Asus RT-AC1750 server VPN issue

[Hoang]

Hello everyone,

I just got the RT-AC1750. I setup vpn server with open VPN.
I downloaded the config file and use it with my PC and iphone.
I have the AC1750 connected to my google fiber box (the google fiber has wifi activated)

Here is the issue.
If I connect my phone or my computer to either the AC1750 wifi OR my google fiber box wifi, i could establish connection with the vpn server using openvpn app.

If I connect my phone or computer to a different network, when i try to establish connection with the vpn I get timeout error or waiting for server.

What should I do? Please advice.
thank you

 

[bnhf]

Sounds like you need to setup your Google Fiber box to forward the port you're using for your OpenVPN server to the RT-AC1750.

 

[Hoang]

Sounds like you need to setup your Google Fiber box to forward the port you're using for your OpenVPN server to the RT-AC1750.

Thank you very much for your reply. I greatly appreciate it. I already tried to do the port forwarding to the IP of the router but it did not work for me. Did I do it wrong?

 

[bnhf]

Thank you very much for your reply. I greatly appreciate it. I already tried to do the port forwarding to the IP of the router but it did not work for me. Did I do it wrong?

Most of your images are not coming through on the forum. Please upload them again using SNBForums "Upload a File" button.

Assuming you've done your port forwarding correctly, how are you getting to your Google Fiber box from the Internet. DDNS? Static IP? Current Dynamic IP?

Please post images of your RT-AC1750 VPN Server settings page and your Google Fiber Port Forwarding page.

 

[Hoang]

Most of your images are not coming through on the forum. Please upload them again using SNBForums "Upload a File" button.

Assuming you've done your port forwarding correctly, how are you getting to your Google Fiber box from the Internet. DDNS? Static IP? Current Dynamic IP?

Please post images of your RT-AC1750 VPN Server settings page and your Google Fiber Port Forwarding page.

Sorry about the images, i thought they went thru.
Google fiber box has dynamic IP.

My VPN server setting page and ggl fiber port forwarding page is below.
thank you for your time.

 

[bnhf]

I'm not seeing any obvious problems with your settings. You are using an outdated version of the Asus firmware. Is this a T-Mobile "Cellspot" Asus router? If it's not the T-Mobile version, you should at least upgrade to the latest Asus firmware, and even better would be to upgrade to the AsusWRT-Merlin version.

I'd double check your IP addresses. Did you set a DHCP reservation for the Asus router on the Google router? You need to be sure that the Asus' LAN IP address doesn't change. Check the Dynamic IP Internet address of your Google router to be sure it hasn't changed. Ultimately, you'll want a DDNS service to access your router from the Internet since its address will change. If you can put the Google router in bridge mode that would be best, then your Asus router would know your public IP and you could use the free Asus DDNS service.

 

[Hoang]

I'm not seeing any obvious problems with your settings. You are using an outdated version of the Asus firmware. Is this a T-Mobile "Cellspot" Asus router? If it's not the T-Mobile version, you should at least upgrade to the latest Asus firmware, and even better would be to upgrade to the AsusWRT-Merlin version.

I'd double check your IP addresses. Did you set a DHCP reservation for the Asus router on the Google router? You need to be sure that the Asus' LAN IP address doesn't change. Check the Dynamic IP Internet address of your Google router to be sure it hasn't changed. Ultimately, you'll want a DDNS service to access your router from the Internet since its address will change. If you can put the Google router in bridge mode that would be best, then your Asus router would know your public IP and you could use the free Asus DDNS service.

thank you again for your reply.
My router is not the t-mobile version. Yes i'm trying to work with the stock firmware before updating to ddwrt. I believe vpn server option with openvpn is supposed to be pretty straight forward, you create a server, get the client config file and just run it on client devices.

The IP for the router is reserved.

For some reason it's showing that i have the latest firmware (i updated yesterday actually after buying it)

My IP hasn't changed for the last few weeks. I have already setup DDNS for both the google router and my asus router since i have a few domains with google.

Bridge mode i'll need to talk to google about it (usually they only do this if we have static IP).

Anything else you think i should try?

 

[Hoang]

I have also just turn on the dmz on my google fiber box for the asus router IP and also the dmz of the asus router to its own IP.
still the same issue.
I have try to reset default the router and redo the vpnserver and client, still the same.

