Solved Asus RT-AC86U OpenVPN server behind ISP modem


jorgemarmo

Occasional Visitor
Hi there, it might be a newbie question... but that's how you learn, right?

I'm trying to set up an OpenVPN server; I just want to access my Raspberry Pi-based Samba server from outside my local network.

My setup: an ISP modem, connected by cable to my RT-AC86U (WAN port); all devices and WiFi are connected to the Asus.
The ISP modem IP (fixed by the ISP) is, let's say, 12.34.56.789.
The Asus IP on the ISP modem is 192.168.1.250 (static, by a rule).


In the subnet (not even sure if this is the right term), the Asus IP is 192.168.2.1.


So I set up my OpenVPN server with pretty much default options, download the certificates, and change the remote IP to use my ISP modem IP:
Code:
remote 12.34.56.789 43210

I get into the ISP modem and create a NAT rule to forward port 43210 (both protocols) to the Asus,


but when I try to connect from my laptop, using my cellphone on 4G as a hotspot, it doesn't work... I get this:

Code:
04/02/2021 at 22:39:47 EVENT: WAIT
04/02/2021 at 22:39:47 Connecting to [12.34.56.789]:43210 (12.34.56.789) via UDPv4
04/02/2021 at 22:39:57 Server poll timeout, trying next remote entry...
04/02/2021 at 22:39:57 EVENT: RECONNECTING
04/02/2021 at 22:39:57 EVENT: RESOLVE
04/02/2021 at 22:39:57 EVENT: WAIT
04/02/2021 at 22:39:57 Contacting 12.34.56.789:43210 via UDP
04/02/2021 at 22:39:57 WinCommandAgent: transmitting bypass route to 12.34.56.789
{
    "host" : "12.34.56.789",
    "ipv6" : false
}

04/02/2021 at 22:39:57 Connecting to [12.34.56.789]:43210 (12.34.56.789) via UDPv4
04/02/2021 at 22:40:07 EVENT: CONNECTION_TIMEOUT
04/02/2021 at 22:40:07 EVENT: DISCONNECTED

I've tried many of the options stated in This Thread, but with no success.

btw, I'm using stock firmware, current version 3.0.0.4.386_40451-g30f1b6c (which should be just one version behind).

Any ideas?
 
Are you sure the *internal* port for the OpenVPN server is 43210? It's a good idea to change the *external* default port (1194), but if the VPN is hosted internally, beyond the primary router, this isn't strictly necessary. It'll work, but you would have had to specifically configure the OpenVPN server with 43210, and we have no way of knowing if you did, since you provide no details (other than claiming to have used the defaults).
 
Are you sure the *internal* port for the OpenVPN server is 43210? It's a good idea to change the *external* default port (1194), but if the VPN is hosted internally, beyond the primary router, this isn't strictly necessary. It'll work, but you would have had to specifically configure the OpenVPN server with 43210, and we have no way of knowing if you did, since you provide no details (other than claiming to have used the defaults).
Hi, normally yes, I changed it:

 
Thanks. The log you provided in the prior post appears to be for the OpenVPN client. What about the OpenVPN server log? Does it at least show an attempt to contact the OpenVPN server? Big difference between not reaching it at all vs. it reaches it, but fails for some other reason.
 
Where do you get the OpenVPN log?

btw, this is not it, but if I understand it right, it means that ports from the ISP modem to the ASUS are forwarding OK


192.168.2.1 is the Asus IP.
 
Code:
Feb  4 19:22:00 vpnserver1[7837]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 12 2020
Feb  4 19:22:00 vpnserver1[7837]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.03
Feb  4 19:22:00 vpnserver1[7838]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb  4 19:22:00 vpnserver1[7838]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  4 19:22:00 vpnserver1[7838]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb  4 19:22:00 vpnserver1[7838]: Diffie-Hellman initialized with 2048 bit key
Feb  4 19:22:00 vpnserver1[7838]: TUN/TAP device tun21 opened
Feb  4 19:22:00 vpnserver1[7838]: TUN/TAP TX queue length set to 100
Feb  4 19:22:00 vpnserver1[7838]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb  4 19:22:00 vpnserver1[7838]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Feb  4 19:22:00 vpnserver1[7838]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb  4 19:22:00 vpnserver1[7838]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb  4 19:22:00 vpnserver1[7838]: UDPv4 link local (bound): [AF_INET][undef]:41700
Feb  4 19:22:00 vpnserver1[7838]: UDPv4 link remote: [AF_UNSPEC]
Feb  4 19:22:00 vpnserver1[7838]: MULTI: multi_init called, r=256 v=256
Feb  4 19:22:00 vpnserver1[7838]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  4 19:22:00 vpnserver1[7838]: Initialization Sequence Completed
Feb  4 19:31:59 vpnserver1[10823]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 12 2020
Feb  4 19:31:59 vpnserver1[10823]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.03
Feb  4 19:31:59 vpnserver1[10824]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb  4 19:31:59 vpnserver1[10824]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  4 19:31:59 vpnserver1[10824]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb  4 19:31:59 vpnserver1[10824]: Diffie-Hellman initialized with 2048 bit key
Feb  4 19:31:59 vpnserver1[10824]: TUN/TAP device tun21 opened
Feb  4 19:31:59 vpnserver1[10824]: TUN/TAP TX queue length set to 100
Feb  4 19:31:59 vpnserver1[10824]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb  4 19:31:59 vpnserver1[10824]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Feb  4 19:31:59 vpnserver1[10824]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb  4 19:31:59 vpnserver1[10824]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb  4 19:31:59 vpnserver1[10824]: UDPv4 link local (bound): [AF_INET][undef]:41067
Feb  4 19:31:59 vpnserver1[10824]: UDPv4 link remote: [AF_UNSPEC]
Feb  4 19:31:59 vpnserver1[10824]: MULTI: multi_init called, r=256 v=256
Feb  4 19:31:59 vpnserver1[10824]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  4 19:31:59 vpnserver1[10824]: Initialization Sequence Completed
Feb  4 22:24:12 vpnserver1[24227]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 12 2020
Feb  4 22:24:12 vpnserver1[24227]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.03
Feb  4 22:24:12 vpnserver1[24228]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb  4 22:24:12 vpnserver1[24228]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  4 22:24:12 vpnserver1[24228]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb  4 22:24:12 vpnserver1[24228]: Diffie-Hellman initialized with 2048 bit key
Feb  4 22:24:12 vpnserver1[24228]: TUN/TAP device tun21 opened
Feb  4 22:24:12 vpnserver1[24228]: TUN/TAP TX queue length set to 100
Feb  4 22:24:12 vpnserver1[24228]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb  4 22:24:12 vpnserver1[24228]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Feb  4 22:24:12 vpnserver1[24228]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb  4 22:24:12 vpnserver1[24228]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb  4 22:24:12 vpnserver1[24228]: UDPv4 link local (bound): [AF_INET][undef]:41067
Feb  4 22:24:12 vpnserver1[24228]: UDPv4 link remote: [AF_UNSPEC]
Feb  4 22:24:12 vpnserver1[24228]: MULTI: multi_init called, r=256 v=256
Feb  4 22:24:12 vpnserver1[24228]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  4 22:24:12 vpnserver1[24228]: Initialization Sequence Completed
Feb  4 22:28:05 vpnserver1[25693]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 12 2020
Feb  4 22:28:05 vpnserver1[25693]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.03
Feb  4 22:28:05 vpnserver1[25694]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb  4 22:28:05 vpnserver1[25694]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  4 22:28:05 vpnserver1[25694]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb  4 22:28:05 vpnserver1[25694]: Diffie-Hellman initialized with 2048 bit key
Feb  4 22:28:05 vpnserver1[25694]: TUN/TAP device tun21 opened
Feb  4 22:28:05 vpnserver1[25694]: TUN/TAP TX queue length set to 100
Feb  4 22:28:05 vpnserver1[25694]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb  4 22:28:05 vpnserver1[25694]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Feb  4 22:28:05 vpnserver1[25694]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb  4 22:28:05 vpnserver1[25694]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb  4 22:28:05 vpnserver1[25694]: UDPv4 link local (bound): [AF_INET][undef]:41067
Feb  4 22:28:05 vpnserver1[25694]: UDPv4 link remote: [AF_UNSPEC]
Feb  4 22:28:05 vpnserver1[25694]: MULTI: multi_init called, r=256 v=256
Feb  4 22:28:05 vpnserver1[25694]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  4 22:28:05 vpnserver1[25694]: Initialization Sequence Completed
Feb  4 22:31:21 vpnserver1[27138]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 12 2020
Feb  4 22:31:21 vpnserver1[27138]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.03
Feb  4 22:31:21 vpnserver1[27139]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Feb  4 22:31:21 vpnserver1[27139]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb  4 22:31:21 vpnserver1[27139]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Feb  4 22:31:21 vpnserver1[27139]: Diffie-Hellman initialized with 2048 bit key
Feb  4 22:31:21 vpnserver1[27139]: TUN/TAP device tun21 opened
Feb  4 22:31:21 vpnserver1[27139]: TUN/TAP TX queue length set to 100
Feb  4 22:31:21 vpnserver1[27139]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Feb  4 22:31:21 vpnserver1[27139]: /etc/openvpn/ovpn-up tun21 1500 1622 10.8.0.1 10.8.0.2 init
Feb  4 22:31:21 vpnserver1[27139]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Feb  4 22:31:21 vpnserver1[27139]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Feb  4 22:31:21 vpnserver1[27139]: UDPv4 link local (bound): [AF_INET][undef]:41067
Feb  4 22:31:21 vpnserver1[27139]: UDPv4 link remote: [AF_UNSPEC]
Feb  4 22:31:21 vpnserver1[27139]: MULTI: multi_init called, r=256 v=256
Feb  4 22:31:21 vpnserver1[27139]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb  4 22:31:21 vpnserver1[27139]: Initialization Sequence Completed

It doesn't seem to be seeing anything...
 
I don't see any OpenVPN client attempting to connect. In fact, it seems you're restarting the OpenVPN server repeatedly. I also see the following...

Code:
Feb  4 22:28:05 vpnserver1[25694]: UDPv4 link local (bound): [AF_INET][undef]:41067

IOW, it's listening on port 41067, NOT 43210!

P.S. Oh, so you hid the actual port, ok. As I said, the internal port doesn't need to be a secret. It could just as well use the default 1194. It's the external port you want to keep secret.
 
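The reply above reads the server's syslog for two things: the port the server actually bound, and whether any client ever reached it. As an added example (not code from this thread, from Asuswrt or from the OpenVPN project), the Python script below applies that triage to OpenVPN 2.4 server log lines: it extracts the bound port, compares it with the client's `remote` port and with the port the upstream NAT rule forwards, counts restarts, and separates "no client packet ever arrived" from "packets arrived but the handshake never completed", which is the case where replies are leaving by the wrong path. The sample log lines are constructed in the syslog format shown in this thread; the `TLS: Initial packet from` and `Peer Connection Initiated with` message formats are OpenVPN 2.4's own, and 203.0.113.7 is a documentation address standing in for the remote client.

```python
"""Triage an Asuswrt OpenVPN server from its syslog lines.

Added example for this thread; not Asuswrt or OpenVPN project code.
The sample log lines below are constructed in the syslog format the
thread shows; 203.0.113.7 is a documentation address standing in for
the remote client.
"""
import re

# Port the server bound: the "internal" port the upstream NAT rule must target.
BOUND_RE = re.compile(r"UDPv4 link local \(bound\): \[AF_INET\]\[undef\]:(\d+)")
# First packet of a client handshake reaching the server (inbound path works).
INITIAL_RE = re.compile(r"TLS: Initial packet from \[AF_INET\]([\d.]+):(\d+)")
# Handshake completed, i.e. replies are getting back to the client as well.
PEER_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\]([\d.]+):(\d+)")
INIT_DONE = "Initialization Sequence Completed"


def parse_server_log(lines):
    """Collect bound port, (re)start count and client handshake events."""
    rep = {"bound_port": None, "starts": 0, "initial": [], "connected": []}
    for line in lines:
        if INIT_DONE in line:
            rep["starts"] += 1
        elif (m := BOUND_RE.search(line)):
            rep["bound_port"] = int(m.group(1))
        elif (m := INITIAL_RE.search(line)):
            rep["initial"].append((m.group(1), int(m.group(2))))
        elif (m := PEER_RE.search(line)):
            rep["connected"].append((m.group(1), int(m.group(2))))
    return rep


def diagnose(server_lines, client_remote_port, forwarded_port):
    """Return (code, message) findings. 'forwarded_port' is the port the
    upstream (ISP modem) NAT rule sends to the router hosting the server."""
    rep = parse_server_log(server_lines)
    findings = []
    if rep["bound_port"] is None:
        findings.append(("not_listening",
                         "no 'UDPv4 link local (bound)' line: the server never started"))
        return findings
    if rep["bound_port"] != forwarded_port:
        findings.append(("forward_port_mismatch",
                         f"upstream rule forwards {forwarded_port} but the server listens on {rep['bound_port']}"))
    if client_remote_port != forwarded_port:
        findings.append(("client_port_mismatch",
                         f"client 'remote' uses port {client_remote_port} but the upstream rule forwards {forwarded_port}"))
    if not rep["initial"]:
        findings.append(("no_inbound",
                         "no 'TLS: Initial packet' lines: client packets never reach the server "
                         "(upstream NAT rule, CGNAT, or wrong public address)"))
    elif not rep["connected"]:
        findings.append(("no_reply_path",
                         "handshake packets arrive but no 'Peer Connection Initiated': replies are "
                         "not getting back (e.g. routed out a VPN client tunnel on the router)"))
    else:
        findings.append(("ok", f"{len(rep['connected'])} client handshake(s) completed"))
    if rep["starts"] > 1:
        findings.append(("restarts", f"server was (re)started {rep['starts']} times in this window"))
    return findings


def codes(findings):
    """Just the finding codes, for quick comparison."""
    return [code for code, _ in findings]


# Constructed samples, same format as the thread's syslog excerpt.
_STARTUP = [
    "Feb  4 22:31:21 vpnserver1[27139]: UDPv4 link local (bound): [AF_INET][undef]:41067",
    "Feb  4 22:31:21 vpnserver1[27139]: Initialization Sequence Completed",
]
# What the thread shows: repeated restarts and no client activity at all.
THREAD_STYLE_LOG = _STARTUP + [line.replace("22:31:21", "22:35:02") for line in _STARTUP]
# Inbound works but the reply path is broken: first packet seen, handshake never completes.
REPLY_PATH_BROKEN_LOG = _STARTUP + [
    "Feb  4 22:36:10 vpnserver1[27139]: 203.0.113.7:51234 TLS: Initial packet from "
    "[AF_INET]203.0.113.7:51234, sid=1a2b3c4d 5e6f7a8b",
]
WORKING_LOG = REPLY_PATH_BROKEN_LOG + [
    "Feb  4 22:36:11 vpnserver1[27139]: 203.0.113.7:51234 [laptop] Peer Connection "
    "Initiated with [AF_INET]203.0.113.7:51234",
]

if __name__ == "__main__":
    samples = [("thread", THREAD_STYLE_LOG), ("reply path", REPLY_PATH_BROKEN_LOG), ("working", WORKING_LOG)]
    for name, log in samples:
        print(name)
        for code, msg in diagnose(log, client_remote_port=41067, forwarded_port=41067):
            print(f"  [{code}] {msg}")
```

Run against the thread's own excerpt (startup lines only, several restarts) the result is `no_inbound` plus `restarts`; feed it the client's `remote` port of 43210 with a forwarding rule for 41067 and it also flags `client_port_mismatch`. Only a log containing `Peer Connection Initiated` is reported as `ok`.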
btw, this is not it, but if I understand it right, it means that ports from the ISP modem to the ASUS are forwarding OK

192.168.2.1 is the Asus IP.
This is wrong (unless Asus has completely redesigned the way VPN server works). Remove the port forwarding rule for 43210 on the Asus. You only need a port forwarding rule on the ISP router.
 
I don't see any OpenVPN client attempting to connect. In fact, it seems you're restarting the OpenVPN server repeatedly. I also see the following...

Code:
Feb  4 22:28:05 vpnserver1[25694]: UDPv4 link local (bound): [AF_INET][undef]:41067

IOW, it's listening on port 41067, NOT 43210!

P.S. Oh, so you hid the actual port, ok. As I said, the internal port doesn't need to be a secret. It could just as well use the default 1194. It's the external port you want to keep secret.

So, I try to connect from the other computer (through my cellphone) at the same time that I watch the log: nothing...
[edit]
I installed OpenVPN on my Android phone... same thing... it does not connect and nothing in the log.
 
What do you now see under System Log - Port Forwarding ?

Are you sure your ISP router has a public IP address and not a CGNAT address?


Are you sure your ISP router has a public IP address and not a CGNAT address?
how to tell???
When I go to https://nordvpn.com/what-is-my-ip/ [edit] when connecting through the ISP modem directly [edit end] I get my "12.34.56.789" IP address [edit] which is not the NordVPN server I get when I connect through the Asus [edit end].

btw, I do use the Asus router as an OpenVPN client for my whole internet connection, with NordVPN.
 
OK the port forwarding looks more normal now.

btw, I do use the Asus router as an OpenVPN client for my whole internet connection, with NordVPN.
That's quite possibly the problem. Turn off the VPN client and test again.

Make sure your VPN client is using the public IP address shown by the ISP router and not that shown when going through the NordVPN connection.
 
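Two points in the replies above are easy to get wrong in a double-NAT setup: only the device that holds the public address needs the inbound forwarding rule (the Asus, which hosts the server, needs none), and the address must actually be public rather than a carrier-grade NAT (RFC 6598, 100.64.0.0/10) address, in which case no forwarding rule will help. As an added example (not code from this thread or from Asuswrt), the Python script below classifies each hop's WAN address with the standard library `ipaddress` module and works out which devices need a rule and what address the remote client must dial. The thread's 12.34.56.789 placeholder is not a valid IPv4 address, so 8.8.8.8 stands in for a genuinely public ISP-side address in the constructed sample; the device names and the 41067 port come from the thread.

```python
"""Work out where the inbound port-forward belongs in a double-NAT chain.

Added example for this thread; not Asuswrt code. The thread's 12.34.56.789
placeholder is not a valid IPv4 address, so 8.8.8.8 stands in below for a
genuinely public ISP-side address (constructed sample).
"""
import ipaddress

# RFC 6598 shared address space: what an ISP hands out behind carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr):
    """Return 'public', 'cgnat', 'private' (RFC 1918 and other non-routable
    IPv4 ranges), 'other' (IPv6, multicast, reserved) or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.version != 4:
        return "other"
    if ip in CGNAT:          # checked first: the stdlib does not flag it as private
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public" if ip.is_global else "other"


def plan_port_forwards(hops, port):
    """hops: (device, WAN address) pairs from the device hosting the service
    outwards, e.g. [("RT-AC86U", "192.168.1.250"), ("ISP modem", "8.8.8.8")].

    Every device upstream of the host needs a rule sending 'port' to the next
    device inwards, up to and including the first device with a public
    address; the host itself needs none. A CGNAT address on the way means
    there is no inbound path the user can open alone."""
    rules = []
    for i, (device, addr) in enumerate(hops):
        if i > 0:
            inner_device, inner_addr = hops[i - 1]
            rules.append({"on": device, "port": port, "to": inner_addr, "for": inner_device})
        kind = classify(addr)
        if kind == "public":
            return {"reachable": True, "remote": addr, "rules": rules}
        if kind == "cgnat":
            return {"reachable": False, "rules": rules,
                    "reason": f"{device} has a CGNAT address ({addr}); inbound connections need the ISP"}
        if kind == "invalid":
            return {"reachable": False, "rules": rules,
                    "reason": f"{addr!r} is not a valid IPv4 address"}
    return {"reachable": False, "rules": rules,
            "reason": "no public address found; there is another NAT layer upstream"}


if __name__ == "__main__":
    # Constructed sample mirroring the thread: server on the Asus, ISP modem in front.
    chain = [("RT-AC86U", "192.168.1.250"), ("ISP modem", "8.8.8.8")]
    plan = plan_port_forwards(chain, 41067)
    print("reachable:", plan["reachable"], "dial:", plan.get("remote"))
    for rule in plan["rules"]:
        print(f"  on {rule['on']}: forward UDP {rule['port']} -> {rule['to']} ({rule['for']})")
    print(plan_port_forwards([("RT-AC86U", "192.168.1.250"), ("ISP modem", "100.70.1.2")], 41067)["reason"])
```

For the thread's topology the plan contains exactly one rule, on the ISP modem, pointing at 192.168.1.250, and none on the RT-AC86U; swapping the modem's address for one in 100.64.0.0/10 turns the answer into "not reachable", which is the CGNAT case the reply asks about.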
That's quite likely the problem. Turn off the VPN client and test again.

Good point, although I'd at least expect to see the incoming traffic to the syslog. It's the replies being routed out the VPN that become the problem. Hopefully you're right.
 
immensely disappointed...
So I turned off the VPN client on the Asus, and I was able to connect to my Asus VPN server...

Any way to have both working at the same time?
 
Use PBR (policy based routing) to force your clients over the OpenVPN client. That will remove the router from the VPN and you'll gain access to the OpenVPN server again.

P.S. Or are you only using the ASUS OEM/stock firmware?
 
Use PBR (policy based routing) to force your clients over the OpenVPN client. That will remove the router from the VPN and you'll gain access to the OpenVPN server again.
Not sure how to do that [edit] "not sure how" is an understatement, I get the idea, but "I have no clue" would be more accurate ;) [edit end]

P.S. Or are you only using the OEM/stock ASUS firmware?
... y e s . . . because I haven't had any good reason to change it, but if Merlin would make my life easier, I wouldn't have any problem trying it out.
 
