Access LAN services through real IP with active VPN client

Hello,

Is it possible to reach services hosted within the LAN from the Internet while the VPN client is active?
I have a service running on a computer at, let's say, 192.168.8.100. I have a port forwarding rule from WAN 8080 towards 192.168.8.100:8080.
When the VPN client is off, I can reach this service from the Internet at [public IP]:8080. However, when I turn the VPN client on (all-traffic policy), the service cannot be reached anymore.

I guess I would need something like “Services from GL.iNet Use VPN” set to off, but for my own services. Is there any way to allow the non-VPN incoming traffic when the VPN is active?

There is a workaround which consists in excluding the MAC address of the computer at 192.168.8.100 from using the VPN with a policy, but I'd like the outgoing traffic of this computer to go through the VPN, and the non-VPN incoming traffic to be accepted anyway. Does this sound feasible?

Thanks

Please try setting these iptables rules:

# mark connections that came in from the wan (recorded in the conntrack mark)
iptables -t mangle -A INPUT -i eth0 -j CONNMARK --set-xmark 0x80000/0x80000
# restore that mark onto outgoing packets of those connections so they do not use the vpn
iptables -t mangle -A OUTPUT -m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark

I'm not used to performing such low-level operations. Where should I insert these? How can I undo them if it doesn't work as expected?
Besides, I'm using a repeater as the WAN source; do you confirm the “-i eth0” option?

Use the ssh command in the terminal.

Yes, it will be wlan-sta0 for repeater as WAN.

# mark connections that came in from the wan (recorded in the conntrack mark)
iptables -t mangle -A INPUT -i wlan-sta0 -j CONNMARK --set-xmark 0x80000/0x80000
# restore that mark onto outgoing packets of those connections so they do not use the vpn
iptables -t mangle -A OUTPUT -m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark

To revert the rules, reboot or issue the following commands:

iptables -t mangle -D INPUT -i wlan-sta0 -j CONNMARK --set-xmark 0x80000/0x80000
iptables -t mangle -D OUTPUT -m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark

OK, thanks for the tutorial.
I just tested it and it didn't work. Like before, the open port is unreachable when the VPN is active.

Hi,
add these firewall rules to fix this:

uci set firewall.wan_in_conn_mark=rule
uci set firewall.wan_in_conn_mark.name='wan_in_conn_mark'
uci set firewall.wan_in_conn_mark.src='wan'
uci set firewall.wan_in_conn_mark.dest='*'
uci set firewall.wan_in_conn_mark.set_xmark='0x80000/0x80000'
uci set firewall.wan_in_conn_mark.target='MARK'
uci set firewall.wan_in_conn_mark.extra='-j CONNMARK --set-xmark 0x80000/0x80000'
uci set firewall.wan_in_conn_mark.enabled='1'
uci set firewall.lan_in_conn_mark_restore=rule
uci set firewall.lan_in_conn_mark_restore.name='lan_in_conn_mark_restore'
uci set firewall.lan_in_conn_mark_restore.src='lan'
uci set firewall.lan_in_conn_mark_restore.dest='*'
uci set firewall.lan_in_conn_mark_restore.set_xmark='0x80000/0x80000'
uci set firewall.lan_in_conn_mark_restore.target='MARK'
uci set firewall.lan_in_conn_mark_restore.extra='-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
uci set firewall.lan_in_conn_mark_restore.enabled='1'
uci set firewall.out_conn_mark_restore=rule
uci set firewall.out_conn_mark_restore.name='out_conn_mark_restore'
uci set firewall.out_conn_mark_restore.dest='*'
uci set firewall.out_conn_mark_restore.set_xmark='0x80000/0x80000'
uci set firewall.out_conn_mark_restore.target='MARK'
uci set firewall.out_conn_mark_restore.extra='-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
uci set firewall.out_conn_mark_restore.enabled='1'
uci commit firewall
/etc/init.d/firewall reload

To revert:

uci delete firewall.wan_in_conn_mark
uci delete firewall.lan_in_conn_mark_restore
uci delete firewall.out_conn_mark_restore
uci commit firewall
/etc/init.d/firewall reload

Basically, these rules will generate the following iptables entries:

iptables -t mangle -A PREROUTING -i wlan-sta0 -p tcp -m comment --comment "!fw3: wan_in_conn_mark" -j CONNMARK --set-xmark 0x80000/0x80000
iptables -t mangle -A PREROUTING -i wlan-sta0 -p udp -m comment --comment "!fw3: wan_in_conn_mark" -j CONNMARK --set-xmark 0x80000/0x80000
iptables -t mangle -A PREROUTING -i br-lan -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: lan_in_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A PREROUTING -i br-lan -p udp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: lan_in_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A OUTPUT -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: out_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A OUTPUT -p udp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: out_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

They mark WAN incoming traffic with connmark 0x80000; when the traffic goes in the outgoing direction, the connmark (ctmark) is restored to the nfmark, and with mark 0x80000 it will go via route table 52, which does not use the VPN.

Perfect, I just tested it and it works!

However, I noticed a sudden bandwidth drop of the traffic using Flint's WireGuard server when I set up the rules (from ~35 Mbps in direct Wi-Fi to ~5 Mbps when going through the WG server). But on reverting the rules I didn't notice a bandwidth improvement, so it may be unrelated, I don't know…

I tested using iperf3 in the LAN and found no performance degradation with these rules :grinning:

I had to set up a VPN policy based on the VLAN, and now it's not working anymore: the port forwarding remains closed with the VPN on. What should I change so that it works again?
By the way, do you consider enabling this feature through the interface?

Thanks!

Thank you for pointing out this issue, which was not considered before.
I'll check it later.

Sorry for the late reply.
I tested on firmware 4.2.1; the VLAN VPN policy is compatible with the _conn_mark firewall rules.
This code has already been merged into the latest firmware.

When the issue happens, could you send me the iptables output:

iptables-save >/www/ipt

Then download it at 192.168.8.1/ipt

Thanks for coming back to this issue.
I just upgraded to the latest 4.2.1 snapshot firmware (from 2023-03-30) and it's still not working with the VLAN policy.
I'll send my iptables output in a private message.

Hi, firmware 4.2.1 release: GL.iNet download center
Port forwards or local services can be accessed while the VPN policy is on.

Hi, thanks for the update.
However, I just tested it: I installed 4.2.1 beta4 without keeping settings to have a fresh install, set all my settings again, and it's still not working. My local service responds from the Internet when the VPN client is off, and as soon as I turn it on it is not reachable anymore.

Thank you for reporting. Confirmed: the firmware packaging is missing a script.
Add it manually with this command:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<EOF
#!/bin/sh

iptables-save -t mangle |sed '/wan_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle
EOF

I just tested it and it works very well. Thank you!

Hello,

The router interface just prompted me to upgrade to 4.2.3 release5, which I did, and then this was not working anymore.
I had to manually redo this command to make it work again, so it seems the script is still missing.

Could you add it for the next updates?
Thanks

That script is installed in 4.2.3 release5, but another issue was found: you need to apply the policy mode setting after the VPN client is toggled on, or the port forward rule will not work. That's buggy; we'll fix it later.

Hi, I found the solution; please revise the script with this command:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<EOF
#!/bin/sh

iptables-save -t mangle |sed '/_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle
EOF
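To see why the revised script matches `_in_conn_mark` instead of only `wan_in_conn_mark`, here is an added example (not from the thread or from GL.iNet's firmware) that applies the same sed rewrite to a constructed `iptables-save -t mangle` dump and simulates the chain order `iptables-restore` produces. The `vpn_policy` rule and its mark value 0x8000 are assumed placeholders standing in for the VLAN policy rule that precedes the conn_mark rules.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t mangle` output (not a real capture).
# The VPN policy rule (assumed name/mark) sits in PREROUTING ahead of the
# conn_mark rules, so a reply packet from the LAN host gets the policy mark
# before the connmark restore ever runs and is routed into the tunnel.
SAMPLE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i br-lan -m comment --comment "vpn_policy" -j MARK --set-xmark 0x8000/0x8000
-A PREROUTING -i wlan-sta0 -p tcp -m comment --comment "!fw3: wan_in_conn_mark" -j CONNMARK --set-xmark 0x80000/0x80000
-A PREROUTING -i br-lan -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: lan_in_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: out_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT'

# The rewrite from the thread's script: every PREROUTING rule whose line
# matches $1 is turned from an append (-A) into an insert (-I). With
# "_in_conn_mark" this catches both wan_in_conn_mark and
# lan_in_conn_mark_restore; the first script only matched the former.
swap_to_insert() {
    sed "/$1/ s/-A PREROUTING/-I PREROUTING/"
}

# Simulate how iptables-restore builds the chain: -A appends to the tail,
# -I with no position inserts at the head (so later -I lines end up above
# earlier ones). Prints the PREROUTING rule comments in evaluation order.
effective_prerouting_order() {
    awk '
        /^-A PREROUTING/ { tail[++nt] = $0 }
        /^-I PREROUTING/ { head[++nh] = $0 }
        END {
            for (i = nh; i >= 1; i--) emit(head[i])
            for (i = 1; i <= nt; i++) emit(tail[i])
        }
        function emit(line,   m) {
            if (match(line, /--comment "[^"]*"/)) {
                m = substr(line, RSTART + 11, RLENGTH - 12)
                sub(/^!fw3: /, "", m)
                print m
            }
        }'
}

# Before: vpn_policy first. After the full rewrite: both conn_mark rules first.
printf '%s\n' "$SAMPLE" | effective_prerouting_order
printf '%s\n' "$SAMPLE" | swap_to_insert '_in_conn_mark' | effective_prerouting_order
```

Running it with the older pattern `wan_in_conn_mark` instead shows `lan_in_conn_mark_restore` still sitting below `vpn_policy`, which is the ordering the revised script fixes.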

@hansome This no longer works after upgrading to v4.5.0