
I have successfully configured the OpenVPN client on my router running DD-WRT, and I have also set it up to enable OpenVPN on startup.

home network => ddwrt router with OpenVPN client => web

I can see the router web interface and ssh into any of my home unix boxes if the OpenVPN client is not running. So I'm wondering how I can do the same if the OpenVPN client is running.

I am sure my home net connection is active because I am typing this right now on my MacBook that is connected to my router via wifi, and my other MacBook is connected to the net via iPhone personal hotspot. I'm doing testing on the second MacBook.

Important info:

Router firewall is off.

IP routing info

root@myrouter:~# ip route list
0.0.0.0/1 via 10.208.185.5 dev tun1 
default via my-wan-gateway-ip-here dev ppp0 
my-wan-gateway-ip-here dev ppp0  proto kernel  scope link  src my-real-ip-here
10.208.0.1 via 10.208.185.5 dev tun1 
10.208.185.5 dev tun1  proto kernel  scope link  src 10.208.185.6 
127.0.0.0/8 dev lo  scope link 
128.0.0.0/1 via 10.208.185.5 dev tun1 
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
my-vpn-ip via my-wan-gateway-ip-here dev ppp0

My OpenVPN config runs the default route-up.sh that's created by DD-WRT automatically. I didn't make any changes to this script.

root@myrouter:/tmp# cat /tmp/openvpncl/route-up.sh 
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT

My DNS servers (using Comodo and OpenDNS)

root@myrouter:/tmp# cat resolv.dnsmasq
nameserver 8.26.56.26
nameserver 8.20.247.20
nameserver 208.67.222.222

I also used some script I found on the net so certain IPs can bypass the VPN. This script is part of my startup script (rc_startup). I need this so I can play this specific game on my tablets.

#!/bin/sh
# Let selected LAN hosts bypass the VPN: give them their own routing table
# whose default route points at the WAN gateway instead of the tunnel.
sleep 30
NO_VPN_LST="192.168.1.11 192.168.1.2"
[ -z "$NO_VPN_LST" ] && exit 0

# Wait until PPP has negotiated a gateway; before that nvram reports
# 0.0.0.0 or nothing at all, so guard against both.
WAN_GWAY=""
while [ -z "$WAN_GWAY" ] || [ "$WAN_GWAY" = "0.0.0.0" ]; do
    sleep 3
    WAN_GWAY=$(nvram get wan_gateway)
done

# Table 10: a default route via the WAN, unaffected by the tunnel's
# 0.0.0.0/1 and 128.0.0.0/1 routes in the main table.
ip route add default via "$WAN_GWAY" table 10
# Send traffic sourced from each bypass host through table 10.
for ipa in $NO_VPN_LST; do
    ip rule add from "$ipa" table 10
done
ip route flush cache
exit 0

1 Answer

The issue you are facing is probably one of default/source routing.

When the VPN is not on things work because the default gateway is out your Internet connection, but when you start the VPN a couple of new routes are being added ("0.0.0.0/1 via 10.208.185.5 dev tun1" and "128.0.0.0/1 via 10.208.185.5 dev tun1"). This has the net effect of making the default gateway the VPN endpoint rather than your regular connection.

So there are 2 solutions, depending on what you need to do -

The easier solution is to get rid of those 2 lines creating the default gateway, and program in (or get your provider to program in) specific routes on your VPN connection which you want to access over VPN. This is only an option if you are using a VPN for a specific purpose, e.g. connecting to a company network, but won't work well for you if you are trying to hide your identity on the wider Internet.

The harder solution is to do "source based routing", which means setting up 2 routing tables: the current one being a default table, with a second table to respond to stuff which comes in over your regular connection directly, with a different default route. This is non-trivial to do, but there are a number of links on how to do it, including here and here. (The keywords to google would be "source routing" or "policy routing". If you really want to become expert in this stuff though, you probably need to become familiar with the LARTC; Chapter 4 covers policy routing.)

  • I'll try it once I get home. Thank you and thank you for the link
    – mrjayviper
    Commented Jul 20, 2015 at 6:20
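The "harder solution" the answer outlines, worked through as an added example (not code from the question, the answer or DD-WRT). It builds the second routing table the answer describes so that anything that comes in over the regular connection (ppp0) is answered over ppp0 even while the tunnel owns the default route: the router's own replies (web interface, ssh to the router) are caught by a rule on the WAN source address, and forwarded connections to LAN boxes are caught by a connection mark set on ingress from ppp0. Assumptions: DD-WRT names (nvram `wan_ipaddr`/`wan_gateway`, WAN on `ppp0`), table 10 (the same table the asker's bypass script already fills, so the two scripts can coexist), and firewall mark `0x10`, which is an arbitrary choice of this example. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or DD-WRT.
# Assumed names: nvram wan_ipaddr/wan_gateway, WAN interface ppp0,
# routing table 10 (shared with the asker's bypass script) and the
# arbitrary firewall mark 0x10.

WAN_IF="${WAN_IF:-ppp0}"
TABLE="${TABLE:-10}"
MARK="${MARK:-0x10}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed before it touches a live router.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the policy routing.  Arguments: WAN address and WAN gateway;
# both default to the nvram values on a DD-WRT box.  Returns 1 (and
# installs nothing) while the WAN is not up.
setup_wan_reply_routing() {
    wan_ip="${1:-$(nvram get wan_ipaddr 2>/dev/null)}"
    gw="${2:-$(nvram get wan_gateway 2>/dev/null)}"
    if [ -z "$wan_ip" ] || [ -z "$gw" ] || [ "$gw" = "0.0.0.0" ]; then
        echo "WAN is not up yet; nothing installed" >&2
        return 1
    fi

    # Table 10: a default route that ignores the tunnel's 0.0.0.0/1 and
    # 128.0.0.0/1 routes living in the main table.
    run ip route replace default via "$gw" dev "$WAN_IF" table "$TABLE"

    # Replies the router itself sends to WAN-side clients (web UI, ssh to
    # the router) carry the WAN address as source: route them by source.
    run ip rule add from "$wan_ip" table "$TABLE" priority 100

    # Forwarded connections (e.g. a port forward to a LAN box) have LAN
    # sources, so remember the ingress interface with a connection mark,
    # copy it back onto every packet of that connection and route by mark.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" table "$TABLE" priority 101

    # Strict reverse-path filtering would drop WAN-side packets whose source
    # is reachable only via tun1 in the main table; relax it to loose mode.
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$WAN_IF/rp_filter"
    run ip route flush cache
}

# On the router, run as root once the WAN is up (e.g. from rc_startup after
# the sleep the asker already uses): RUN_SETUP=1 sh thisscript.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_wan_reply_routing
fi
```

The connection mark is what makes forwarded traffic work: the reply from a LAN box arrives on br0 with a LAN source address, so no source rule can tell it apart from VPN-bound traffic, but `--restore-mark` gives it the mark recorded when the connection first came in on ppp0 and the `fwmark` rule then steers it into table 10. Locally generated VPN traffic and LAN clients keep using the main table, so the tunnel stays the default for everything else.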
