Asus GT-AX11000 (3004.388.4_beta3) OPENVPN Server help needed vith Site to Site

[dj02]

Asus GT-AX11000 (3004.388.4_beta3) OPENVPN Server help needed vith Site to Site:

I have problem, with Asus GT-AX11000 (3004.388.4_beta3) OPENVPN Server network 1 (subnet: 192.168.0.0/24), i cannot access client (netgear 7800 with latest voxel firmware) network 2 (subnet: 192.168.1.0/24). Client is connected to my asus router's vpn server.

When i write on network 1, in some pc (example in pc 1: 192.168.0.10), network 2's ip, example pc remote 2: 192.168.1.9, the pc1's browser cannot resolv pc remote 2's ip address. What i'm doing wrong? Below pictures from server config.

UPDATE:
NEWER DETAILS/PICTURES FROM THE SETTINGS BELOW THIS LINK: https://www.snbforums.com/threads/a...p-needed-vith-site-to-site.86433/#post-860145

 

[elorimer]

Not trying to be snarky, but almost everything. I have no experience with Netgear so you are on your own there. I assume when you connect, devices on the client side can reach devices on the server side? It isn't a safe assumption because there is confusion among client, and hoffvpnclient, so I'm not sure you are working with an exported configuration to begin with.

To start with, you are showing "hoffvpnclient" as the connected client, not "client", so not much is going to work.

Also, using 192.168.1.0/24 and 192.168.0.0/24 as subnets is asking for trouble. Not least because in your post you refer to one of them as 192.168.0.2/24.

In the allowed clients boxes, you should have hoffvpnclient, 192.168.1.0 and push=no. You are telling the Asus router that when hoffvpnclient connects, set up a route to 192.168.1.0/24. You aren't trying to push that to the client, as the client already can connect, we are assuming. And then, on the Netgear side, you need to be mindful that there may be firewalls in place.

 

[dj02]

Not trying to be snarky, but almost everything. I have no experience with Netgear so you are on your own there. I assume when you connect, devices on the client side can reach devices on the server side? It isn't a safe assumption because there is confusion among client, and hoffvpnclient, so I'm not sure you are working with an exported configuration to begin with.

To start with, you are showing "hoffvpnclient" as the connected client, not "client", so not much is going to work.

Also, using 192.168.1.0/24 and 192.168.0.0/24 as subnets is asking for trouble. Not least because in your post you refer to one of them as 192.168.0.2/24.

In the allowed clients boxes, you should have hoffvpnclient, 192.168.1.0 and push=no. You are telling the Asus router that when hoffvpnclient connects, set up a route to 192.168.1.0/24. You aren't trying to push that to the client, as the client already can connect, we are assuming. And then, on the Netgear side, you need to be mindful that there may be firewalls in place.

sorry i had typo on subnet text.

 

[elorimer]

Yes, I figured that from the rest. But, for example, my ISP modem sits at 192.168.1.254 and hands out addresses in 192.168.1.xx; nothing I can do about that except stay away from 192.168.1.xx addresses everywhere.

 

[AurelM]

Usually the problem is with the firewall on the server, try with it disabled and check if you can access the resource you want.

An older post, but with detailed instruction for file sharing using smb/cifs protocol on Windows 10: https://www.snbforums.com/threads/lan-access-over-openvpn-on-merlin-384-16-solved.64632/post-592613.

Can you access the WebUI of the router in the other location? This should be possible if the site-to-site vpn is working correctly.

Also, disable compresion on the openvpn server, more info The VORACLE attack vulnerability. You will most likely have to do this for all clients as well.

 

[elorimer]

Perhaps I misunderstood. I thought the OP was having trouble reaching the client network from the server network, not the other way around.

 

[dj02]

Perhaps I misunderstood. I thought the OP was having trouble reaching the client network from the server network, not the other way around.

yes that was the problem and is still. below newest images from serverside. I cannot access example client side router by writing it's ip 192.168.1.1 (no firewall restrictions enabled) on server side network pc (192.168.0.10).

Clientside configuration (tried also adding line: push "route 192.168.1.0 255.255.255.0"):

# Config generated by Asuswrt-Merlin 388.4, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp4
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
remote *HIDDEN* 23547
auth-user-pass *HIDDEN*.auth (auth is working correctly)
remote-cert-tls server
resolv-retry infinite
keepalive 15 60
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
nobind
float
<ca>
HIDDEN
</ca>
<cert>
HIDDEN
</cert>
<key>
HIDDEN
</key>

 

[AurelM]

Perhaps I misunderstood. I thought the OP was having trouble reaching the client network from the server network, not the other way around.

I'm not talking about the openvpn server unless explicitly stated, I'm talking about the server of the resource @dj02 is trying to access. I'm using this language because I don't know what he's trying to achieve (and it really doesn't matter, it's still a server of that resource).

---

Let's try this again, using the ips since it's easier to follow.

Usually the problem is with the firewall on the server, try with it disabled and check if you can access the resource you want.[...]

Server in this case is 192.168.1.9, that's where you need to disable firewall and recheck.

[...]An older post, but with detailed instruction for file sharing using smb/cifs protocol on Windows 10: https://www.snbforums.com/threads/lan-access-over-openvpn-on-merlin-384-16-solved.64632/post-592613.[...]

If you haven't already, check this thread I've linked to see if there's something that might help.

[...]I cannot access example client side router by writing it's ip 192.168.1.1 (no firewall restrictions enabled) on server side network pc (192.168.0.10).[...]

This doesn't bode well for the site-to-site vpn connection, so you should check the firewall on the 192.168.1.1 r7800 router also, specifically the input chain of the filter table in iptables, where it should accept incoming packets on the openvpn client network interface (for example "tun11" network interface in asuswrt-merlin for openvpn client 1).

