Site-to-Site OpenVPN Internet redirect and DHCP issues

TinMan11

Occasional Visitor
Hello,

I'm having some issues getting the internet redirect and DHCP assignments to work properly. My setup is as follows and any advice is greatly appreciated. I'm trying to set up site-to-site OpenVPN between my work and home but only have local (i.e. 192.168.1.*) traffic go over the VPN connection. Regular internet traffic should go out as normal.

Router A "server" (aka home router) 192.168.1.1
Asus RT-AC66U running the latest stable Asuswrt-Merlin firmware 380.59
Screen shots of the settings are below.

Router B "client" (aka work) 192.168.1.200
Asus RT-N66U running the latest stable Asuswrt-Merlin firmware 380.59
Screen shots of the settings are below.

I've set up router A to have a local DHCP pool of 192.168.1.5 to 192.168.1.199. This way I can set the VPN client (aka router B) to IP address 192.168.1.200 and have all clients connected through it use the range of 192.168.1.201 to 192.168.1.254.

Router B has DHCP disabled so all DHCP addressing is done by Router A over the VPN connection.

Issue #1 - Clients connected to router B still get IP addresses from 192.168.1.5 to 192.168.1.199 when they should be getting addresses in the .201 to .254 range.

Issue #2 - Clients connected to router B still show as connecting to the internet from router A. Internet traffic (i.e. non-192.168.1.* traffic) should go directly out to the internet and not be routed over the VPN connection.

Thank you for taking the time to read my issues and providing any insight you may have.
 

Why don't you take a look at the article I wrote about the VPN server and client?
It's all explained there. You need to change the IP range of your server to 10.x.x.x, not give it the same IP as the router,
and your 2 routers should not be on the same subnet.
Router A 192.168.1.1
Router B 192.168.2.1
http://www.snbforums.com/threads/how-to-setup-a-vpn-server-with-asus-routers.33638/
It's all explained step by step, with an image for the exact settings.
My advice is to set everything to default and start again.
You have way too many errors all over the place that won't let things work.
Router A's DNS settings are all wrong.
Start it all over again. Look at the article for the VPN server and if you still have problems let me know and I will help you out more :)
The way it stands there is no way anything will work right.
 
Thank you for getting back to me so quickly.

I would like to set up site-to-site - not just a basic server/client VPN. My intention was to have everything on one subnet so I could access work systems from home and vice versa.

Could you please elaborate on "router A DNS settings are all wrong"? I have a pi-hole running separately on my network for ad blocking and such. I use a NAS with DNS as a backup to it.

The tutorial you pointed out does a simple server/client VPN setup which only allows the client to access systems on the server side - not the other way around.
 
Not true, you can configure the server to allow other subnets to share all their networks.
You are putting addresses everywhere where they are not intended to be.
This is creating problems.
The VPN server needs a 10.x.x.x, not a 192.x.x.x.
You don't need to put DNS 192.168.x.x in the DHCP DNS.
You are complicating your life when it's a lot simpler than how you did it.
Look at that article, set up your VPN server, then go to the other router and set it up as a client the way I explained it.
It's simple like I said, not over-complicated as you are making it be.
Try it and get back to me.
You need to look at the Manage Client-Specific Options and enable client -- client; then you will have other subnets that will share their file and print shares.
But you need to make sure you have the 2 routers on different IP addresses, otherwise you will get a router conflict and never get any file sharing happening.
Do it like that and then get back to me.
If you need to ping a Windows machine, disable the Windows firewall for a few minutes just to make tests, because the Windows firewall will block all pings from the server. You can always use it as TAP if all you have is Windows PCs; that will work better,
but try TUN for now with the suggestions I said. Leave the DHCP pool at 192.168.1.100-192.168.1.254.
Take out those IP addresses you put in the DNS and WINS Server Setting in DHCP.
Do one step at a time and make sure things work. If you just go ahead and jump to 100 areas it will never work.
Remember the old saying:
KISS, keep it simple :)
 
Oh, and put a different IP address for each router.
Router A 192.168.1.1
Router B 192.168.2.1
 
If you also select the "Allow Client<->Client" option, another checkbox appears in the table that, when selected, allows other clients (or client LANs) to communicate with this client LAN. So, now you can have multiple sites all connected together with communication between any of them as desired.

An "allow only these clients" option is also present. With this selected, clients that aren't in the table are not allowed to connect. If you want to allow a client that doesn't have a LAN behind it (or you don't want to allow access to it), just put it in the table and leave the subnet/netmask blank.

With these options, this release removed the biggest limitation that's been present since the first release: having the VPN limited to client-initiated connections.
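What the options quoted above do on each router comes down to ordinary longest-prefix-match routing, and that is also what separates the two complaints in the original post (the server's LAN reachable through the tunnel, and internet traffic wrongly going through it as well). The following is an added example, not code from this thread, from Asuswrt-Merlin or from OpenVPN: a small Python model of the forwarding decision router B (the VPN client) makes, run over constructed route tables for three setups. Interface names (`wan`, `br0`, `tun11`), the 10.8.0.0/24 tunnel transit network and the addresses used are assumptions chosen for the illustration.

```python
"""Longest-prefix-match model of the forwarding decision on router B (the VPN
client).  Added example with constructed route tables; it models ordinary IP
routing, not the Asuswrt-Merlin firmware or OpenVPN itself.  Interface names
(wan, br0, tun11) and the 10.8.0.0/24 tunnel transit network are assumptions."""
import ipaddress
from collections import defaultdict

# Each route is (prefix, egress interface).  When two routes have the same
# prefix length, the one listed first wins, standing in for the lower metric a
# real kernel would use to break the tie (a directly connected LAN normally
# has the lowest metric).


def lookup(routes, dst):
    """Return the egress interface for dst, or None if no route covers it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def conflicting_prefixes(routes):
    """Prefixes that point at more than one interface, i.e. the same subnet on
    both sides of the tunnel.  Returns a set of prefix strings."""
    seen = defaultdict(set)
    for prefix, iface in routes:
        seen[str(ipaddress.ip_network(prefix))].add(iface)
    return {p for p, ifaces in seen.items() if len(ifaces) > 1}


# Scenario 1: split tunnel.  Router B's LAN is 192.168.2.0/24 (a different
# subnet, as suggested in the thread); only the server's LAN is routed into
# the tunnel and the ISP default route handles everything else.
SPLIT_TUNNEL = [
    ("192.168.2.0/24", "br0"),    # router B's own LAN
    ("192.168.1.0/24", "tun11"),  # route to the server's LAN
    ("10.8.0.0/24", "tun11"),     # VPN transit network (assumed)
    ("0.0.0.0/0", "wan"),         # default route to the ISP
]

# Scenario 2: "Redirect Internet traffic" on the client.  OpenVPN's
# redirect-gateway def1 adds two /1 routes that are more specific than the
# ISP's /0 default, so every internet-bound packet enters the tunnel too.
FULL_TUNNEL = SPLIT_TUNNEL + [("0.0.0.0/1", "tun11"), ("128.0.0.0/1", "tun11")]

# Scenario 3: both sites on 192.168.1.0/24, as in the original post.  The
# connected LAN route and the route to the remote LAN have the same prefix, so
# packets for the remote site's hosts stay on the local LAN and never enter
# the tunnel.
OVERLAP = [
    ("192.168.1.0/24", "br0"),    # router B's LAN (connected, wins the tie)
    ("192.168.1.0/24", "tun11"),  # route to the server's LAN, never chosen
    ("10.8.0.0/24", "tun11"),
    ("0.0.0.0/0", "wan"),
]


def describe(name, routes, destinations):
    """Print where each destination would leave router B under this table."""
    for dst in destinations:
        print(f"{name:10} {dst:16} -> {lookup(routes, dst)}")
    conflicts = conflicting_prefixes(routes)
    if conflicts:
        print(f"{name:10} conflicting prefixes: {sorted(conflicts)}")


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an internet host.
    targets = ["192.168.1.50", "192.168.2.20", "203.0.113.10"]
    describe("split", SPLIT_TUNNEL, targets)
    describe("redirect", FULL_TUNNEL, targets)
    describe("overlap", OVERLAP, targets)
```

Run as a script it prints one line per destination and table. The split-tunnel table is the one the client-specific-options setup produces on a working install: the server's LAN leaves via the tunnel, the local LAN stays local, and the internet host uses the ISP. The redirect table reproduces Issue #2 from the first post, and the overlap table shows why the advice to put the two sites on different subnets is not optional in TUN mode.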
 
Thanks yorgi! I'll give it a go.

One question though - When I select "Manage Client-Specific Options" - no table pops up as per the instructions.
 

Ok, I'm back to where I started and can access clients at home (router A) from router B (work) but I can't do the opposite.

@yorgi your instructions state that
"Manage Client-Specific Options: Using this option, you can have full bidirectional site-to-site TLS VPNs with no Custom Configuration or init scripts.

Selecting this option displays a table where you fill in the Common Name (from when you generated the TLS certificates), subnet (optional), and netmask (optional). If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router). Without this, you're stuck with just client->server communication."

Is there another way to get the Common Name? I have no idea what I put in...

Thanks!
 
Did you enable Allow Client <-> Client only?
Did you make sure that you disabled the NAT option in the client's router? Otherwise it won't work.
I don't think you have to enable Allow only specified clients because you are the only one using the file shares.
Let me know if that worked.
Also make sure that both routers don't have the same subnet.
 
Tried - still no go - now I can't access anything from either side, however it says it is connected...
 

You also have router A 192.168.1.1 and router B 192.168.2.1?
Also, maybe another thing to try is instead of putting the second router at 192.168.2.1, put it at 192.168.1.2.
That shouldn't work, but try anyways.
I would also reboot the routers when you make these changes.
Did you reboot the routers when you configured them?
Sometimes it's just that.
If the above don't work, can you try
TAP instead of TUN? On the server first and then the client?
I don't think that is right, but let's troubleshoot a couple of things.
My problem is I have another router here but I don't have a second modem, so for me to try this I would have to go to a buddy's house and troubleshoot it from there. I will be there on Wednesday and will figure it out.
I only use my VPN server one way, not both ways as you are trying, but these configurations are supposed to do just that. This is why I am only giving you suggestions on what these options can do.
I will ask Merlin and see if something is up with the code.
Try these suggestions and get back to me.
 
I think this may be more helpful.

TAP is intended to bridge two networks together.
So try TAP server and TAP client. That should put both your networks together.
I don't understand why the other features don't work. I have never tested them, but they are there and their purpose is to do client-to-client LAN with TUN. From what I know that source code was pulled from Tomato firmware. Who knows if it really works.
Anyway, I know I haven't helped out much, but try this last resort.
Also, if you go to TAP mode, use the same subnet for both routers: A 192.168.1.1
B 192.168.1.2
This should work because you are in bridge mode and both networks should show up.
Just remember when you network this way, you need to map with the IP address, for example
\\192.168.1.1\share name
I will be making tests on my side because I am curious why it's not working for you.
I will post whatever results I get here and on the Server Article.
 
Hi @yorgi I have tried as you suggested and still no luck. I'm able to either get one direction only (client can access server side but not the other way) or I can get both sides to access each other but no internet access. I await your testing and (hopefully) possible solution.

Thanks again for your help on this.
 
When you get both sides to access each other, what is it that you did?
Meaning, was it TAP or TUN? What method worked for you both ways?
Because we are almost there :)
 
So I did some tests and this is my outcome.
I set up 2 routers using the TUN protocol.
Router A 192.168.1.1, named ROUTERA, VPN server with SAMBA drive connected and shared, with Manage Client-Specific Options enabled along with client -- client.
Router B 192.168.2.1, named ROUTERB, VPN client with Accept DNS Configuration set to "Strict", SAMBA drive connected and shared.
With the exception that it will not work if you have it set to Exclusive, and on the client I didn't disable NAT because that stopped the internet as it did for you.
I used a USB tether on my Android phone for the second router.
When I connected with the client to the VPN server I was able to see both routers and their shares.
I had to map the drives accordingly in order to see the shares.
\\192.168.1.1\ROUTERA
\\192.168.2.1\ROUTERB
This was the only way I could see both routers' shares.
The only test I now have to do is go to my friend's place with the second router and do the exact same thing,
but this time I will connect from his ISP to my VPN server and see if I can see router B's LAN.
I am pretty sure it will work because when I was on the tunnel to my server I was able to see both routers' shares.
Since I was that far, the rest of the LAN shouldn't be a problem to see because the routers' LANs showed up.

I need to know where you are getting stuck.
Have you succeeded in doing what I did so far, as to see both networks when connected to the server?
Is the 3rd step, connecting from another ISP to the server, where it didn't work for you to see the 2 LANs?
I will do the 3rd step this weekend and will get back to you.
I would need another router and ISP in order to do this 3-way setup, and I should in theory see both shares of the routers by connecting to my VPN server from another ISP.

Is this what you want to do?
 