
Bidirectional OpenVPN between two networks

Igor

Regular Contributor
Hello!

I have two networks: 192.168.1.0/24 and 192.168.50.0/24. Both networks are behind Asus routers with the latest Merlin firmware installed. A router with 192.168.1.1 connects to the Internet via L2TP (static IP), 192.168.50.1 via USB-modem (DHCP). The task is to connect two networks 192.168.1.0/24 and 192.168.50.0/24. How to build bi-directional OpenVPN between two networks?

I've tried building like this:
Run OpenVPN server (TUN) on a router with 192.168.1.1
Run OpenVPN client (TUN) on a router with 192.168.50.1
A 10.8.0.0/24 network has formed between the client and the server

traceroute from 192.168.50.2 to 192.168.1.2 Ok
traceroute from 192.168.1.2 to 192.168.50.2 problem

It's the same from the routers.
traceroute from 192.168.50.1 to 192.168.1.1 Ok
traceroute from 192.168.1.1 to 192.168.50.1 problem

Help me please.

OpenVPN Server:
server@RT-AC68U:/tmp/home/root# cat /etc/openvpn/server1/config.ovpn
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
txqueuelen 1000
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

OpenVPN Client:
client@RT-AX68U:/tmp/home/root# cat /etc/openvpn/client1/config.ovpn
daemon ovpn-client1
client
dev tun11
txqueuelen 1000
proto tcp-client
remote xxx.xxx.xxx.xxx 1194
connect-retry-max 15
nobind
persist-key
persist-tun
comp-lzo adaptive
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
route-noexec
ca ca.crt
cert client.crt
key client.key
up 'ovpn-up 1 client'
down 'ovpn-down 1 client'
route-up 'ovpn-route-up'
route-pre-down 'ovpn-route-pre-down'
script-security 2
route-delay 2
verb 3
status-version 2
status status 5

# Custom Configuration
resolv-retry infinite
float
keepalive 15 60
remote-cert-tls server
 
In order for communications to be initiated from the server side to the client side, you have to configure the Manage Client-Specific Options section of the OpenVPN server w/ the private IP network(s) of the particular OpenVPN client in question. You identify that specific client to the OpenVPN server in that section based on the CN (common-name) of its client cert. This assumes every OpenVPN client has its own unique client cert and CN. If they don't, but instead you're sharing the same cert w/ other OpenVPN clients, but each user has their own username/password, you should be able to use the username as the CN.

P.S. Also make sure the Inbound Firewall settings on the OpenVPN client is set to Allow.
 
eibgrad

Thank you for the clarification! Do I understand correctly what I need to change:

OpenVPN Server:
1. "Manage Client-Specific Options" - On
2. Add "Common Name(CN)" network 192.168.50.0 255.255.255.0 push - yes

OpenVPN Client:
"Inbound Firewall" - Allow.

After these changes, access to the network from the OpenVPN server did not appear.
 
You do NOT push that network to the OpenVPN client. You merely use the entry to tell the OpenVPN server what lies behind that OpenVPN client.

IIRC, the CN defaults to 'client' (no quotes) if you're not using a username/password. If you've configured things correctly, you should now see the following in the server's config file.

Code:
client-config-dir ccd
route 192.168.50.0 255.255.255.0

And an iroute directive w/ the same IP network in a file (by same name as the client's CN) in the CCD directory.

Code:
cat /tmp/etc/openvpn/server1/ccd/client

Of course, the OpenVPN server has to allow LAN only or Both for "Client will use VPN to access" too. At that point, it should be working. But if it's NOT, then either you have the CN wrong, or else it's probably a firewall issue w/ the device you're trying to reach.
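The route/iroute pairing eibgrad describes (in the reply above and in the earlier one about Manage Client-Specific Options) is easy to get half right, and the symptom is exactly the one-way traffic in this thread. The following is an added example, not part of this thread and not Merlin firmware code: a small Python linter that reads a copy of the server config and the contents of the ccd/ directory and reports a client LAN that is `route`d but has no `iroute`, an `iroute` with no matching `route`, a client LAN that is also `push`ed back to the client, and a CN with no ccd file. The sample configs are constructed inline from the thread's own addresses; the CN "client", the file names and the function names are assumptions.

```python
"""Lint an OpenVPN server config plus its ccd/ files for site-to-site
mistakes: route without iroute, iroute without route, a client LAN pushed
back to its own client, and a CN that has no ccd file.
All input below is constructed; nothing is read from a real router."""

import ipaddress
import shlex


def parse_directives(text):
    """Yield (directive, args) per config line.
    push "route a b" is unwrapped to ('push', ['route', 'a', 'b'])."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            parts = ["push"] + shlex.split(parts[1])
        yield parts[0], parts[1:]


def _net(addr, mask):
    # ip_network accepts dotted netmasks, so "192.168.50.0/255.255.255.0" -> 192.168.50.0/24
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def lint_site_to_site(server_conf, ccd_files, expected_cns=()):
    """server_conf: text of the server config.
    ccd_files: {filename (== client CN): file text} for the client-config-dir.
    expected_cns: CNs the clients really present (assumed known to the admin).
    Returns {finding: sorted list of strings}; an empty dict means clean."""
    server_routes, pushed = set(), set()
    has_ccd_dir = False
    for d, args in parse_directives(server_conf):
        if d == "client-config-dir":
            has_ccd_dir = True
        elif d == "route" and len(args) >= 2:
            server_routes.add(_net(args[0], args[1]))
        elif d == "push" and args[:1] == ["route"] and len(args) >= 3:
            pushed.add(_net(args[1], args[2]))

    iroutes = {}  # network -> ccd filename that claims it
    for cn, text in ccd_files.items():
        for d, args in parse_directives(text):
            if d == "iroute" and len(args) >= 2:
                iroutes[_net(args[0], args[1])] = cn

    findings = {
        # kernel sends the LAN into tun, but OpenVPN does not know which client owns it
        "route_without_iroute": sorted(server_routes - set(iroutes)),
        # OpenVPN knows the client, but the kernel never hands it the packets
        "iroute_without_route": sorted(f"{cn}: {n}" for n, cn in iroutes.items()
                                       if n not in server_routes),
        # the mistake from the thread: a client LAN pushed back to the client
        # (in a hub with several sites, pushes of *other* sites' LANs are legitimate)
        "client_lan_pushed_to_client": sorted(pushed & server_routes),
        "cn_without_ccd_file": sorted(cn for cn in expected_cns if cn not in ccd_files),
    }
    if ccd_files and not has_ccd_dir:
        findings["client_config_dir_missing"] = ["client-config-dir not set; ccd files are ignored"]
    return {k: v for k, v in findings.items() if v}


# Constructed sample: the thread's server config plus the two lines Merlin adds
# when "Manage Client-Specific Options" is enabled, and the ccd file for CN "client".
SERVER_OK = """
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
route 192.168.50.0 255.255.255.0
"""
CCD_OK = {"client": "iroute 192.168.50.0 255.255.255.0\n"}

# Broken variant: client LAN also pushed, and the ccd file named with the wrong CN.
SERVER_BAD = SERVER_OK + 'push "route 192.168.50.0 255.255.255.0"\n'
CCD_BAD = {"Client": "iroute 192.168.50.0 255.255.255.0\n"}

if __name__ == "__main__":
    print(lint_site_to_site(SERVER_OK, CCD_OK, expected_cns=["client"]))
    print(lint_site_to_site(SERVER_BAD, CCD_BAD, expected_cns=["client"]))
```

Run it against `cat /tmp/etc/openvpn/server1/config.ovpn` and the files under `ccd/` copied off the router; the ccd file name must match the CN exactly (case included), which is why the broken variant is caught by `cn_without_ccd_file` rather than by a missing iroute.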
 
Yes, thanks @eibgrad! I had tried to set up my OpenVPN as a simple bi-directional connection to/from my cabin/home.
Server was running at the cabin AX86U. I could go from client (home) to cabin fine. But, could never go the other direction.
After reading this post, I discovered I had “pushed” the route from server to client AND did not allow inbound firewall.

Now - fully bi-directional!
 
Hello @eibgrad, sorry to resurrect an old post, but I have the same problem with achieving bi-directional communication between a second home's network (192.168.21.XXX) and my main home (192.168.23.XXX).

I have tried to follow your instructions, but am still not getting there. My knowledge of OpenVPN is very poor.

These are the settings on the VPN server on my router:
[Screenshot: VPN General Settings.png]

[Screenshot: VPN Server Set Up.png]

At the client end, I have a basic fibre router supplied by the ISP, which does not have OpenVPN built in, so I have OpenVPN Connect running on my Windows 11 PC there. I can connect fine from the client to the server and can ping the IP address of the VPN server in my Asus Merlin router at home from the remote client, but not the devices on the home network. I am not able to ping IP addresses on the client's side from my main home server side.

So far I have:
  • Selected manage client specific options to yes
  • Added username-as-common-name to the custom configuration
  • set up a username specifically for this connection
  • Opened UDP port 1194 through my remote (client-side) router to the OpenVPN Windows 11 PC
  • Opened the firewall on the Windows PC to allow UDP 1194
  • Placed an exception for OpenVPN Connect in the firewall on the remote Windows PC
  • Turned off the firewall for private networks on the remote Windows PC
I'm still not able to ping the client Windows PC or any other devices there (e.g. cameras).

One step I do not understand is:

"OpenVPN Client: Inbound Firewall - Allow". The OpenVPN Connect app does not seem to have this option available. Where would I add that instruction or select this option?

I have two basic symptoms:

1) I can't see the IP addresses in the home network from the client side
2) I can't see the client or its LAN from the server side

Can anybody see what I am missing or doing wrong? Please be kind and explain any ideas clearly so I can implement them (remember I'm an OpenVPN Noob).

Thanks in advance.
 
