Hi everyone! I would appreciate any help on this.

Here is my environment.

• AsusWRT-Merlin FW 380.67 on Asus RT-AC88U
• OpenVPN Client setup on my router using AirVPN
• OpenVPN Server enabled on my router with 10.8.0.0/24
• Internal home LAN with 192.168.x.x/24
• I have a FreeNAS server running multiple jails
• 192.168.1.26 = Transmission going through the OpenVPN client out to the internet

I'm having issues accessing only the Transmission jail at 192.168.1.26 on my home internal LAN when I VPN in. Transmission in my Freenas server is going through the a VPN configured on OpenVPN Clients page. This is happening because under the 'OpenVPN Clients' tab in the router page, under 'Redirect Internet Traffic' option, I'm using 'Policy Rules Strict' setting. Using the strict option increases security but requires a rule to be used that specifically targets the tunnel's interface to allow traffic to be forwarded. When I change it to just 'Policy Rules', I can ping and reach the Transmission server. Please help me write rules that forward traffic to the specifc tunnel'd interface of 192.168.1.26. Here is Merlin's explanation from his changelog for 380.66 (12-May-2017),


This brings me to iptables. Here is my nat-start script. My goal is to have a semi simple script with some security while allowing me to access the Trasmission IP. You'll see from my script that I tried different lines and when they didn't work, I just commented them out.

Any help is very much appreciated.

Link to a diagram:
http://i.imgur.com/9DpQHg0.png

This is your complete iptables rule set? You don't have any policy set? Also do you stop one iptables setup and then start this one?

Hi, this is just a custom script called nat-start that loads when the router boots. Im sure it's not the whole ruleset. Those don't need to be touched as they are configured by the options set on the router.

I've been reading up on iptables as much as possible within the last couple of days so Im sure the rules and tables are out of order but everything works as I have it now with the exception of accessing the .1.26 client that's behind the VPN on tun11. My initial venture into this was trying to forward the port as seen in the script.

Well I was able to get some clarity on this straight from the source RMerlin, "(Policy Rules Strict) change is done at a lower level than iptables - right at the kernel's routing table level, so working around it might be complicated".

With this in mind, unless someone really experienced with this tries to figure a way to add a route, accessing devices using strict mode will be a problem.

Since this is only part of your rule set there could be something in another rule that is causing you your problems.

You can add routes to your routing table with 'route add'.