[Solved] OpenVPN Client and Server - how hard can it be?

Hi,

I've been a very happy dd-wrt user over many years and switched to LEDE some time ago since dd-wrt seems to have more or less died. I was very pleasantly surprised what's possible with LEDE / openWRT and have been extending the functionalities of my router ever since (dual-wan in failover configuration, VPN server, DynDNS, guest WLAN, VLANs to separate some of my smart home and media devices from the 'inner' LAN, ...).
This is all running fine and despite some long hours I always managed to get things to work.

A few infos about my setup:

  • Internet <--> LTE Modem/Router <--> LEDE Router <---> LAN
  • A port forward at the LTE router exposes the openVPN port from the LEDE router
  • LEDE Router Hardware: Linksys WRT1900ACS
  • LEDE Version: 17.01.4 r3560-79f57e422d

Now my newest endeavour is using the LEDE router as a VPN client (I'm using NordVPN, but that shouldn't make any difference to my issue). This also works fine - however...

I still want to run my openVPN server which on its own works perfectly; until I connect to NordVPN. Then any connection to the VPN server (e.g. via a mobile without LAN connection) fails as if the firewall prevented access to the VPN server.

My guess is that the routing configuration routes all outbound traffic via the NordVPN tunnel (tun0 in my case) and I should however ensure that the VPN server can respond to the client attempting to connect (via tun1).
I've been playing around with firewall settings and the kernel routing table directly - to no avail so far.

I'm not really a big networking expert so maybe I'm missing something rather trivial... Can someone please give me a hint as to how I need to change my firewall / routing settings to get the VPN server and client to work in parallel?

Thanks in advance!

Best regards,
Bernhard

Does your LTE company allow incoming connections? Many of them block them completely. So the first thing would be to open some trivial port like ssh then test with a port scan site to see if it is really allowed.

Do the connections to VPN server from outside work without NordVPN client?

Yes, I can tunnel in perfectly as long as the NordVPN isn't connected...

Yes, they do. Once the NordVPN client is inactive connecting to the VPN server works fine again...

Have you tried option no_pull (look up exact spelling in the client config) to refuse NordVPN routing? Does the VPN server still work then?

Using route-nopull works in the sense that I can establish a connection to NordVPN and my local VPN server remains accessible from the outside. However, then by default all traffic is routed via the standard gateway (i.e. the LTE modem). I tried to at least copy the routing normally pulled for the NordVPN connection, playing around with the routing table. Somehow I must be missing the secret ingredient...

Meanwhile I managed to get this to work. Actually, my theory above was going in the right direction.
The excellent posts in http://www.linksysinfo.org/index.php?threads/simultaneous-openvpn-server-client.72103/ helped me get a clearer picture of this. The requirements there are a bit different than mine so it was the post in https://serverfault.com/questions/382498/howto-only-tunnel-specific-hosts-route-through-openvpn-client-on-tomato that was the key to solving my problem.

The solution was to introduce policy based routing and use different routing tables for traffic that should go via the NordVPN tunnel and traffic that should not.
I wasn't particularly selective and in a first step let all devices in my LAN access the internet via the VPN. I might change this in the future if I run into any issues for certain devices.
In any case, for each rule to ensure that traffic is routed via the VPN I also added rules for local traffic as well as traffic to clients of my VPN server.

In essence I did the following:

Modify the VPN client config by adding the following configuration:

route-nopull
script-security 2
up /etc/openvpn/nvpn-up.sh
down /etc/openvpn/nvpn-down.sh

Add the following scripts:
nvpn-route.sh

#!/bin/sh
# Usage: nvpn-route.sh add|del
# The table name must exist in /etc/iproute2/rt_tables (e.g. "200 nvpn").
ACTION="$1"
case "$ACTION" in
    add|del) ;;
    *) echo "usage: $0 add|del" >&2; exit 1 ;;
esac

NVPN_TID="nvpn"
NVPN_GW="10.8.8.1"
NVPN_DEV="tun1"
IP_PATH="/etc/openvpn/ip.txt"
OVPN_NET="10.8.0.0/24"
IOT_NET="192.168.10.0/24"

# Rule precedence: the lower pref wins, so the exceptions that stay in the
# main table (1000) are evaluated before the catch-all that sends a client
# into the NordVPN table (2000), regardless of the order they are added in.
PREF_MAIN=1000
PREF_NVPN=2000

# read client ranges (CIDR notation, one per line) from the text file
while read -r ip; do
    [ -z "$ip" ] && continue
    # the /24 the client lives in, derived from its first three octets
    lan_net="$(printf '%s' "$ip" | cut -d. -f1-3).0/24"

    # local traffic within the client's own /24 stays in the main table
    ip rule "$ACTION" pref "$PREF_MAIN" from "$ip" to "$lan_net" table main

    # inter-zone access to and from the separated zone
    ip rule "$ACTION" pref "$PREF_MAIN" from "$ip" to "$IOT_NET" table main
    ip rule "$ACTION" pref "$PREF_MAIN" from "$IOT_NET" to "$ip" table main

    # traffic to clients of the local OpenVPN server
    ip rule "$ACTION" pref "$PREF_MAIN" from "$ip" to "$OVPN_NET" table main

    # everything else from this client goes to the NordVPN table
    ip rule "$ACTION" pref "$PREF_NVPN" from "$ip" table "$NVPN_TID"
done < "$IP_PATH"

# default route of the NordVPN table points into the tunnel
ip route "$ACTION" default via "$NVPN_GW" dev "$NVPN_DEV" table "$NVPN_TID"
# force changes
ip route flush cache

nvpn-up.sh

#!/bin/sh
/etc/openvpn/nvpn-route.sh add

nvpn-down.sh

#!/bin/sh
/etc/openvpn/nvpn-route.sh del

The actual IP ranges are read from a separate text file. I'm using CIDR notation, created with http://ip2cidr.com/.
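The same policy as one fail-closed up/down script, as an added example (it is not the script from the post above, nor NordVPN's tutorial). Three things differ from the posted version and are what a reviewer would ask for: explicit rule priorities instead of relying on insertion order; the tunnel device taken from the `dev` and `script_type` variables OpenVPN exports to --up/--down scripts (the gateway stays a fixed value because route-nopull rejects the pushed route-gateway); and an `unreachable` default route in the NordVPN table, so that VPN-routed clients lose connectivity instead of silently falling back to the LTE path while the tunnel is down. The table name `nvpn` (which must exist in /etc/iproute2/rt_tables), the subnets, the gateway 10.8.8.1, the client list path and the `RUN=echo` dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: fail-closed policy
# routing for an OpenWrt/LEDE router that is both an OpenVPN client (NordVPN)
# and an OpenVPN server (10.8.0.0/24). Install as both the --up and the --down
# script of the NordVPN client config (script-security 2, route-nopull kept).
# Assumptions (not from the thread): table "nvpn" exists in
# /etc/iproute2/rt_tables ("200 nvpn"), the separated zone is 192.168.10.0/24,
# the client list is one CIDR per line, the gateway is 10.8.8.1.
# RUN=echo prints the ip(8) commands instead of executing them (dry run).

RUN="${RUN:-}"
NVPN_TID="${NVPN_TID:-nvpn}"
NVPN_DEV="${dev:-tun1}"            # OpenVPN exports $dev to up/down scripts
NVPN_GW="${NVPN_GW:-10.8.8.1}"     # assumed; route-nopull drops the pushed route-gateway
IOT_NET="${IOT_NET:-192.168.10.0/24}"
OVPN_NET="${OVPN_NET:-10.8.0.0/24}"
IP_PATH="${IP_PATH:-/etc/openvpn/ip.txt}"

# Lower pref wins: exceptions kept in the main table (1000) are consulted
# before the catch-all that sends a client into the NordVPN table (2000).
PREF_MAIN=1000
PREF_NVPN=2000

# Rules for one client range. $1 = add|del, $2 = CIDR.
client_rules() {
    act="$1"; cidr="$2"
    lan_net="$(printf '%s' "$cidr" | cut -d. -f1-3).0/24"   # the client's own /24
    $RUN ip rule "$act" pref "$PREF_MAIN" from "$cidr"    to "$lan_net"  table main
    $RUN ip rule "$act" pref "$PREF_MAIN" from "$cidr"    to "$IOT_NET"  table main
    $RUN ip rule "$act" pref "$PREF_MAIN" from "$IOT_NET" to "$cidr"     table main
    $RUN ip rule "$act" pref "$PREF_MAIN" from "$cidr"    to "$OVPN_NET" table main
    $RUN ip rule "$act" pref "$PREF_NVPN" from "$cidr" table "$NVPN_TID"
}

# Rules for every client in the list file plus the fail-closed route.
# $1 = add|del, $2 = list file (blank lines and # comments are ignored).
install_policy() {
    act="$1"; list="$2"
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r cidr; do
        client_rules "$act" "$cidr"
    done
    # Without a tunnel route, clients in the nvpn table hit this entry and get
    # ICMP unreachable instead of leaking out via the main (LTE) table.
    $RUN ip route "$act" unreachable default table "$NVPN_TID" metric 100
}

# Tunnel route: lower metric than the unreachable entry, so it wins while up.
tunnel_up() {
    $RUN ip route replace default via "$NVPN_GW" dev "$NVPN_DEV" table "$NVPN_TID" metric 10
}

# The kernel drops routes via a vanished tun device on its own; ignore errors.
tunnel_down() {
    $RUN ip route del default via "$NVPN_GW" dev "$NVPN_DEV" table "$NVPN_TID" metric 10 2>/dev/null || true
}

# OpenVPN sets $script_type to "up" or "down" before calling the script.
# Rules are (re)installed on up and kept on down, so a flapping tunnel never
# leaves a window without policy. "purge" is a manual teardown for the CLI.
case "${script_type:-${1:-}}" in
    up)    install_policy del "$IP_PATH" 2>/dev/null   # idempotent: clear a previous run
           install_policy add "$IP_PATH"; tunnel_up ;;
    down)  tunnel_down ;;
    purge) tunnel_down; install_policy del "$IP_PATH" ;;
    "")    : ;;                      # sourced (e.g. for testing): define functions only
    *)     echo "unexpected script_type/action: ${script_type:-$1}" >&2; exit 1 ;;
esac
```

Run `RUN=echo script_type=up sh nvpn-policy.sh` once to see the exact rules it would install before pointing the OpenVPN config at it. One caveat the source-based rules do not cover: the router's own traffic, including dnsmasq's upstream DNS queries, carries the router's address, matches none of the `from <client>` rules and therefore keeps leaving via the main table (the LTE path); if the resolver traffic should also go through the tunnel, add a rule for the router's own source address or point the LAN clients at a resolver reached through the tunnel.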

Hello bern77,

can you share a link to a howto for an OpenVPN NordVPN configuration?

If possible, I would like to run OpenVPN only for wireless connections and have the ethernet traffic untouched. Also I would prefer to have the connection to NordVPN unencrypted and as fast as possible. I need only a DNS in Germany for video streaming.

I'm new to OpenWrt/LEDE and open for any ideas and input.

There's an alternative solution which doesn't require scripting because it's offloaded to vpn-policy-routing package: https://lede-project.org/docs/user-guide/openvpnserverandclient.

Hi Bozolinho,

NordVPN's howto can be found here: https://nordvpn.com/de/tutorials/openwrt/openvpn/

With the policy based routing approach I have documented in my post above you should be able to define rules for the ethernet based IP addresses in your LAN to bypass the VPN connection (you should use static DHCP leases for that).

Hope that helps!

Best regards,
Bernhard

Thank you, Bernhard!

I was following those rules already once with the effect that the router was not responding anymore to anything and I had to reflash the firmware. Will follow them step by step again and try to find out which step causes this. One thing I already noticed is that during the DNS configuration I have a bridge entry in the config file. My EA9500 is attached via WAN port to one of the switch ports of my provider's cable modem/router.

Hello again,

I don't get it to work. The EA9500 is behind my ISP's cable modem router, connected via the ISP's LAN port to the EA9500's WAN port. That configuration is fine and running. Up till the moment I switch on the OpenVPN connection. Then the internet connection collapses.
I put my network config file here to illustrate the differences to the NordVPN tutorial. If anybody can help me out with what to do I would be grateful. The difference is in the WAN configuration as it says bridged and the ifname is different. That stays also after changing the DNS entries as described in the NordVPN tutorial:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan1 eth2.101'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option gateway '192.168.0.1'

config interface 'wan'
        option type 'bridge'
        option ifname 'wan eth2.102'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'br-wan'
        option proto 'dhcpv6'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'

Did you do the firewall configuration as well?

Yes, I followed the NordVPN tutorial you linked earlier, even before you posted it (I already knew it). I did the same process several times. The only difference when I compare the config files with how they should be is the WAN area, i.e. the 'interface wan' section.
Also the main cable modem router is set to IPsec and PPTP passthrough. The NordVPN Windows client from a PC connected directly to the cable modem router works also and has a perfect VPN connection.

Must be a problem in the EA 9500 configuration somewhere...

And your question just brought me to another idea. I just also tried the NordVPN client on a Windows laptop connected to the EA9500. Works also perfectly. So the following works:

NordVPN client PC Ethernet -> Cable modem -> VPN server OK
NordVPN client laptop wireless -> EA9500 -> Cable modem -> VPN server OK
NordVPN client laptop Ethernet -> EA9500 -> Cable modem -> VPN server OK

It has to be a problem in the EA9500 configuration or the communication between the EA9500 and the cable modem limited to the EA9500's OpenVPN adapter.