Bidirectional OpenVPN between two networks

Igor

Regular Contributor
Hello!

I have two networks: 192.168.1.0/24 and 192.168.50.0/24. Both networks are behind Asus routers with the latest Merlin firmware installed. The router with 192.168.1.1 connects to the Internet via L2TP (static IP), 192.168.50.1 via a USB modem (DHCP). The task is to connect the two networks 192.168.1.0/24 and 192.168.50.0/24. How do I build a bidirectional OpenVPN connection between the two networks?

I've tried building like this:
Run OpenVPN server (TUN) on a router with 192.168.1.1
Run OpenVPN client (TUN) on a router with 192.168.50.1
A 10.8.0.0/24 network has formed between the client and the server

traceroute from 192.168.50.2 to 192.168.1.2 Ok
traceroute from 192.168.1.2 to 192.168.50.2 problem

It's the same from routers.
traceroute from 192.168.50.1 to 192.168.1.1 Ok
traceroute from 192.168.1.1 to 192.168.50.1 problem

Help me please.

OpenVPN Server:
[email protected]:/tmp/home/root# cat /etc/openvpn/server1/config.ovpn
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
txqueuelen 1000
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

OpenVPN Client:
[email protected]:/tmp/home/root# cat /etc/openvpn/client1/config.ovpn
daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto tcp-client
remote xxx.xxx.xxx.xxx 1194
connect-retry-max 15
nobind
persist-key
persist-tun
comp-lzo adaptive
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
route-noexec
ca ca.crt
cert client.crt
key client.key
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
route-up 'ovpn-route-up'
route-pre-down 'ovpn-route-pre-down'
script-security 2
route-delay 2
verb 3
status-version 2
status status 5

# Custom Configuration
resolv-retry infinite
float
keepalive 15 60
remote-cert-tls server
 

eibgrad

Part of the Furniture
In order for communications to be initiated from the server side to the client side, you have to configure the Manage Client-Specific Options section of the OpenVPN server w/ the private IP network(s) of the particular OpenVPN client in question. You identify that specific client to the OpenVPN server in that section based on the CN (common-name) of its client cert. This assumes every OpenVPN client has its own unique client cert and CN. If they don't, but instead you're sharing the same cert w/ other OpenVPN clients, but each user has their own username/password, you should be able to use the username as the CN.

P.S. Also make sure the Inbound Firewall setting on the OpenVPN client is set to Allow.
 

Igor

Regular Contributor

eibgrad

Thank you for the clarification! Do I understand correctly what I need to change:

OpenVPN Server:
1. "Manage Client-Specific Options" - On
2. Add "Common Name(CN)" network 192.168.50.0 255.255.255.0 push - yes

OpenVPN Client:
"Inbound Firewall" - Allow.

After these changes, access to the network from the OpenVPN server did not appear.
 

eibgrad

Part of the Furniture
You do NOT push that network to the OpenVPN client. You merely use the entry to tell the OpenVPN server what lies behind that OpenVPN client.

IIRC, the CN defaults to 'client' (no quotes) if you're not using a username/password. If you've configured things correctly, you should now see the following in the server's config file.

Code:
client-config-dir ccd
route 192.168.50.0 255.255.255.0

And an iroute directive w/ the same IP network in a file (by same name as the client's CN) in the CCD directory.

Code:
cat /tmp/etc/openvpn/server1/ccd/client

Of course, the OpenVPN server has to allow LAN only or Both for "Client will use VPN to access" too. At that point, it should be working. But if it's NOT, then either you have the CN wrong, or else it's probably a firewall issue w/ the device you're trying to reach.
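The two server-side pieces described in this thread (the `route` plus `client-config-dir` lines in the server config, and an `iroute` in a CCD file named after the client's CN, with the client LAN not pushed back to the client) are easy to get subtly wrong. The following script is an added example, not code from the thread or from the Merlin firmware: it parses a server config and a set of CCD files and reports which of those pieces is missing. All sample configs and file names in it are constructed for illustration.

```python
"""Consistency check for an OpenVPN site-to-site server configuration.

Added example (not from the forum thread). It checks the three things the
thread's fix depends on:
  1. the server config names a `client-config-dir`,
  2. the client LAN has both a server-side `route <net> <mask>` and an
     `iroute <net> <mask>` in the CCD file named after the client cert's CN,
  3. the client LAN is NOT also pushed to clients via `push "route ..."`,
     which would give the client a tunnel route to its own LAN.
"""
import shlex


def parse_server_config(text):
    """Return (client_config_dir, [route tuples], [pushed route tuples])."""
    ccd_dir, routes, pushed = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # OpenVPN comment lines
            continue
        words = shlex.split(line)              # handles quoted push options
        if words[0] == "client-config-dir" and len(words) > 1:
            ccd_dir = words[1]
        elif words[0] == "route" and len(words) >= 3:
            routes.append((words[1], words[2]))
        elif words[0] == "push" and len(words) > 1:
            inner = words[1].split()           # contents of the quoted string
            if len(inner) >= 3 and inner[0] == "route":
                pushed.append((inner[1], inner[2]))
    return ccd_dir, routes, pushed


def parse_iroutes(text):
    """Return the (network, netmask) tuples of every iroute in a CCD file."""
    iroutes = []
    for raw in text.splitlines():
        words = raw.strip().split()
        if len(words) >= 3 and words[0] == "iroute":
            iroutes.append((words[1], words[2]))
    return iroutes


def check_site_to_site(server_cfg, ccd_files, client_cn, client_lan):
    """Return a list of findings; an empty list means the config looks right.

    server_cfg: text of the server's config.ovpn
    ccd_files:  dict mapping CCD file name -> file content
    client_cn:  CN of the client cert (the thread says Merlin defaults to 'client')
    client_lan: (network, netmask) of the LAN behind that client
    """
    findings = []
    ccd_dir, routes, pushed = parse_server_config(server_cfg)
    if ccd_dir is None:
        findings.append("server config lacks 'client-config-dir'; CCD files are never read")
    if client_lan not in routes:
        findings.append("server config lacks 'route %s %s'" % client_lan)
    if client_lan in pushed:
        findings.append("client LAN %s/%s is pushed to clients; remove that push" % client_lan)
    ccd = ccd_files.get(client_cn)
    if ccd is None:
        findings.append("no CCD file named '%s'; it must match the client cert CN" % client_cn)
    elif client_lan not in parse_iroutes(ccd):
        findings.append("CCD file '%s' lacks 'iroute %s %s'" % ((client_cn,) + client_lan))
    return findings


# Constructed sample: server config after the fix described in the thread.
GOOD_SERVER = """\
server 10.8.0.0 255.255.255.0
topology subnet
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
route 192.168.50.0 255.255.255.0
"""
# Constructed sample: the mistake from the thread (client LAN pushed, no route/iroute).
BAD_SERVER = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "route 192.168.50.0 255.255.255.0"
"""
GOOD_CCD = {"client": "iroute 192.168.50.0 255.255.255.0\n"}
CLIENT_LAN = ("192.168.50.0", "255.255.255.0")

if __name__ == "__main__":
    for name, cfg, ccd in (("good", GOOD_SERVER, GOOD_CCD), ("bad", BAD_SERVER, {})):
        print(name, "->", check_site_to_site(cfg, ccd, "client", CLIENT_LAN) or "OK")
```

To run it against a real router, read `/etc/openvpn/server1/config.ovpn` and the files under the CCD directory into `server_cfg` and `ccd_files`; the CN argument must be the exact file name the firmware writes into that directory.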
 

JGrana

Very Senior Member
Yes, thanks @eibgrad! I had tried to set up my OpenVPN as a simple bidirectional connection to/from my cabin/home.
Server was running at the cabin AX86U. I could go from client (home) to cabin fine. But, could never go the other direction.
After reading this post, I discovered I had “pushed” the route from server to client AND did not allow inbound firewall.

Now - fully bi-directional!
 
