Can't get Asus Merlin VPN to work with OpenVPN!

exhibitO

Occasional Visitor
Hello,

My need is a simple one. I would like to connect remotely into my Asus Merlin AX-88U router with OpenVPN. I have enabled and configured the VPN Server in the router settings as below:

[screenshot: chrome_2022-08-17_16-02-56.png]



I am unsure whether I need to add the "Allowed Clients" section below and how that is configured; in addition, I think I may need to enable static routes based on this log:

Aug 17 15:17:19 ovpn-server1[11850]: Closing TUN/TAP interface
Aug 17 15:17:19 ovpn-server1[11850]: /usr/sbin/ip addr del dev tun21 10.8.0.1/24
Aug 17 15:17:19 lldpd[2218]: removal request for address of 10.8.0.1%60, but no knowledge of it
Aug 17 15:17:19 ovpn-server1[11850]: ovpn-down 1 server tun21 1500 1623 10.8.0.1 255.255.255.0 init
Aug 17 15:17:19 ovpn-server1[11850]: SIGTERM[hard,] received, process exiting


[screenshot: chrome_2022-08-17_16-03-36.png]


What am I doing wrong?

I have exported the .ovpn file into the OpenVPN Android app, but it fails to connect. In the logs I get "TCPv4 connection error, No route to host". I have opened the server port in port forwarding as well. I think my issue is with routing.
 

ColinTaylor

Part of the Furniture
You don't need any static routes or port forwarding. Remove those if you've made them.

Set "Manage Client-Specific Options" to No for now.

Export the ovpn file again, open it in a text editor and check that the remote line is correct.
 

ColinTaylor

Part of the Furniture
EDIT: I've just noticed at the top of your image there's a warning that your router doesn't have a public IP address. Therefore you will have to forward the OpenVPN port on the upstream router and probably change the remote line in the config file.
 

exhibitO

Occasional Visitor
> You don't need any static routes or port forwarding. Remove those if you've made them.
>
> Set "Manage Client-Specific Options" to No for now.
>
> Export the ovpn file again, open it in a text editor and check that the remote line is correct.

Thank you for replying. I disabled port forwarding and deleted the routes, but it still doesn't work.

About the remote line in the .ovpn config file: when I use my DDNS hostname, I get "TCPv4 connection error, No route to host". But when I replace my hostname with my IP address in the remote line, I get "Transport Error: TCPv4 connect error on IP: port connection refused" in the OpenVPN app on Android.
 

ColinTaylor

Part of the Furniture
See my previous post.

Also, what version of Merlin's firmware are you using?
 

exhibitO

Occasional Visitor
> EDIT: I've just noticed at the top of your image there's a warning that your router doesn't have a public IP address. Therefore you will have to forward the OpenVPN port on the upstream router and probably change the remote line in the config file.

I've done this already; this was the original state. Do you think the line "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x). Please refer to the FAQ and set up the port forwarding." has something to do with this?

My upstream router is AT&T which operates as a router/switch, the input is the fiber cable and the output is ethernet which I run into my AX88U.

I enabled the port forward in the upstream router and I still get No Route to Host.
 

ColinTaylor

Part of the Furniture
> I've done this already; this was the original state. Do you think the line "The wireless router currently uses a private WAN IP address (192.168.x.x, 10.x.x.x or 172.16.x.x). Please refer to the FAQ and set up the port forwarding." has something to do with this?
>
> My upstream router is AT&T which operates as a router/switch, the input is the fiber cable and the output is ethernet which I run into my AX88U.
>
> I enabled the port forward in the upstream router and I still get No Route to Host.

OK. So to be clear,

1. On the AT&T router you have forwarded TCP port 7183 to the WAN IP address of the Asus router.
2. You have checked that the WAN IP address of the AT&T is a public address.
3. You have put this public IP address and 7183 in the remote line of the OVPN file.
4. You are testing this from outside your LAN, e.g. over a mobile phone network.

Correct?

With all those things in place, is the OpenVPN server running (VPN - Status)?

What is the WAN IP address of the Asus router?
What are the first two octets (e.g. 123.66.xxx.yyy) of the AT&T WAN IP address?
 
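The checklist above is the whole diagnosis in this thread: the Asus router sits behind the AT&T gateway with a private WAN address, so the upstream gateway must forward the server port and the profile's remote line must point at the public address. Here is an added Python example (not from the thread, from Merlin's firmware or from OpenVPN) that parses the `remote` line of an exported profile, classifies the router's WAN address as RFC 1918, carrier-grade NAT or public, and prints the findings a reader would otherwise work out by hand. The profile text, the address 203.0.113.7 (a documentation address standing in for the AT&T public IP) and the Asus WAN address 192.168.1.64 are constructed; port 7183 is the one named in the thread.

```python
import ipaddress
import socket

# Address ranges behind the router's "private WAN IP address" warning
# (RFC 1918) plus the carrier-grade NAT range (RFC 6598) that some ISPs
# hand out; a WAN address in any of these is not reachable from the Internet.
PRIVATE_RANGES = {
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}

# Constructed client profile for illustration; 203.0.113.7 is a
# documentation address standing in for the upstream router's public IP.
SAMPLE_OVPN = """\
client
dev tun
# the proto on the remote line overrides a separate 'proto' directive
remote 203.0.113.7 7183 tcp
resolv-retry infinite
"""


def classify_wan_ip(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    for label, nets in PRIVATE_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def parse_remote(ovpn_text):
    """Return (host, port, proto) from the first 'remote' directive.

    OpenVPN's defaults apply when fields are missing: port 1194, proto udp,
    and a 'proto' directive is used only if the remote line has no proto.
    """
    host, port, proto = None, 1194, None
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines
            continue
        parts = line.split()
        if parts[0] == "proto" and len(parts) > 1 and proto is None:
            proto = parts[1].lower()
        elif parts[0] == "remote" and host is None and len(parts) > 1:
            host = parts[1]
            if len(parts) > 2:
                port = int(parts[2])
            if len(parts) > 3:
                proto = parts[3].lower()
    if host is None:
        raise ValueError("profile has no 'remote' directive")
    return host, port, proto or "udp"


def check_profile(ovpn_text, asus_wan_ip):
    """Return findings explaining why a client may not reach the server,
    based on the remote line and the Asus router's WAN address."""
    host, port, proto = parse_remote(ovpn_text)
    findings = []
    try:
        remote_kind = classify_wan_ip(host)
    except ValueError:                        # a hostname, e.g. a DDNS name
        remote_kind = None
    if remote_kind and remote_kind != "public":
        findings.append(
            f"remote {host} is in the {remote_kind} range; it cannot be reached "
            "from outside, use the upstream router's public IP or DDNS name")
    wan_kind = classify_wan_ip(asus_wan_ip)
    if wan_kind == "rfc1918":
        findings.append(
            f"Asus WAN IP {asus_wan_ip} is private (double NAT): forward "
            f"{proto.upper()} port {port} on the upstream router to {asus_wan_ip}")
    elif wan_kind == "cgnat":
        findings.append(
            f"Asus WAN IP {asus_wan_ip} is carrier-grade NAT: no port forward "
            "on your own routers can expose the server; ask the ISP for a public address")
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """Live check, to be run from outside the LAN (e.g. on mobile data):
    (True, None) if a TCP handshake completes, else (False, error text).
    'connection refused' means a host answered but nothing was forwarded or
    listening on that port; 'no route to host' means the client found no
    path to the address at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed Asus WAN address behind the AT&T gateway.
    for finding in check_profile(SAMPLE_OVPN, "192.168.1.64"):
        print("-", finding)
```

The two client errors reported earlier in the thread map onto `tcp_reachable`: "connection refused" means something at the public address answered, so the packet arrived but the forward to the Asus router was missing, while "no route to host" means the client never got a path to the address.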

exhibitO

Occasional Visitor
> OK. So to be clear,
>
> 1. On the AT&T router you have forwarded TCP port 7183 to the WAN IP address of the Asus router.
> 2. You have checked that the WAN IP address of the AT&T is a public address.
> 3. You have put this public IP address and 7183 in the remote line of the OVPN file.
> 4. You are testing this from outside your LAN, e.g. over a mobile phone network.
>
> Correct?
>
> With all those things in place, is the OpenVPN server running (VPN - Status)?
>
> What is the WAN IP address of the Asus router?
> What are the first two octets (e.g. 123.66.xxx.yyy) of the AT&T WAN IP address?

It works!

I needed to forward the port on my AT&T upstream router. The issue is with the AT&T interface: it's not clear which device is which, since you can't differentiate them by IP address. I searched for the MAC address in the ASUS router and was able to map it to the device.

Thanks so much!

EDIT: so it connected, but there is no internet and I cannot resolve any of my hosts on my local network. Any ideas?
 

ColinTaylor

Part of the Furniture
> EDIT: so it connected, but there is no internet and I cannot resolve any of my hosts on my local network. Any ideas?
Go to the VPN Server General Details and make sure "Client will use VPN to access" = Both.
 

ColinTaylor

Part of the Furniture
Your client might be using DoH instead of traditional DNS, which would bypass local name resolution.

Can you ping an internet address, e.g. 8.8.8.8 ?

Check the log on the Asus router as well as the client's log.
 

exhibitO

Occasional Visitor
> Your client might be using DoH instead of traditional DNS, which would bypass local name resolution.
>
> Can you ping an internet address, e.g. 8.8.8.8 ?
>
> Check the log on the Asus router as well as the client's log.


It works now! I forgot to mention I use a Pi-hole, and under LAN > DNS and WINS Server Setting I had set DNS 1 to my Pi-hole IP address. When I removed the IP address from that setting (use DNS from my ISP), it started working. Now I have to figure out how to make this work with my Pi-hole.
 

exhibitO

Occasional Visitor
Everything seems to work now!

I set Advertise router's IP in addition to user-specified DNS under LAN to Yes and now it works! Hopefully I did this right LOL
 

exhibitO

Occasional Visitor
For anyone reading this for posterity: in Pi-hole you need to change the DNS settings to respond only on eth0. I was getting a warning in Pi-hole, in the dnsmasq core: "ignoring query from non-local network". The request was originating from 10.8.0.0, which is the IP range assigned to my VPN client. That's why it was not blocking ads.
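The dnsmasq warning quoted in that post is produced by its local-service restriction, which only answers queries whose source lies in a subnet one of the server's own interfaces is on; VPN clients in 10.8.0.0/24 arrive routed through the Asus router, so they fail that test, and the "respond only on eth0" setting replaces that source check with a plain interface binding. As an added Python example (not Pi-hole's, dnsmasq's or the thread's code), the script below counts the warning in a constructed log excerpt, models the local-service test to show why 10.8.0.2 is dropped while a LAN host is answered, and compares the outcome under a simplified model of the three Pi-hole interface options. The log lines, the Pi-hole interface address 192.168.1.5/24 and the client address 10.8.0.2 are constructed; the VPN pool 10.8.0.0/24 matches the tun21 address shown in the thread's log.

```python
import ipaddress
import re

# Constructed Pi-hole (dnsmasq) log excerpt; the warning text is the one
# quoted in the thread, the query lines are ordinary LAN lookups.
SAMPLE_LOG = """\
Aug 18 09:12:01 dnsmasq[811]: query[A] ads.example.com from 192.168.1.20
Aug 18 09:12:01 dnsmasq[811]: ignoring query from non-local network
Aug 18 09:12:05 dnsmasq[811]: ignoring query from non-local network
Aug 18 09:12:09 dnsmasq[811]: query[A] www.example.com from 192.168.1.21
"""

NON_LOCAL_RE = re.compile(r"dnsmasq\[\d+\]: ignoring query from non-local network")


def count_non_local_drops(log_text):
    """Count queries dnsmasq refused under its local-service restriction."""
    return sum(1 for line in log_text.splitlines() if NON_LOCAL_RE.search(line))


def is_local_source(source_ip, interface_cidrs):
    """Model of dnsmasq's local-service test: the query source must lie in a
    subnet that one of the server's own interfaces is configured for."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(c, strict=False) for c in interface_cidrs)


def would_answer(mode, source_ip, interface_cidrs, arrived_on_eth0=True):
    """Whether the resolver answers a query under each interface setting.
    This is a simplified model of Pi-hole's three options, not its code:
      'local-service'  : only sources on a directly attached subnet
      'interface-eth0' : anything that arrives on eth0, whatever its source
      'all-origins'    : everything
    """
    if mode == "local-service":
        return is_local_source(source_ip, interface_cidrs)
    if mode == "interface-eth0":
        return arrived_on_eth0
    if mode == "all-origins":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def explain(source_ip, interface_cidrs, vpn_pool):
    """Explain a dropped query: VPN clients sit in a subnet the Pi-hole has
    no interface in, so local-service treats them as non-local."""
    if is_local_source(source_ip, interface_cidrs):
        return f"{source_ip} is on a local subnet; not the local-service drop"
    if ipaddress.ip_address(source_ip) in ipaddress.ip_network(vpn_pool):
        return (f"{source_ip} is a VPN client in {vpn_pool}, routed in via the "
                "router; dnsmasq local-service sees it as non-local and drops it")
    return f"{source_ip} is neither local nor in {vpn_pool}; unexpected source"


if __name__ == "__main__":
    print("dropped queries in log:", count_non_local_drops(SAMPLE_LOG))
    print(explain("10.8.0.2", ["192.168.1.5/24"], "10.8.0.0/24"))
    for mode in ("local-service", "interface-eth0", "all-origins"):
        print(mode, "->", would_answer(mode, "10.8.0.2", ["192.168.1.5/24"]))
```

Once the source-subnet check is gone, the Pi-hole answers whatever reaches eth0, so it relies on the Asus router not exposing UDP/TCP 53 on the WAN side; in this setup only LAN hosts and VPN clients can reach it, which is the intended population.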
 
