
Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200


If the OpenVPN server GUI has a custom config field, add the following directive.

Code:
client-to-client
 
I have client to client enabled in the checkbox as seen and it works as long as I don't have the custom script that assigns static IPs enabled. When I add what is in the box at the bottom to run the clientconnect.sh to assign static IPs the client to client quits working. Do I also need to add client-to-client in the box field with the script? How would it look instead of like this?
Code:
script-security 2
--client-connect /jffs/scripts/clientconnect.sh
 

Attachment: ASUSScreenshot_2024-06-21_02-20-38.jpg
IIRC, the OpenVPN server uses a subnet topology by default (at least AsusWRT-Merlin does, I assume the same for the OEM firmware). In that case, it would make more sense you change the ifconfig-push directive to use a subnet configuration too.

Code:
ifconfig-push 10.8.0.18 255.255.255.0

In contrast, the example you provided is assuming a P2P (point to point) configuration, and so I suspect this is limiting the clients' ability to communicate w/ each other because each is being treated as separate and unique IP networks.

At least that's my best guess at the moment. I'd have to see a dump of the actual OpenVPN server config file and/or the syslog to be sure if I'm right about the topology.
 
The ifconfig-push is what I'm using in the script to assign static IPs for the various computer names that log in. Here is my clientconnect.sh.
Code:
#!/bin/sh
if [ "$username" = "echo" ];
then
    echo "ifconfig-push 10.8.0.11 255.255.255.0" >>$1
elif [ "$username" = "romeo" ];
then
    echo "ifconfig-push 10.8.0.12 255.255.255.0" >>$1
elif [ "$username" = "milo" ];
then
    echo "ifconfig-push 10.8.0.13 255.255.255.0" >>$1
elif [ "$username" = "ace" ];
then
    echo "ifconfig-push 10.8.0.14 255.255.255.0" >>$1
elif [ "$username" = "lucky" ];
then
    echo "ifconfig-push 10.8.0.15 255.255.255.0" >>$1
elif [ "$username" = "juliet" ];
then
    echo "ifconfig-push 10.8.0.16 255.255.255.0" >>$1
elif [ "$username" = "sparky" ];
then
    echo "ifconfig-push 10.8.0.17 255.255.255.0" >>$1
elif [ "$username" = "midnight" ];
then
    echo "ifconfig-push 10.8.0.18 255.255.255.0" >>$1
elif [ "$username" = "charlie" ];
then
    echo "ifconfig-push 10.8.0.19 255.255.255.0" >>$1
elif [ "$username" = "sunny" ];
then
    echo "ifconfig-push 10.8.0.20 255.255.255.0" >>$1
elif [ "$username" = "hpomendavid" ];
then
    echo "ifconfig-push 10.8.0.21 255.255.255.0" >>$1
elif [ "$username" = "hpomenrowdy" ];
then
    echo "ifconfig-push 10.8.0.22 255.255.255.0" >>$1
fi
 
So are you telling me you *always* had it this way, or that you changed it and it made no difference?
 
Everything in the check boxes was as seen and the PCs talk to each other but get a dynamic IP. I need to set static IPs so I created this clientconnect.sh script and when I enable it the PCs receive the static IP but can no longer talk to each other.
 
Let me also ask you this. As you can see in my config I have devices assigned to 10.8.0.11, 10.8.0.12, etc. but I was reading that they should be set to multiples of 4+2 such as 10.8.0.10, 10.8.0.14, etc. The problem with that is that once the number gets so high I end up receiving this error. For example this was the device trying to use 10.8.0.42.
 

Attachment: TUNErrorScreenshot_2024-06-21_15-19-45.jpg
Let's back up a little.

There are two (actually three, but we'll leave out the 3rd for now) ways to configure the OpenVPN server. Either w/ net30 or subnet topology. The original script that you posted assumed a net30 topology, where each IP in the pair represented a local (client) and remote (server) IP for the client connection. IOW, it creates a /30 network w/ those two IPs as beginning and ending IPs. In order to prevent those /30 networks from overlapping, the instructions tell you to increase their values 4+2.

All that's fine and well under normal circumstances. But the use of a net30 topology means you lose communications between those subnets (i.e., the clients)!!! IOW, the very thing you're trying to establish.

As I said before, I don't know for sure if your OpenVPN server is configuring itself as a net30 or subnet topology unless I can see the server's config file and/or the syslog. Given the error messages you're getting, I suspect it is net30.

So what I want you to do is use the script changes I suggested (the one w/ the 255.255.255.0 subnet masks) *and* add the following to the custom config field.

Code:
topology subnet
client-to-client

This will *force* the OpenVPN server to use a subnet topology (just in case it's defaulting to net30), which will be consistent w/ the changes made to the script. And all your clients should now be able to communicate since they're all on the same subnet.
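
Added example, not part of any post in this thread: the subnet-form `ifconfig-push` advice above written as a table-driven client-connect hook instead of an if/elif chain, with a check for out-of-range and duplicate addresses. It assumes `topology subnet` on 10.8.0.0/24 with the server at 10.8.0.1; the function names and the shortened user map are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: table-driven client-connect hook.
# Assumes "topology subnet" on 10.8.0.0/24 with the server at 10.8.0.1.
VPN_PREFIX="10.8.0"
VPN_MASK="255.255.255.0"
# username:last-octet pairs (constructed sample using names from the thread)
CLIENT_MAP="echo:11 romeo:12 milo:13 ace:14"

# Print the last octet reserved for user $1; fail if the user is not listed.
lookup_octet() {
    for entry in $CLIENT_MAP; do
        if [ "${entry%%:*}" = "$1" ]; then
            echo "${entry##*:}"
            return 0
        fi
    done
    return 1
}

# Print the subnet-form directive for user $1 (address + netmask, not a
# net30 local/peer pair). Rejects .0, .1 (server) and .255 (broadcast).
push_line() {
    octet=$(lookup_octet "$1") || return 1
    if [ "$octet" -lt 2 ] || [ "$octet" -gt 254 ]; then
        return 1
    fi
    echo "ifconfig-push $VPN_PREFIX.$octet $VPN_MASK"
}

# List octets assigned to more than one user (empty output means no clash).
duplicate_octets() {
    for entry in $CLIENT_MAP; do
        echo "${entry##*:}"
    done | sort | uniq -d
}

# Hook body: append the directive to the temp file OpenVPN passes as $1.
# Unlisted users get no directive and fall back to the dynamic pool.
run_hook() {
    line=$(push_line "${username:-}") || return 0
    echo "$line" >> "$1"
}

if [ -n "${1:-}" ]; then
    run_hook "$1"
fi
```

`topology subnet` and `client-to-client` stay in the server's custom config field; the hook only writes per-client directives.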
 
Would Merlin 384.13_10 allow me to change from a net30 topology? I don't see anything in stock to change it.

Yes. In fact, it defaults to a subnet topology. But as I stated above, you should be able to change it provided the OpenVPN server GUI has a custom config field, even w/ the OEM firmware.
 
Yes it seems to default to net30 with no option of changing it except maybe the custom configuration. I have changed all of my IPs in the script to multiples of 4+2. Would I add the code you suggested into the script like this?
Code:
#!/bin/sh
topology subnet
client-to-client
if [ "$username" = "echo" ];
then
    echo "ifconfig-push 10.8.0.10 255.255.255.0" >>$1
elif [ "$username" = "ace" ];
then
    echo "ifconfig-push 10.8.0.14 255.255.255.0" >>$1
elif [ "$username" = "lucky" ];
then
    echo "ifconfig-push 10.8.0.18 255.255.255.0" >>$1
elif [ "$username" = "juliet" ];
then
    echo "ifconfig-push 10.8.0.22 255.255.255.0" >>$1
elif [ "$username" = "sparky" ];
then
    echo "ifconfig-push 10.8.0.26 255.255.255.0" >>$1
elif [ "$username" = "midnight" ];
then
    echo "ifconfig-push 10.8.0.30 255.255.255.0" >>$1
elif [ "$username" = "charlie" ];
then
    echo "ifconfig-push 10.8.0.34 255.255.255.0" >>$1
elif [ "$username" = "sunny" ];
then
    echo "ifconfig-push 10.8.0.38 255.255.255.0" >>$1
elif [ "$username" = "hpomendavid" ];
then
    echo "ifconfig-push 10.8.0.42 255.255.255.0" >>$1
elif [ "$username" = "romeo" ];
then
    echo "ifconfig-push 10.8.0.46 255.255.255.0" >>$1
elif [ "$username" = "milo" ];
then
    echo "ifconfig-push 10.8.0.50 255.255.255.0" >>$1
elif [ "$username" = "hpomenrowdy" ];
then
    echo "ifconfig-push 10.8.0.54 255.255.255.0" >>$1
fi
 
The ifconfig-push is what I'm using in the script to assign static IPs for the various computer names that log in. Here is my clientconnect.sh.
You should be using CCD for that.
 
My buddy has stock on this box atm. What is CCD?
I don't think stock supports it, you would have to check if they offer a custom client section.

CCD = Client Config Directory. CCD allows you to have client-specific custom configs (most commonly used to assign a static IP to a specific client) that automatically gets applied based on the Certificate CN value. It requires however for you to generate separate certs for each client, as the certificate name is what is used to determine what extra custom config entries to use.
 
In Asuswrt-Merlin, for the basic option (just to assign a static IP), you can even do it through the GUI, no need to create files in the JFFS partition.

 
Well atm eibgrad's suggestion seems to be working. If I run into any issues I will ask my buddy if he is cool with flashing to Merlin.
 
