Can someone give me dummy guide on access LAN ip with OpenVPN?

One other thing, just to double check: when you try to access eg 192.168.0.200, I assume you are entering that and not the local hostname in the address bar on your browser.
 
I basically followed that guide completely but it's not helping. Here are the logs

From the server side

Feb 19 01:49:24 openvpn[2839]: 184.151.179.221 TLS: Initial packet from [AF_INET6]::ffff:184.151.179.221:17114, sid=e4e5f4c5 30dbe4e0
Feb 19 01:49:24 openvpn[2839]: 184.151.179.221 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
Feb 19 01:49:24 openvpn[2839]: 184.151.179.221 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_VER=3.2
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_PLAT=ios
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_NCP=2
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_TCPNL=1
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_PROTO=2
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_LZO_STUB=1
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_COMP_STUB=1
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_COMP_STUBv2=1
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 peer info: IV_AUTO_SESS=1
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Feb 19 01:49:25 openvpn[2839]: 184.151.179.221 [client] Peer Connection Initiated with [AF_INET6]::ffff:184.151.179.221:17114
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 MULTI: Learn: 10.8.0.2 -> client/184.151.179.221
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 MULTI: primary virtual IP for client/184.151.179.221: 10.8.0.2
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 PUSH: Received control message: 'PUSH_REQUEST'
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.0.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 Data Channel: using negotiated cipher 'AES-128-GCM'
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 Data Channel Encrypt: Cipher 'AES-128-GCM' initialized with 128 bit key
Feb 19 01:49:25 openvpn[2839]: client/184.151.179.221 Data Channel Decrypt: Cipher 'AES-128-GCM' initialized with 128 bit key


From the client side


2019-02-19 00:49:24 1
2019-02-19 00:49:24 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04
2019-02-19 00:49:24 Frame=512/2048/512 mssfix-ctrl=1250
2019-02-19 00:49:24 UNUSED OPTIONS
5 [ncp-ciphers] [AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC]
13 [resolv-retry] [infinite]
14 [nobind]
2019-02-19 00:49:24 EVENT: RESOLVE
2019-02-19 00:49:24 Contacting [64.231.207.9]:1194/UDP via UDP
2019-02-19 00:49:24 EVENT: WAIT
2019-02-19 00:49:24 Connecting to [DOMAIN]:1194 (64.231.207.9) via UDPv4
2019-02-19 00:49:24 EVENT: CONNECTING
2019-02-19 00:49:24 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2019-02-19 00:49:24 Creds: UsernameEmpty/PasswordEmpty
2019-02-19 00:49:24 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
2019-02-19 00:49:25 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, emailAddress=me@myhost.mydomain
issued on : 2019-02-12 04:42:43
expires on : 2029-02-09 04:42:43
signed using : RSA with SHA-256
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2019-02-19 00:49:25 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2019-02-19 00:49:25 Session is ACTIVE
2019-02-19 00:49:25 EVENT: GET_CONFIG
2019-02-19 00:49:25 Sending PUSH_REQUEST to server...
2019-02-19 00:49:25 OPTIONS:
0 [route] [192.168.0.0] [255.255.255.0] [vpn_gateway] [500]
1 [dhcp-option] [DNS] [192.168.0.1]
2 [redirect-gateway] [def1]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [15]
6 [ping-restart] [60]
7 [ifconfig] [10.8.0.2] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-128-GCM]
2019-02-19 00:49:25 PROTOCOL OPTIONS:
cipher: AES-128-GCM
digest: SHA1
compress: COMP_STUB
peer ID: 0
2019-02-19 00:49:25 EVENT: ASSIGN_IP
2019-02-19 00:49:25 NIP: preparing TUN network settings
2019-02-19 00:49:25 NIP: init TUN network settings with endpoint: 64.231.207.9
2019-02-19 00:49:25 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
2019-02-19 00:49:25 NIP: adding (included) IPv4 route 10.8.0.0/24
2019-02-19 00:49:25 NIP: adding (included) IPv4 route 192.168.0.0/24
2019-02-19 00:49:25 NIP: redirecting all IPv4 traffic to TUN interface
2019-02-19 00:49:25 NIP: adding DNS 192.168.0.1
2019-02-19 00:49:25 Connected via NetworkExtensionTUN
2019-02-19 00:49:25 LZO-ASYM init swap=0 asym=1
2019-02-19 00:49:25 Comp-stub init swap=1
2019-02-19 00:49:25 EVENT: CONNECTED DOMAIN:1194 (64.231.207.9) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
 
One other thing, just to double check: when you try to access eg 192.168.0.200, I assume you are entering that and not the local hostname in the address bar on your browser.

Yes I was putting in the ip in the browser.

But regardless right now I cannot access SSH, HTTP or any services in the LAN
I cannot browse the internet
I can ping all local IPs
 
Yes I was putting in the ip in the browser.

But regardless right now I cannot access SSH, HTTP or any services in the LAN
I cannot browse the internet
I can ping all local IPs

You said “You have to mess with iptables and directives and all kind of crap. ”. Can you disable/undo, temporarily if you like, anything you’ve done in that respect? The fact that you can ping the LAN devices but not reach them by other services is significant - DNS or firewall issue?

OpenVPN is now almost always a works-first-time setup with no specialist knowledge required. In fact, there ought to be a warning in big red letters on the OpenVPN page: Specialist knowledge can be harmful.
 
Hope I'm posting in the correct area.

I am currently overseas (Asia - Philippines) and was looking to use an Apple TV. Geo-blocking caused me to look for a router and VPN solution. I decided on the ASUS since it was highly recommended by NORD VPN. However I went with their latest Blue Cave. Features all seem pretty good and comparable to the 87 and 88Us however the signal strength isn't quite as strong. But it did have Amazon Echo and IFTTT support built in which was the final determining factor.

My issue is the OpenVPN - Since I'm trying to use a VPN from the US (8000 miles away) I see a huge loss in speed. My Modem is Uploading and Downloading at 25Mbps, while the ASUS Blue Cave via VPN is only yielding 3-5Mbps. That's a pretty substantial loss considering my goal was to stream video.

Any ideas on where I could improve?

Also - I have the Blue Cave direct (via LAN) to the Apple TV. Can I use OpenVPN to the LAN connection ONLY leaving the router to broadcast (Non VPN) at higher speeds for use in the home??

-- Dave

Hello Dave

Welcome to the forum but you must be in the wrong place. Asus Blue Cave is not supported by Merlin, so you can’t be using his firmware. So this really is the wrong place to ask. And even if you were using Merlin’s firmware on a supported Asus router, the nature of your question is such that you might have got a better response from a forum dedicated to OpenVPN problems.
 
Thanks Martin - I couldn't figure out how to create a post - thought maybe it was a limited feature on a new account.

Using an ASUS Blue Cave - not running Merlin although I have looked it up a bit. Not familiar, and not opposed to trying it, but once I leave here my wife will be stuck if it goes down. I can't really walk her through too many settings over the phone

-- Dave
Hi Dave
Whilst you were replying, I realised your router was a Blue Cave, something I’ve never heard of, so I re-wrote my post. If you now look at my post you’ll see it’s quite different to the one you replied to.

I don’t think you’ll get an answer to your question here, not because people don’t want to help, but because your problem is unrelated to Merlin’s firmware and is quite specific to running a vpn. I really would try posting in an OpenVPN forum, though it’s still possible someone here might have some thoughts.
 
Actually we've made progress! By turning on "direct clients", regular internet traffic broke as well! So nothing works now! :p

So changing “Direct clients to redirect internet traffic” to yes had the very opposite effect: you could access the Internet with it set to No but not when set to Yes! And I presume you set it back to No and, despite that, you still can’t access the Internet?
 
You said “You have to mess with iptables and directives and all kind of crap. ”. Can you disable/undo, temporarily if you like, anything you’ve done in that respect? The fact that you can ping the LAN devices but not reach them by other services is significant - DNS or firewall issue?

OpenVPN is now almost always a works-first-time setup with no specialist knowledge required. In fact, there ought to be a warning in big red letters on the OpenVPN page: Specialist knowledge can be harmful.

So I removed the directives at the bottom of that config page. It doesn't seem to help.

I've not had to make any changes to the iptables but I've read threads on this forum where some suggested in doing it.

I don't think it's a DNS issue, because I'm trying to access http://192.168.0.200 which wouldn't need DNS.

I don't think it's a firewall issue because I literally cannot access any device.
 
So changing “Direct clients to redirect internet traffic” to yes had the very opposite effect: you could access the Internet with it set to No but not when set to Yes! And I presume you set it back to No and, despite that, you still can’t access the Internet?

I can access the internet when set to No (because basically it's just using its own WAN connection). I cannot access internet when set to Yes.

What this seems to suggest is that the vpn connection cannot route any traffic at all, outside of pings. So when the client is told to use the VPN for internet traffic, it would fail. When the client is told to use its own connection, of course it works.
 
How are you connecting with your iPhone; from a remote wifi or via 3G/4G?

I’m no expert at gaining every last ounce of info from the logfiles but clearly you are connected. And one thing I noticed prompted me to point out a “gotcha”. If your home network address is, say, 192.168.0.0, and your remote device coincidentally is on a network with the identical 192.168.0.0 network address, you have a potential conflict when you enter the IP address into your browser. So it’s best to have your home network address as something you’re unlikely to encounter remotely e.g. 192.168.91.0.

I don’t suppose that’s the problem?
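The address-range "gotcha" above can be checked mechanically before blaming the router. The script below is an added example, not code from the thread or from the router firmware: it reduces two CIDR prefixes to integers and reports whether the home LAN and the network the VPN client sits on overlap. The prefix lengths (/24) are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect the address-range "gotcha"
# where the home LAN and the remote network the VPN client is on use the
# same private range. Prefixes are given in CIDR form, e.g. 192.168.0.0/24.

# ip_to_int 192.168.0.200 -> 3232235720 (dotted quad as one integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# network_of 192.168.0.200/24 -> 3232235520 (host bits cleared under the prefix length)
network_of() {
    ip=${1%/*}
    bits=${1#*/}
    mask=$(( ((1 << bits) - 1) << (32 - bits) ))
    echo $(( $(ip_to_int "$ip") & mask ))
}

# cidr_overlap A B: exit 0 when the two prefixes share at least one address,
# i.e. both networks are equal once reduced to the shorter prefix length
cidr_overlap() {
    short=${1#*/}
    if [ "${2#*/}" -lt "$short" ]; then short=${2#*/}; fi
    [ "$(network_of "${1%/*}/$short")" -eq "$(network_of "${2%/*}/$short")" ]
}

# lan_conflict_check HOME_LAN REMOTE_LAN: verdict for the scenario in the post above
lan_conflict_check() {
    if cidr_overlap "$1" "$2"; then
        echo "CONFLICT: home LAN $1 overlaps remote network $2; a LAN IP typed into the browser is ambiguous"
    else
        echo "OK: home LAN $1 and remote network $2 are distinct"
    fi
}

# Constructed sample inputs: the clash described in the post, then the suggested fix
lan_conflict_check 192.168.0.0/24 192.168.0.0/24
lan_conflict_check 192.168.91.0/24 192.168.0.0/24
```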
 
Did you try another subnet mask? Instead of 255.255.255.0 try 255.255.0.0 for your VPN.
 
Hi, try this,
assuming you got a ddns set up....
1-press "default" on the openvpn server page to clear all your settings.
2- reboot
3-configure the openvpn server and use "TCP" protocol
username/password authentication "yes" ( setup a user name and password or use you router username/password as login credentials )
push lan to clients "yes"
respond to dns "yes"
advertise and to clients "yes"
Do not add any custom configs at this stage.
4-export open vpn config file and reload it onto client device,
test it over 3g or any other network besides the one running the open vpn server.
Good luck
 
EDIT: Never mind my rambling on this post, per @ColinTaylor post below, the firmware already does this.

I have seen this question more often on the DD-WRT forum. The main issue I see is people cannot access their NAS devices when connected to the router over OpenVPN. In this example the:

Code:
LAN network is: 192.168.1.1/24
OpenVPN network is: 10.0.0.1/24

The solution is to add a push route in the OpenVPN Additional Config to tell the remote client to use the tunnel to reach your LAN IPs:
Code:
push "route 192.168.1.0 255.255.255.0"

If this still does not work, then we may need to add some firewall rules to tell the firewall to allow traffic between the VPN tunnel and the LAN:
Code:
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
I have not tested any of this and am not sure if the firewall rules will work. I see this topic come up more in the DD-WRT forum. Here are the two threads I referenced to cobble this reply together. @eibgrad is the expert on this topic. I have seen him appear here a few times, but mainly in the DD-WRT forum.

Reference:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=870201
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1079262
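The two checks the post above suggests (is the LAN route being pushed, and does the FORWARD chain accept tun0 traffic in both directions) can be read off the server log and `iptables -S FORWARD` rather than guessed at. The script below is an added diagnostic, not code from the thread or from the firmware; the PUSH_REPLY line and the rule listings are constructed samples modelled on the logs in this thread, and the network numbers follow the post's example (LAN 192.168.1.0/24, tunnel 10.0.0.0/24).

```shell
#!/bin/sh
# Added diagnostic (not from the thread): given the server's PUSH_REPLY log line
# and the output of `iptables -S FORWARD`, report whether the LAN route was pushed
# to the client and whether FORWARD accepts traffic into and out of tun0.
# All three inputs are constructed samples shaped like the thread's logs.
SAMPLE_PUSH_REPLY="Feb 19 01:49:25 openvpn[2839]: client/203.0.113.5 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.0.0.1,topology subnet,ifconfig 10.0.0.2 255.255.255.0' (status=1)"
FORWARD_WITH_TUN="-P FORWARD DROP
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT"
FORWARD_NO_TUN="-P FORWARD DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT"

# pushed_option LINE NAME: value of the named option inside a PUSH_REPLY log line
# (one line per occurrence; empty output when the server did not push it)
pushed_option() {
    printf '%s\n' "$1" \
      | sed -n "s/.*'PUSH_REPLY,\(.*\)' (status=.*/\1/p" \
      | tr ',' '\n' \
      | sed -n "s/^$2 //p"
}

# forward_allows_tun RULES: success when FORWARD accepts both -i tun0 and -o tun0
forward_allows_tun() {
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -i tun0 -j ACCEPT$' &&
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -o tun0 -j ACCEPT$'
}

# diagnose LINE RULES "LAN_NET LAN_MASK": space-separated findings, or "ok"
diagnose() {
    findings=""
    case "$(pushed_option "$1" route)" in
        "$3 "*) ;;                                  # LAN route is pushed
        *) findings="$findings no-lan-route-pushed" ;;
    esac
    if ! forward_allows_tun "$2"; then
        findings="$findings forward-blocks-tun0"
    fi
    if [ -n "$findings" ]; then echo "${findings# }"; else echo ok; fi
}

# Walk the constructed samples: correct setup, then the missing firewall rules
diagnose "$SAMPLE_PUSH_REPLY" "$FORWARD_WITH_TUN" "192.168.1.0 255.255.255.0"
diagnose "$SAMPLE_PUSH_REPLY" "$FORWARD_NO_TUN" "192.168.1.0 255.255.255.0"
```

On a real router the inputs would come from the OpenVPN server log and from `iptables -S FORWARD` run on the router itself.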
 
Never tested accessing LAN clients using the OpenVPN server on the router. But at one site I support, I occasionally need to access the Windows Server over the VPN tunnel. Once I connect to the site, I have to use the Windows Remote Desktop program available on the Windows Store to access it.
 
How are you connecting with your iPhone; from a remote wifi or via 3G/4G?

I’m no expert at gaining every last ounce of info from the logfiles but clearly you are connected. And one thing I noticed prompted me to point out a “gotcha”. If your home network address is, say, 192.168.0.0, and your remote device coincidentally is on a network with the identical 192.168.0.0 network address, you have a potential conflict when you enter the IP address into your browser. So it’s best to have your home network address as something you’re unlikely to encounter remotely e.g. 192.168.91.0.

I don’t suppose that’s the problem?

I'm connecting from LTE, so this shouldn't be a conflict
 
But does it? Maybe I'm thinking it doesn't for my older version of the firmware. That's why others are reporting that it works 'out of the box' but not mine?
You might be on to something there. The same problem appears to have been reported here. Again, the client is an iPhone, which always seems to be the device that has problems.

@martinr You say you don't have any problem connecting? Are you still using your iPhone to connect? If so, would you mind telling us what client version you are using, and what router firmware version.
 
