setup.
Yes and No. I am running both. But my OpenVPN server is setup on a MikroTik router (behind gateway R7800). VPN traffic coming to R7800 on port 1194 is port-forwarding to MikroTik.
Private Internet Access Client is configured on the R7800.
They both have been working fine together, without fault, on same setup for several years now. Up to r47692.
egc wrote:
As a test you can connect with the router's IP address and not with the DDNS Domain name.
I spent most of today going back and forth, b/w r47692 and r48138 (and also r48141), testing under various scenarios. Here are the results:
----->r48138<-----
A. When PIA OpenVPN Client is running in the background, R7800 took on PIA OpenVPN Client address as its own (displayed on top right hand corner). And not my ISP's real IP. It does not matter even if:
-- a device is not listed in PBR. Or
-- the router's actual IP address is used in my OpenVPN script, instead of my DDNS. The connection still failed despite the router and DDNS section both displayed the real IP address!
B. When PIA OpenVPN Client is disabled. Everything works fine.
----->r47692<-----
No issue at all under all above scenarios.
egc wrote:
Note that you can also login at your DDNS provider and see (or set) what address they have from you and also note that it takes 15-30 minutes before the changing of address is reflected/propagated to other DNS servers so that it is visible.
I logged into my DDNS provider as suggested. Manually updated my DDNS with actual IP. But still no connection. For good measure, I changed to my second DDNS provider. But still no luck. (It feels a bit like doing Beta-Test when I was doing it for Netgear a few years back).
egc wrote:
The router's WAN IP address can be found with (from CLI telnet/Putty):
nvram get wan_gateway
which should be the same as shown in the upper right hand corner of the GUI
Thank you for that. I ran the command under Administration/Commands tab but its returned IP was not the same as the one displayed on top right hand corner. Not sure if relevant, but every household in Australia is connected to the same National Broadband Network (NBN) under the government's national policy. This may explain the IP gateway not being the same as the router's IP address, but somewhere up in the chain of the NBN in our area.
Nevertheless, I can verify that it's the top right hand corner IP when connected under r47692. Again, no connection was possible under r48138. Nor r48141.
egc wrote:
Edit: just did some testing with DDNS and it worked without a problem.
I also use a router with build 48138 and an OpenVPN server, WireGuard server and an OpenVPN client without a problem.
Thank you for taking your time in verifying the issues. Since it works in your testing, my issues appear to be more likely related to Port Forwarding together with DDNS?
egc wrote:
The OpenVPN client must use PBR to free the WAN for access or route the ports of the OpenVPN server and WireGuard server via the WAN, I am doing the latter see picture of OpenVPN client settings: 1194 is the OpenVPN server port, 51810 is the port of the WireGuard server.
You can also use Route selected sources via the VPN and if you do not include the router's IP address then that also will free the WAN for access
Agreed. I have certain devices (e.g. USA Roku, Sangean radio) whose IP addresses are specifically included in the PBR section of PIA OpenVPN Client to allow us to watch/listen to o/seas programs for several years now. While Australian Roku is not included on PBR for local programs. This makes it simple just to turn it on and watch whatever we like, without mucking around for US or local programs selection first on the same device! (My former paid job has a lot to do with Improving Business Efficiency. It's called Business Process Re-engineering).
I think I covered all the issues that you kindly raised in reply. I thank you again for your help in this matter.
So what's next?
Regards
_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Fri Jan 21, 2022 15:02 Post subject:
I split your post off and transferred to the advanced networking forum.
It is a bit muddy as some things are missing.
But basically you cannot connect to your VPN server which is on a client behind a router and the router is running an OpenVPN client to PIA.
First get DDNS out of the equation.
If you try to connect to your OpenVPN server use the WAN IP address of the router and not the DDNS address so for now just disable DDNS.
As always testing should be done from outside e.g. with your phone on cellular
First test without the OpenVPN client active.
Then Enable the OpenVPN client but just add an IP address in the PBR field NOT being your OpenVPN server and NOT being the router itself.
Select:
Source Routing: Route Selected Sources via VPN
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sat Jan 22, 2022 9:22 Post subject:
egc wrote:
I split your post off and transferred to the advanced networking forum.
It is a bit muddy as some things are missing.
But basically you cannot connect to your VPN server which is on a client behind a router and the router is running an OpenVPN client to PIA.
Thank you for that. And you're correct.
egc wrote:
First get DDNS out of the equation.
If you try to connect to your OpenVPN server use the WAN IP address of the router and not the DDNS address so for now just disable DDNS.
As always testing should be done from outside e.g. with your phone on cellular
First test without the OpenVPN client active.
Then Enable the OpenVPN client but just add an IP address in the PBR field NOT being your OpenVPN server and NOT being the router itself.
Select:
Source Routing: Route Selected Sources via VPN
You are mentioning an OpenVPN script, you should not use any scripting or firewall rules and nothing in the additional config, all can be done from the GUI
I think my long and detailed reply (sent after midnight last night) might not have made the issue clearer.
I agree with the main points of your reply. I did the necessary steps needed to isolate/identify the potential causes such as trying to connect via my phone's 4G, using its OpenVPN Client app; disabled Private Internet Access in some scenarios; and so on.
Nevertheless, I've done more investigations today. They point to the embedded INADYN component in recent versions of DD-WRT not updating DDNS properly. I am 99% sure of that.
P.S. This renders the thrust of my original post a bit misleading and sent our search down the wrong path. I am sorry.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Sat Jan 22, 2022 9:38 Post subject:
No problem, we are here to try and solve your problems and/or identify bugs.
OK so let's focus on inadyn.
Questions
Is this router directly connected to the internet and has a public IP address?
As far as I know the IP address in the upper right hand corner should reflect that regardless if you have a VPN client or have DDNS enabled.
Can you confirm that?
If this router has a public IP address then you should *not* use External IP check in the DDNS settings.
Using the External IP check can have different DDNS results if you have a VPN client active, but the IP address in the upper right hand corner should always reflect the WAN IP address as far as I know.
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sat Jan 22, 2022 22:51 Post subject:
egc wrote:
OK so let's focus on inadyn.
Questions
Is this router directly connected to the internet and has a public IP address?
As far as I know the IP address in the upper right hand corner should reflect that regardless if you have a VPN client or have DDNS enabled.
Can you confirm that?
If this router has a public IP address then you should *not* use External IP check in the DDNS settings.
Using the External IP check can have different DDNS results if you have a VPN client active, but the IP address in the upper right hand corner should always reflect the WAN IP address as far as I know.
note:
Your router will by default not answer to ping unless you uncheck "Block Anonymous WAN Requests (ping)" on security tab
All testing should be done from outside your network, I use Fing on my android phone
I can confirm that my R7800 (as gateway router) always displays (on top right hand corner) a public IP address. It's a dynamic one from my ISP. Hence my need to use DDNS. In testing OpenVPN connection, my phone's 4G is always used as if I was on the road.
Also, 'Use External IP Check' is not ticked.
____________________
egc wrote:
To add it can take a while before your updated DDNS record has trickled down to other DNS servers.
I have seen it take more than 15 minutes before the change of the DDNS record was shown by other DNS servers
I simply force a manual DDNS update (i.e. Apply Settings in Setup/DDNS page) and DDNS gets updated within a minute or so, afterwards. A ping to my DDNS confirms the update was successful. I only use one DDNS server at a time, BTW.
___________
P.S. The MikroTik router is setup on a separate (port-based) VLAN on the R7800. My home networks are placed behind the MikroTik.
This setup allows me to backup my NAS (via OpenVPN encrypted tunnel) over the Internet, to my own cloud at a remote site. No monthly on-going fees and total control of my data. (Refer Edward Snowden).
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sun Jan 23, 2022 13:11 Post subject:
Success. I am able to connect to the MikroTik's OpenVPN server, via R7800 running r48141 at last.
Mea Culpa x3. (Ex-Catholic here). I missed a crucial point which you pointed out earlier. Hot weather during the last few days in Melbourne (above 30 degrees Celsius), coupled with the Australian Tennis Open at present were my excuses.
Essentially, the whole PBR section was moved to the middle of the Services/VPN page by BS. In that move, the single static PBR option was cleverly (I must say) changed into three global and dynamic choices. It's a brilliant design move.
As it was somehow stuck on 'Route all sources via VPN' when updated to later firmware, my DDNS got updated with PIA's VPN server address, not the router's actual public one. Hence my repeated failures to connect by hitting the wrong IP address on DDNS.
Thank you for your help and patience.
I'll buy you and BS a beer tomorrow. Thanks again. And good night.
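The failure described in the post above (the DDNS name carrying the VPN provider's address instead of the router's public one) can be checked from the router's shell by comparing the WAN address with what the DDNS name resolves to. This is an added example, not part of the original thread: the helper names and the hostname are hypothetical, and `wan_ipaddr` is assumed to be the nvram variable that holds the WAN address.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.

# is_public_ipv4 ADDR: succeed only for a well-formed IPv4 address outside the
# private, CGNAT (100.64.0.0/10), loopback, link-local and multicast ranges.
is_public_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        if [ -z "$o" ] || [ ${#o} -gt 3 ] || [ "$o" -gt 255 ]; then return 1; fi
    done
    case "$1.$2" in 0.*|10.*|127.*|169.254|192.168) return 1 ;; esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
    if [ "$1" -ge 224 ]; then return 1; fi
    return 0
}

# resolved_ipv4: read nslookup output on stdin, print the first IPv4 address
# after the "Name:" line (skips the resolver's own Server/Address lines).
resolved_ipv4() {
    awk '/^Name:/ { seen = 1 }
         seen { for (i = 1; i <= NF; i++)
                    if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}

# ddns_verdict WAN_IP DDNS_IP: classify where the DDNS name sends outside clients.
ddns_verdict() {
    if [ -z "$2" ]; then echo "unresolved"
    elif ! is_public_ipv4 "$1"; then echo "wan-not-public"   # inbound forwards cannot reach it
    elif [ "$1" = "$2" ]; then echo "ok"
    else echo "mismatch"   # e.g. the record holds the VPN provider's address
    fi
}

# On the router: sh ddns_check.sh home.example.net   (placeholder hostname)
if [ -n "${1:-}" ] && command -v nvram >/dev/null 2>&1; then
    wan_ip=$(nvram get wan_ipaddr)   # assumption: nvram variable holding the WAN address
    ddns_ip=$(nslookup "$1" 2>/dev/null | resolved_ipv4)
    echo "WAN=$wan_ip DDNS=$ddns_ip verdict=$(ddns_verdict "$wan_ip" "$ddns_ip")"
fi
```

A "mismatch" verdict while the VPN client is set to 'Route all sources via VPN' corresponds to the situation described in the post above.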
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Mon Jan 24, 2022 4:20 Post subject:
egc wrote:
Glad you solved it.
Thanks for your help in solving the issue with testing on your part. Perseverance is a good attribute to have.
egc wrote:
I love watching Australian Open.
Unfortunately our own guy lost to Medvedev
I am no expert in tennis and did not watch that match, but only highlights afterwards.
They were both in form, but Medvedev was more in form than van de Zandschulp. Ranked as #57, van de Zandschulp had less chance of defeating #2 in that way.
I would support van de Zandschulp as I have relatives living in Eindhoven, mind you.
Cheers
P.S. Check your PP.