BI Remote Viewing via WAN address. 2 servers, one works, the other doesn't

IAmATeaf

The only easy way of doing this might be to add another network card to the server, configure it for another subnetwork, then run the BI web service on that card. You could then route all traffic from that network to the WAN. But whether this would work depends on what other network hardware you have.
 

achalmersman

Hmmm, interesting idea. And the hardware at his location is capable of that and I have spare NICs lying around. Thanks for the idea.
 
Joined Apr 26, 2016; Location: Colorado
Now that we figured out WHAT the problem is, it should be easier to solve! Check out the OpenVPN docs on Site-To-Site VPN (that's what you have set up): Site To Site VPN Routing Explained In Detail | OpenVPN

You need to configure the "ipv4 remote network subnet" setting so that it knows what subnets to send through that tunnel. That resolves the need for a static route, and regular internet traffic will continue to take your father's default route to the internet.

Since he is connecting to YOUR OpenVPN you could also try pushing the proper routes to him as a client. It doesn't always work for some clients but ought to work if he is running OpenVPN client software on his PC.

In pfSense,
  1. Open "VPN" menu
  2. Choose "OpenVPN" menu option
  3. Click the Edit (pencil) on the server connection you are hosting for him to connect to.
  4. Scroll down to "Advanced Configuration"
  5. In the quite large "Custom Options" text box put:
     push "route 10.0.0.0 255.255.255.0"
The double quotes are important. Replace the 10.0.0.0 with your subnet, for example: 192.168.1.0 255.255.255.0, although if you were using the 192.168.1.X subnet I would recommend you change that as well someday.
 
Joined Apr 26, 2016; Location: Colorado
If you get the connection working you can do a download or speed test just to confirm his regular internet access is still taking the proper route. As you said you probably don't want to route everything through your connection.
 

achalmersman

I was already doing that. I'm also using that method for assigning a static address. But how can this be configured to make BI use only the VPN for WAN traffic without manually adding every WAN network that would connect?
Current advanced config for his Client Specific Override below.

ifconfig-push 192.168.30.4 255.255.255.0;push "route 192.168.30.0 255.255.255.0";push "route 192.168.1.0 255.255.255.0"

....yes. I plan to re-IP my entire home network some day. It's just a project I haven't taken on yet lol.
 
Joined Apr 26, 2016; Location: Colorado
I was assuming your father's network is the 192.168.30.X network? If so you only need that last part.
push "route 192.168.1.0 255.255.255.0"

Once the route is working, you can disable the OpenVPN setting "Force all client-generated IPv4 traffic through the tunnel." if it happens to be set in pfSense.
 

achalmersman

The 192.168.30.x network is for all VPN clients, not just his server. His server is a client. As is my cell phone, or laptop, etc. whenever connected. But you're right, the "route 192.168.30.0 255.255.255.0" statement wasn't needed. I removed it and everything is still working (only with "force all client generated traffic through tunnel" enabled though).
 
Joined Apr 26, 2016; Location: Colorado
All the better actually. Whenever one of the devices connects to your OpenVPN server it will get the route pushed, so it knows 192.168.1.x can be reached via the 192.168.30.x network. Otherwise the default routing rule will send the traffic out to 192.168.1.x via your father's WAN connection, unless his network is also 192.168.1.x, at which point it will go to his router and his router probably won't have a device registered at that IP address. Either way it goes in a black hole never to be seen again.

Just so we steer clear of that problem, what's your father's internal network subnet?
 

achalmersman

So I'm back to not being sure how to make the WAN traffic go out the VPN. Other than tinkering with the separate physical network card, which, thinking about it, I'm not sure would even work. I think I would still have the same routing challenge. I quickly chatted with a platform engineer at work and he told me I can't get that specific with a Windows machine. He said you can't create Windows routes based on port numbers / application but only by IPs. Honestly at this point I may be over-complicating this and may just leave it as is. I doubt the WAN bandwidth is very much anyway but I would really have preferred not to have to worry about it. My upload speed is only 6.5 mb/s and I have a Plex server etc. I don't need anything else consuming my home upload bandwidth.
 

achalmersman

It's 192.168.0.x /24

But yes, I still want to re-IP my home network as well as my church (it's the same scheme as mine).

 
Joined Apr 26, 2016; Location: Colorado
I thought your whole point was you didn't want all his WAN traffic to come across the VPN. I'm telling you that you just need proper routing.

You can test this by adding a static route on his Blue Iris PC that sends traffic to your subnets via the VPN gateway to confirm it will work. When his computer isn't connected to your VPN (which I assume is rarely since you are sharing your public IP with him), then all traffic to that subnet will just not know where to go.
You can go Google "what's my ip" from your father's computer to verify that generic traffic is going out his regular WAN IP.
 

achalmersman

That is the point (I meant WAN traffic for only BI) and I've done all that. It was working but connections coming into my public IP using his port number go to his VPN address, but the connection never establishes, hence the creation of this thread.

Unless you know of other routing statements that need made specific for traffic using his webUI port, I don't think it will work. Either all internet traffic goes through the VPN or none, the way I understand it, without adding static routes for public IPs.

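An added illustration, not part of the thread or of either poster's configuration: a small longest-prefix-match model of the Blue Iris PC's route table, using the subnets quoted in the posts above, to show where the reply to a forwarded connection leaves the machine. It assumes the port forward keeps the remote viewer's public source address; the interface names and viewer addresses are constructed.

```python
import ipaddress

def pick_route(table, dst):
    """Longest-prefix match: interface of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), iface) for net, iface in table]
    hits = [(net, iface) for net, iface in hits if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def reply_path(table, viewer_ip, arrived_on="vpn"):
    """Egress interface for the reply, and whether it matches the ingress one."""
    out = pick_route(table, viewer_ip)
    return out, out == arrived_on

# Blue Iris PC as VPN client 192.168.30.4. Interface names are hypothetical.
SPLIT = [
    ("0.0.0.0/0", "wan"),         # default route via the father's router
    ("192.168.0.0/24", "lan"),    # father's LAN
    ("192.168.30.0/24", "vpn"),   # VPN client subnet
    ("192.168.1.0/24", "vpn"),    # push "route 192.168.1.0 255.255.255.0"
]
# "Force all client-generated traffic through the tunnel": modelled as the two
# /1 routes that OpenVPN's redirect-gateway def1 installs, which outrank /0.
FULL = SPLIT + [("0.0.0.0/1", "vpn"), ("128.0.0.0/1", "vpn")]

VIEWER_HOME = "192.168.1.50"      # constructed: device on the home LAN
VIEWER_PUBLIC = "203.0.113.77"    # constructed: RFC 5737 documentation address
# Static host route for one known public viewer, the per-IP workaround.
HOST_ROUTE = SPLIT + [(VIEWER_PUBLIC + "/32", "vpn")]

if __name__ == "__main__":
    cases = [("split", SPLIT), ("full", FULL), ("split + host route", HOST_ROUTE)]
    for name, table in cases:
        for viewer in (VIEWER_HOME, VIEWER_PUBLIC):
            iface, symmetric = reply_path(table, viewer)
            note = "ok" if symmetric else "asymmetric, connection stalls"
            print(f"{name:18} {viewer:13} reply via {iface:3} {note}")
```

In the split-tunnel table only the public viewer's reply leaves by `wan`, which matches the symptom in the thread: the forwarded connection reaches the VPN address but never establishes.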