VPN Tunnel between 2 x Asus RT-N66U via OpenVPN

cezare

Occasional Visitor
Hi there,

Like the title says, I am trying to establish Site-to-Site VPN Tunnel between my 2x Asus RT-N66U routers using OpenVPN. One is at my house and the other at my parents.


I tried the PPTP route at first but then read multiple forums' threads advising to go the OpenVPN route for better security/performance.
I have followed a few guides (older firmware) to have this scenario setup. My efforts produced what appears to be an ALMOST successful setup... but not quite yet.

  • I am able to successfully connect the two sites (see below)
  • I am able to RDP into remote site machines which have port 3389 open in the built-in firewall
  • I am able to connect to services (media browser, etc.) on remote site machines which have ports explicitly punched in the built-in firewall
  • I am NOT able to ping machines, browse their shares, or see them in My Network Places at either site.


My setup:

Both routers run firmware: 3.0.0.4.374_5517


(H)ome router: 172.16.0.0/24 subnet

  • Operates as VPN server
  • Windows 7 clients (no antivirus software)

(P)arents router: 172.16.1.0/24 subnet
  • Operates as VPN client (imported ovpn config file from (H)ome router)
  • Windows 7 clients (no antivirus software)

(H)ome router's VPN settings:
homeroutersetup.jpg

Could anyone please shed a bit of light on this poor soul:)
Many thanks

PS - Afterthoughts
  • Do both routers need to be setup as VPN servers and connected to each other via VPN clients?
  • Should I be using TAP instead of TUN for Interface Type?
  • Adding static routes on each router pointing to the other, as per this? No luck, unless I am doing something wrong.
 
I prefer tap/udp for joining two networks.
Both nets are 192.168.5.0, netmask 255.255.255.0.
1-st gateway is 192.168.5.1 (router ip), DHCP from 192.168.5.2 to 192.168.5.126.
2-nd gateway is 192.168.5.129 (router ip), DHCP from 192.168.5.130 to 192.168.5.254.

It's better to add the following lines to /jffs/scripts/firewall-start to block DHCP queries over OpenVPN (the client side will be enough):
Code:
#!/bin/sh

# Drop DHCP (UDP 67/68) arriving from the tunnel and addressed to this router itself
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# Drop DHCP that the bridge would otherwise forward out into the tunnel
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
 
Thank you! I will try this today.
Are there any disadvantages to using this over TUN? More overhead?
Where does that code go? On the Asus router?
 

Thank you! I tested this briefly.
For some reason I have to have "Any IP address" (in File and Printer Sharing (SMB-In) -> Scope -> Remote IP addresses) checked in order for the remote computer to connect successfully, which of course is not wise. Adding both sides' network addresses does not work as explained in that article. I wonder whether IPv6 has anything to do with this.
 
Are there any disadvantages to using this over TUN? More overhead?
TUN is a virtual point-to-point IP link, and it gives you the possibility to control access rights on a client-specific basis.
TAP is a virtual ethernet adapter; it works like a switch and makes it possible to logically merge several ethernet networks, as if they were a single ethernet subnet.
Usually TAP is used if you need broadcast traffic to flow through the VPN connection.
OpenVPN FAQ.


Where does that code go? On the Asus router?
If you join two networks via tap you'll have two routers with two DHCP servers in your new virtual subnet.
That code prevents DHCP queries from one side of vpn link to another.
You need Merlin's firmware to use that code.
If you prefer to stay on official firmware, then it's better to use TUN.
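An added example, not code posted by bbsc or anyone else in this thread, that generalizes the four-rule firewall-start script above and the explanation just given of why DHCP must not cross a TAP bridge. It assumes Asuswrt-Merlin with JFFS custom scripts enabled, a tunnel interface matching tap+ bridged into br0 (what a TAP server or client with "Allocate from DHCP" does), and ebtables on the router; the chain name VPN_NODHCP and the TAP_IF/CHAIN/EBTABLES variables are the example's own. Unlike plain -A rules appended to INPUT and FORWARD, it keeps its rules in a dedicated chain that is emptied and refilled on every firewall restart, so repeated runs do not pile up duplicates, and it also filters DHCP entering the bridge from the tunnel, not only DHCP leaving through it.

```shell
#!/bin/sh
# Added example, not code posted in this thread. A /jffs/scripts/firewall-start
# for Asuswrt-Merlin that blocks DHCP (UDP 67/68) across an OpenVPN TAP bridge.
# Assumptions: the tunnel interface matches "tap+" and is bridged into br0 (what
# a TAP server/client with "Allocate from DHCP" does), ebtables is present, and
# JFFS custom scripts are enabled. Chain and variable names are the example's own.

TAP_IF="${TAP_IF:-tap+}"
CHAIN="${CHAIN:-VPN_NODHCP}"
EBTABLES="${EBTABLES:-ebtables}"   # EBTABLES=echo prints the commands instead of applying them

# The two match rules kept in the dedicated chain: DHCP towards a server
# (destination port 67/68) and DHCP from a server (source port 67/68).
dhcp_drop_rules() {
    printf '%s\n' \
        "-A $CHAIN --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP" \
        "-A $CHAIN --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP"
}

# Every path by which a frame can cross the tunnel is sent through that chain:
#   INPUT   in  tap+ : DHCP from the far side aimed at this router's own dnsmasq
#   FORWARD in  tap+ : DHCP from the far side being bridged onto the local LAN
#   FORWARD out tap+ : local DHCP traffic about to leak into the tunnel
jump_rules() {
    printf '%s\n' \
        "INPUT --in-interface $TAP_IF -j $CHAIN" \
        "FORWARD --in-interface $TAP_IF -j $CHAIN" \
        "FORWARD --out-interface $TAP_IF -j $CHAIN"
}

apply_rules() {
    # Create the chain on the first run, empty it on later runs, so a firewall
    # restart refills it instead of appending a second copy of every rule.
    $EBTABLES -N "$CHAIN" 2>/dev/null || $EBTABLES -F "$CHAIN"
    # ebtables user chains default to an ACCEPT policy, which would end rule
    # processing for every non-DHCP frame; RETURN hands them back instead.
    $EBTABLES -P "$CHAIN" RETURN
    dhcp_drop_rules | while read -r rule; do
        $EBTABLES $rule
    done
    jump_rules | while read -r rule; do
        # Remove any existing copy before adding, so each jump appears exactly once.
        $EBTABLES -D $rule 2>/dev/null
        $EBTABLES -A $rule
    done
}

# Merlin runs this file as /jffs/scripts/firewall-start after every firewall
# restart; sourcing it from elsewhere only defines the functions above.
case "$0" in
    *firewall-start) apply_rules ;;
esac
```

The file must be executable (chmod +x) and "Enable JFFS custom scripts and configs" must be set to Yes under Administration > System, or Merlin never runs it. `EBTABLES=echo sh /jffs/scripts/firewall-start` prints the rules without touching the bridge; after a real run, `ebtables -L VPN_NODHCP --Lc` shows per-rule packet counters, which is the quickest way to see whether any DHCP is actually reaching the tunnel.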
 
I am running site to site OVPN between routers using Merlin's latest on the server router (AC68U now, N66U previously) and 13 clients (N66U's) of varying Merlin versions running just about as optimally as it can be here. I could probably give some guidance/reiterate on what I have done. My time is slim as of late, but I can try my best if that works...
 
Thanks guys! TAP sounds like it's what I need, but like bbsc said, I need to run the Merlin firmware.
I will take any help you can give!
Where would one get the Merlin firmware?

I truly appreciate all of your help!
 
Hi,
I've been using TUN for some time successfully with Merlin 378.56_2 on both routers. I now find there is a definite need for TAP configuration.
Question about the listed configuration:
You said this code can be added to just the client. No need to have this done on the server?
As per this post, the code was added on both ends:
http://www.snbforums.com/threads/openvpn-site-to-site-with-asus-merlin.11097/#post-160069
Many thanks!
 
It's enough to have this on a single side of the tunnel.
I've added this code on the client side because of some personal reasons.
You can choose.

P.S. A year and a half since the last post here... I was thinking everything was up and running OK :)
 
Heh, it's been running fine with the TUN configuration, as that's what I needed at the time.
Recently, a few changes in the environment sparked interest in TAP again.

Thank you!
 
"Allocate from DHCP" will do the job correctly.
You shouldn't use a different network class/address if you want everything to work transparently.
 
Thanks so much for the quick reply!
Out of curiosity,
if server router DHCP assigns : 172.16.0.2 - 126
and client router DHCP assigns: 172.16.0.128 - 254

Will OpenVPN use an IP from the server's DHCP pool to establish the tunnel?
 
There's no need for any extra IP addresses to establish a tap/udp connection in this case.
Your client router will be seen as 172.16.0.127 (as I see it) from both sides and will work as an ethernet bridge.
https://en.wikipedia.org/wiki/Bridging_(networking)

Moreover, the ebtables filter (those weird lines in the firewall-start script) won't allow any DHCP queries via the tunnel.
That's why I advise having it on the client-router side: if you decide to connect a client host to that server, it WILL receive an IP from the server-router DHCP.
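An added example, not posted in the thread, that checks the address plan bbsc describes above (one /24 shared by both routers, gateways .1 and .127, DHCP pools .2-.126 and .128-.254) before it is typed into two router GUIs. Both DHCP servers stay live on the bridged segment, so the pools must not overlap, each gateway must sit outside both pools, and every address must be in the same /24. The function names and the plain POSIX-sh arithmetic are the example's own; it runs on any POSIX shell, including the router's BusyBox ash.

```shell
#!/bin/sh
# Added example, not from the thread: validate a two-router, single-/24 address
# plan for an OpenVPN TAP bridge. Names and layout are the example's own.

# Dotted quad to integer, using only POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_range <value> <low> <high>: succeeds when low <= value <= high
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_plan <network> <gw1> <pool1_start> <pool1_end> <gw2> <pool2_start> <pool2_end>
# Prints "ok" and returns 0 when the plan is consistent; otherwise prints the
# first problem found and returns 1.
check_plan() {
    net=$(ip2int "$1")
    mask=4294967040                  # 255.255.255.0: this check is written for a /24, as in the thread

    # 1. Everything must live in the one bridged /24.
    for a in "$2" "$3" "$4" "$5" "$6" "$7"; do
        [ $(( $(ip2int "$a") & mask )) -eq $(( net & mask )) ] \
            || { echo "$a outside $1/24"; return 1; }
    done

    g1=$(ip2int "$2"); s1=$(ip2int "$3"); e1=$(ip2int "$4")
    g2=$(ip2int "$5"); s2=$(ip2int "$6"); e2=$(ip2int "$7")

    # 2. Each pool must be well formed.
    { [ "$s1" -le "$e1" ] && [ "$s2" -le "$e2" ]; } \
        || { echo "pool start after end"; return 1; }

    # 3. Two live DHCP servers on one segment: the pools must be disjoint,
    #    otherwise hosts at the two sites can be handed the same address.
    { [ "$e1" -lt "$s2" ] || [ "$e2" -lt "$s1" ]; } \
        || { echo "pools overlap"; return 1; }

    # 4. The routers themselves must be distinct and outside both pools.
    [ "$g1" -ne "$g2" ] || { echo "gateways identical"; return 1; }
    for g in "$2" "$5"; do
        gi=$(ip2int "$g")
        if in_range "$gi" "$s1" "$e1" || in_range "$gi" "$s2" "$e2"; then
            echo "gateway $g inside a DHCP pool"; return 1
        fi
    done
    echo ok
}

# The plan from the thread (server side first):
# check_plan 172.16.0.0 172.16.0.1 172.16.0.2 172.16.0.126 172.16.0.127 172.16.0.128 172.16.0.254
```

Run it with the two routers' LAN addresses and DHCP ranges exactly as entered in their GUIs; anything other than "ok" is a plan that will eventually hand out duplicate or unroutable addresses once the bridge is up.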
 
Thank you very much for these details.
I've redone my server subnet yesterday and will be redoing client subnet today. Will report back.
 
Whoohoo, success. So far so good. I'll test it over the next couple of days.
I've also started a second OpenVPN "Server2" as a TUN in order to connect to my home network from work. However, this only gives me access to the devices on the home subnet (172.16.0.2 - 126). Any way I could have access to the entire bridged network ... from work?

Many thanks!
 
I am back :(
Today I found out that some (not all) of the hosts on my Client site are picking up IPs from DHCP on the Server site.

I have the firewall rules set on both devices:
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

What am I doing wrong?
Here are the screenshots of the Server and the Client:
[Server screenshot]
[Client screenshot]

PS I also have a TUN setup as a secondary openvpn server on the Server site for when I need to connect from remote. Does that have anything to do with this?
 