Can't access OpenVPN Server router 192.168.0.1 admin from client router ASUS-Merlin

SunSkyPi

New Around Here
Hi All,

Trying to figure out how I can access my OpenVPN server router's admin from an ASUS-Merlin client through OpenVPN. I can access the internet through the VPN from the client, out through the server, just fine. All my other setups work fine for accessing the remote router admin.

My setup:

Router0 (Client OpenVPN) -> Main Router1 -> Internet -> Main Router2 -> Router3 (OpenVPN server)

When Client Router0 is dd-wrt, the VPN works perfectly: from the client I can access the internet through Router3 and the admin for Router3. This has worked for multiple different dd-wrt routers.

In addition, if I use OpenVPN from Windows 10 or a Chromebook on the Router1 LAN, I can also access the Router3 admin over the VPN by just typing in 192.168.0.1.

The problem:
When I use ASUS-Merlin 386.3_2 (ASUS RT86U) for Router0, through the VPN I can access the internet through Router3, but when I try to access the admin for Router3, I instead get Router1. I have checked Redirect all traffic on Router0, but when I enter 192.168.0.1 to access the admin, which I think would be Router3, I instead get the local Router1. Router0 is not sending 192.168.0.1 to the VPN.

Here are sample LANs:

Router0 (Merlin 386.3_2) -> Main Router1 -> Internet -> Main Router2 -> Router3 (OpenVPN server)
LAN:192.168.50.2----------->192.168.0.1-------------------->10.0.0.0---------->192.168.0.1 (VPN: 10.8.0.0)

I have read to avoid having similar subnets in a VPN, but this setup works fine in all other cases except when I use the ASUS-Merlin as Router0. It seems like the Merlin router VPN does not redirect the 192.168.0.1 request through the tunnel (where it would hit Router3) but instead just routes it to Router1. I do have “Redirect Internet traffic through tunnel” selected as “Yes (all)”.

Anybody have any ideas how I can access my Router3 admin using an ASUS-Merlin for Router0?

When I look at the routing table I can now see why on Router0 a request to 192.168.0.1 goes to WAN, but I don’t have any idea how to change the routing table, nor why this works fine when I hook up dd-wrt routers as Router0. Since the routing table is built automatically, is there any way I can force the ASUS-Merlin to behave like the dd-wrt routers and pass the 192.168.0.1 request to the VPN?

I don’t want to change anything upstream of client Router0, since it works fine with other routers. Any help is greatly appreciated!

Thank you


Router0, Merlin 386.3_2, ASUS RT86U
IPv4 Routing table:

Destination   Gateway       Genmask          Flags  Metric  Ref  Use  Iface
default       192.168.0.1   0.0.0.0          UG     0       0    0    WAN
10.8.0.5      *             255.255.255.255  UH     0       0    0    tun12
192.168.0.0   *             255.255.255.0    U      0       0    0    WAN
192.168.0.1   *             255.255.255.255  UH     0       0    0    WAN
192.168.50.0  *             255.255.255.0    U      0       0    0    LAN


OpenVPN client settings, pretty much all default (screenshot not preserved):

Thank you,
SunSkyPi
 

eibgrad

Part of the Furniture
Please post the output from the following commands.

Code:
ip rule
ip route show table ovpnc2
 

SunSkyPi

New Around Here
It took me a while to figure out how to do that, but thanks to the internet I installed PuTTY and got access. I could not figure out a way to copy from PuTTY other than using the snipping tool; hope these figures come across okay. Thank you for your help!

ip rule: (output posted as screenshot 1630178019765.png)

ip route show table ovpnc2: (output posted as screenshot 1630181001521.png)
 

eibgrad

Part of the Furniture
Took a little while for me to determine what was happening. At least what I think is happening (not everything is fully transparent to me as an end user).

Normally, when the developer implements the OpenVPN client, he lets OpenVPN itself manage the addition/deletion of routes. Such is the case w/ DD-WRT and others. But Merlin manages the routing himself, within his own code. And when the OpenVPN server pushes its local network to the OpenVPN client, he's noticing that there already exists a route for 192.168.0.0/24 on the client, and so he discards it. On something like DD-WRT, OpenVPN will allow the additional route to the 192.168.0.0/24 network. But then it becomes unpredictable which route will be used given both presumably have the same metric. Not unless OpenVPN is smart enough to give its own route to 192.168.0.0/24 a lower metric (i.e., make it preferred). I've never noticed if that is indeed the case.

This is why you need to avoid having the same IP network accessible from different routes. Sometimes you'll get away with it if the route chosen happens to be what you want for a given purpose. But more times than not, you're asking for trouble. The IP protocol was never designed to support more than one device for a given IP. The fact that NAT makes that possible doesn't mean it's OK when using a VPN. NAT assumes you'll never directly expose those same IPs to each other. But a VPN is a perfect opportunity for that to happen.

All that said, what might work is if you add a specific route for 192.168.1.1 to the custom config field of the OpenVPN client.

Code:
route 192.168.0.1 255.255.255.255 vpn_gateway

Or else don't push the whole 192.168.0.0/24 network on the OpenVPN server config, but just the route above.

Code:
push "route 192.168.0.1 255.255.255.255 vpn_gateway"

That way, Merlin's code will NOT see an exact match based on 192.168.0.0/24 and allow the route to be added. 192.168.0.1 (VPN) is more specific than 192.168.0.0/24 (WAN), so it will take precedence. But realize you still risk issues should the router need to access 192.168.0.1 over the WAN for any reason.
 
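The route-selection rule eibgrad describes above (longest prefix wins, then metric, and a tie when both are equal) can be checked against the table SunSkyPi posted. The following is an added example, not code from either poster or from the Merlin firmware: it re-types the posted main routing table as constructed input, does a longest-prefix lookup over it, and then shows what happens when a /32 to 192.168.0.1 via the tunnel is added and when the remote side is renumbered to 192.168.2.0/24. The gateway 10.8.0.5 on the tunnel routes and the pushed 192.168.2.0/24 route are assumptions; the policy-routing table (ip rule / table ovpnc2) that Merlin uses for "redirect all" traffic is not modelled, so plain internet destinations resolve to WAN here as they do in the main table.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int
    gateway: str


# The OP's main routing table, re-typed here as constructed input
# (the forum flattened the original columns).
MAIN_TABLE = """
default      192.168.0.1  0.0.0.0          UG  0 0 0 WAN
10.8.0.5     *            255.255.255.255  UH  0 0 0 tun12
192.168.0.0  *            255.255.255.0    U   0 0 0 WAN
192.168.0.1  *            255.255.255.255  UH  0 0 0 WAN
192.168.50.0 *            255.255.255.0    U   0 0 0 LAN
"""


def parse_routes(text: str) -> list[Route]:
    """Parse netstat/route-style rows: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}")  # ipaddress accepts dotted netmasks
        routes.append(Route(net, iface, int(metric), gw))
    return routes


def egress(routes: list[Route], dst: str) -> tuple[str, ...]:
    """Return the interface(s) the kernel's selection rule would pick for dst.

    Longest prefix first, then lowest metric. A tuple with more than one
    interface means the remaining candidates are tied and the choice is
    not determined by the table alone.
    """
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        return ()
    best_len = max(r.prefix.prefixlen for r in matches)
    longest = [r for r in matches if r.prefix.prefixlen == best_len]
    best_metric = min(r.metric for r in longest)
    winners = [r for r in longest if r.metric == best_metric]
    return tuple(sorted({r.iface for r in winners}))


def with_tunnel_host_route(routes: list[Route]) -> list[Route]:
    """eibgrad's suggested 'route 192.168.0.1 255.255.255.255 vpn_gateway', at the default metric 0."""
    extra = Route(ipaddress.IPv4Network("192.168.0.1/32"), "tun12", 0, "10.8.0.5")  # assumed gateway
    return routes + [extra]


def with_renumbered_remote(routes: list[Route]) -> list[Route]:
    """After moving Router3 to 192.168.2.1: assume the server pushes 192.168.2.0/24 via the tunnel."""
    extra = Route(ipaddress.IPv4Network("192.168.2.0/24"), "tun12", 0, "10.8.0.5")  # assumed
    return routes + [extra]


if __name__ == "__main__":
    base = parse_routes(MAIN_TABLE)
    print("as posted      192.168.0.1 ->", egress(base, "192.168.0.1"))
    print("+ /32 via tun  192.168.0.1 ->", egress(with_tunnel_host_route(base), "192.168.0.1"))
    print("renumbered     192.168.2.1 ->", egress(with_renumbered_remote(base), "192.168.2.1"))
```

The first lookup reproduces what SunSkyPi observed: the posted table already holds a /32 host route to 192.168.0.1 (the WAN gateway), so the WAN wins. Adding another /32 via the tunnel only produces a tie at the same prefix length and metric, which is the unpredictability eibgrad warns about; renumbering the remote LAN gives the tunnel a prefix that nothing on the WAN side overlaps, which is why the final fix in the thread behaves consistently.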

SunSkyPi

New Around Here
I added the command to custom config:

route 192.168.0.1 255.255.255.255 vpn_gateway

And rebooted. But there is no change in routing; when I enter 192.168.0.1 it still goes to the local Router1.
Here are the outputs from ip rule and ip route show table ovpnc2 below. It looks like it ignored the custom config command. So it seems like ASUS-Merlin is overriding or ignoring the custom config?

ip rule: (output posted as screenshot)

ip route show table ovpnc2 (public IP redacted): (output posted as screenshot)

Then, per your suggestion, I changed the Router3 IP to 192.168.2.1 from 192.168.0.1, so now I have:

Router0 (Merlin 386.3_2) -> Main Router1 -> Internet -> Main Router2 -> Router3 (OpenVPN server)
LAN:192.168.50.2----------->192.168.0.1-------------------->10.0.0.0---------->192.168.2.1 (VPN: 10.8.0.0)

And now if I type 192.168.2.1: Success! I can access the Router3 admin. The behavior is now the same with the other dd-wrt routers in place of Router0, as well as OpenVPN on Win10 or a Chromebook on the Router1 LAN. I guess the moral is, as everyone says, to make sure all equipment in the chain has different IPs.

Thank you so much!
 
