Access a second subnet over OpenVPN server

I am facing a problem with my OpenVPN server setup on an Asus router RT-AX86U with Asuswrt-merlin (latest, v388.1)

First let me explain my network setup. I remotely connect to my OpenVPN server (, which is hosted on my Router_A ( From there, I can access everything on the subnet. But I have another subnet, behind another Router_B ( The problem is that I cannot reach anything on this last subnet unless I configure the OpenVPN server to route both LAN and internet traffic.

Here is a graph of my network:

As I want to allow a few friends to access my server, I do not want to route their internet traffic through my home network. So the goal is to reach Server_B (on the linked image) which is on subnet with the OpenVPN server set to LAN only.

The OpenVPN server config:
daemon ovpn-server2
topology subnet
proto udp4
port 1195
dev tun22
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 3
push "route vpn_gateway 500"
client-config-dir ccd
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5

# Custom Configuration
push "route"

Note: when switching from "clients use both LAN and internet" to "clients use LAN only", only the parameter push "redirect-gateway def1" is removed. Is there some way to modify it so that it allows access to the second subnet, but not to my internet?

Client config file:
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1195
resolv-retry infinite
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
remote-cert-tls server
push "route"

Some configs and notes:
  • The router A has a route set to with as gateway
  • Router B has a route set to with as gateway (I read that this is necessary in this scenario, but it did not change anything)
  • Router B firewall is inactive
  • From machines within I can ping any machine in and
  • I tried adding push "route" to the client.ovpn file, but with the same results.
  • On the Windows client, the command route print does show 501 among others, but nothing for, so the route is not deployed on client machines. I tried to manually add it with route -p add MASK but pinging does nothing. However, when I do route -p add MASK I can see on my router A that an ICMP request is sent from to but with no reply.
  • With the previous route added on the Windows client, when trying to ping someone in, I can see on my router that 3 requests are sent (tun22, br0 and eth1). But when pinging someone on, only one request is sent on tun22.
I am currently out of ideas.

Thank you for your help
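The setup described in the post, as an added example that is not part of the original post: a POSIX shell script that turns CIDR subnets into the push "route" lines for the Custom Configuration box, prints the two static routes the routers need for the second subnet, and checks that the resulting server config stays LAN-only (no redirect-gateway line). All addresses in it (10.16.0.0/24 as the tunnel subnet, 192.168.1.0/24 and 192.168.2.0/24 as the two LANs, 192.168.1.1 for Router_A and 192.168.1.2 for Router_B) are assumed placeholders, since the post's own addresses did not survive, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses are assumed placeholders:
VPN_NET=10.16.0.0/24     # assumed tunnel subnet of OpenVPN server 2 (check the GUI)
LAN_A=192.168.1.0/24     # assumed: Router_A's LAN (where the OpenVPN server lives)
LAN_B=192.168.2.0/24     # assumed: LAN behind Router_B (where Server_B lives)
ROUTER_A=192.168.1.1     # assumed: Router_A's LAN address
ROUTER_B=192.168.1.2     # assumed: Router_B's address on LAN_A (its WAN side)

# /24 -> 255.255.255.0 : OpenVPN's "route" directive wants dotted netmasks.
cidr_to_mask() {
    bits=$1; mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then o=255; bits=$((bits - 8))
        elif [ "$bits" -le 0 ]; then o=0
        else o=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}$o"
    done
    printf '%s\n' "$mask"
}

# One push "route" line for a CIDR subnet, e.g. push "route 192.168.2.0 255.255.255.0"
push_route() {
    net=${1%/*}
    printf 'push "route %s %s"\n' "$net" "$(cidr_to_mask "${1#*/}")"
}

# Lines for the Custom Configuration box: one push "route" per LAN the clients
# may reach. Without push "redirect-gateway def1" the clients' Internet traffic
# stays on their own uplink, which is the LAN-only behaviour the post wants.
lan_only_pushes() {
    for net in "$@"; do push_route "$net"; done
}

# Check a server config text: LAN-only means no pushed redirect-gateway, and
# every subnet the clients need must be pushed, or the client never gets a route.
check_lan_only_conf() {
    conf=$1; shift
    printf '%s\n' "$conf" | grep -q '^push "redirect-gateway' && return 1
    for net in "$@"; do
        printf '%s\n' "$conf" | grep -qF "$(push_route "$net")" || return 1
    done
    return 0
}

# Static routes the routers need (printed, not executed). A pushed route only
# gets the packet as far as Router_A; Router_A must know LAN_B via Router_B, and
# Router_B needs a return route for the tunnel subnet via Router_A, otherwise
# Server_B's replies go to Router_B's default gateway instead of back into tun22.
router_routes() {
    vpn=$1 lan_b=$2 router_a=$3 router_b=$4
    printf 'Router_A: ip route add %s via %s dev br0\n' "$lan_b" "$router_b"
    printf 'Router_B: ip route add %s via %s\n' "$vpn" "$router_a"
}

demo() {
    custom=$(lan_only_pushes "$LAN_A" "$LAN_B")
    printf '# Custom Configuration\n%s\n\n' "$custom"
    router_routes "$VPN_NET" "$LAN_B" "$ROUTER_A" "$ROUTER_B"
    check_lan_only_conf "$custom" "$LAN_A" "$LAN_B" && echo "config is LAN-only and pushes both subnets"
}
demo
```

Replace the placeholder addresses with the real ones, paste the printed push lines into the Custom Configuration box, and compare the printed routes with the two routers' routing tables; a client that can reach LAN_A but gets no reply from LAN_B with a route on its side is usually missing exactly the Router_B return route, which is why the script prints it alongside the server-side directives.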
