Menu
What's new
By:
Filters Better Search

Asus Merlin firmware OpenVPN multiple connection

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

J

jasonwch

Occasional Visitor
Hi, maybe I am dumb. But I just find that I've create 1 OpenVPN server at Asus AX68U.

Device A connected to VPN, working fine
Device B connected to VPN, Device A network become not responding (tho it's still connected)

I can also see that they will all getting the same IP address.

I've tried create 2 login, but still the same issue.

Do I need to do some configuration to allow multiple connection, or I need to create another OpenVPN server for every connection?

Thanks
 
I think I figured out by adding this to custom config:
duplicate-cn

But also aware that someone will also add one more line: username-as-common-name. I am not sure what this line do. Now I am working without this line, but clients can still communicate with each other by SMB file sharing (as a test). May I know what common name means inside the VPN routing?
 
The problem here is that you have NOT specifically described *how* you've configured the OpenVPN server. Without such details, we can't accurately explain your situation.

Using the default settings, the duplicate-cn directive is automatically added to the underlying config file. This is necessary because ALL connected clients *share* a single client cert/key. Without the duplicate-cn directive, the OpenVPN server will drop the current connection that's using that same cert/key in favor of the new connection.

But the fact you had to *manually* add the duplicate-cn directive tells me you are NOT using the default settings. You made a change that lead the router to remove it. And now I have to guess what that was.

One possibility? You enabled MCSO (Manage Client-Specific Options). That section assumes that each connecting client will have its own unique cert/key, differentiated by the CN (Common Name) on its cert. This differentiation is typically needed for the purposes of a site-to-site configuration, where each client is supporting different local IP networks on its side of the tunnel. And you can't support multiple, concurrent OpenVPN clients in this manner if the they don't have a unique cert! So the router removes the duplicate-cn directive.

The username-as-common-name directive is a workaround for those who insist on using a single shared client cert/key. What OpenVPN will now do is differentiate users based on their username rather than the CN on their cert.

But that might just be one possibility. There are a lot of options here, resulting in many different configurations. Shared cert, multiple certs (that you created), certs w/ and w/o username/password, no certs at all but just username/password, MCSO enabled/disabled, etc. If you leave out such details, we just have to guess.
 
eibgrad said:
The problem here is that you have NOT specifically described *how* you've configured the OpenVPN server. Without such details, we can't accurately explain your situation.

Using the default settings, the duplicate-cn directive is automatically added to the underlying config file. This is necessary because ALL connected clients *share* a single client cert/key. Without the duplicate-cn directive, the OpenVPN server will drop the current connection that's using that same cert/key in favor of the new connection.

But the fact you had to *manually* add the duplicate-cn directive tells me you are NOT using the default settings. You made a change that lead the router to remove it. And now I have to guess what that was.

One possibility? You enabled MCSO (Manage Client-Specific Options). That section assumes that each connecting client will have its own unique cert/key, differentiated by the CN (Common Name) on its cert. This differentiation is typically needed for the purposes of a site-to-site configuration, where each client is supporting different local IP networks on its side of the tunnel. And you can't support multiple, concurrent OpenVPN clients in this manner if the they don't have a unique cert! So the router removes the duplicate-cn directive.

The username-as-common-name directive is a workaround for those who insist on using a single shared client cert/key. What OpenVPN will now do is differentiate users based on their username rather than the CN on their cert.

But that might just be one possibility. There are a lot of options here, resulting in many different configurations. Shared cert, multiple certs (that you created), certs w/ and w/o username/password, no certs at all but just username/password, MCSO enabled/disabled, etc. If you leave out such details, we just have to guess.
Click to expand...

