Asus AC88 VPN Client to Client issue

[Bluecube]

I've just upgraded from an Asus AC56 to an AC88. I've updated the AC88 to run the Merlin firmware and all is going swimmingly apart from my OpenVPN network.

On the AC56 I could VPN to the router and see my home network without any faffing about. The AC88 shows extra options that need to be activated specifically (I think) the client-to-client option in order to allow my home network to be viewable. Unfortunately, no matter what I activate, nor what options I manually type in, I'm not able to view my home network through the VPN. I seem to have tried everything I can so I'm wondering if anyone out there has managed to get this working or knows of a fix?

I'm aware of several threads relating to OpenVPN and Asus routers but despite following the instructions in them, I've not been able to get client to client over TUN to work.

PS I can access the home network by using the TAP protocol. However, I need to use TUN for my iPad to connect. As stated, this worked perfectly on the AC56.

 

[RMerlin]

Post your current configuration.

There is no need to use the client-to-client settings, you just need to ensure that on the General settings you have either "Lan Only" or "Both" enabled for network access.

Also make sure the firewall of your LAN clients is configured to allow connection from your VPN clients, which are typically in the 10.8.x.y subnet.

 

[Bluecube]

As you can see I've selected the option to allow both LAN and Internet access for the client. I'm at a bit of a loss as to why this config isn't working so I'm hoping that someone here will see something I've missed.

EDIT: Corrected screenshots

 

[RMerlin]

Look in the System Log for any error.

Also, make sure that the 192.168.2.0 subnet is different from your actual LAN subnet, or you will have routing issues.

 

[Bluecube]

My LAN is on the 192.168.1.0 subnet so that's ruled out.

No errors in the System Log. I cleared it and connected using my OpenVPN client on my iPhone. The connection is made successfully but I still can't connect to the LAN.

The log entries for the connection are below -

Sep 9 17:27:46 ovpn-server2[4603]: 94.197.121.178 TLS: Initial packet from [AF_INET6]::ffff:94.197.121.178:15298, sid=0786e87b 16acda18
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC88U, emailAddress=me@myhost.mydomain
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.1-770
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_VER=3.2
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_PLAT=ios
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_NCP=2
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_TCPNL=1
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_PROTO=2
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_LZO=1
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 peer info: IV_AUTO_SESS=1
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sep 9 17:27:47 ovpn-server2[4603]: 94.197.121.178 [client] Peer Connection Initiated with [AF_INET6]::ffff:94.197.121.178:15298
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 MULTI: Learn: 10.16.0.2 -> client/94.197.121.178
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 MULTI: primary virtual IP for client/94.197.121.178: 10.16.0.2
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 PUSH: Received control message: 'PUSH_REQUEST'
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 Data Channel: using negotiated cipher 'AES-128-GCM'
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sep 9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

 

[Martineau]

My LAN is on the 192.168.1.0 subnet so that's ruled out.

The connection is made successfully but I still can't connect to the LAN.

The log entries for the connection are below -

Sep  9 17:27:46 ovpn-server2[4603]: 94.197.121.178 TLS: Initial packet from [AF_INET6]::ffff:94.197.121.178:15298, sid=0786e87b 16acda18

Sep  9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 MULTI: Learn: 10.16.0.2 -> client/94.197.121.178

Sep  9 17:27:47 ovpn-server2[4603]: client/94.197.121.178 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)

Just an observation, you appear to have posted the GUI settings for VPN Server 1, yet the Syslog shows a client (10.16.0.2) connecting to VPN Server 2.

Have you checked that for VPN Server 2 either 'LAN Only' or 'Both' has been selected for 'Client will use VPN to access' etc?

Post the output of

iptables  -nvL   OVPN

 

[Bluecube]

Wel sp

Just an observation, you appear to have posted the GUI settings for VPN Server 1, yet the Syslog shows a client (10.16.0.2) connecting to VPN Server 2.

Have you checked that that for VPN Server 2 either 'LAN Only' or 'Both' has been selected for 'Client will use VPN to access' etc?

Post the output of

iptables  -nvL OVPN

Well spotted. I've amended the screenshots to show the correct Server details. Sorry about that!

 

[RMerlin]

Make sure you aren't blocked by a firewall on your destination machine. I don't see anything to explain what is happening in your configuration.

 

[Bluecube]

I can connect to the destination machine from other PCs on the LAN so I don’t think that’s an issue at all. The only thing I can see that could be a problem is that when connecting through the VPN, the client is given an IP of 10.16.o2 whilst my home LAN is the 192.168.1.* range. It doesn’t seem as if the two networks are connecting up for some reason.

 

[Martineau]

I can connect to the destination machine from other PCs on the LAN so I don’t think that’s an issue at all. The only thing I can see that could be a problem is that when connecting through the VPN, the client is given an IP of 10.16.o2 whilst my home LAN is the 192.168.1.* range. It doesn’t seem as if the two networks are connecting up for some reason.

Can you post the output from these two commands

iptables  --line -nvL FORWARD  | grep -E "Chain FORWARD|OVPN"

iptables  --line -nvL OVPN

 

[RMerlin]

I can connect to the destination machine from other PCs on the LAN so I don’t think that’s an issue at all. The only thing I can see that could be a problem is that when connecting through the VPN, the client is given an IP of 10.16.o2 whilst my home LAN is the 192.168.1.* range. It doesn’t seem as if the two networks are connecting up for some reason.

That's what I was referring to. By default, the Windows firewall will only allow connections from within the same subnet. You will have to adjust the firewall to also allow connections coming from the 10.16.0.x subnet. Same thing with third party firewall suites like Norton Security.

 

[Bluecube]

Can you post the output from these two commands

iptables  --line -nvL FORWARD  | grep -E "Chain FORWARD|OVPN"

iptables  --line -nvL OVPN

Results below -

Chain FORWARD (policy DROP 0 packets, 0 bytes)
12 5266 385K OVPN all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

and

Chain OVPN (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- tap21 * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
3 229 14516 ACCEPT all -- tun22 * 0.0.0.0/0 0.0.0.0/0

 

[Bluecube]

That's what I was referring to. By default, the Windows firewall will only allow connections from within the same subnet. You will have to adjust the firewall to also allow connections coming from the 10.16.0.x subnet. Same thing with third party firewall suites like Norton Security.

You may have a point there but if this was the case then why did the VPN work perfectly on the AC56 router?

 

[RMerlin]

You may have a point there but if this was the case then why did the VPN work perfectly on the AC56 router?

Different subnet then?

 

[Bluecube]

No it was the same subnet.

 

[bitmonster]

Why does it need to be on the 10.x subnet, can VPN just be set to use the same 192.168.2.x subnet? Would that help with anything.

Also I can't access the router GUI using Android paid "Open VPN Client", possibly after enabling TAP.

Any suggestions welcome.

Sent from my SM-G965F using Tapatalk

 

[ColinTaylor]

Why does it need to be on the 10.x subnet, can VPN just be set to use the same 192.168.2.x subnet? Would that help with anything.

The VPN's subnet needs to be different from the LAN's (and any other VPNs). TUN is a routed connection between different subnets. If they both have the same IP address range no routing would take place. If you want both ends to be part of the same subnet then you'd have to use a TAP (Ethernet bridge) connection.

Also I can't access the router GUI using Android paid "Open VPN Client", possibly after enabling TAP.

If you change the router's VPN server configuration you need export it to the client again.

 

[bitmonster]

The VPN's subnet

Merged threads here
https://www.snbforums.com/threads/openvpn-cannot-access-lan-dns-not-working.49063/page-2