 

[bnhf]

I just checked and your Asus firmware is up-to-date. Just as a side note, when the time comes, I think you'll find that the AsusWRT-Merlin software is going to be a better option for you than dd-wrt. I use both, but the Merlin stuff is special, a great combination of ease-of-use and power.

What are your Asus logs showing you when you try to connect to to your OpenVPN server from an outside network? If there's no indication of any attempt at establishing a connection, then the problem lies with the Google Fiber router and its forwarding. Does the Google router have logs you can check? I see you have a port 443 port forwarding to the Asus is that working?

 

[bnhf]

Also, you can turn off your Asus DDNS -- it won't work because of the double NAT you have with the Google router. You're not trying to use the Asus DDNS address are you?

 

[bnhf]

I just tried to ping dangthanhhoang.com and got -- ping: bad address 'dangthanhhoang.com'

 

[Hoang]

I just checked and your Asus firmware is up-to-date. Just as a side note, when the time comes, I think you'll find that the AsusWRT-Merlin software is going to be a better option for you than dd-wrt. I use both, but the Merlin stuff is special, a great combination of ease-of-use and power.

What are your Asus logs showing you when you try to connect to to your OpenVPN server from an outside network? If there's no indication of any attempt at establishing a connection, then the problem lies with the Google Fiber router and its forwarding. Does the Google router have logs you can check? I see you have a port 443 port forwarding to the Asus is that working?
Also, you can turn off your Asus DDNS -- it won't work because of the double NAT you have with the Google router. You're not trying to use the Asus DDNS address are you?

Man thank you again for your time and advice. One more time i greatly appreciate it.

I will go with the Merlin firmware if needed then.

Asus log does not show anything if i connect to a different network and try to connect to the vpn server. I do the DMZ on google fiber box to the router so i'm not sure what's wrong with the port forwarding part ? Is the IP i use the correct one ? ( I use the IP that shows under server IP when i could connect to the vpn server from my iphone: 192.168.1.198)

Google does not have log unfortunately I just checked.

when I check port 443 with the online tool, it's showing that the port is closed ??

yes i know it's double NAT and still tried it LOL.

for the google domain, i only have the domain and create DDNS for it. LOL, i guess that's not how it's done.

Please advice.

so now we know that the ports are set to open inside the google box but actually they are not opened correct?

 

[bnhf]

If you're using the .ovpn file generated by your Asus router the domain name would have been wrong. asus.dangthanhhoang.com does not have your correct external IP address, because it's behind the google router. dangthanhhoang.com would be the correct domain, because that's the DDNS you're updating on the Google router. dangthanhhoang.com doesn't ping though.

So we've smoked out the problem here, it's with the way you're doing DDNS. As a test, find out what your current external IP is by looking on the Google router -- you should see your WAN IP somewhere. Use that address (xxx.xxx.xxx.xxx), to test your setup . Once you've verified that it works, we'll figure out your DDNS issue. It seems like there's a problem with your dangthanhhoang.com domain, along with a few other things. Test with your external IP next though. Anything that starts with 192, 172 or 10 is a private (LAN) IP, so is not correct.

 

[Hoang]

If you're using the .ovpn file generated by your Asus router the domain name would have been wrong. asus.dangthanhhoang.com does not have your correct external IP address, because it's behind the google router. dangthanhhoang.com would be the correct domain, because that's the DDNS you're updating on the Google router. dangthanhhoang.com doesn't ping though.

So we've smoked out the problem here, it's with the way you're doing DDNS. As a test, find out what your current external IP is by looking on the Google router -- you should see your WAN IP somewhere. Use that address (xxx.xxx.xxx.xxx), to test your setup . Once you've verified that it works, we'll figure out your DDNS issue. It seems like there's a problem with your dangthanhhoang.com domain, along with a few other things. Test with your external IP next though. Anything that starts with 192, 172 or 10 is a private (LAN) IP, so is not correct.

Hey man, i could disable the ddns and have the exact same issue. I would just connect to the vpn server directly to the 192.168.1.198 (reserved IP of the asus router).

I'm testing a few things. will keep you updated.
IN the meantime if you could think of anything please kindly let me know.
thank you very much.

