Hello,
I am facing a problem with my OpenVPN server setup on an Asus router RT-AX86U with Asuswrt-merlin (latest, v388.1).
First let me explain my network setup. I remotely connect to my OpenVPN server (10.10.20.0/24), which is hosted on my Router_A (192.168.20.0/24). From there, I can access everything on the 192.168.20.0/24 subnet. But I have another subnet, behind another Router_B (192.168.30.0/24). The problem is that I cannot reach anything on this last subnet unless I configure the OpenVPN server to route both LAN and internet traffic.
Here is a graph of my network:
As I want to allow a few friends to access my server, I do not want to route their internet traffic through my home network. So the goal is to reach Server_B (on the linked image) which is on 192.168.30.0/24 subnet with the OpenVPN server set to LAN only.
The OpenVPN server config:
Code:
daemon ovpn-server2
topology subnet
server 10.10.20.0 255.255.255.0
proto udp4
multihome
port 1195
dev tun22
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 3
push "route 192.168.20.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
push "dhcp-option DNS 192.168.20.254"
push "dhcp-option DNS 9.9.9.9"
push "dhcp-option DNS 192.168.20.1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5
# Custom Configuration
push "route 192.168.30.0 255.255.255.0"
Note: when switching from "clients use both LAN and internet" to "clients use LAN only", only the parameter
push "redirect-gateway def1"
is removed. Is there some way to modify this so it allows access to the second subnet, but not to my internet?
Client config file:
Code:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1195
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
push "route 192.168.30.0 255.255.255.0"
Some configs and notes:
- The router A has a route set to 192.168.30.0 255.255.255.0 with 192.168.20.3 as gateway
- Router B has a route set to 10.10.20.0 255.255.255.0 with 192.168.20.1 as gateway (I read that this is necessary in this scenario, but it did not change anything)
- Router B firewall is inactive
- From machines within 192.168.30.0/24 I can ping any machine in 192.168.20.0/24 and 10.10.20.1
- I tried adding
push "route 192.168.30.0 255.255.255.0"
on the client.ovpn file, but with the same results.
- On the Windows client, the command
route print
does show 192.168.20.0 255.255.255.0 10.10.20.1 10.10.20.2 501 among others, but nothing for 192.168.30.0, so the route is not deployed on client machines. I tried to manually add it with
route -p add 192.168.30.0 MASK 255.255.255.0 192.168.20.3
but pinging does nothing. However, when I do
route -p add 192.168.30.0 MASK 255.255.255.0 10.10.20.1
I can see on my router A that an ICMP request is sent from 10.10.20.2 to 192.168.30.1 but with no reply.
- With the previous route added on the Windows client, when trying to ping someone in 192.168.20.0, I can see on my router that 3 requests are sent (tun22, br0 and eth1). But when pinging someone on 192.168.30.0, only one request is sent on tun22.
Thank you for your help
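As an added illustration, not part of the original post: a small Python model of the routing tables described above that follows a packet hop by hop in both directions (VPN client to Server_B and the reply back). It assumes Router_B's default gateway is Router_A (192.168.20.1), that the pushed route lands on the client with the VPN gateway 10.10.20.1 as next hop, and uses constructed host addresses (10.10.20.2 for the client, 192.168.30.10 for Server_B).

```python
import ipaddress

# Constructed model of the post's topology: one routing table per device,
# entries are (prefix, next_hop or None if directly connected, interface).
# Assumed, not in the post: Router_B's default gateway is Router_A (192.168.20.1).
TABLES = {
    "client": [("10.10.20.0/24", None, "tun"), ("192.168.20.0/24", "10.10.20.1", "tun"),
               ("192.168.30.0/24", "10.10.20.1", "tun"),  # the pushed route
               ("0.0.0.0/0", "192.168.1.1", "wifi")],     # client's own ISP router (constructed)
    "router_a": [("10.10.20.0/24", None, "tun22"), ("192.168.20.0/24", None, "br0"),
                 ("192.168.30.0/24", "192.168.20.3", "br0")],
    "router_b": [("192.168.20.0/24", None, "wan"), ("192.168.30.0/24", None, "lan"),
                 ("10.10.20.0/24", "192.168.20.1", "wan"), ("0.0.0.0/0", "192.168.20.1", "wan")],
    "server_b": [("192.168.30.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.30.1", "eth0")],
}
# Address owners, so a next hop (or final destination) resolves to a device.
OWNER = {"10.10.20.1": "router_a", "192.168.20.1": "router_a",
         "10.10.20.2": "client", "192.168.20.3": "router_b",
         "192.168.30.1": "router_b", "192.168.30.10": "server_b"}


def lookup(table, dst):
    """Longest-prefix match: returns (next_hop, iface) or None."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else best[1:]


def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow routing decisions hop by hop. Returns the devices traversed, ending
    with dst's owner, or with a 'lost@...' marker where the packet leaves the model."""
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path + [f"lost@{dev}:no-route"]
        nh = hit[0]
        target = OWNER.get(dst if nh is None else nh)
        if target is None:
            return path + [f"lost@{dev}:via-{nh or 'link'}"]
        path.append(target)
        if nh is None:  # delivered on a directly connected network
            return path
        dev = target
    return path + ["lost:loop"]
```

With these tables the reply from Server_B reaches the client through Router_B's default route even when its static 10.10.20.0/24 entry is removed, which is consistent with the note that adding it changed nothing; a client without the pushed route instead hands the packet to its own default gateway, which is what a missing 192.168.30.0 entry in route print implies.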