UPDATE 1:
Seems like now I am using username-as-common-name, then the traffic can go back and forth for VPN clients and home devices behind Asus VPN server. But there are some tricks to make SMB works from Windows firewall settings as Windows firewall by default only allows local subnet IP to get through. So this come to another question, beside playing with Windows firewall setup, anyway to make all kind of devices (VPN client or home device, Windows, Mac, Android, IOS) to permit each other on both subnet local 192.168.50.X and VPN 10.8.0.X

Thanks and not sure if this is possible


Hi @eibgrad

Nice to meet you here, I've read a lot of your posts which also hints on adding this derivatives dupicate-cn

Please see attached for my OpenVPN setup. What I am trying to do is using just one *single* cert/config file which can applied by my own different devices (PCs, iPad and Android mobile). As from your comment, I may need use different account to login from different devices and use"username-as-common-name" instead of "duplicate-cn" becuase I also want to achieve the following:

My setup is simple, this OpenVPN is on my home router, there are some PCs, NAS behind it. My mobile devices (laptop, iPad, Andorid) will use OpenVPN Connect app to connect this VPN to play safe on some public wifi. Now, I can use *IP / full hostname* (e.g. homepc.domain) to access home devices (PCs,NAS) from VPN client (mobile devices). ALSO I can use *IP* (but NOT hostname) to access between VPN clients (e.g. Android phone to Laptop through SMB). BUT I cannot make home devices (device behind my OpenVPN router) to access VPN clients (e.g. from my home PC to my Windows laptop connected with OpenVPN through SMB).

From some of your posts and also other information on the web, My assumption is due to different subnet for home clients (192.168.1.X) and VPN clients (10.8.0.X). For VPN clients, the OpenVPN server will push the route back to home subnet, so OpenVPN client can access back to home devices. But there is no route from home devices to VPN clients because there are no VPN server involvement with home devices.

May I know what can I do to push these route on my home devices? or any setup I can do on VPN server to push VPN client's subnet information back to home subnet?

Thanks so much

openvpn_set.png
 
Last edited:
jasonwch said:
UPDATE 1:
Seems like now I am using username-as-common-name, then the traffic can go back and forth for VPN clients and home devices behind Asus VPN server. But there are some tricks to make SMB works from Windows firewall settings as Windows firewall by default only allows local subnet IP to get through. So this come to another question, beside playing with Windows firewall setup, anyway to make all kind of devices (VPN client or home device, Windows, Mac, Android, IOS) to permit each other on both subnet local 192.168.50.X and VPN 10.8.0.X

Thanks and not sure if this is possible
Click to expand...

www.snbforums.com

How to allow openvpn clients to access my LAN PC?

Hey, guys! I set up an OpenVPN server on my ASUS AC66U-B1 (running Merlin 386.3_2). I have to use tun mode to allow android phones. I set "Client will use VPN to access" to Both (the other two choices are "LAN only" and "Internet only"). My phone can access the USB drive connected to the...
www.snbforums.com www.snbforums.com

jasonwch said:
Hi @eibgrad

Nice to meet you here, I've read a lot of your posts which also hints on adding this derivatives dupicate-cn

Please see attached for my OpenVPN setup. What I am trying to do is using just one *single* cert/config file which can applied by my own different devices (PCs, iPad and Android mobile). As from your comment, I may need use different account to login from different devices and use"username-as-common-name" instead of "duplicate-cn" becuase I also want to achieve the following:

My setup is simple, this OpenVPN is on my home router, there are some PCs, NAS behind it. My mobile devices (laptop, iPad, Andorid) will use OpenVPN Connect app to connect this VPN to play safe on some public wifi. Now, I can use *IP / full hostname* (e.g. homepc.domain) to access home devices (PCs,NAS) from VPN client (mobile devices). ALSO I can use *IP* (but NOT hostname) to access between VPN clients (e.g. Android phone to Laptop through SMB). BUT I cannot make home devices (device behind my OpenVPN router) to access VPN clients (e.g. from my home PC to my Windows laptop connected with OpenVPN through SMB).

From some of your posts and also other information on the web, My assumption is due to different subnet for home clients (192.168.1.X) and VPN clients (10.8.0.X). For VPN clients, the OpenVPN server will push the route back to home subnet, so OpenVPN client can access back to home devices. But there is no route from home devices to VPN clients because there are no VPN server involvement with home devices.

May I know what can I do to push these route on my home devices? or any setup I can do on VPN server to push VPN client's subnet information back to home subnet?

Thanks so much

View attachment 44101
Click to expand...

If you want home devices to initiate connections to OpenVPN clients, there should be NO NEED to enable MCSO, since that's only intended for site-to-site, where you need access to the devices *behind* the OpenVPN client on its own private IP network. As far as I can tell from your description, this is NOT a requirement.

