Help needed to make a router on LAN accessible remotely

[andres99]

I have a Linksys LRT 214 router facing WAN and acting as a DHCP server for LAN (192.168.10.1).

A LAN port of an ASUS RT-AC68U (with Merlin’s Asuswrt v384.13) is connected to a LAN port of the Linksys router (Asus has static IP 192.168.10.7 / mask 255.255.255.0). The DHCP server on Asus is switched off. Asus is in the router mode and it is used as a WiFi access point for LAN. The firewall of Asus is turned off, WAN/NAT is not enabled.

WiFi works flawlessly and I can access Asus at 192.168.10.7 from LAN but I cannot access the Asus router from remote points at any port, although I have forwarded the respective port from Linksys to 192.168.10.7. I can see from Linksys’s log that the packets are being forwarded to 192.168.10.7 but Asus seems not to respond to any remote queries.

A Tomato router that I used in a similar fashion (LAN port-LAN port connection with the Linksys router) was accessible from remote locations.

I need to run an OpenVPN server on Asus, and therefore I need it to be accessible remotely (of course, after port forwarding). Any ideas?

 

[ColinTaylor]

Check to see whether the Asus has a default route set (System Log - Routing Table). If it doesn't then you'll need to create one that points to your Linksys.

 

[andres99]

Check to see whether the Asus has a default route set (System Log - Routing Table). If it doesn't then you'll need to create one that points to your Linksys.

Thanks! Indeed there is no route labelled "default". When I add one, what should I write to the "Network/Host IP" and "Netmask" boxes?

 

[ColinTaylor]

I've not personally tried what you're doing, but my guess would be this:

Network/Host IP = 0.0.0.0
Netmask = 0.0.0.0
Gateway = 192.168.10.1
Interface = LAN

 

[andres99]

Thanks a lot, really! It works!

 

[ColinTaylor]

Excellent. So you can now access your entire LAN remotely through the Asus' VPN?

 

[andres99]

Well, not yet. At least I got my OpenVPN client connected from a remote location to the Asus’ VPN server (and that is already a big victory). But so far I cannot ping anything in the Linksys’ LAN. Trying to figure out what to change.

EDIT: As a side note, I have made this work already with another Asuswrt router (older version). But that version had "Push LAN to clients" option under OpenVPN server. There is no such option in the new version. And since I am running the OpenVPN server via LAN port, I am not sure if any NAT options would help.

 

[ColinTaylor]

Hmm... I think the VPN client traffic will have a source address of 10.8.0.x because it's NATed by the server.

The target machines don't know how to route back to that network and will therefore send their replies to the default gateway (the Linksys). As it's not practical to setup static routes on each individual LAN machine I think you'll need to setup a static route on the Linksys that says "network 10.8.0.0/24 is reachable via 192.168.10.7.

 

[andres99]

It seems that this did not work. I added the following route to Linksys:

Destination IP: 192.168.8.0
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.7
Interface: LAN

Asus has the following Routing table:

192.168.10.0 * 255.255.255.0 LAN
192.168.8.0 * 255.255.255.0 tun21
default 192.168.10.1 0.0.0.0 LAN

And I cannot ping anything in 192.168.10.x from the remote location.

 

[ColinTaylor]

Have you tried pinging 192.168.10.7 ?

 

[andres99]

Yes but with no result.

I wonder if the removed "Push LAN to clients" is somehow replaceable with custom commands and if it would work in the case of a router like Asus in this case, which is cascaded to the primary router’s LAN.

If it is of any help, here is the log from my remote OpenVPN Client (which is also an Asus RT-AC68U):

