
GT-BE98 Pro and OpenVPN problem

gallahermike

Any help or suggestions would be appreciated.

GT-BE98 Pro replaced my dying RT-AX88U (Running Merlin).

I copied the settings from the old router to the new one and most everything works as expected, but I am having problems with OpenVPN.

Clients can connect but cannot see LAN servers or use the LAN internet connection. They basically don't seem to have a gateway assigned to the adapter and no DNS gets resolved.

General/Advanced Config...
CFG General.png
CFG Advanced.png


The client .ovpn file looks mostly like this (key edited out):

remote XXXX.asuscomm.com 3500
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30

# for OpenVPN 2.4 or older
comp-lzo no
# for OpenVPN 2.4 or newer
;compress

auth-user-pass
client
auth SHA1
ignore-unknown-option cipher data-ciphers
cipher AES-128-GCM
data-ciphers AES-128-GCM
remote-cert-tls server

On the client side, here is an ipconfig /all:

IP Config.png


and the route table

RouteTable.png


On the router from the logs I can see the following...

Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 TLS: Initial packet from [AF_INET6]::ffff:10.0.10.184:55648 (via ::ffff:73.12.151.5%br0), sid=7934e51f 0ec7de7e
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_VER=2.6.9
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_PLAT=win
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_TCPNL=1
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_MTU=1600
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_CIPHERS=AES-128-GCM
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_PROTO=990
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_LZO_STUB=1
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_COMP_STUB=1
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_COMP_STUBv2=1
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_GUI_VER=OpenVPN_GUI_11.47.0.0
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 peer info: IV_SSO=openurl,webauth,crtext
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 TLS: Username/Password authentication succeeded for username 'Michael' [CN SET]
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1553'
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
Mar 14 17:06:48 vpnserver1[1773]: 10.0.10.184:55648 [Michael] Peer Connection Initiated with [AF_INET6]::ffff:10.0.10.184:55648 (via ::ffff:73.12.151.5%br0)
Mar 14 17:06:48 vpnserver1[1773]: Michael/10.0.10.184:55648 MULTI_sva: pool returned IPv4=10.10.0.10, IPv6=(Not enabled)
Mar 14 17:06:48 vpnserver1[1773]: Michael/10.0.10.184:55648 MULTI: Learn: 10.10.0.10 -> Michael/10.0.10.184:55648
Mar 14 17:06:48 vpnserver1[1773]: Michael/10.0.10.184:55648 MULTI: primary virtual IP for Michael/10.0.10.184:55648: 10.10.0.10
Mar 14 17:06:49 vpnserver1[1773]: Michael/10.0.10.184:55648 PUSH: Received control message: 'PUSH_REQUEST'
Mar 14 17:06:49 vpnserver1[1773]: Michael/10.0.10.184:55648 SENT CONTROL [Michael]: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0 vpn_gateway 500,route 10.0.0.0 255.0.0.0 vpn_gateway 500,route 10.0.0.0 255.0.0.0 vpn_gateway 500,route 192.168.52.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 10.0.0.1,route 10.0.0.1,block-outside-dns,route 10.10.0.1,topology net30,ping 10,ping-restart 30,ifconfig 10.10.0.10 10.10.0.9,peer-id 1' (status=1)

and looking at the router's "Routing Table" I see the following...

Destination   Gateway      Genmask          Flags  Metric  Ref  Use  Type  Iface
default       73.12.148.1  0.0.0.0          UG     0       0    0    WAN0  eth0
1.0.0.1       73.12.148.1  255.255.255.255  UGH    1       0    0    WAN0  eth0
1.1.1.1       73.12.148.1  255.255.255.255  UGH    1       0    0    WAN0  eth0
10.0.0.0      *            255.0.0.0        U      0       0    0    LAN   br0
10.10.0.0     10.10.0.2    255.255.255.0    UG     0       0    0    LAN   br0
10.10.0.2     *            255.255.255.255  UH     0       0    0          tun21
73.12.148.0   *            255.255.252.0    U      0       0    0    WAN0  eth0
73.12.148.1   *            255.255.255.255  UH     0       0    0    WAN0  eth0
192.168.52.0  *            255.255.255.0    U      0       0    0          br54

Thanks in advance for any advice or help,
Michael
 
At first glance your subnet usage seems... unusual. Your server's LAN is massive at 10.0.0.0/8 and your VPN tunnel is 10.10.0.<something>.

I'm not sure I see how that could work. The tunnel address space is within the local address space so I suspect no routing will take place (as you're using a tun interface). But that's just a guess.
 
Sure, I guess that makes sense. I guess I hadn't thought about it, as that same configuration worked on the RT-AX88U.
 
I double-checked the old router; it was TUN.

Trying to switch to TAP produces a different problem. Errors connecting in the client...

2024-03-14 19:27:40 OpenVPN 2.6.9 [git:v2.6.9/6640a10bf6d84eee] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb 12 2024
2024-03-14 19:27:40 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-03-14 19:27:40 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-03-14 19:27:40 DCO version: 1.0.0
2024-03-14 19:29:24 TCP/UDP: Preserving recently used remote address: [AF_INET]73.12.151.5:3500
2024-03-14 19:29:24 UDPv4 link local: (not bound)
2024-03-14 19:29:24 UDPv4 link remote: [AF_INET]73.12.151.5:3500
2024-03-14 19:29:24 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-03-14 19:29:24 [GT-BE98_Pro] Peer Connection Initiated with [AF_INET]73.12.151.5:3500
2024-03-14 19:29:25 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
2024-03-14 19:29:25 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.1
2024-03-14 19:29:25 open_tun
2024-03-14 19:29:25 tap-windows6 device [OpenVPN TAP-Windows6] opened
2024-03-14 19:29:25 Successful ARP Flush on interface [21] {A56D3F93-0414-4A82-94AE-D3B84AD0B9F1}
2024-03-14 19:29:25 Bad compression stub decompression header byte: 251
2024-03-14 19:29:25 Bad compression stub decompression header byte: 251
2024-03-14 19:29:25 Bad compression stub decompression header byte: 251
2024-03-14 19:29:25 Bad compression stub decompression header byte: 251
2024-03-14 19:29:26 Bad compression stub decompression header byte: 251
That just repeats until I disconnect.

and the logs from the router...

Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 TLS: Initial packet from [AF_INET6]::ffff:10.0.10.184:63979 (via ::ffff:73.12.151.5%br0), sid=6e4d49ca 706cfeae
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_VER=2.6.9
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_PLAT=win
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_TCPNL=1
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_MTU=1600
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_CIPHERS=AES-128-GCM
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_PROTO=990
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_LZO_STUB=1
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_COMP_STUB=1
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_COMP_STUBv2=1
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_GUI_VER=OpenVPN_GUI_11.47.0.0
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 peer info: IV_SSO=openurl,webauth,crtext
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 TLS: Username/Password authentication succeeded for username 'Michael' [CN SET]
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
Mar 14 19:46:27 vpnserver1[30807]: 10.0.10.184:63979 [Michael] Peer Connection Initiated with [AF_INET6]::ffff:10.0.10.184:63979 (via ::ffff:73.12.151.5%br0)
Mar 14 19:46:27 vpnserver1[30807]: Michael/10.0.10.184:63979 MULTI: no dynamic or static remote --ifconfig address is available for Michael/10.0.10.184:63979
Mar 14 19:46:28 vpnserver1[30807]: Michael/10.0.10.184:63979 PUSH: Received control message: 'PUSH_REQUEST'
Mar 14 19:46:28 vpnserver1[30807]: Michael/10.0.10.184:63979 SENT CONTROL [Michael]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.0.0.1,route 10.0.0.1,route remote_host 255.255.255.255 net_gateway,ping 10,ping-restart 30,peer-id 0' (status=1)
Mar 14 19:46:46 kernel: CONSOLE[wl3]: 095382.198 wl3.1: 10:ce:a9:50:5b:cb: wlc_send_bar: seq 0x3c1 tid 0
 
You should fix your network topology first. You have two overlapping subnets, which will lead to unexpected routing issues. If for some reason you absolutely need a whole /8 for your LAN (I can't imagine why), at least move the VPN network to a different subnet, like 192.168.100.0/24.
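
Added example, not part of any post in this thread: a small Python check that parses the tun-mode PUSH_REPLY from the router log in the first post and reports where a pushed network route also covers the tunnel's own endpoint addresses. The function names are hypothetical, and net30 topology is assumed because that is what the reply pushes.

```python
import ipaddress

# PUSH_REPLY copied from the router log in the first post (tun mode).
PUSH_REPLY = (
    "PUSH_REPLY,route 10.0.0.0 255.0.0.0 vpn_gateway 500,"
    "route 10.0.0.0 255.0.0.0 vpn_gateway 500,"
    "route 10.0.0.0 255.0.0.0 vpn_gateway 500,"
    "route 192.168.52.0 255.255.255.0 vpn_gateway 500,"
    "redirect-gateway def1,dhcp-option DNS 10.0.0.1,route 10.0.0.1,"
    "block-outside-dns,route 10.10.0.1,topology net30,ping 10,"
    "ping-restart 30,ifconfig 10.10.0.10 10.10.0.9,peer-id 1"
)


def parse_push_reply(reply):
    """Return (routes, tunnel_addrs) parsed from a PUSH_REPLY string."""
    routes, tunnel = [], []
    for option in reply.split(",")[1:]:
        fields = option.split()
        if not fields:
            continue
        try:
            if fields[0] == "route":
                # A route pushed without a netmask is a /32 host route.
                mask = fields[2] if len(fields) > 2 else "255.255.255.255"
                routes.append(ipaddress.ip_network(f"{fields[1]}/{mask}"))
            elif fields[0] == "ifconfig":
                # net30 (assumed): local address, then peer address.
                tunnel = [ipaddress.ip_address(a) for a in fields[1:3]]
        except ValueError:
            continue  # symbolic target such as remote_host; nothing to compare
    return routes, tunnel


def find_overlaps(reply):
    """List (tunnel_address, route) pairs where a pushed network route
    also covers one of the tunnel's own endpoint addresses."""
    routes, tunnel = parse_push_reply(reply)
    hits = []
    for net in sorted(set(routes)):  # duplicate pushes collapse here
        if net.prefixlen == 32:
            continue  # host routes are single addresses, not subnets
        hits += [(addr, net) for addr in tunnel if addr in net]
    return hits


if __name__ == "__main__":
    for addr, net in find_overlaps(PUSH_REPLY):
        print(f"tunnel address {addr} is inside pushed route {net}")
```

Run against the log above, it flags both 10.10.0.10 and 10.10.0.9 as falling inside the pushed 10.0.0.0/8 route; with the tunnel moved to 192.168.100.0/24 as suggested, it reports nothing.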
 
I suspect you're just going to continue having problems.

Perform a full reset to factory defaults if you want to get the most out of the new hardware.
 
