OpenVPN client on router between different Merlin versions

nbdwt73

Regular Contributor
I have a router RT-AC68U running 380.70 on a small network containing a backup server in an offsite location. Access is only required on occasion. I also have an RT-AC86U running 384.8_2 on a network with several computers that may need access to the backup server. I had the OpenVPN client on the 86U connected to the 68U and working fine last year - 2017 (worked well for years - can't tell you which older version it was running the last time it was connected) but no longer. Currently my laptop (on the 86U network) connects fine (can connect to IP addresses on the remote LAN and to the internet) when using a local OpenVPN client on the laptop (not using the router site-to-site client). It has the same credentials as the router client. However, the router client will connect (both 86U and 68U show connected status and look correct - routes look correct) but there is no access to the remote server machine or the internet through the VPN; pings to anything on the remote subnet time out.

I have been working on this for over a week - have followed Martineau's instructions as well as the OpenVPN instructions for Merlin. Question is will newer versions of the router client operate with older versions of the server? If so, I need some further help and will post specifics of the 86U setup... Thanks
 
Upload the openvpn file to the device (again) that isn’t working with OpenVPN. Delete the old one. You could have made some changes which broke it.
 
I actually went as far as starting over with new client credentials (both client and server .ovpn files - easy-rsa is my friend...). I am sure that I am overlooking something very small but I have exhausted every permutation that I can find, including adding routes on the server side. The reason for my question regarding versions is that 1) the laptop OpenVPN works fine and is the same version since before 2017 and 2) the only thing that has changed since this worked before is the Merlin version on the local LAN.

I read (and followed) the instructions from OpenVPN, Github, Martineau (I did try but since deleted the CCD client directory on the remote router). As mentioned, the routers connect fine... just no traffic. I suspect it is something on the client side setup that I am missing...
 
I seem to remember that there were some changes to later versions of OpenVPN regarding deprecated or insecure options. Can't remember the details; have a look through Merlin's change log.
 
The way to set the client/server options changed starting with 384.5 (the end result is the same, but the way to get there may be different). Maybe post a screenshot of your setup.
Code:
   - CHANGED: Revised OpenVPN server options:
              o Removed "TLS Reneg time" (rarely used, can manually
                be set as a custom option)
              o Removed "Server Poll" (which didn't work
                properly), and reimplemented watchdog service,
                hardcoded to 2 mins frequency.
              o Removed "Push LAN" and "Redirect Gateway",
                replaced with new Client Access setting
              o Removed Firewall setting (firewall rules are now
                always created, and the broken External mode
                was fixed and integrated into the new Client
                Access setting).  You can now use the postconf
                script to override it.
              o Removed option to respond to DNS queries - enabling
                the option to Push DNS will also handle it
              o Added new Client Access setting to select between
                three types of access: LAN only, WAN only (will
                block access to the LAN, including the router
                itself) and LAN + WAN.
              o Keys and certificates can now be up to 7999
                characters long.

   - CHANGED: Revised OpenVPN client options:
              o Reorganized settings into groups
              o Removed "Poll Interval" (which didn't work
                properly), and reimplemented watchdog service,
                with a hardcoded frequency of 2 mins.
              o Removed Firewall setting (firewall rules are now
                always created).  You can now use the postconf
                script to override it.
              o Modified behaviour of Connection Retry.  Instead
                of taking a value in seconds that only affected
                resolution failure, it now takes a number of
                attempts, and affects connection failures.
                Resolution failures will now retry for an infinite
                period of time (the default OpenVPN value).
              o Added "refresh" link which can be clicked to
                re-query the public IP endpoint of the tunnel
              o Keys and certificates can now be up to 7999
                characters long.
 
 
Server OVPN...

# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
duplicate-cn
route 192.168.100.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 5
# Custom Configuration
push "route 0.0.0.0 0.0.0.0"
push "redirect-gateway def1"
 
Thanks... tried that - same result.
 
Is the open vpn app/software updated on the client? I know some settings require a newer version. Worth a try at this point.
 
Hmmm, I'm assuming that the PC client is also OpenVPN 2.4.x rather than 2.3.x etc.?

So presumably you have simply compared the two configuration text files:
...the working PC config 'C:\Program Files\OpenVPN\config\clientX' with one used on the RT-AC86U '/etc/openvpn/clientX'.

Invariably (in my experience) it is the compression mismatch that is usually the culprit i.e. when the tunnel appears to be valid but it is only when you attempt a data transfer that it becomes apparent that there is an issue.
So you could tediously work your way through the options: 'disabled', 'none', 'comp-lzo', etc.
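One way to do the client/server config comparison Martineau suggests, as an added example rather than code from the thread or from Asuswrt-Merlin: it parses both files and reports the directive mismatches (compression first) that leave a tunnel "connected" but passing no traffic. The server snippet is abridged from the config posted above; the client config and the remote hostname are constructed.

```python
import shlex

def parse_ovpn(text):
    """Parse an OpenVPN config into {directive: args}. Keeps the last occurrence
    of a directive, skips comments and inline <ca>/<cert>/<key> blocks."""
    conf, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            conf[parts[0]] = parts[1:]
    return conf

def compression_mode(conf):
    """Normalise 'comp-lzo [mode]' (default adaptive) and 'compress [alg]' to one
    label. A bare 'compress' enables packet framing without compression, which
    still does not interoperate with a peer that has no framing at all."""
    if "compress" in conf:
        return "compress:" + (conf["compress"][0] if conf["compress"] else "framing-only")
    if "comp-lzo" in conf:
        return "comp-lzo:" + (conf["comp-lzo"][0] if conf["comp-lzo"] else "adaptive")
    return "none"

def compare(client, server):
    """Return human-readable mismatches between a client and a server config."""
    issues = []
    cm, sm = compression_mode(client), compression_mode(server)
    if cm != sm:
        issues.append(f"compression: client={cm} server={sm}")
    c_proto = client.get("proto", ["udp"])[0].rstrip("46")
    s_proto = server.get("proto", ["udp"])[0].rstrip("46")
    if c_proto != s_proto:
        issues.append(f"proto: client={c_proto} server={s_proto}")
    for tls in ("tls-auth", "tls-crypt"):
        if (tls in client) != (tls in server):
            issues.append(f"{tls} present on only one side")
    # With NCP disabled the client is stuck with its static cipher; a 2.4 server
    # accepts it only if it is its own cipher or in its ncp-ciphers list.
    accepted = set(server.get("cipher", [])) | set(
        server.get("ncp-ciphers", ["AES-256-GCM:AES-128-GCM"])[0].split(":"))
    c_cipher = client.get("cipher", ["BF-CBC"])[0]
    if "ncp-disable" in client and c_cipher not in accepted:
        issues.append(f"cipher {c_cipher} not accepted by server")
    return issues

# Constructed samples: the server config from the thread (abridged) and a
# client config whose compression line was left commented out.
SERVER = ("server 10.8.0.0 255.255.255.0\nproto udp\ntopology subnet\n"
          "ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC\n"
          "cipher AES-128-CBC\ncomp-lzo adaptive\nkeepalive 15 60\n")
CLIENT = ("client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
          "cipher AES-128-CBC\n# comp-lzo adaptive\n")
```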
 
