OpenVPN server on ASUS issues...

smcgrath12

Occasional Visitor
Hello, I am not sure why my OpenVPN server is not working on ASUS RT-AC66U. This is my first time setting up OpenVPN on Merlin (I am running 380.59). I recently changed my software from DD-WRT to Merlin (mainly because I have AT&T Fiber and I only get 300 Mbps download on DD-WRT, versus around 950 Mbps on Merlin).

My router LAN IP is 192.168.4.0/24
My OpenVPN server IP is 192.168.9.0/24

My OpenVPN implementation was working on DD-WRT for connected Windows and iOS clients. I am using the same certificates for authentication on Merlin. Here is what I had on DD-WRT. The only exception is that the original router for DD-WRT was an ASUS RT-68. Now, my router is an ASUS RT-66.

--------------------------------------------------

1. In my "Commands", for the "Startup" script, I had this line: echo "1" > /proc/sys/net/ipv4/ip_forward

--------------------------------------------------

2. For the OpenVPN additional config, I had this:

push "route 192.168.4.0 255.255.255.0"
server 192.168.9.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
dev tun0
proto udp
port 443
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001

-------------------------------------------------------------------

3. In my "Commands", for the "Firewall" script, I had this:

# Allow hostile traffic to connect to the OpenVPN server
iptables -I INPUT 1 -p udp --dport 443 -j ACCEPT

# Allow TUN interface connections to OpenVPN server
iptables -I INPUT 2 -i tun0 -j ACCEPT

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o br0 -s 192.168.9.0/24 -d 192.168.4.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o vlan2 -s 192.168.9.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from LAN to access "the world"
iptables -I FORWARD -i eth0 -o vlan2 -s 192.168.4.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.9.0/24 -j MASQUERADE

# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.4.0/24 -j MASQUERADE

--------------------------------------------------------------------------------------------

And here is a sample CLIENT config for a Windows client that worked for the OpenVPN server running previously on DD-WRT:

remote xxxxxxxxxxx 443
client
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
route-delay 30
ca ca.crt
cert client1.crt
key client1.key

-------------------------------------------------------------------------------------------

Now, I can connect to my OpenVPN server on Merlin fine, but that's where the good things end. I cannot ping any LAN clients from VPN clients or vice versa, nor can the VPN clients access the WAN.

I have tried a lot of different options (like pushing the LAN to OpenVPN clients, etc.) in the OpenVPN server config page on Merlin. But it doesn't matter...

Can someone tell me if I even need any of these scripts, and if so, where do I need to put these existing scripts on Merlin after I enable the JFFS support? And do I need to change anything in these scripts for it to work on Merlin? One thing I did notice, my tun "number" sometimes is "tun0" and other times, it is "tun21" after a reboot of Merlin.

I have read this page https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts but I am not sure which scripts I need to tinker with to make this work. Do I need CCD files to make this work?

Any help will be much appreciated. Thanks.

EDIT: The 66 is my test router. Eventually, I am going to import the config back to main 68 router.
Although it's an ancient post, I came across the same issue running OpenVPN in AP mode.
Just in case someone is still interested, other than creating NAT rules on your main router (gateway) to allow VPN traffic in and out, you need to do a couple of things on the VPN server.
1. Enable the firewall (enabled by default).
2. Add the following lines to the service-start script (10.8.0.0/24 is the VPN network).

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
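Pulling the DD-WRT firewall rules from the first post and the NAT line from the reply above together into one idempotent Merlin firewall-start script, as an added example that is not from the thread or from the Asuswrt-Merlin project. It assumes Merlin passes the WAN interface name as the script's first argument, that the first OpenVPN server instance is tun21 (the OP saw tun21 after a reboot), and that the router's iptables supports the -C existence check; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin (not from
# the thread). Assumptions: Merlin passes the WAN interface name as $1,
# its first OpenVPN server instance is tun21, and iptables supports -C.
LAN_NET="192.168.4.0/24"   # router LAN, from the original post
VPN_NET="192.168.9.0/24"   # OpenVPN server subnet, from the original post
VPN_IF="tun21"             # Merlin's OpenVPN server 1 (DD-WRT used tun0)
VPN_PORT="443"             # UDP port from the server config
LAN_IF="br0"

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# True if an identical rule exists (iptables -C); in dry-run mode every
# rule is treated as absent.
rule_present() {
    [ -z "${DRY_RUN:-}" ] && iptables "$@" 2>/dev/null
}

# ensure_rule <table> <chain> <rule...>: insert only if missing, so the
# script stays idempotent when Merlin re-runs firewall-start on WAN events.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    rule_present -t "$table" -C "$chain" "$@" || run iptables -t "$table" -I "$chain" "$@"
}

apply_vpn_rules() {
    wan_if="$1"
    # Open only the OpenVPN port on the WAN side, then trust the tunnel itself.
    ensure_rule filter INPUT -i "$wan_if" -p udp --dport "$VPN_PORT" -j ACCEPT
    ensure_rule filter INPUT -i "$VPN_IF" -j ACCEPT
    # Replies for flows that were already permitted.
    ensure_rule filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # VPN clients may start new flows to the LAN and to the Internet; both
    # rules are limited to the VPN subnet so nothing else rides the tunnel.
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$wan_if" -s "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Source NAT scoped to the VPN subnet and the WAN interface, rather than
    # a bare "-s <vpn net> -j MASQUERADE" that matches every egress path.
    ensure_rule nat POSTROUTING -o "$wan_if" -s "$VPN_NET" -j MASQUERADE
}

# Merlin calls the script with the WAN interface; without one nothing runs.
if [ -n "${1:-}" ]; then
    apply_vpn_rules "$1"
fi
```

Copy it to /jffs/scripts/firewall-start, make it executable, and keep VPN_NET in step with the "server" line of the OpenVPN config; on Merlin builds that rebuild the nat table separately, the POSTROUTING rule can be moved into nat-start instead.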