Bi-Directional VPN using two Asus Routers via OpenVPN NOT WORKING .. argh :(

Discussion in 'VPN' started by speedyrules, Jun 1, 2020.

  1. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    hi guys,

    need your help!

    first, i have read the ultimate guide, which is pinned on the VPN forum.. and i also found/read 3 other threads which i worked through .. but i am being too stupid to get this running :(

    my setup

    router 1 - ASUS RT-AC87U
    running latest original firmware
    lan setting ip address router: 192.168.81.1
    subnet mask: 255.255.255.0
    openvpn - server


    router 2 - ASUS RT-AC68U
    running latest original firmware
    lan setting ip address router: 192.168.0.1
    subnet mask: 255.255.255.0
    openvpn - client
    client name "openvpn"

    the client connects.. and all devices behind the client can access all other servers in the router 1 lan
    BUT: i cannot access from a computer in router lan 1 to any server behind the router 2 lan
    for example i cannot access from my 192.168.81.158 to 192.168.0.4.

    what the heck am i doing wrong?
    maybe here some settings

    routing table at client

    Destination   Gateway       Genmask          Flags  Metric  Ref  Use  Type  Iface
    10.8.0.5      *             255.255.255.255  UH     0       0    0          tun15
    10.8.0.1      10.8.0.5      255.255.255.255  UGH    0       0    0          tun15
    xxx.xxx.42.1  *             255.255.255.255  UH     0       0    0    WAN0  eth0
    10.8.1.2      *             255.255.255.255  UH     0       0    0          tun21
    192.168.81.0  10.8.0.5      255.255.255.0    UG     0       0    0          tun15
    10.8.1.0      10.8.1.2      255.255.255.0    UG     0       0    0          tun21
    192.168.0.0   *             255.255.255.0    U      0       0    0    LAN   br0
    xxx.xxx.42.0  *             255.255.254.0    U      0       0    0    WAN0  eth0
    default       xxx.xxx.42.1  0.0.0.0          UG     0       0    0    WAN0  eth0

    routing table at server

    Destination   Gateway      Genmask          Flags  Metric  Ref  Use  Type  Iface
    10.8.0.2      *            255.255.255.255  UH     0       0    0          tun21
    xxx.xxx.2.1   *            255.255.255.255  UH     0       0    0    WAN0  vlan2
    169.254.39.0  *            255.255.255.0    U      0       0    0    LAN   br0
    192.168.81.0  *            255.255.255.0    U      0       0    0    LAN   br0
    xxx.xxx.2.0   *            255.255.255.0    U      0       0    0    WAN0  vlan2
    10.8.0.0      10.8.0.2     255.255.255.0    UG     0       0    0          tun21
    192.168.0.0   10.8.0.2     255.255.255.0    UG     0       0    0          tun21
    default       xxx.xxx.2.1  0.0.0.0          UG     0       0    0    WAN0  vlan2

    openvpn config in openvpn - server
    upload_2020-6-1_20-27-45.png

    upload_2020-6-1_20-28-39.png

    thanks for the help.. this situation is driving me nuts :O
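
Added example, not part of the original post: a longest-prefix-match lookup over the two routing tables above, tracing 192.168.81.158 -> 192.168.0.4 and the reply on each router. The masked WAN rows are reduced to a default route with a placeholder gateway (an assumption). Both routers hold kernel routes for the other LAN, so these tables alone do not account for the one-way reachability; what OpenVPN or the firewall does with the packet is not visible in them.

```python
import ipaddress

# Routes transcribed from the two tables posted above. The masked xxx.xxx WAN
# rows are represented only by a default route; "WAN gateway" is a placeholder.
CLIENT_ROUTES = [  # router 2, RT-AC68U (OpenVPN client)
    ("10.8.0.5/32", None, "tun15"),
    ("10.8.0.1/32", "10.8.0.5", "tun15"),
    ("10.8.1.2/32", None, "tun21"),
    ("192.168.81.0/24", "10.8.0.5", "tun15"),
    ("10.8.1.0/24", "10.8.1.2", "tun21"),
    ("192.168.0.0/24", None, "br0"),
    ("0.0.0.0/0", "WAN gateway", "eth0"),
]
SERVER_ROUTES = [  # router 1, RT-AC87U (OpenVPN server)
    ("10.8.0.2/32", None, "tun21"),
    ("169.254.39.0/24", None, "br0"),
    ("192.168.81.0/24", None, "br0"),
    ("10.8.0.0/24", "10.8.0.2", "tun21"),
    ("192.168.0.0/24", "10.8.0.2", "tun21"),
    ("0.0.0.0/0", "WAN gateway", "vlan2"),
]

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: return (prefix, gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)

def path(src, dst):
    """Egress interface each router picks for src -> dst and for the reply."""
    return {
        "server_fwd": lookup(SERVER_ROUTES, dst)[2],    # LAN 1 host -> router 1
        "client_fwd": lookup(CLIENT_ROUTES, dst)[2],    # router 2 -> LAN 2 host
        "client_reply": lookup(CLIENT_ROUTES, src)[2],  # reply enters router 2
        "server_reply": lookup(SERVER_ROUTES, src)[2],  # router 1 -> LAN 1 host
    }

if __name__ == "__main__":
    for hop, iface in path("192.168.81.158", "192.168.0.4").items():
        print(f"{hop:13s} -> {iface}")
```
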
     
  2. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    no one with ideas?
    maybe i can attract @David Gursky to have a look and help? :)
     
  3. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
  4. Klueless

    Klueless Very Senior Member

    Joined:
    Jan 1, 2016
    Messages:
    903
    Location:
    Rochester, NY
    Thanks for the "shout out" but it's been awhile since I played with OpenVPN. It was fun, it was exciting, it worked but I dropped it when I realized Internet latency rendered my legacy database application useless.

    After reading your post you're already far more advanced than me so do take what I say with a grain of salt. I never expected that one could do what you want.

    The "server" is set to share its privates. As a "client" I'm looking to access information, I am not looking to share my privates. My thought was that you would have to set both routers to be "servers" to each other and both routers to be "clients" to each other. That was going to be my approach but I never got that far. Probably just as well. I read elsewhere a user did exactly that but he's reporting his own set of problems so that may not be the answer either.

    With many apologies but I truly am "Klueless". Perhaps you might have something in common with the gentleman who posted this ==> https://www.snbforums.com/threads/b...site-to-site-with-two-rt-ac66u-routers.36891/
     
    Last edited: Jun 4, 2020
  5. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    thanks for the reply @Klueless ! any 2 cents help :)

    i did try setting both as servers and clients at the same time .. giving both different vpn ranges and ports.. the issue i ran into was that the routing tables were facing errors. this because the "automated" settings tried to make "doubled"/"conflicting" entries. so i gave up on that ..

    but thanks for the hint with @Mikael Johansson .. will see if he got any further
     
  6. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    17
    I am just reading your request for help. I have a working solution between my home and cottage. I can connect to devices on the client VPN router. It automatically reconnects to the VPN server (home router) should the connection ever get lost.

    To start with, you will need to install Merlin code on your ASUS routers as it provides extra tuning options you will need. Next you will need to switch the VPN connection to TAP (a LAN VPN vs TUN - a routed VPN). With TAP, the LAN sides have to be the same subnet. Also you have to disable firewalling to allow the server side devices to connect to client side devices, a configuration option the stock ASUS code does not have.
    Check out some comments I posted here... https://www.snbforums.com/index.php?posts/544947 and contact me if you have further issues.

    Regards, Peter

    Sent from my Pixel using Tapatalk
     
  7. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    @Pej5 thanks for the reply!

    i am scared a bit of installing merlin, since i am just crap in doing stuff like that :)

    maybe first a general question: you say: "switch the VPN connection to TAP (a LAN VPN vs TUN - a routed VPN). With TAP, the LAN sides have to be the same subnet"
    in this case you mean router 1 and router 2 would be in the same 192.168.81.0 network?
    would then all the internet traffic from router 2 be routed over router 1 to the internet? (right now the router 2 network only routes over router 1 when ips from router 1 network are needed)
    this would be not necessarily my optimal solution .. but..if this is the only way to get it working..

    about the need of merlin:
    with the stock firmware i can change as far as i know everything that is mentioned in https://www.snbforums.com/index.php?posts/544947 except maybe "Create NAT on tunnel = No (allowing client LAN IP addresses through directly without NATing), and Inbound Firewall = No (allowing Server traffic through to client LAN)". but i am not sure if these options did actually help you to solve the problem.

    and what are your settings with: "Allow Client <-> Client" and "Allow only specified clients" .. i have both on "No" ..
     
  8. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    17
    I'll answer in order.

    The Merlin code installed as easily as a standard code upgrade.

    With TAP, yes both would have to be Net 81 or any subnet so long as they match. I chose to enable DHCP on each router with ranges .1 to .96 on one, and .200 to .254 on the other. (See last comment below.)
    You can still use the Local Internet on the router with VPN client. This is how I use it.

    Merlin features: Inbound Firewall = No (allowing Server traffic through to client LAN)". This one is critical for what you want to do. You want devices on the VPN Server side to be able to access devices on the VPN client side and the stock ASUS code protects Client side with a firewall that cannot be disabled.
    I cannot find the Create NAT feature you mention.
    I allow client to client

    Finally, there seems to be a new feature where the LAN subnets may be different. I do not recall that when I configured. Not sure how that would work.

    Hope this helps.

    Peter



     
  9. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    thanks for answering!

    so, just uploading the firmware file and push "upload"?
    - how do i get back to stock firmware?

    very clever splitting the ranges of the subnet.. somehow i was just not thinking of that ..
    so you are also saying i would not need any extra settings for using the local internet?

    maybe i try first just disabling the complete firewall to see where i get with this. there is no "Inbound Firewall" setting as i can see in the stock.. but with generally disabling the firewall i should i might get some more infos why i am stuck..
    also will try TAP and the client 2 client setting .. and if i am still stuck.. merlin :)

    if anyone has any more tips, i would appreciate any 2 cents :)

    thanks again!

    will take a while.. but i will keep you guys posted!
     
  10. speedyrules

    speedyrules Occasional Visitor

    Joined:
    Feb 26, 2016
    Messages:
    13
    here 2 pics from settings in the stock firmware
    upload_2020-6-8_11-3-55.png


    probably could also play with this here to get things through? whitelisting the router 2 network? .. how would i whitelist all of it??
    upload_2020-6-8_11-4-38.png
     
  11. Pej5

    Pej5 Occasional Visitor

    Joined:
    Jun 29, 2018
    Messages:
    17
    so, just uploading the firmware file and push "upload"?
    - how do i get back to stock firmware?

    Correct, and just upload the stock firmware if you want to switch back. Merlin looks like ASUS code, but with more features. (Maybe ASUS code looks like Merlin)

    so you are also saying i would not need any extra settings for using the local internet?

    Correct. Select LAN only in the VPN server config.

    maybe i try first just disabling the complete firewall to see where i get with this.

    Not a good idea as that disables protection from the Internet to all your devices. The Merlin setting only removes it from the private tunnel between routers and you are in control of both ends.

    You may have to message me to get my attention as I do not follow this list daily.

