Tuesday 1 January 2019

vpn - Remote SSH access doesn't work when OpenVPN client is enabled on DD-WRT


I have a DD-WRT router which I would like to access remotely via SSH. The DD-WRT is behind an ADSL router which has port forwarding for port 22 enabled; DD-WRT SSH access and service are set to port 22 as well. Remote access works fine. However, the DD-WRT is supposed to be permanently connected to a VPN server (using the built-in OpenVPN client).


The OpenVPN connection works fine but the remote SSH access only works when the VPN client is disabled.


I am reading that this may be related to all traffic being routed outbound through the VPN gateway, including traffic coming in through WAN. Is it correct that I would need to define a custom iptables setting for requests coming in through WAN to be responded to via WAN as well? If yes, how would I go about it? If no, what else could I do?


I am having a similar issue with the web GUI at port 8080 and a PPTP VPN server at port 1723, so I believe the issue is not related to SSH as such.


Here are the details of my setup:


Devices:



  • TP-Link W8151N ADSL router

  • TP-Link WR1043ND router with DD-WRT 25544


IP Addresses:



  • ADSL router external: 115.x.x.x

  • ADSL router internal: 192.168.1.1

  • DD-WRT WAN IP: 192.168.1.100 (from ADSL router)

  • DD-WRT IP: 192.168.10.1

  • DD-WRT IP external (VPN): 119.x.x.x

  • DDNS alias pointing at the ADSL router’s connection: 115.x.x.x


Configuration:



  • ADSL router with port forwarding activated for ports 22 / 8080, DDNS to 192.168.1.100

  • DD-WRT set to allow remote GUI management at 8080, also from remote IPs and SSH access at 22, SSH activated in services, also at 22.

  • DD-WRT connected to OpenVPN using built-in client feature in 'Services' tab


Edit 05 March: What I have tried in the meantime:


Adding the following to the Policy Based Routing field in OpenVPN client settings (idea: traffic that comes from the WAN IP should be routed back to the WAN interface, vlan2 or ppp0):


    ip rule add from 192.168.1.1 table 200
    ip route add default via 192.168.1.1 dev vlan2 table 200
    ip route flush cache

Result: When VPN connection is established, I can no longer access the GUI and the web either. My router is set to reboot after three minutes of not being able to reach Google DNS, so after three minutes I have access to GUI and web again but only until the VPN connection is back up.


Am I completely on the wrong track with this approach?



Answer



In DD-WRT go to Services --> VPN --> OpenVPN Client --> Policy Based Routing, add one line for each client whose traffic you want to route through the VPN tunnel, e.g.


    192.168.10.20/32
    192.168.10.21/32
    ...

As a result, the OpenVPN client no longer routes all traffic through the tunnel and hence also opens up the WAN again. I now have the VPN client running while still being able to SSH / PPTP / GUI into the router via the WAN's IP or a DDNS alias.


(There's probably a smarter way than adding one line for each client but all different netmasks that I tried resulted in the router no longer being accessible at all, so I ended up adding one line for all IPs in my DHCP range.)
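
The following is an added example, not part of the original answer: a small helper, run on any workstation, that collapses a DHCP range into the fewest CIDR lines for the Policy Based Routing field and lets you check which hosts would use the tunnel. The DHCP range 192.168.10.100 to 192.168.10.149 is constructed for illustration; the helper assumes the field accepts prefixes other than /32, and it refuses any block containing the router's own LAN address on the assumption that this is what locks the router out when a broad netmask is used.

```python
import ipaddress


def pbr_entries(first, last, router_lan_ip):
    """Return the shortest list of CIDR blocks covering first..last inclusive.

    Raises ValueError if any block would contain the router's own LAN
    address (assumed here to be the cause of the lockouts with wide masks).
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    router = ipaddress.IPv4Address(router_lan_ip)
    if start > end:
        raise ValueError("first address must not be higher than last")
    blocks = list(ipaddress.summarize_address_range(start, end))
    for block in blocks:
        if router in block:
            raise ValueError(f"{block} contains the router address {router}")
    return [str(block) for block in blocks]


def routed_via_vpn(host_ip, entries):
    """True if host_ip matches one of the policy entries (goes into the tunnel)."""
    host = ipaddress.IPv4Address(host_ip)
    return any(host in ipaddress.IPv4Network(entry) for entry in entries)


if __name__ == "__main__":
    # Constructed DHCP range; 192.168.10.1 is the DD-WRT LAN IP from the question.
    entries = pbr_entries("192.168.10.100", "192.168.10.149", "192.168.10.1")
    print("\n".join(entries))  # paste these lines into Policy Based Routing
    for ip in ("192.168.10.1", "192.168.10.120", "192.168.10.150"):
        print(ip, "-> VPN" if routed_via_vpn(ip, entries) else "-> WAN")
```

For the constructed range this yields six lines instead of fifty, and the router's own address stays outside every block.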

