[SOLVED] Vpn local domain error

Hello, good afternoon, sorry for my English.
I have a wrt1900acs-v2 router; I also have a Qnap TS-253A and a domain of my own. On the Qnap I have installed a web server.
Everything works fine until I install the VPN client (by "everything works fine" I mean the port redirections work, and I can also reach the web server by my domain name).

Well, when I install the VPN client I can no longer reach my domain from my local network; it only lets me in with the local IP and port.
I come from DD-WRT, and when I installed the VPN client there I did not have this problem. If someone could help me...
Thank you very much in advance.
A greeting.

The output of ip route both when the VPN is active and when it is not active would be helpful.

Also, is it that you can't access the device at all, or just that you can't use a name like "my-qnap.local"?

If it is the name, it is probably that connecting the VPN replaces the local DNS with the VPN-provider's DNS selection.

My domain is not local, it is www.tuzapa.com

From outside my network, yes, I can access it.

Looks related to this topic.

It still does not work, this is my output.

root@WRT1900Acs:~#  cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd15:6176:cbb9::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.17.0.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
        option vid '2'

config interface 'wifilan'
        option proto 'static'
        option ipaddr '172.30.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'guest'
        option proto 'static'
        option ipaddr '172.31.0.1'
        option netmask '255.255.255.0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '3t 5t'

config rule
        option out     'wan'
        option lookup '100'

config route 'vpn'
        option 'interface' 'wan'
        option 'target' '0.0.0.0'
        option 'netmask' '0.0.0.0'
        option 'table' '100'
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '172.17.0.20'
        option dest_port '80'
        option name 'HTTP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '172.17.0.20'
        option dest_port '443'
        option name 'HTTPS'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '172.17.0.20'
        option dest_port '8080'
        option name 'qnap-http'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8081'
        option dest_ip '172.17.0.20'
        option dest_port '8081'
        option name 'qnap-https'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option dest_ip '172.17.0.20'
        option name 'Teamspeak3'
        option src_dport '6969'
        option dest_port '6969'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '10011'
        option dest_ip '172.17.0.20'
        option dest_port '10011'
        option name 'Teamspeak3'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '25'
        option dest_port '25'
        option name 'Email'
        option dest_ip '172.17.0.20'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '110'
        option dest_port '110'
        option name 'Email-pop3'
        option dest_ip '172.17.0.20'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '143'
        option dest_port '143'
        option name 'Email-Imap'
        option dest_ip '172.17.0.20'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '465'
        option dest_ip '172.17.0.20'
        option dest_port '465'
        option name 'Forward465'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '993'
        option dest_port '993'
        option name 'Email-Imaps'
        option dest_ip '172.17.0.20'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '995'
        option dest_port '995'
        option name 'Email-pop3S'
        option dest_ip '172.17.0.20'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8082'
        option dest_ip '172.17.0.20'
        option dest_port '8082'
        option name 'Forward8082'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8443'
        option dest_ip '172.17.0.51'
        option dest_port '8443'
        option name 'plesk-mail-server'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '2288'
        option dest_ip '172.17.0.20'
        option dest_port '2288'
        option name 'Forward2288'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '448'
        option dest_ip '172.17.0.20'
        option dest_port '448'
        option name 'Forward448'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan wan6'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option device 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'guest'
        option input 'REJECT'
        option network 'wifilan guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'guest DNS'
        option src 'guest'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67 68'
        option name 'guest DHCP'
        option src 'guest'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '587'
        option dest_ip '172.17.0.20'
        option dest_port '587'
        option name 'Forward587'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6080'
        option dest_ip '172.17.0.20'
        option dest_port '6080'
        option name 'Forward6080'

config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '9981'
        option dest_ip '172.17.0.20'
        option dest_port '9981'
        option name 'TVHeadend'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.0.1/24 brd 172.17.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 213.37.155.99/27 brd 213.37.155.127 scope global eth1.2
       valid_lft forever preferred_lft forever
10: br-wifilan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.30.0.1/24 brd 172.30.0.255 scope global br-wifilan
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 172.21.21.72/23 brd 172.21.21.255 scope global tun0
       valid_lft forever preferred_lft forever
14: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 172.31.0.1/24 brd 172.31.0.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 172.21.20.1 dev tun0
default via 213.37.155.97 dev eth1.2 proto static src 213.37.155.99
81.171.69.3 via 213.37.155.97 dev eth1.2
128.0.0.0/1 via 172.21.20.1 dev tun0
172.17.0.0/24 dev br-lan proto kernel scope link src 172.17.0.1
172.21.20.0/23 dev tun0 proto kernel scope link src 172.21.21.72
172.30.0.0/24 dev br-wifilan proto kernel scope link src 172.30.0.1
172.31.0.0/24 dev wlan1-1 proto kernel scope link src 172.31.0.1
213.37.155.96/27 dev eth1.2 proto kernel scope link src 213.37.155.99
0:      from all lookup local
0:      from all fwmark 0x10000 lookup 201
1:      from all oif eth1.2 lookup 100
32766:  from all lookup main
32767:  from all lookup default
root@WRT1900Acs:~#

My PC has 2 network interfaces, one with VPN and the other without, and I cannot reach my domain from my local network from either one.

Let me get it straight. You have the name www[.]tuzapa[.]com which resolves to IP 213.X.Y.Z.
You want, from a PC inside the LAN zone, to access the qnap server, which in fact is 172.17.0.20, by using that name, in other words by using the public IP address.
Does the qnap need to use the VPN?
If not, it is rather easy; you can add the following rules and routes.

config rule
        option src '172.17.0.20/32'
        option lookup '100'

config route 'lan'
        option 'interface' 'lan'
        option 'target' '172.17.0.0'
        option 'netmask' '255.255.255.0'
        option 'table' '100'

This way you force the qnap to use only the wan interface to access the internet, and you have a route for your lan in case you try to access the server with DNAT from the public IP.

"Split-horizon" DNS can also handle this without going out over the VPN and then back in, by providing your local hosts the local address of the server, rather than letting your public DNS resolve it.

Good morning. When entering the route and restarting, I cannot access the router, neither from the local LAN nor from WiFi clients.
The qnap does not go through the VPN.
I only have one client that goes through the VPN; it is: Vu + Ultimo (172.17.0.102)
Thanks again.

Most likely you mistyped something, the network configuration is producing errors during service start, and eventually networking doesn't start.
Either connect a console to fix that, or reset to defaults and restore a backup.

Thank you very much trendy, yes, I have already done a reset to factory values, everything except VPN, and then it works, but when I install VPN, nothing at all.

I am not sure I understood you properly, but if you have already done a factory reset and reconfigured the router, all you need to add in the network config for the qnap (172.17.0.20) to go through wan and not vpn are the following two snippets:

config rule
        option src '172.17.0.20/32'
        option lookup '100'

config route 'not_vpn'
        option 'interface' 'wan'
        option 'target' '0.0.0.0'
        option 'netmask' '0.0.0.0'
        option 'table' '100'
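To make the routing behaviour in this thread concrete, here is an added example (not from the thread or from OpenWrt) that simulates the kernel's policy-routing lookup over the `ip -4 ro` output posted above, with and without trendy's rule for 172.17.0.20. Table 100 is assumed to hold the WAN default plus the LAN route, and the lambdas stand in for the `ip rule` source selectors.

```python
import ipaddress

# Main table transcribed from the `ip -4 ro` output in the thread: the VPN adds
# 0.0.0.0/1 and 128.0.0.0/1 via tun0, which beat the /0 default on prefix
# length while leaving it in place.
MAIN = [
    ("0.0.0.0/1", "tun0"), ("0.0.0.0/0", "eth1.2"), ("81.171.69.3/32", "eth1.2"),
    ("128.0.0.0/1", "tun0"), ("172.17.0.0/24", "br-lan"), ("172.21.20.0/23", "tun0"),
    ("172.30.0.0/24", "br-wifilan"), ("172.31.0.0/24", "wlan1-1"),
    ("213.37.155.96/27", "eth1.2"),
]
# Table 100 as suggested in the thread (assumption: WAN default plus LAN route).
TABLE_100 = [("0.0.0.0/0", "eth1.2"), ("172.17.0.0/24", "br-lan")]

NAS = ipaddress.ip_address("172.17.0.20")
# Policy rules in priority order: (selector on source address, table).
RULES_WITH_FIX = [
    (lambda src: src == NAS, TABLE_100),  # option src '172.17.0.20/32' lookup 100
    (lambda src: True, MAIN),             # 32766: from all lookup main
]
RULES_WITHOUT_FIX = [(lambda src: True, MAIN)]

def lookup(table, dst):
    """Longest-prefix match in one table; returns the egress device or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(src, dst, rules):
    """Walk the rules like the kernel: the first matching rule whose table has a
    route for dst wins; a table with no matching route falls through."""
    src = ipaddress.ip_address(src)
    for selector, table in rules:
        if selector(src):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

if __name__ == "__main__":
    # The VPN client (Vu+ Ultimo) keeps using the tunnel.
    print(route("172.17.0.102", "8.8.8.8", RULES_WITH_FIX))      # tun0
    # Without the rule the NAS answers a public client via tun0, not via the WAN
    # the DNAT'd request came in on; with the rule the reply leaves on eth1.2.
    print(route("172.17.0.20", "8.8.8.8", RULES_WITHOUT_FIX))    # tun0
    print(route("172.17.0.20", "8.8.8.8", RULES_WITH_FIX))       # eth1.2
```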

Thank you very much trendy, now I do not get an error, I have a network, but I cannot enter the domain www . tuzapa . com from my own network.
I've tried from the two network interfaces, the one that has VPN and the one that does not have a VPN. I can only enter with the (local) IP.

Add this in /etc/config/dhcp:

config domain
        option name 'www.tuzapa.com'
        option ip '172.17.0.20'

Now yes, trendy, I am indebted to you, many thanks.
I can enter from both network interfaces with both VPN and without VPN.
Many thanks.


If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).