 

[bnhf]

192.168.1.198:1194 is the private address of your OpenVPN server. According to the "Port Forwarding Tester" image you posted, 136.52.21.66 is your current public IP address. So, set your VPN client to access your server at that address using port 1194. Then connect your client to a network other than your own and you should be able to establish a connection.

To fix your DDNS problem put asus.dangthanhhoang.com in the Domain/Hostname field on your GOOGLE FIBER router. asus.dangthanhhoang.com is resolving, but with your local IP. That's because the Google router is the only one of the two that knows your public IP address. Once you fix that, you'll be able to use your DDNS address of asus.dangthanhhoang.com with port 1194 in any of your OpenVPN clients.

 

[Hoang]

192.168.1.198:1194 is the private address of your OpenVPN server. According to the "Port Forwarding Tester" image you posted, 136.52.21.66 is your current public IP address. So, set your VPN client to access your server at that address using port 1194. Then connect your client to a network other than your own and you should be able to establish a connection.

To fix your DDNS problem put asus.dangthanhhoang.com in the Domain/Hostname field on your GOOGLE FIBER router. asus.dangthanhhoang.com is resolving, but with your local IP. That's because the Google router is the only one of the two that knows your public IP address. Once you fix that, you'll be able to use your DDNS address of asus.dangthanhhoang.com with port 1194 in any of your OpenVPN clients.

I greatly appreciate your reply.

I have forwarded port 1194, 443 and 80 to my vpn server at 192.168.1.198. It is very weird that when i check to see if those three ports are open, only port 443 is actually open, the other two are not. I believe google blocks them (i have called google about this issue). I changed the vpnserver port setting inside the setting of asus router to 443.

I have also changed DDNS inside google fiber box to asus.dangthanhhoang.com and BAM as you said. it's CONNECTED now when I use my T-Mobile cellular to connect to openVPN.

man YOU'RE THE BEST. THANK YOU THANK YOU THANK YOU

It's showing a different server IP now instead of 192.168.1.198. I'm curious why?

 

[Hoang]

This is so WEIRD.
The setting inside google fiber is the same. I Tried to export the client ovpn file inside the asus router with ddns off (of course that won't work because now openvpn will try to connect to 192.168.1.198 instead).

However now when i turn on the DDNS and export the ovpn file and use it with openvpn client, I CANNOT CONNECT to my vpnserver any more? I use the same ovpn file that I was able to connect to the vpnserver with, now I CANNOT CONNECT.

I'm trying to understand why LOL?

 

[Hoang]

NEVER MIND MY LAST POST.

I just created a new ddns and replace that in google fiber box and asus router. Maybe i forgot to turn on/off the vpnserver before exporting the *.ovpn file.
Everything is great now.
THANK YOU THANK YOU THANK YOU.

I hope this post would help people who has same issue when the router is not bridged and they have some domains laying around.

 

[bnhf]

You need to have the DDNS on the Asus router turned off. If both your Asus router and the Google Fiber router are both updating the same DDNS domain. The Google router will update it with the correct external IP, but the Asus will not -- it will update it with its private WAN IP address that comes from the Google router. Turn off the Asus DDNS! If you do any future .ovpn exports, you can always edit the .ovpn file (after Asus export, but before client import) with a text editor to correct the domain name.

 

[Hoang]

You need to have the DDNS on the Asus router turned off. If both your Asus router and the Google Fiber router are both updating the same DDNS domain. The Google router will update it with the correct external IP, but the Asus will not -- it will update it with its private WAN IP address that comes from the Google router. Turn off the Asus DDNS! If you do any future .ovpn exports, you can always edit the .ovpn file (after Asus export, but before client import) with a text editor to correct the domain name.

I actually leave the DDNS on the asus router on and i can connect to the vpnserver with my iphone. Even when i have it off, i could still connect to the VPNserver correctly.

My understanding is this, when i have ddns on the asus and fiber the same, i create the ovpn file which has all the config to connect directly to the vpn server thru the ddns. Then when it does try to do so, the vpnclient actually try to connect to the google fiber box with the port 443, however that port is now forwarded to the vpnserver of the asus router. Now the ddns on the asus router whether is on or off does not matter because it's not exposed to the domain that i have.

I'm noob when it comes to these things but that's my understanding since i have my ddn on my asus router now ON and could connect to the vpn server no problem.

What is your thought on this ?