canuckbrian
New Around Here
Hello,
I work for an ISP and I'm trying to set up a VPN connection from my home to my office for the purpose of streaming IPTV.
I have an OpenVPN 2.3 server running on Ubuntu 14.04. The server is configured in bridge mode and I'm using a TAP adapter for the VPN connection.
Server Public Facing IP: 216.19.xxx.xxx
Server IPTV Facing IP: 10.108.0.19
server.conf:
Code:
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server-bridge
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
duplicate-cn
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
script-security 2
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
up.sh:
Code:
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV
down.sh:
Code:
#!/bin/sh
BR=$1
DEV=$2
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Client.ovpn:
Code:
client
dev tap
proto udp
remote 216.19.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
The certs and keys are embedded in the ovpn profile.
interfaces:
Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 216.19.xxx.xxx
    netmask 255.255.255.128
    gateway 216.19.xxx.xxx
    dns-nameservers 216.19.xxx.xxx 216.19.xxx.xxx 8.8.8.8 8.8.4.4

# IPTV Network
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

# VPN Bridge Network
auto br0
iface br0 inet dhcp
    dns-nameservers 10.252.100.6 10.252.100.7 8.8.8.8 8.8.4.4
    bridge_ports eth1
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp on
    bridge_prio 1000
ifconfig Output:
Code:
br0       Link encap:Ethernet HWaddr 00:0c:29:6c:80:1e
          inet addr:10.108.0.19 Bcast:10.108.255.255 Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe6c:801e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:604691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:37560950 (37.5 MB) TX bytes:5712 (5.7 KB)

eth0      Link encap:Ethernet HWaddr 00:0c:29:6c:80:14
          inet addr:216.19.xxx.xxx Bcast:216.19.xxx.xxx Mask:255.255.255.128
          inet6 addr: fe80::20c:29ff:fe6c:8014/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2558515 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62057450 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:194583375 (194.5 MB) TX bytes:89842790326 (89.8 GB)

eth1      Link encap:Ethernet HWaddr 00:0c:29:6c:80:1e
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:1883546327 errors:0 dropped:2 overruns:0 frame:0
          TX packets:117898 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2575070069990 (2.5 TB) TX bytes:19970384 (19.9 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap0      Link encap:Ethernet HWaddr 52:45:48:1a:50:5e
          inet6 addr: fe80::5045:48ff:fe1a:505e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:457 errors:0 dropped:4 overruns:0 frame:0
          TX packets:10073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:149525 (149.5 KB) TX bytes:667700 (667.7 KB)
Using this configuration and setup I can connect to the VPN server using my PC and the OpenVPN desktop client. The DHCP server from the IPTV Network provides my system with an IP, DNS info, and routes are populated in my PC's route table for the new network. I can ping everything needed without issues.
The problem comes when I try to use this with my Asus RT-AC87U router. I have the Merlin firmware installed on my router. I upload my ovpn profile, change the DNS to Strict and Redirect Internet Traffic is set to No. When I turn on the VPN connection, it connects and under the status tab I see traffic being passed back and forth. However the route table doesn't populate with any new routes, and when I SSH into my router and run the ifconfig command under the tap11 interface I don't see an IP listed.
Why does it work for my OpenVPN client on my PC, but not on my router? Any help would be greatly appreciated. The VPN needs to stay in TAP mode so I can pass multicast and IGMP traffic; TUN doesn't support this.
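Added example (not part of the original post, and not OpenVPN's own tooling): a small shell audit run over directives copied from the posted server.conf and Client.ovpn. It flags the bare `server-bridge` line, which per the OpenVPN manual enables DHCP-proxy mode where the client itself must run a DHCP client on its TAP device, along with a few security-relevant directives; the finding labels and wording are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Directive names are real
# OpenVPN options; the finding labels and wording are this example's own.

# audit_ovpn: read an OpenVPN config on stdin, print one line per finding.
audit_ovpn() {
    awk '
    NF == 0 || $1 ~ /^[#;]/ { next }          # skip blanks and comments
    { seen[$1] = 1; nargs[$1] = NF - 1 }      # remember each directive
    END {
        if (seen["server-bridge"] && nargs["server-bridge"] == 0)
            print "DHCP-PROXY: bare server-bridge pushes no address; the client must run a DHCP client on its tap device"
        if (seen["duplicate-cn"])
            print "DUP-CN: duplicate-cn lets one certificate hold several sessions at once"
        if (seen["comp-lzo"] || seen["compress"])
            print "COMPRESSION: compressing before encrypting can leak plaintext through packet sizes"
        if (seen["ns-cert-type"])
            print "NS-CERT-TYPE: deprecated server check; remote-cert-tls server is the replacement"
        if ((seen["server-bridge"] || seen["server"]) && !seen["tls-auth"] && !seen["tls-crypt"])
            print "NO-TLS-AUTH: no HMAC key protects the control channel from unauthenticated packets"
    }'
}

# Directives copied from the server.conf in the post (subset).
sample_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tap
server-bridge
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
cipher AES-128-CBC
comp-lzo
EOF
}

# Directives copied from Client.ovpn in the post (subset).
sample_client_conf() {
    cat <<'EOF'
client
dev tap
#cert client.crt
ns-cert-type server
comp-lzo
EOF
}

sample_server_conf | audit_ovpn
sample_client_conf | audit_ovpn
```

To check a real file, pipe it in, for example `audit_ovpn < /etc/openvpn/server.conf`.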