Asus Merlin on RT-AC88U - VPN-Server: Cannot see Home-Network-Devices

Lambda

Dear Community,
I have been trying for some time to connect to my home network with an Android smartphone by establishing a VPN tunnel. Somehow it doesn't work, and therefore I hope you can help me.

I have an Asus RT-AC88U with Merlin firmware version 384.7_2.


My network setup is the following:

(Internet) ---> WAN(Fritzbox)LAN ---> WAN(Asus RT-AC88U)LAN/WLAN ---> (Home-Network-Devices)

Fritzbox-LAN: 192.168.1.XXX
Asus RT-AC88U-LAN: 192.112.1.XXX


I did the following:

Fritzbox: On the Fritzbox I set up a port forwarding to the Asus router for the VPN port I use. Also on the Fritzbox I set up DynDNS to be reachable over the internet.
Asus router: Here I turned the VPN server option on. I tried several options. For this post, I take the default options as a foundation (see screenshot; I uploaded it as an attachment, I hope that's ok). I then exported the certificate and manually changed the IP address in the remote line of the certificate to the DynDNS address.
Smartphone (Android): I downloaded the OpenVPN Connect app and imported the certificate. Then I started the connection and typed in my credentials.
Asus router: The router does establish a VPN tunnel to the phone (-> it shows the username in the table as connected). But I cannot reach any devices inside the home network. This (I think) is because, in my understanding, the Asus router creates a new subnet (10.8.0.0) and separates it strictly from the home network (I cannot define the home network as the VPN subnet).

I tried many different options (I cannot recall all of them), but nothing seems to work.

So my question is: Do you know how I can either put my VPN tunnel directly into the home network, or how to create a kind of tunnel between the two subnets?

This seems to be a common problem, because I found quite a few issues like this one on the internet. Yet nothing really helped me. What confuses me is that the possible options and configurations differ from each other and from mine (maybe because of different firmware versions and/or devices?!). For example, I don't have the option "Push LAN to clients" that many others have. I did not find any post or tutorial that has my possible options.


Sorry for language mistakes, as I am not a native speaker. Also, I may know some stuff about IT, but I am no network specialist.

I hope someone can help me.

Thank you in advance,
Lambda
 

Attachments

  • VPN.JPG
The router does establish a VPN tunnel to the phone (-> it shows the username in the table as connected). But I cannot reach any devices inside the home network.
What have you tried doing? If you are trying to connect to a Windows PC try disabling the Windows Firewall when testing.

So my question is: Do you know how I can either put my VPN tunnel directly into the home network
You would have to use a TAP connection instead of TUN
or how to create a kind of tunnel between the two subnets?
The routing is already set up, you don't need to do anything else.
 
What have you tried doing? If you are trying to connect to a Windows PC try disabling the Windows Firewall when testing.

I have a home-automation server running on a Raspberry Pi. So I open the browser on the smartphone and try to reach the IP address where I should find the frontend of the home-automation software (this works when I'm directly connected to the WLAN).
Also, I tried using the Philips Hue app, which only works in the home network (I do not use the Hue cloud).

You would have to use a TAP connection instead of TUN

As far as I know, TAP doesn't work on Android devices.

The routing is already set up, you don't need to do anything else.

Does this mean I should be able to find other devices on the network?

I have the Skynet firewall running. Can that interfere?

Thank you for the reply.
 
I notice in your first post you said that your Asus LAN was 192.112.1.XXX. Is that correct or a typo? 192.112.1.XXX is not a private address and should not be used internally.

I have a home-automation server running on a Raspberry Pi. So I open the browser on the smartphone and try to reach the IP address where I should find the frontend of the home-automation software (this works when I'm directly connected to the WLAN).
Does the Pi have a firewall? Have you tried accessing other devices by their IP address, like a network printer or the router itself?

Also, I tried using the Philips Hue app, which only works in the home network (I do not use the Hue cloud).
I don't know how that app works, but anything that relies on broadcast traffic (Samba browsing, DLNA, etc.) won't work.

Does this mean I should be able to find other devices on the network?
You should be able to access devices by their IP address assuming they don't have their own firewall.

I have the Skynet firewall running. Can that interfere?
No idea.
 
Try running
Code:
firewall whitelist vpn
to update Skynet.
I did this now, but it didn't change anything.

I notice in your first post you said that your Asus LAN was 192.112.1.XXX. Is that correct or a typo? 192.112.1.XXX is not a private address and should not be used internally.
Yes, that was a typo. I meant 192.168.112.xxx

Does the Pi have a firewall? Have you tried accessing other devices by their IP address, like a network printer or the router itself?
I now tried reaching the router on 192.168.112.1. No luck ;/

Are the options as shown in the screenshot in the first post ok? Are there any other options in the firmware that have to be set?
Why does everyone seem to have the option "Push LAN to clients" but not me?

/edit
I don't know if it helps, but this is the log when a new connection arrives at the router:
Code:
Dec  1 21:29:02 ovpn-server1[1949]: 90.203.153.155 TLS: Initial packet from [AF_INET6]::ffff:90.203.153.155:49937, sid=[SID]
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_GUI_VER=OC30Android
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_VER=3.2
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_PLAT=android
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_NCP=2
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_TCPNL=1
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_PROTO=2
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_LZO=1
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 peer info: IV_IPv6=0
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 TLS: Username/Password authentication succeeded for username 'VPNuser' [CN SET]
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Dec  1 21:29:03 ovpn-server1[1949]: 90.203.153.155 [VPNuser] Peer Connection Initiated with [AF_INET6]::ffff:90.203.153.155:49937
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 MULTI: Learn: 10.8.0.2 -> VPNuser/90.203.153.155
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 MULTI: primary virtual IP for VPNuser/90.203.153.155: 10.8.0.2
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 PUSH: Received control message: 'PUSH_REQUEST'
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 SENT CONTROL [VPNuser]: 'PUSH_REPLY,route 192.168.112.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 Data Channel: using negotiated cipher 'AES-128-GCM'
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/90.203.153.155 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

/edit 2
After trying a bit more, I think I found the problem:

In addition to the VPN server, I have a VPN client running on the router, meaning all outgoing traffic is routed to a VPN gateway outside of my home network before accessing the internet. It seems this doesn't work together with the VPN server option.
In the configuration of the VPN client it is possible to define network devices that should not get routed to the VPN gateway (and therefore access the internet directly). If I do this for, for example, the router or the Raspberry Pi, then I can find these devices after accessing my home network via a VPN tunnel from my smartphone to the router (-> VPN server option).

So it seems I have to decide per device whether I want its traffic routed to a VPN gateway via the VPN client option, or whether I want to be able to find this device while using a VPN tunnel to the router via the VPN server option. The main reason for the VPN client option is to obscure my IP address, so I do not really want to give up this feature.

Therefore I would love to be able to have both: getting all traffic routed to a VPN gateway, but also being able to reach these devices when I'm connecting to my home network from my smartphone. Is there any solution to this?

Also, sorry for not mentioning the VPN client before; I didn't know that they affect each other.

Have a nice Sunday, and thank you for the replies so far.
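The post above contains two things worth checking mechanically: the server log shows that the phone is pushed a route for the LAN (`route 192.168.112.0 255.255.255.0`) and gets 10.8.0.2 from the pool, so the forward direction is configured; and the /edit 2 finding says that LAN devices policy-routed through the router's VPN client become unreachable unless they are exempted. The following is an added example (not code from the thread, from Asus, or from the Merlin firmware): it parses those log lines, confirms the LAN route is in the PUSH_REPLY, and then models the return-path routing decision with a toy longest-prefix lookup. The two routing tables, the interface names (`tun21`, `tun11`, `br0`, `eth0`) and the idea that the VPN client's policy table contains only a default route are assumptions chosen to reproduce the symptom described, not a description of how the firmware actually builds its tables. The public address in the sample log is a constructed RFC 5737 placeholder.

```python
"""Diagnose the 'VPN server client cannot reach LAN' symptom from the thread.

Part 1 reads an OpenVPN server log (constructed sample below, trimmed from the
posted log) and checks what the server pushed to the phone.
Part 2 is a toy model of the router's return-path routing: when a LAN device's
traffic is forced through the VPN *client* tunnel, its replies to 10.8.0.2
leave via that tunnel instead of the VPN *server* tunnel.  This is an
illustrative model, not Merlin's real rule/table layout.
"""
import ipaddress
import re

# Constructed sample log (public IP replaced by a documentation address).
SAMPLE_LOG = """\
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/203.0.113.5 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/203.0.113.5 PUSH: Received control message: 'PUSH_REQUEST'
Dec  1 21:29:03 ovpn-server1[1949]: VPNuser/203.0.113.5 SENT CONTROL [VPNuser]: 'PUSH_REPLY,route 192.168.112.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
"""

POOL_RE = re.compile(r"pool returned IPv4=(\d+\.\d+\.\d+\.\d+)")
PUSH_RE = re.compile(r"'PUSH_REPLY,(.*)' \(status=1\)")


def parse_server_log(text):
    """Return the pool address handed to the client and the pushed options."""
    result = {"client_ip": None, "pushed": []}
    for line in text.splitlines():
        m = POOL_RE.search(line)
        if m:
            result["client_ip"] = m.group(1)
        m = PUSH_RE.search(line)
        if m:
            result["pushed"] = m.group(1).split(",")
    return result


def pushed_routes(pushed):
    """Turn 'route <net> <mask> ...' options into ip_network objects."""
    nets = []
    for opt in pushed:
        parts = opt.split()
        if len(parts) >= 3 and parts[0] == "route":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def lan_route_is_pushed(pushed, lan="192.168.112.0/24"):
    """True if the server tells the phone to send LAN traffic into the tunnel."""
    return ipaddress.ip_network(lan) in pushed_routes(pushed)


# --- Part 2: toy return-path model (assumed tables, hypothetical names) -----
# A table is a list of (network, interface); the longest matching prefix wins.
MAIN_TABLE = [
    (ipaddress.ip_network("10.8.0.0/24"), "tun21"),     # VPN server clients
    (ipaddress.ip_network("192.168.112.0/24"), "br0"),  # home LAN
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # WAN towards the Fritzbox
]
# Assumption: the VPN client's policy table only knows "everything -> tunnel".
CLIENT_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun11"),       # VPN client tunnel
]


def lookup(table, dst):
    """Longest-prefix match of dst in table; returns the interface or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def return_interface(src, dst, policy_routed_sources):
    """Interface the router picks for a LAN device's reply to the phone.

    policy_routed_sources: LAN addresses whose traffic is forced through the
    VPN client.  Every other source is routed with the main table.
    """
    forced = {ipaddress.ip_address(s) for s in policy_routed_sources}
    table = CLIENT_TABLE if ipaddress.ip_address(src) in forced else MAIN_TABLE
    return lookup(table, dst)


def reachable_from_phone(device_ip, phone_ip, policy_routed_sources):
    """The reply must leave through the VPN server tunnel to reach the phone."""
    return return_interface(device_ip, phone_ip, policy_routed_sources) == "tun21"


if __name__ == "__main__":
    info = parse_server_log(SAMPLE_LOG)
    print("client address:", info["client_ip"])
    print("LAN route pushed:", lan_route_is_pushed(info["pushed"]))
    pi = "192.168.112.50"  # constructed example LAN device
    print("Pi reachable, not policy-routed:", reachable_from_phone(pi, info["client_ip"], set()))
    print("Pi reachable, policy-routed:", reachable_from_phone(pi, info["client_ip"], {pi}))
```

The forward direction checks out in the posted log (the LAN route and `redirect-gateway def1` are both pushed), so the model points at the reply path: a device whose source address is bound to the VPN client's table never consults the route to 10.8.0.0/24, which is exactly the per-device behaviour the /edit 2 describes. On a real router the equivalent check is to list the policy rules (`ip rule`) and then the route table the VPN client uses (`ip route show table <n>`, where the table number is firmware-specific) and see whether the VPN server subnet appears there.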
 