Author Topic: SOLVED: How to make VPN connected devices see LAN devices -> static routing?  (Read 791 times)

Demolux_D1


Dear forum-members,

I have just set up QuickVPN and successfully connected to my home network via my Android phone. I can successfully log in to my DIR-882 from my Android phone over a 4G VPN connection. But I cannot reach other LAN resources, e.g. my vacuum cleaner.

Now, as far as I found out, the VPN devices and the LAN devices are on different subnets. So the LAN is subnet 192.168.0.x, while VPN devices are on subnet 192.168.95.x, as I found out via a network analysis on my Android phone. But... the latter changes, I suppose... but let's assume it is the same every time for now:

Now what I want to do is to make my vacuum cleaner accessible from my Android phone via VPN. As far as I found out, there is no possibility to make the DIR-882 use the LAN subnet for VPN-connected clients. BUT: can you use static routing to connect both subnets?

If so, how would you write a static routing entry? E.g.:
Name: "Some name"
Destination Network: 192.168.0.x (but obviously you cannot type x, so what goes there?)
Mask: 255.255.255.0 (probably?)
Gateway: 192.168.0.1 (the DIR-882 address goes there doesn't it?)
Metric: (no idea, but probably the IP of the phone as idk where else to put it)
Interface: WAN (only possible choice)

I would really like to get some support on this. Thanks in advance!
Best regards!
« Last Edit: May 20, 2022, 08:52:26 AM by Demolux_D1 »

me_iauras


The issue isn't that the VPN client cannot reach the router's LAN subnet, but the other way around.
So you must create a static route in order for your LAN clients to know how to reach your VPN client (Android phone); I've had the same issue trying to reach my NAS via the VPN server.
Name: <name>
Destination Network: 192.168.95.0 (The VPN server always uses this subnet)
Mask: 255.255.255.0 (/24 network on the VPN subnet)
Gateway: 192.168.0.1 (your router's LAN WAN IP)
Metric: 1
Interface: WAN
It works for me to browse my home network from a VPN client this way.
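To make the static-route fields above concrete, here is an added example (not D-Link firmware or either poster's code) that models the two routes discussed in this thread with a longest-prefix-match lookup, and rejects the two form mistakes raised in the question: a "/24" suffix typed into the mask field, and a device address instead of the network address in the destination field. The addresses are the thread's own; the route names LAN2VPN and VPN2LAN are the ones the original poster used.

```python
"""Longest-prefix-match route lookup for the static routes discussed in this
thread. Added example, not D-Link firmware or the forum posters' code; the
addresses are the thread's own (LAN 192.168.0.0/24 via 192.168.0.1,
QuickVPN pool 192.168.95.0/24 via 192.168.95.1)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticRoute:
    name: str
    network: IPv4Network   # destination network and mask
    gateway: IPv4Address   # next hop
    metric: int            # tie-breaker: lower wins when prefix lengths tie


def parse_route(name: str, destination: str, mask: str,
                gateway: str, metric: int) -> StaticRoute:
    """Validate the fields the DIR-882 form asks for, rejecting the two
    mistakes raised in the thread: a CIDR suffix in the mask field, and a
    host address (x != 0) in the destination field."""
    if "/" in destination or "/" in mask:
        raise ValueError("mask must be dotted quad, e.g. 255.255.255.0, not /24")
    # strict=True refuses host bits: the destination must be the network
    # address (192.168.0.0), not a device such as 192.168.0.150.
    network = IPv4Network(f"{destination}/{mask}", strict=True)
    if metric < 0:
        raise ValueError("metric is a cost, not an address")
    return StaticRoute(name, network, IPv4Address(gateway), metric)


def lookup(routes: Iterable[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Most specific match wins (longest prefix), then lowest metric."""
    dst = IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# The two routes exactly as posted later in the thread.
ROUTES = [
    parse_route("LAN2VPN", "192.168.95.0", "255.255.255.0", "192.168.0.1", 1),
    parse_route("VPN2LAN", "192.168.0.0", "255.255.255.0", "192.168.95.1", 1),
]

if __name__ == "__main__":
    for dst in ("192.168.0.150", "192.168.95.2", "8.8.8.8"):
        r = lookup(ROUTES, dst)
        print(dst, "->", f"{r.name} via {r.gateway}" if r else "no static route (default route)")
```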

Demolux_D1


Thanks for the effort and explanation, I think I understood!

So I made a static route yet it still does not work. This is my route:
____________________________
Name : LAN2VPN
Destination Network : 192.168.95.0
Mask : 255.255.255.0
Gateway : 192.168.0.1
Metric : 1
Interface: WAN
____________________________
This is the IP of my phone:
192.168.95.2
This is the IP of my robot:
192.168.0.150

I could not access the webpage of my robot - which at the same time is accessible in LAN. A reboot of the router does not make any difference.
I also could not access my NAS.

What about the "/24" on the Mask? I could not enter that because of the not allowed characters.

I then did another route the other way around, including a reboot:

____________________________
Name : VPN2LAN
Destination Network : 192.168.0.0
Mask : 255.255.255.0
Gateway : 192.168.95.1
Metric : 1
Interface: WAN
____________________________

I still cannot reach my local network devices from my phone. Disabling DDNS also did not work. Yet I can connect to the router on both IPs, 192.168.95.1 and 192.168.0.1, from my phone.

Any further advice? Maybe I need a different client-side configuration? I can e.g. enter a forwarding route in my VPN profile on Android.

me_iauras


It seems that they've fixed the routes issue in the v1.3.x firmware version.
I was on v1.2.x when I had to create the static route, and it remained active after I upgraded to v1.3.x, but now I've tested with the route disabled (and restarted the router after disabling it to make sure it wasn't still a zombie route) and everything seems to work now without it.
Previously I had issues with the SMB protocol; if I remember correctly I could access the NAS's web portal, but accessing the network share directly via SMB didn't work without the route in place.
This is how I had it set up:

My LAN subnet is 10.10.10.0/24 (because reasons) and my gateway is 10.10.10.1.
My VPN client also receives the 192.168.95.2 IP, so I really don't understand why it doesn't work for you, because it seems that the setups are identical.

As you can see in the image, on my laptop connected to my phone's hotspot (wifi OFF on the phone) via the VPN connection I can reach a VM on my LAN side.
« Last Edit: May 14, 2022, 01:46:21 AM by me_iauras »

Demolux_D1


Thanks for the response and the picture.

I tried 2 things.

1. I changed the subnet of my LAN to 192.168.95.0. But then the DIR-882 simply changes the VPN subnet to another seemingly random address realm (192.168.2xx.0 as far as I remember). Does not work, as before.

2. I mirrored your setup and also changed my LAN subnet to 10.10.10.0.

I activated the static route:


I connected with my laptop via hotspotting on my phone. The phone is connected via VPN to my DIR-882.

I then pinged some network resources from my laptop as here:


As you see, I can only successfully ping another phone (same model) and my router in my LAN. I cannot ping any other local network resources, including a third smartphone of a different model and a second laptop. However, I can ping my VPN-connected phone from my laptop when my laptop is in the LAN. Each network resource is pingable in the LAN, including the VPN-connected one (smartphone):

BUT: at the same time I still cannot ping into my LAN from my VPN (except the router and this same second phone, idk why). I can also not ping my laptop from my VPN-connected phone. So this works only from one side, from within the LAN (Laptop(LAN)->phone(VPN) OK, phone(VPN)->laptop(LAN) FAIL). My phone says "unknown host".

I don't really get what I can do after all that. I have SMB and FTP disabled in the User Settings as I do not use the router's shared USB storage but a dedicated NAS. Any further idea?

EDIT: I additionally connected to my VPN on my third phone and also tried to ping into the LAN. This also does not work. But, interestingly, I also cannot ping the first VPN-connected phone... :/?
« Last Edit: May 14, 2022, 09:05:46 AM by Demolux_D1 »

me_iauras


"I connected with my laptop via hotspotting on my phone. The phone is connected via VPN to my DIR-882."

I don't know your phone's OS (is it Android or iOS iPhone), but with Android the VPN routes are not passed to the clients of the hotspot.
Normally, if you went to whatismyip.com in your laptop browser in that situation, it would/should have returned a WAN IP from your mobile service provider and not one from your wired/fixed/home ISP. Only the phone uses the routes from the VPN connection.
Also make sure that you disable wifi before activating the hotspot; at least on my Samsung S22 (it was the same on the S20/S9 before it), if I left wifi on and created a hotspot, the internet connection shared to the hotspot's clients would be the one from the wifi, not the one from the mobile 4G connection.

Just because you cannot "ping" a client does not necessarily mean it's unreachable; it can also mean that its firewall is not configured to allow ICMP reply requests.
For example, I cannot ping 10.10.10.185 (a Win 10 VM in my LAN with a DHCP dynamic IP) because I haven't configured its firewall to allow such operation. But at the same time I can connect to it via RDP from my laptop (the laptop is connected to my phone's hotspot and the VPN client is the default Win 10 VPN client for L2TP/IPSEC, with VPN IP 192.168.95.2).


However, from my VM (10.10.10.185) I can ping the laptop without issue, since the firewall on the laptop is configured to respond to ICMP requests.


After the necessary changes to the VM's firewall (enable the "Core Networking Diagnostics - ICMP Echo Request (ICMPv4-In)" rule on both Domain and Private/Public networks, with the scope set to Any IP) I can ping it from my laptop just fine.



In conclusion, for me bidirectional connection is working no matter if the clients are of the DHCP static or DHCP dynamic type; I can reach all the LAN clients from my laptop and the other way around.

When I was talking about SMB I was talking about my NAS's network share, not the USB sharing on the router; that part is disabled on my router also (that's why I got the NAS in the first place, since the performance of the USB sharing on the router was so pitiful at ~7 MB/s write speed).
However, the VPN on my router is more of a backup now; I have a Wireguard VPN server running on my QNAP NAS (it's an option in the QVPN service along with OpenVPN and L2TP/IPSEC servers) as it gives me way better performance.
Setting up clients is kind of a PITA (you have to share the private key of one end of the tunnel with the other end for each client), but it gives me 200+ Mb/s throughput vs 15-16 Mb/s with the VPN server on the router.
Also, with Android 12 L2TP/IPSEC is no longer supported for new connections (Windows/MAC will be dropping native support also). If you had a phone on Android 11 and upgraded, the previously created connection will remain, but you cannot create new VPN profiles for L2TP.
Maybe you can try spinning up a VPN server on your NAS to see if that works; as I've said, it should work now as it's configured, but .....

« Last Edit: May 14, 2022, 09:47:52 AM by me_iauras »

Demolux_D1


Thanks again, and a lot, for your answer!

The issue is solved  ;D
Guess what, "Parental Control" completely disables access to the network, also to other network participants (not only to the WWW). So... disabling Parental Control for the devices I need to access did the trick.

Thanks and a nice weekend!
Demo
« Last Edit: May 20, 2022, 11:32:17 AM by Demolux_D1 »