Unable to connect to internal network through VPN

Tags: draytek, route, tp-link, vpn

I am using two routers, one for connecting through VPN, and the other for internal network. My issue is after I connect via VPN, I can't access the internal network in other router. Here's my setup:

DrayTek Vigor 2832n

Used to connect to outside network via ADSL, and also used to connect to my network via VPN.

Firmware: 3.9.1 (latest)

Router IP (LAN1): 192.168.0.1

Subnet (LAN1): 255.255.255.0/24

Bind IP (LAN1): 192.168.0.5 (for the other internal router)

DHCP (LAN1): enabled starting at 192.168.0.2

Static route (LAN1): no rules

VPN IP (LAN1): static at 192.168.0.4


TPLink WR740N

Takes an ethernet connection from DrayTek router, where it is input in the WAN port.

Firmware: dd-wrt v24-sp2 (latest)

WAN IP: 192.168.0.5

Router IP: 192.168.1.1

Subnet: 255.255.255.0

DHCP enabled starting at 192.168.1.100


I have several laptops connected to the TP Link router, where IPs are in the range of 192.168.1.x and through any of them, I can access the router webpages for both TPLink and DrayTek routers.

In addition, I can successfully VPN to my site from outside, where I can open the DrayTek router webpage. However in doing this, I am neither able to open the TPLink webpage, nor open any PC connected at the internal 192.168.1.x network.

Here's the ping status in this scenario:

192.168.0.1 (DrayTek: Success)

192.168.0.5 (TPLink WAN: Success)

192.168.1.1 (TPLink IP: Fail)

192.168.1.100 (PC on TPLink network: Fail)

Here's what trace route shows:

192.168.0.5: 192.168.0.1 to 192.168.0.5

192.168.1.1: 192.168.0.1 to 185.17.235.2xx to 185.17.235.3x (no idea what these IPs are)


I thought it's an issue related to the need for a static route in DrayTek router, but when I create one I get "Status: Invalid". Here are my settings:

Destination IP: 192.168.0.5

Subnet Mask: 255.255.255.0/24

Gateway IP: 192.168.0.1

Network Interface: LAN1


Hence, I am not sure what is wrong with these settings.

Also, I originally only had DrayTek router by itself, but weirdly enough, clients kept disconnecting ethernet connections every once in a while, which was causing issues in my network. I never figured out the reason, and since I need VPN access, I put this setup together.

Best Answer

If your vpn puts your outside device in the 192.168.0.x subnet, you’re connected to the Draytek.

I’m not certain what “192.168.0.5 (TPLink WAN: Success)” means. You get the admin page when you browse to this address?

The TPLink’s doing what it’s supposed to do. As far as this router’s concerned, 192.168.0.x is the outside world and it’s to be blocked.

Considering that I've never heard of draytek, my guess is that this router was provided by your isp.

Since the Draytek's not really doing anything, other than to serve as a bridge between your tplink and the internet, the most elegant solution is to bridge it and configure the tplink to communicate directly with your isp, and set the VPN up in the tplink. I've done this for clients (with fios).

Looking at your setup, right now your vpn ends at the Draytek. You can't go past the tplink because it's doing what it's supposed to do (blocking access from the outside). If you set the tplink for remote administration, I'm pretty sure that you'll be able to visit https://192.168.0.5 and see its settings from a remote location (it's advisable NOT to allow this).

Based on my own experience with routers provided by isp's, I wouldn't bother trying to figure out what the Draytek's doing (or not doing).

I'd try things in this order:

  • Set up the vpn on the tplink. Connect a pc to a Draytek's LAN port, have this PC initiate a vpn connection to the tplink (as if you were at a remote location), and make sure it works (your vpn should assign a 192.168.1.x address to this pc).
  • Install teamviewer or another remote admin program that goes through firewalls in at least one computer behind the tplink. You might need a backdoor for the next step.
  • On the Draytek, set 192.168.0.5 as a DMZ and try to connect from OUTSIDE of your office to the vpn (go to a friend's house to try this - I’d avoid starbucks, etc., because THEIR firewall might be set up to stop vpn traffic).
  • If the above doesn't work, go back to the Draytek (this is where teamviewer comes VERY handy) and set ALL ports on the Draytek (0-65535) to be forwarded to 192.168.0.5. This SHOULDN’T be necessary if the tplink’s on a DMZ, but I've had to do this on two occasions.

Once you get the vpn working the way it should and you know that you have vpn access to your devices, consider bridging the Draytek, or you can use it as a means to provide guest wifi access, which should not have access to anything behind the tplink.

Good luck!

alex

PS: If your isp-provided ip address is dynamic, you might need to set up something that relays your public address to a dynamic dns service (i.e. dyndns.net), but one problem at a time...

PS2: Not all dd-wrt's support vpn (and I'm 99% sure that the flavor they support is OpenVPN). For asus, for example, you have to get an asus-specific variant of dd-wrt, so that's something else you need to check. Otherwise, you'll need to set up something like NetZero (my preferred end-point vpn) or Hamachi on the computers behind your tplink.
