Connect two networks using OpenVPN


redbird71

Occasional Visitor

Hi everyone,

I am trying to connect my home network to my office network in a way that I can access my office computers and network shares from home >>AND<< the other way around. It seems simple enough to make it work in one direction - just create a VPN Server on the office router and a VPN Client on home router (both AC68U) and done. But I can't get it to work bidirectionally. Would be grateful for any hints.
 
There are already numerous threads covering this. Check out those to see if any of them match your situation.
 
It's called a site-to-site configuration.

On the OpenVPN server side, you have to configure the Manage Client-Specific Options section and configure it w/ the local IP network of the connecting OpenVPN client based on the CN (Common Name) of its cert (when using the certs generated by the router, it will be named 'client' (no quotes)). But since that cert is typically shared across *all* OpenVPN clients, it becomes ambiguous which client is actually connecting (unless it's the *only* OpenVPN client you intend to connect to that server). In that case, and assuming you're using username/password, it's better to add the following to the OpenVPN server's custom config field.

Code:
username-as-common-name

Then create a user strictly for the site-to-site connection (e.g., site2site) and use it as the CN w/ Manage Client-Specific Options. When that user connects, the OpenVPN server will use that entry in Manage Client-Specific Options to correctly route that OpenVPN client's local IP network over the tunnel.

On the OpenVPN client, you'll need to change the Inbound Firewall option to Allow (the default is Blocked). Also, there's no need to NAT the tunnel in a site-to-site configuration if properly configured.

Thank you for that.

Just to get this right this would mean:
1 - On the SERVER site - I open VPN Server config and create a user f.i. site2site with a password
2 - Change VPN Details from 'General' to 'Advanced Settings'
3 - set 'Manage Client-Specific Options' to YES
4 - Under 'Allowed Clients' below I put site2site into Common Name - Subnet ??? mask ??? Push ?? and add it as a client - press Apply
5 - export OpenVPN configuration file

6 - On the CLIENT site - open VPN Client config
7 - load OpenVPN configuration file
8 - set 'Create NAT on tunnel' to NO
9 - set 'Inbound Firewall' to Allow
10 - Enter username site2site and password
11 - Apply
DONE


Could you fill in the blanks on Subnet - Mask - Push?
Don't I have to activate 'Allow only specified clients' so that the list of Allowed Clients is checked at all?
Would I have to set up a secondary VPN Server for other users to connect to the server?

Basically the above is correct.

You can make this configuration simple or complex, depending on your overall intentions. Originally you only spoke of the *one* site-to-site connection, and if you had other connections from other users to the same server, these would be unidirectional tunnels. That's why I suggested naming that one site-to-site connection as site2site, to distinguish it from all others. But it's just a name. And you can name it anything you like.

If you want/need *multiple* users to be connected as site-to-site, then you need to configure each of them under Manage Client-Specific Options as well. And you might as well just use the actual usernames (Frank, Phil, Lucy, etc.). Just realize that each OpenVPN client that's connected to the server has to be using a unique, non-overlapping local IP network.

If you want those OpenVPN clients to be able to talk to each other (i.e., use the OpenVPN server as a gateway), then you need to enable the "Allow Client <-> Client" option. Also, you need to check the Push option on each entry of the table so all the connected OpenVPN clients in a site-to-site configuration have their respective routing information made available to each other (if you only ever have *one* OpenVPN client in a site-to-site configuration, you do NOT need to Push it).

If the only clients allowed access to the server are those configured as site-to-site (i.e., NO unidirectional tunnels), then enable "Allow only specified clients". Frankly, I don't find this a particularly useful setting since there's no particular value in limiting connections to bi-directional tunnels (at least NOT that I can see).
 
In the following example, there's only one configured site-to-site connection. All others are unidirectional.

screenshot-lab-merlin1.yankee_8443-2022.04.06-02_17_55.png


In the following example, we have multiple site-to-site connections, none of which are allowed to communicate w/ each other.

screenshot-lab-merlin1.yankee_8443-2022.04.06-02_12_56.png


In the following example, all of the site-to-site connections are allowed to communicate w/ each other.

screenshot-lab-merlin1.yankee_8443-2022.04.06-02_16_19.png


In all of the above examples, unidirectional tunnels are allowed since "Allow only specified clients" is set to No.
 
Thank you. This is very helpful. I'll give it a try.
 
Also - the moment I activate 'Manage Client-Specific Options' - the connection becomes unstable, effectively disconnecting every 2 minutes approximately.
 
Should there be any relation to those two addresses?


View attachment 40786

10.8.2.0 255.255.255.0 is the IP network of the tunnel. What you want to specify in Manage Client-Specific Options is the IP network on which that specific OpenVPN client is running (e.g., 192.168.1.0 255.255.255.0). That's how the OpenVPN server learns how to route to that specific IP network when a device on the OpenVPN server's local IP network (e.g., 192.168.2.0 255.255.255.0) needs to communicate w/ the IP network of the OpenVPN client. That's the whole point of using that section.

P.S. I just realized that you have 10.8.0.0 for the tunnel, and the site-to-site IP is 10.8.2.0. So there is no problem here *if* indeed the IP network on which that OpenVPN client is residing is 10.8.2.0 255.255.255.0. IOW, the only relationship between them that matters is that they do NOT overlap or create ambiguous routing.
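As an added example (my own code, not from this thread and not the router firmware's implementation), the Python script below takes the values one would type into Manage Client-Specific Options and does two things: it rejects any overlap between the tunnel network, the server LAN and the site-to-site client LANs (the "ambiguous routing" case), and it emits the plain-OpenVPN directives those GUI fields correspond to: `iroute` in a per-Common-Name client-config-dir file for that client's LAN, a matching `route` on the server, `push "route ..."` into the *other* site-to-site clients' files when Push is ticked, and `client-to-client` for Allow Client <-> Client. How the router GUI actually translates its fields is an assumption on my part; all subnets are constructed sample values, chosen so that a 10.8.0.0/24 tunnel and a 10.8.2.0/24 site LAN, as in the post above, come out as non-overlapping.

```python
"""Plan and sanity-check a site-to-site OpenVPN layout (added example).

Inputs mirror the GUI: the tunnel network, the LAN behind the server, and
one (Common Name -> LAN, Push) entry per site-to-site client. Every
network value below is a constructed sample, not taken from the thread.
"""
from ipaddress import IPv4Network
from itertools import combinations


def find_overlaps(named_networks):
    """Return every pair of names whose networks overlap.

    Overlap between the tunnel network, the server LAN or any client LAN
    makes the server's routing ambiguous, so a plan containing one is
    rejected before any directive is generated. Values may be strings or
    IPv4Network objects.
    """
    nets = {name: IPv4Network(str(net)) for name, net in named_networks.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    ]


def plan_site_to_site(tunnel, server_lan, clients, client_to_client=False):
    """Build plain-OpenVPN server and ccd directives for a site-to-site layout.

    tunnel           - VPN tunnel network, e.g. "10.8.0.0/24"
    server_lan       - LAN behind the OpenVPN server, e.g. "192.168.2.0/24"
    clients          - {common_name: (client_lan, push)}; push mirrors the
                       Push checkbox (advertise this LAN to the other sites)
    client_to_client - the "Allow Client <-> Client" option

    Returns {"server": [lines], "ccd": {common_name: [lines]}}. The mapping
    of GUI fields to these directives is an assumption of this example.
    """
    networks = {"tunnel": tunnel, "server LAN": server_lan}
    lans = {cn: IPv4Network(lan) for cn, (lan, _push) in clients.items()}
    networks.update({f"client {cn}": net for cn, net in lans.items()})

    overlaps = find_overlaps(networks)
    if overlaps:
        raise ValueError(f"overlapping networks, routing is ambiguous: {overlaps}")

    # Server side: bind the login name to the CN (so username/password users
    # can be matched in the ccd), enable per-client files, and add a kernel
    # route for each site LAN so the server knows it lives behind the tunnel.
    server = ["username-as-common-name", "client-config-dir ccd"]
    if client_to_client:
        server.append("client-to-client")
    for net in lans.values():
        server.append(f"route {net.network_address} {net.netmask}")

    # One ccd/<CN> file per site-to-site client: iroute tells OpenVPN which
    # client owns that LAN; pushed routes give it the *other* sites' LANs.
    # With a single site-to-site client there is nobody else to push to,
    # which is why Push is unnecessary in that case.
    ccd = {}
    for cn, net in lans.items():
        lines = [f"iroute {net.network_address} {net.netmask}"]
        for other_cn, (other_lan, push) in clients.items():
            if push and other_cn != cn:
                other = IPv4Network(other_lan)
                lines.append(f'push "route {other.network_address} {other.netmask}"')
        ccd[cn] = lines
    return {"server": server, "ccd": ccd}


if __name__ == "__main__":
    # Single site-to-site client, like the first screenshot scenario above.
    plan = plan_site_to_site("10.8.0.0/24", "192.168.2.0/24",
                             {"site2site": ("192.168.1.0/24", False)})
    print("\n".join(plan["server"]))
    for cn, lines in plan["ccd"].items():
        print(f"--- ccd/{cn} ---")
        print("\n".join(lines))

    # Entering the tunnel network as a client's "Subnet" is caught here.
    try:
        plan_site_to_site("10.8.0.0/24", "192.168.2.0/24",
                          {"wrong": ("10.8.0.0/24", False)})
    except ValueError as err:
        print("rejected:", err)
```

The check is worth running before touching the router: the most common mistake in this thread's context, typing the tunnel network rather than the client's LAN into the Subnet/Mask fields, shows up immediately as an overlap with the tunnel, while a tunnel of 10.8.0.0/24 beside a site LAN of 10.8.2.0/24 passes, exactly as the post above explains.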
 