ASUS RT-AC87U: Combining VPN-server with VPN client running on router

Pajani

New Around Here
So I have the ASUS RT-AC87U router with Asuswrt-merlin firmware (384.12).
I'm running an openVPN-server so I can connect to my home network remotely, so I can remotely maintain and control both the router and the clients on the network.

I just recently got a VPN subscription and added the openVPN-client on the router. I've managed to configure selective routing to how I want it but I am having problems with remotely accessing router webportal options or any network clients connected through the vpn service. I can however access anything without a problem routed to the internet through the WAN (ISP).

So my problem is that when accessing the VPN-server running on the router, I cannot access any local network clients routed to the internet through the VPN-service including the router webportal. Any ideas if this can be fixed and/or how to fix/troubleshoot?
 

eibgrad

Senior Member
Sounds to me as if the alternate routing table used by those clients bound to PBR (policy based routing) does NOT have the OpenVPN server's tunnel network in that alternate routing table, which to be honest, would be considered a bug.

One way to verify this is the problem is to dump and compare the main and alternate routing tables. I bet only the main routing table contains the OpenVPN server's tunnel network.

Code:
ip route show table main
ip route show table 111
Note, I don't recall for sure the table IDs used w/ Merlin's firmware, but I think it's 111, 112, 113, etc., for the various OpenVPN clients (1-5). If not, then dump ip rules to be sure (I'd do it myself but I'm on the road at the moment and don't have access to a Merlin router).

Code:
ip rule show
If I'm right, a temporary fix would be to add the route manually to the alternate routing table.

Code:
ip route add 10.8.0.0/24 dev tun21 table 111
(assuming 10.8.0.0/24, tun21, and 111 represent your configuration of the OpenVPN server and client)
 

Pajani

New Around Here
Hi eibgrad. I appreciate your fast response.

Turns out all I needed to do was a reboot and then it worked without a problem.
I don't know why I didn't think of this before, but at least I'm not having issues :).

Although I am curious, I am quite new with this router or really networking in general.
Where would I find any sort of console where I would enter the code you gave?

Thanks!
 

eibgrad

Senior Member
Might be a timing issue here, and so the problem *might* return.

What Merlin does is copy the contents of the main routing table over to the alternate routing table when configuring the OpenVPN client. And if it happens the OpenVPN client gets established *before* the OpenVPN server, the server's routing information is not yet available in the main routing table, so obviously it doesn't get copied to the alternate routing table.

Now granted, it seems unlikely that on a reboot the OpenVPN server would not be established before any OpenVPN clients, since the clients need access to their respective OpenVPN servers over the WAN. It just makes sense that the OpenVPN clients would take much longer to get established. But I can see a problem if you already had the OpenVPN clients established, then configured and enabled the OpenVPN server without a reboot. I assume that's what probably happened.

As far as adding that routing information, the best place would probably be via the openvpn-event script. You would trap on the route-up event to add the route, and route-pre-down event to delete the route. The openvpn-event script is one of many event-driven scripts supported by the Merlin firmware so the user can make modifications to system services.

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

One other thing. Even though this is a VPN issue, and it's the VPN forum, it's probably better to place *all* Merlin related questions, even VPN, in the Merlin forum. That seems to be preferred by most long-time users.
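
The route-up / route-pre-down handling described above, sketched as an openvpn-event script. This is an added example, not part of the original post and not Merlin's own code. It assumes the thread's values (10.8.0.0/24, tun21, table 111), assumes tun11 is the OpenVPN client's device, and assumes the firmware passes OpenVPN's script_type and dev environment variables through to the script.

```shell
#!/bin/sh
# /jffs/scripts/openvpn-event (added example). The values below are
# assumptions taken from the thread; adjust them to your own setup.
SERVER_NET="10.8.0.0/24"   # OpenVPN server tunnel network
SERVER_DEV="tun21"         # OpenVPN server tunnel device
CLIENT_DEV="tun11"         # assumed device name of the OpenVPN client
PBR_TABLE="111"            # alternate routing table; confirm with: ip rule show

# Print the ip command for an event, or nothing if the event is not ours.
# $1 = OpenVPN script_type (route-up, route-pre-down, ...), $2 = tunnel device
plan_route_cmd() {
    case "$1:$2" in
        route-up:"$SERVER_DEV"|route-up:"$CLIENT_DEV")
            # "replace" is idempotent: it adds the route or overwrites an
            # existing one, so either start order (server first or client
            # first) ends with the route present in the alternate table.
            echo "ip route replace $SERVER_NET dev $SERVER_DEV table $PBR_TABLE"
            ;;
        route-pre-down:"$SERVER_DEV")
            # Server tunnel is going away: drop the route we added.
            echo "ip route del $SERVER_NET dev $SERVER_DEV table $PBR_TABLE"
            ;;
    esac
    return 0
}

# OpenVPN exports script_type and dev to its hook scripts. Both are empty
# when this file is run by hand, in which case nothing is changed.
cmd=$(plan_route_cmd "${script_type:-}" "${dev:-}")
if [ -n "$cmd" ]; then
    if $cmd 2>/dev/null; then
        logger -t openvpn-event "ok: $cmd"
    else
        # Expected when the client comes up while the server tunnel is down.
        logger -t openvpn-event "failed: $cmd"
    fi
fi
```

The script has to be executable and custom scripts have to be enabled on the router, as described on the wiki page linked above.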
 

dosborne

Very Senior Member
"Where would I find any sort of console where I would enter the code you gave?"
Use an SSH client to access your router ("putty" for example)
 
