What's new

Solved ASUS RT-AX86U Merlin 386.4 OpenVPN routing help/ideas

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

ivannn

New Around Here
Hello,

I have brand new AX86 running Merlin 386.4
A site-to-site Open vpn tunnel with a client AC66U_B1 running Merlin 386.4 is working well: Traffic from and to the local networks is routed through the VPN and I can access devices on each side via the tunnel. Accessing server side internet from hosts on the client side lan is possible.

I would like to route a Chromecast device (having a DHCP reservation) and plugged into the Openvpn server local network via the vpn tunnel for internet access at the client OVPN router side.
Tweaking IP settings such as setting up a static route on the Chromecast is not possible.

I am looking for ideas/help how to route all traffic from the Chromecast to the internet via the VPN rather than going out from local network's default gateway.
It seems I can't configure using VPN Director for this purpose since I only have WAN and Client VPN's interfaces and the OpenVPN server interfaces are not available.

What options are available for this use case?
Static routes on the OVPN server side router?
pushing routes to the OVPN config on any side?
iptables?
anything else?
 
Add the Chromecast's local IP (let's assume that's 192.168.2.100) as a static route to the OpenVPN server in the custom config field, using a route directive.

Code:
route 192.168.2.100 255.255.255.255 vpn_gateway

Or more simply (since 255.255.255.255 vpn_gateway is the default) ...

Code:
route 192.168.2.100
 
Thanks for the quick reply. Unfortunately this didn't work. I have tried to troubleshoot using a tablet instead of the chromecast. It shows "no internet" message for the wifi link. The routing table is updated upon adding an of these "route" instructions to the custom config field with the following:
192.168.155.110 10.16.155.2 255.255.255.255 UGH 0 0 0 tun22

Just in case I tried rebooting the router upon updating the configuration. Using ssh, I was pinging the IP address of the device from the router and noticed it starts timing out once the route instruction is applied.

here is a snapshot of the server config :

cat /tmp/etc/openvpn/server2/config.ovpn daemon ovpn-server2 topology subnet server 10.16.155.0 255.255.255.0 proto udp4 multihome port 1194 dev tun22 txqueuelen 1000 data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC data-ciphers-fallback AES-128-CBC keepalive 15 60 verb 3 push "route 192.168.155.0 255.255.255.0 vpn_gateway 500" client-config-dir ccd client-to-client route 192.168.144.0 255.255.255.0 push "dhcp-option DNS 192.168.155.1" push "redirect-gateway def1" plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn ca ca.crt dh dh.pem cert server.crt key server.key script-security 2 up 'ovpn-up 2 server' down 'ovpn-down 2 server' status-version 2 status status 5
 
Now that I think about it, suggesting route directives was dumb on my part. Static routes only apply to destination IPs, NOT source IPs!

What you need on the server side is routing policy, but the server doesn't offer that functionality. Your best option might be to establish an OpenVPN server on the client side, and OpenVPN client on the server side, so you can have that routing policy. But once you do that, then you might as well eliminate the site-to-site, in exhange for unidirectional VPNs (something I've done in the past when it made sense). IOW, two tunnels instead of one.
 
P.S. That's NOT to say you couldn't create your OWN routing policy script on the server side to handle it w/ the site-to-site VPN (something I would probably do if I was in the same situation). But I'm just thinking of how I would recommend others do it without having to leave the GUI. I try to avoid scripting as much as possible.
 
I have never tried unidirectional VPNs and frankly, in the past I had reverse server-client setup, but since I have replaced ac68 with ax86 I thought it would be smarter to use the one with more cores and native AES support as a server. From topology perspective it does not make so much sense and perhaps, I have to roll back my design :)

I am still wondering if I can grab the traffic from my chromecast on the router side and push via iptables to the vpn server interface and if this would be feasible at all.
 
I have never tried unidirectional VPNs and frankly, in the past I had reverse server-client setup, but since I have replaced ac68 with ax86 I thought it would be smarter to use the one with more cores and native AES support as a server. From topology perspective it does not make so much sense and perhaps, I have to roll back my design :)

I am still wondering if I can grab the traffic from my chromecast on the router side and push via iptables to the vpn server interface and if this would be feasible at all.

Again, you need routing policy on the server side. It's possible to script it, in much the same way the OpenVPN client uses routing policy to selectively route traffic over the VPN on the client side. It can be done. But you obviously know how to script it. And I suppose I could come up w/ something given a little time. But my thought was to leverage the *existing* routing policy support in the OpenVPN client on the server side. Whether you have one bidirectional (site-to-site) tunnel, or two unidirectional tunnels, it's NOT going to change the performance all that much. In that regard, each side is bound by the local router's performance capabilities, regardless which approach you take.
 
thanks again. I have reversed the VPN connection vector and it works well upon setting routing up in VPN Director.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top