ASUS RT-AC86U as VPN server - how to route client network to server LAN

BosseSwede

Regular Contributor
I have two sites (home and summer home) both with fiber connection to Internet. The summer home was installed a week or so ago.
I am going to put an ASUS RT-AC68U at the summer home, so I have configured it to connect by VPN to my home site using my Linux server at home as OpenVPN server. This way the devices at the summer LAN will reach all devices at home. I have tested this and it works when the router is connected to a different network nearby.

But I would also like to be able to go the "other way" through the tunnel so the client LAN is visible to the server LAN devices and then I think I need to use the ASUS RT-AC86U as the VPN server rather than the Linux server.
It is not obvious to me how one can configure the server.conf file in the router to allow backwards connection from the server side LAN through the tunnel to the client LAN, though...

I *have* read the two threads dealing with this basic problem but they are rather complicated.
Ultimate VPN guide
Setup for Bi-directional VPN

It seems like it should be easier to set up than these complicated ways...

I can connect with SSH to the router and then I can see in the file system this:
Code:
[email protected]:/# ls -la /tmp/etc/openvpn/server1/
drwx------    2 admin    root             0 Jan 14 13:48 .
drwx------    3 admin    root             0 Jan 11 13:47 ..
-rw-------    1 admin    root          1172 Jan 11 13:47 ca.crt
-rw-------    1 admin    root           912 Jan 11 13:47 ca.key
-rw-rw-rw-    1 admin    root          3561 Jan 11 13:47 client.ovpn
-rw-rw-rw-    1 admin    root          3561 Jan 11 13:47 client.ovpnr
-rw-rw-rw-    1 admin    root           672 Jan 15 00:56 client_status
-rw-rw-rw-    1 admin    root           546 Jan 11 13:47 config.ovpn
-rw-------    1 admin    root           830 Jan 11 13:47 dh.pem
-rwx------    1 admin    root           195 Jan 11 13:47 fw.sh
-rw-------    1 admin    root          1306 Jan 11 13:47 server.crt
-rw-------    1 admin    root           916 Jan 11 13:47 server.key
-rw-------    1 admin    root           436 Jan 15 13:52 status

I could modify the config.ovpn and add necessary commands, but I am a bit suspicious about the path starting with tmp...
Is this a RAM based temp disk which loses its content on restart or power cycle?
If so how can I modify the conf file so it stays permanent?

I need to add a client-config-dir so I can have a special config for the specific client on the remote site.
Then I also need to create the ovpn file for the remote LAN with its own CA entry so the correct config is used for that connection.

Any ideas?
 

eibgrad

Part of the Furniture
You could use the OpenVPN server on the Linux box to do this. It involves creating a CCD directory containing client-specific files, the iroute directive, etc. The following explains the rationale and process.


That said, it's probably *easier* to use the router instead. What you need to do is enable Manage Client-Specific Options on the router's OpenVPN server, and add one or more entries for the OpenVPN client (based on the CN (Common Name) of its client cert) which specify the remote LAN(s) available behind that OpenVPN client once it gets connected. The router does all the dirty work of setting this up as described in the above link. Just be sure to NOT enable the Push option!

P.S. Also make sure the OpenVPN client has the "Inbound Firewall" option set to Allow (by default, Block prevents site-to-site).
 
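The server-side pieces eibgrad describes (client-config-dir, a per-CN file carrying iroute, the matching route, no Push of the client's own LAN) together with the forwarding rules and the static route on the home router that the final post mentions, as an added shell example. This is not code from this thread or from the router firmware; the addresses, the server's LAN address and the client CN `summerhome` are hypothetical placeholders. It writes the OpenVPN fragments to a directory and prints the host commands for review rather than running them:

```shell
#!/bin/sh
# Added example (not from the thread): generate the OpenVPN pieces that make a
# client's LAN reachable from the server LAN, plus the host-side steps.
# All addresses and names below are hypothetical placeholders.

SERVER_LAN=192.168.1.0; SERVER_MASK=255.255.255.0; SERVER_CIDR=192.168.1.0/24  # home LAN
SERVER_IP=192.168.1.10                                  # Linux OpenVPN server on the home LAN
CLIENT_CN=summerhome                                    # CN of the remote router's client cert
CLIENT_LAN=192.168.2.0; CLIENT_MASK=255.255.255.0; CLIENT_CIDR=192.168.2.0/24  # LAN behind it
TUN_NET=10.8.0.0;       TUN_MASK=255.255.255.0                                 # tunnel subnet

# Directives to merge into the server's existing server.conf.
# 'route' installs a kernel route for the remote LAN into the tun device;
# 'client-config-dir' enables per-client files named exactly after the cert CN.
# Use an absolute path for the ccd directory in a real deployment.
server_conf_fragment() {
  cat <<EOF
server $TUN_NET $TUN_MASK
client-config-dir $1/ccd
route $CLIENT_LAN $CLIENT_MASK
push "route $SERVER_LAN $SERVER_MASK"
# optional hardening: refuse clients that have no ccd file
# ccd-exclusive
EOF
}

# Per-client file ccd/$CLIENT_CN. 'iroute' tells OpenVPN (user space) which
# connected client owns CLIENT_LAN; with only the kernel 'route' above, packets
# enter tun0 but OpenVPN has no client to deliver them to and drops them.
# Do NOT push "route $CLIENT_LAN" here: the client already owns that subnet
# (this is the "Push" option eibgrad says to leave off on the router GUI).
ccd_file() {
  cat <<EOF
iroute $CLIENT_LAN $CLIENT_MASK
EOF
}

# Write both files into the target directory.
write_config() {
  dir=$1
  mkdir -p "$dir/ccd"
  server_conf_fragment "$dir" > "$dir/server-site2site.conf"
  ccd_file > "$dir/ccd/$CLIENT_CN"
}

# Host-side commands, printed for review (run as root after checking them).
# Forwarding is restricted to the two LANs instead of "anything through tun0".
host_commands() {
  cat <<EOF
# on the Linux OpenVPN server: forward between tun0 and the home LAN
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun0 -s $CLIENT_CIDR -d $SERVER_CIDR -j ACCEPT
iptables -A FORWARD -o tun0 -s $SERVER_CIDR -d $CLIENT_CIDR -j ACCEPT
# on the home LAN's default gateway (the ASUS router's Static Route page does
# the same thing): send the remote LAN to the OpenVPN server, not to the WAN
ip route add $CLIENT_CIDR via $SERVER_IP
EOF
}

# Usage: sh site2site.sh /etc/openvpn  (writes files, prints host commands)
if [ $# -gt 0 ]; then
  write_config "$1"
  host_commands
fi
```

On the remote router itself nothing changes except the "Inbound Firewall" setting eibgrad mentions; the client cert's CN must match the ccd file name byte for byte, or the iroute is silently never applied.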

BosseSwede

Regular Contributor
OK, it turned out that with help from Tincantech over at the OpenVPN official site I got hold of this information:
Include multiple client side machines
It turns out to be dead simple to do everything needed on the existing OpenVPN server on my Linux box, so I did so and was done in about 10 minutes!
A few config items on the OpenVPN server plus a static route on the router, and then it works!
 
