OpenVPN site-to-site with Asus Merlin

Plenkske

New Around Here
My brother and I both have a Synology NAS since a recent move.
Now we want to establish a VPN connection so we can access both NASes as if they were both in our own LAN. We both have an Asus RT-AC66U router with firmware version 3.0.0.4.354.28 Beta1 (Merlin build). We also both have a stable fiber internet connection.
These are our current settings:

At home (OpenVPN server)
Router: 192.168.1.1
IPs: 192.168.1.1 - 192.168.1.149

At my brother's (OpenVPN client)
Router: 192.168.1.150
IPs: 192.168.1.150 - 192.168.1.254

OpenVPN server and client settings are in the attachments. We chose a TAP interface because we want to see all clients in both LANs.
I created keys using this manual: http://openvpn.net/index.php/open-source/documentation/howto.html#pki

The problem is that the OpenVPN client keeps turning off after some time and won't turn on again automatically. Before it turns off everything works fine. It turns off after some minutes or some hours. It can be seen in the VPN status, but also the ON/OFF switch is at OFF. Also I have to click twice to get it back ON again (so I guess it thinks it's still ON on the first click). There is no clear error message, but these are some things I got in the system log:

(server side)
openvpn[721]: event_wait : Interrupted system call (code=4)
openvpn[721]: TITLE,OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 19 2013
openvpn[721]: TIME,Fri May 3 10:34:37 2013,1367570077
openvpn[721]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
openvpn[721]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
openvpn[721]: GLOBAL_STATS,Max bcast/mcast queue length,0
openvpn[721]: END

and

nmbd[533]: [2013/05/03 10:28:07, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
nmbd[533]: Samba name server RT-AC66U-V is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.1

and client side
(right before it turns off)
openvpn[807]: Extracted DHCP router address: 192.168.1.1

and also

nmbd[537]: [2013/05/02 20:48:45, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(309)
nmbd[537]: process_local_master_announce: Server RT-AC66U-V at IP 192.168.1.1 is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.
nmbd[537]: [2013/05/02 20:48:45, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(149)
nmbd[537]: Samba name server RT-AC66U has stopped being a local master browser for workgroup WORKGROUP on subnet 192.168.1.150


What I have tried so far:
- Switched server and client sides (of course also switched the keys...).
- Switched from UDP to TCP.
- I found the keepalive option on a forum and it looked like it worked longer, but after half a day the client is turned off again.
- I have port 1194 forwarded to the router's IP, but I'm not sure if this is necessary?
- Also I'm not sure if our IPs are correct this way? We thought this was the best option because we want to see all clients in "one" LAN.

Right now I'm pretty much clueless on what to do so I hope someone here can help.
Thanks in advance!
 

Attachments

  • client.jpg (57.6 KB)
  • server.jpg (52.7 KB)
The idea is the same yes, but I don't really see what I can do with it since the setup in DD-WRT is a lot different.
Yeah, I've checked the values but don't really see the difference or I am not seeing where I can change them.

Really hope someone can help me using the same firmware(the asus merlin build).
 

Can confirm that this bug was introduced back in OpenVPN 2.3.0 and has now been fixed with the release of OpenVPN 2.3.2.

As a workaround to maintain a stable UDP TAP OpenVPN connection, I have had to remove the line
push "route-gateway dhcp"
from the Custom Configuration of my Asus RT-N66U configured as OpenVPN server, to prevent OpenVPN clients with builds older than 2.3.2 from crashing and exiting at the "Extracted DHCP router address:" point...
 
I don't think there is a way to update the router's OpenVPN by myself, right?

That custom configuration line... I don't even use that, or is it the same as the "allocate from dhcp" option?
 
This bug has been fixed since Shibby has included OpenVPN 2.3.2 code into his latest [RELEASE] 110 firmware build.

I can now use push "route-gateway dhcp"
on the server without causing the clients to eventually crash...

Once Merlin incorporates OpenVPN 2.3.2 this should clear the bug causing intermittent crashes on your client router running Merlin's firmware.
 
Will OpenVPN work between a PC connected to an Asus N56U and a NAS connected to an Asus AC66U in another location?
 
Thanks for the replies somms, I have changed some settings and now it has been working stably since last Monday! (knock on wood)

Changes client side (compared to the picture in head post): encryption cipher set to BF-CBC and compression set to enabled.

Server side options, see attached picture...
 

Attachments

  • server.jpg (48.3 KB)
Since we had some troubles with the IPs of laptops/phones, I changed the VPN IPs to 192.168.1.225 - 192.168.1.240 and my brother's LAN set to ...150 - ...224

We thought that was the solution, but for some reason sometimes a laptop or phone gets an IP that is too high or too low and the gateway of the wrong router. This is annoying since it then suddenly uses the internet of the wrong side, and so the internet is very slow.
For example: I'm at home, the laptop gets a .170 IP and the gateway of my brother. So the internet connection on my laptop is then via the router of my brother (it first goes through the VPN, of course).

Is there a way to fix this without having to set up static ip's on all devices?
 
Code:
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

You can either put the above into the Firewall Script of the OpenVPN server router or you could enter Dnsmasq custom config as follows:

dhcp-host=00:26:5E:89:A4:C9,ignore
dhcp-host=F0:7B:CB:28:4D:4B,ignore
dhcp-host=00:1F:16:FD:DE:15,ignore

Entering those specific MAC addresses would block them from using the gateway through the tunnel, but you would have to enter these on both the server and client routers. You would need to enter your brother's MAC addresses into your router to prevent them from using your router as the gateway, and he would have to enter your MAC addresses to prevent them from using his router as the gateway. It is one of the drawbacks of using a TAP connection instead of a TUN OpenVPN connection.
 
Thanks! I have put those lines in the server router. Seems to work :)
Are there any drawbacks using that?
 
No drawbacks. I use that firewall script in the OpenVPN server router in my site-to-site TAP setup. It just prevents any remote clients from receiving the DHCP response from the local router and vice versa...
 
Hi Guys,
I've got a site-to-site VPN up and running, but I'm running into that DHCP problem where, when I jump with my laptop from site A to site B, I end up with site A's gateway and end up hitting the web through site A's network.

It seems that the answer is the previous reply from somms, but I don't get where to enter the ebtables rules. I've tried the custom config; just copying and pasting into the custom section at the bottom of Asus's OpenVPN section gives errors in the system log.

ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP


Where do I input the above ebtables rules? I tried SSH into the router and found the /jffs/scripts/ folder empty, so I created firewall-start and put the 4 lines into it, but I'm not sure if that's the correct way to do it? Pointers would be great! Thanks!
 
Not sure if you found the solution, but this seemed to have done the job for me.

On the main site (server side) and client side:
SSH into the router, go to /jffs/scripts/ and create a new file called "firewall-start", put the 4 lines into it, then restart the router.

I haven't had any issues jumping to and from different vpn locations.
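One way to install somms's rules so they survive a firewall restart, written as an added example rather than any poster's actual script: a firewall-start script for /jffs/scripts/ (the path given in the replies above) that applies the four ebtables rules idempotently and also generates the dnsmasq ignore lines from a list of MAC addresses. The EBTABLES variable, the function names and the MAC validation are my assumptions; the rule text and the dhcp-host syntax are from the thread.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start on Asus Merlin (path from the thread). Added example,
# not somms's script: drops DHCP (UDP 67/68) on the OpenVPN TAP bridge ports so each
# LAN only hears its own router's DHCP offers. Delete-then-append keeps it idempotent,
# because firewall-start runs again on every firewall restart and plain -A stacks copies.

EBTABLES="${EBTABLES:-ebtables}"   # assumed knob: set EBTABLES=echo for a dry run

# Print the thread's four rule specs, one per line, chain name first.
dhcp_block_rules() {
    for chain_if in "INPUT --in-interface" "FORWARD --out-interface"; do
        for portmatch in --ip-destination-port --ip-source-port; do
            printf '%s tap+ --protocol ipv4 --ip-protocol udp %s 67:68 -j DROP\n' \
                "$chain_if" "$portmatch"
        done
    done
}

# Apply each rule exactly once: remove any existing copy, then append it.
apply_dhcp_block() {
    while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        "$EBTABLES" -D $rule 2>/dev/null
        "$EBTABLES" -A $rule || { echo "firewall-start: failed: $rule" >&2; return 1; }
    done <<EOF
$(dhcp_block_rules)
EOF
}

# The thread's dnsmasq alternative: read the other site's MACs on stdin and emit
# dhcp-host=<mac>,ignore lines, rejecting anything that is not a 6-octet MAC.
dnsmasq_ignore_lines() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    while read -r mac; do
        case "$mac" in
            $h:$h:$h:$h:$h:$h) printf 'dhcp-host=%s,ignore\n' "$mac" ;;
            "") ;;
            *) echo "skipping invalid MAC: $mac" >&2 ;;
        esac
    done
}

# Only touch the live bridge when running as root on a box that has ebtables.
if [ "$(id -u)" = 0 ] && command -v "$EBTABLES" >/dev/null 2>&1; then
    apply_dhcp_block
fi
```

As somms notes, the rules belong on both routers, since each side has to drop the other side's DHCP traffic.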
 
Hey guys,
Yet again, I know this is an old thread but I have a question about Plenkske's config.
He set his VPN tunnel's Client Address Pool to be on the same subnet as his own LAN : 192.168.1
Wouldn't that be interfering with his DHCP?

Thanks,
 