And since there is no site-to-site here, there's no need to disambiguate OpenVPN clients based on either their CN or username. Again, that only becomes necessary in order to know which OpenVPN client is supporting which private IP network behind it.

So when all is said and done, you don't need anything more than the router defaults, which means a shared client cert and key, and optionally the user of username/passwords, but only for the purposes of additional security (esp. since everyone is sharing a client cert/key). But things like MCSO, username-as-common-name, etc., are just irrelevant. Those are site-to-site requirements, which don't apply to your use case.

If there's any remaining problem here at all, it's being able to tell which OpenVPN client has which assigned IP on the tunnel! IOW, what you probably want/need is *statically* assigned IPs on the tunnel. At least if you intend to have devices at home initiate connections to those OpenVPN clients.
 
eibgrad said:
www.snbforums.com

How to allow openvpn clients to access my LAN PC?

Hey, guys! I set up an OpenVPN server on my ASUS AC66U-B1 (running Merlin 386.3_2). I have to use tun mode to allow android phones. I set "Client will use VPN to access" to Both (the other two choices are "LAN only" and "Internet only"). My phone can access the USB drive connected to the...
www.snbforums.com www.snbforums.com



If you want home devices to initiate connections to OpenVPN clients, there should be NO NEED to enable MCSO, since that's only intended for site-to-site, where you need access to the devices *behind* the OpenVPN client on its own private IP network. As far as I can tell from your description, this is NOT a requirement.

And since there is no site-to-site here, there's no need to disambiguate OpenVPN clients based on either their CN or username. Again, that only becomes necessary in order to know which OpenVPN client is supporting which private IP network behind it.

So when all is said and done, you don't need anything more than the router defaults, which means a shared client cert and key, and optionally the user of username/passwords, but only for the purposes of additional security (esp. since everyone is sharing a client cert/key). But things like MCSO, username-as-common-name, etc., are just irrelevant. Those are site-to-site requirements, which don't apply to your use case.

If there's any remaining problem here at all, it's being able to tell which OpenVPN client has which assigned IP on the tunnel! IOW, what you probably want/need is *statically* assigned IPs on the tunnel. At least if you intend to have devices at home initiate connections to those OpenVPN clients.
Click to expand...


Thank you so much, but seems the POSTROUTE is a bit overkill. I will leave it in my pocket...thanks anyway
 
You must log in or register to reply here.

Similar threads

V
Two VPN connections from home network at the same time -> problems
Replies
6
Views
564
vrapp
V
M
For AX68U and AX86S Merlin users: openvpn server - max user qty?
Replies
1
Views
224
ColinTaylor
C
Blankedy
AC86U OpenVPN server whilst in AP mode
Replies
3
Views
356
Blankedy
Blankedy
dbaser
ASUS RT-AC68U not working after Merlin firmware update, did I brick it?
Replies
15
Views
708
dbaser
dbaser
M
VPN for a Cruise Ship
Replies
11
Views
601
sfx2000
sfx2000
Similar threads
Thread starter Title Forum Replies Date
dbaser ASUS RT-AC68U not working after Merlin firmware update, did I brick it? Asuswrt-Merlin 15
M ASUS RT-AXE7800 Merlin Firmware availability ???? Asuswrt-Merlin 11
P Problem flashing Merlin firmware on Asus rt ax56u Asuswrt-Merlin 2
T ASUS RT-AX88U with Asuswrt-Merlin firmware - Few queries Asuswrt-Merlin 17
T Merlin firmware not working on Asus RT-AX57 Asuswrt-Merlin 10
M Issue Updating Merlin Firmware to 386.12_2 on my ASUS RT-AC66U B1 Asuswrt-Merlin 2
keef Asus GT-AX6000 and Merlin firmware Asuswrt-Merlin 11
J Asus RT-AC68R /w latest Merlin 386.12 firmware - Openvpn client issue Asuswrt-Merlin 2
J Solved *SOLVED* Asus RT-AX86U Pro on latest Merlin 3004.388.4, cannot get RT-AC68U (on any firmware) to connect as a AI Mesh Node Asuswrt-Merlin 3
K Installing Merlin Firmware on ASUS RT-AX86U Pro Asuswrt-Merlin 12

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 730 (members: 33, guests: 697)
Top