Since you're there, also check the forward chain for the same filter table in iptables. It allows communication with all other 192.168.1.0/24 subnet ips except the 192.168.1.1 router ip, where it should accept incoming as well as outgoing packets on the same openvpn client network interface.

Can't get more specific since I don't know that firmware .

Here's the example from asuswrt-merlin firmware:

# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination       
[...]
OVPNCI     all  --  anywhere             anywhere         
DROP       all  --  anywhere             anywhere         

# iptables -t filter -L OVPNCI
Chain OVPNCI (1 references)
target     prot opt source               destination       
ACCEPT     all  --  anywhere             anywhere     

# iptables -t filter -S INPUT
[...]
-A INPUT -j OVPNCI
-A INPUT -j DROP

# iptables -t filter -S OVPNCI
-N OVPNCI
-A OVPNCI -i tun11 -j ACCEPT



# iptables -t filter -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination       
[...]
OVPNCF     all  --  anywhere             anywhere         
DROP       all  --  anywhere             anywhere         

# iptables -t filter -L OVPNCF
Chain OVPNCF (1 references)
target     prot opt source               destination       
ACCEPT     all  --  anywhere             anywhere         
ACCEPT     all  --  anywhere             anywhere         

# iptables -t filter -S FORWARD
[...]
-A FORWARD -j OVPNCF
-A FORWARD -j DROP

# iptables -t filter -S OVPNCF
-N OVPNCF
-A OVPNCF -o tun11 -j ACCEPT
-A OVPNCF -i tun11 -j ACCEPT

Note that the OVPNCI and OVPNCF are not default chains in iptables, but you could have their contents directly in INPUT and FORWARD chains respectively and it would be the same in terms of packet handling.

 

[maxbraketorque]

Have you enabled inbound connections on the router acting as the client (I guess that's the Netgear router)? That needs to be enabled. For ASUS routers, there is a radio button in the OVPN client config settings. Not sure what option exists for the Netgear firmware.

 

[elorimer]

It looks like progress on the Asus side. I don't understand how 1.png and 2.png are in the mix. If "client" is connected the rest should work; if "hofvpnclient" is connected that won't work.

So now it is on the Netgear side. If it were a Asus Merlin on that side it would be trivial.

 

[Martinski]

...
To start with, you are showing "hoffvpnclient" as the connected client, not "client", so not much is going to work.
...

If "client" is connected the rest should work; if "hofvpnclient" is connected that won't work.

You seem to be confusing the OpenVPN "client" certificate Common Name (CN), as given by the ASUS router when generating the default "client" config file, with the "Username" provided when the OP created an OpenVPN account that's separate from the default "admin" account.

IOW, "client" is the CN in the default client certificate generated by the router which is used during the TLS authentication process, whereas "hoffvpnclient" is the username from the OpenVPN user account which is used during the "Username/Password" authentication process.

The screenshot from the OP's first post clearly showed the correct label for each:

Note that "client" & "hoffvpnclient" are not tightly coupled. You can have one, several, or all OpenVPN accounts used the same client certificate (thus using the same "client" CN), or you could generate one unique client certificate (with its own unique CN) for each OpenVPN user account (e.g. using the Easy-RSA utilities on a separate PC).

Bottom line, having "client" & "hoffvpnclient" as CN & Username is not the problem.

 

[elorimer]

Thanks for setting me straight, very helpful. In the later post I see two 1.png pix, one this way and the other with client/client.

 

[dj02]

Thanks for setting me straight, very helpful. In the later post I see two 1.png pix, one this way and the other with client/client.

yes, later i changed username to client

 

[dj02]

I switched netgear as server and asus as client. only 1 problem left in asus client router. i get error:

ovpn-client1[19005]: ERROR: Linux route add command failed: external program exited with error status: 2
ovpn-client1[19005]: ERROR: Linux route add command failed

These are the settings netgear router gaved, it supports only TAP. Netgear router vpn server settings are not editable.

 

[Martinski]

I switched netgear as server and asus as client. only 1 problem left in asus client router. i get error:

ovpn-client1[19005]: ERROR: Linux route add command failed: external program exited with error status: 2
ovpn-client1[19005]: ERROR: Linux route add command failed

These are the settings netgear router gaved, it supports only TAP. Netgear router vpn server settings are not editable.

WRT the Netgear router, it looks like you’re working with a very limited & restricted implementation of the OpenVPN Server available options. My recommendation would be to go back to using the ASUS router as your OpenVPN Server because that’s where you need a robust implementation with more configurable/editable options to set up a more secure site-to-site VPN connection (e.g. HMAC authentication, TLS authentication, Username/Password authentication, TLS control channel security, choice of data channel encryption ciphers, key size, etc.).

Then, I'd suggest you take a closer look at post #8 above where @AurelM made good, valid points (as others like @maxbraketorque also pointed out) about making sure that the Netgear router acting as the OpenVPN client allows & forwards inbound VPN packets to reach not only the router itself but also the target LAN clients. In addition, each LAN client might need to have its own firewall modified to allow incoming VPN packets (i.e. traffic from a subnet that's different from the LAN subnet).

The last time I had a Netgear router was more than 12 years ago, and I'm not familiar at all with Voxel's F/W so I cannot say much WRT the client-side configuration. I'd suggest going to the Voxel F/W community forum and asking about how to add firewall rules on the Netgear router to allow VPN traffic when running an OpenVPN client. I can only assume that there must be a way to do that given that the OpenVPN server & client are available features.

Just my 2 cents.