Asus OpenVPN tunnel - Server LAN cannot access client Asus Router Gui.

NotTom

Hi,
I currently have a 3-node (1 server and 2 clients) site-to-site OpenVPN tunnel set up between 3 Asus RT-AX58U routers. The tunnel is working fine and every node can reach the LAN of the other 2 nodes. However, for some unknown reason that I can't figure out, the server node cannot connect to the GUI interface of the 2 other ASUS routers (and only the ASUS routers).

In a nutshell:
Client 1 : Router - 192.168.1.1 (LAN 192.168.1.0/24)
- Can successfully connect to a NAS on both Client 2 LAN & Server A LAN.
- Can successfully connect to ASUS router on both Client 2 LAN & Server A LAN.
Client 2 : Router - 192.168.2.1 (LAN 192.168.2.0/24)
- Can successfully connect to a NAS on both Client 1 LAN & Server A LAN.
- Can successfully connect to ASUS router on both Client 1 LAN & Server A LAN.
Server A : Router - 192.168.3.1 (LAN 192.168.3.0/24)
- Can successfully connect to a NAS on both Client 1 LAN & Client 2 LAN.
- CANNOT connect to ASUS router on both Client 1 LAN & Client 2 LAN.
- Can reach the GUI page of a second ASUS router set up in AiMesh on client 1, but the redirection from the AiMesh router to the main router 1 just times out.

I'm wondering if I'm missing some tunnel instruction or if this is a limitation built into the Asus routers. While I have no proof, it feels like the 2 client routers are dropping requests to themselves when they originate from the LAN of the server through the OpenVPN tunnel.

Has anyone experienced the same issue with Asus routers?

----------------
Tunnel options:
- Local network only (activated)
- TUN
- UDP
- Push LAN to client (activated)
- Allow client <-> client (activated)
- Allow only specific client (activated)
- 2 clients are added with their LAN/Subnet + PUSH (activated)
- (no custom configuration)
- tunnel set up to use 10.8.0.0/24
 
Not a single reply in several weeks... not a very popular topic I guess.

Is there nobody with an ASUS site-to-site VPN setup out there who can confirm if the router GUI of the client can be accessed from the server LAN (with either OpenVPN or WireGuard)?
 
I am no expert, but is it possible to set up all 3 routers as VPN servers and add 2 clients to the other 2 routers on each server? Or will it create a loop?
 
No, I tried that. As far as I understand the way the Asus configuration works (and from all the testing I did with OpenVPN and WireGuard), Asus only allows for one "active/default" client route per router. The client list is based on a priority from top to bottom, and only one route/client can be set as "default" for all devices/traffic. It is possible to set additional client routes, but only for specific devices, and a single device cannot be set on two routes/clients. So in the end, a single Asus router cannot be a client of 2 other routers at the same time. (But a server can accept two clients.)

Nothing I tried worked, and I had the same behavior using OpenVPN and WireGuard on the Asus routers. So at this point, I've ditched this setup with the Asus routers and went back to my old routers with a simpler IPsec config, which works #1.
 