Nov 28 05:53:03 openvpn[15746]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Nov 28 05:53:03 openvpn[15746]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0 vpn_gateway 500,route-gateway 192.168.8.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.8.2 255.255.255.0,peer-id 0'
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: route options modified
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: route-related options modified
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: peer-id set
Nov 28 05:53:03 openvpn[15746]: OPTIONS IMPORT: adjusting link_mtu to 1625
Nov 28 05:53:03 openvpn[15746]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Nov 28 05:53:03 openvpn[15746]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 28 05:53:03 openvpn[15746]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Nov 28 05:53:03 openvpn[15746]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 28 05:53:03 openvpn[15746]: TUN/TAP device tun12 opened
Nov 28 05:53:03 openvpn[15746]: TUN/TAP TX queue length set to 100
Nov 28 05:53:03 openvpn[15746]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Nov 28 05:53:03 openvpn[15746]: /usr/sbin/ip link set dev tun12 up mtu 1500
Nov 28 05:53:03 openvpn[15746]: /usr/sbin/ip addr add dev tun12 192.168.8.2/24 broadcast 192.168.8.255
Nov 28 05:53:05 openvpn[15746]: /usr/sbin/ip route add 192.168.10.0/24 metric 500 via 192.168.8.1
Nov 28 05:53:05 openvpn-routing: Skipping, client 2 not in routing policy mode
Nov 28 05:53:05 openvpn[15746]: Initialization Sequence Completed

 

[ColinTaylor]

What is the LAN IP range of the client router?

I wonder if the removed "Push LAN to clients" is somehow replaceable with custom commands and if it would work in the case of a router like Asus in this case, which is cascaded to the primary router’s LAN.

I don't understand what you mean by 'removed "Push LAN to clients"'. We can see the LAN is being pushed in the log file.

Can you try this with a different client, like a mobile phone. Trying to do it LAN to LAN with two routers might be complicating matters.

 

[andres99]

The client router (192.168.0.1, Asus RT-AC68U)) is also the primary router and DHCP server for a different subnet, 192.168.0.0 / 255.255.255.0.

I have tried to test the same OpenVPN with the official OpenVPN client for Windows - with the same result.

The Asus router (192.168.10.7 and 192.168.8.1 in the OpenVPN subnet) can ping (under Network. Tools - Network Analysis in the GUI) other devices in the 192.168.10.0 network. It can also ping 192.168.8.2 (which is the the client router, 192.168.0.1, Asus) in the OpenVPN subnet.

For comparison, I tried to create an OpenVPN connection over a very similar route, launching an OpenVPN server on a QNAP NAS (192.168.10.5) in the Linksys’ network and there OpenVPN worked flawlessly with the client router (192.168.0.1). However, I cannot leave the NAS to serve the OpenVPN.

 

[ColinTaylor]

There's probably something really simple that's missing because we're using the VPN server in a way that it was never intended.

Side note: I'm finding it really hard to check the settings because you've used 192.168.8.0 instead of 10.8.0.0 and I have to keep re-reading everything.

What does the syslog look like on the server side when the client connects?

Can the client ping 192.168.8.1 and 192.168.8.2 after it connects?

 

[andres99]

Okay, I discovered something strange. The Asus OpenVPN server router (192.168.10.7) cannot ping domain names, it can ping only IP addresses. So there is probably a DNS problem but I cannot figure out how to fix it.

I also noticed that the Asus’ (192.168.10.7) time was wrong. When I replaced the NTP server address with an IP address, the time was synchronised and now devices in the Client Asus’ (192.168.0.1) network can ping 192.168.10.7 and 192.168.8.1 (server Asus’ IP address in the OpenVPN subnet) and 192.168.8.2 (that is client Asus’ IP address in the OpenVPN subnet). However, devices in 192.168.0.0 cannot ping other devices in the 192.168.10.0 subnet, like 192.168.10.1 or 192.168.10.5.

The server side log when the client connects looks like this (I have replaced my remote IP address with x.x.x.x and my VPN username with <myvpnusername>:

Nov 28 18:58:15 rc_service: httpds 224:notify_rc restart_chpass;restart_vpnserver1
Nov 28 18:58:17 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Nov 28 18:58:17 kernel: device tun21 entered promiscuous mode
Nov 28 18:58:17 ovpn-server1[27434]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Nov 28 18:58:17 ovpn-server1[27434]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08
Nov 28 18:58:17 ovpn-server1[27435]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 28 18:58:17 ovpn-server1[27435]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 28 18:58:17 ovpn-server1[27435]: Diffie-Hellman initialized with 2048 bit key
Nov 28 18:58:17 ovpn-server1[27435]: TUN/TAP device tun21 opened
Nov 28 18:58:17 ovpn-server1[27435]: TUN/TAP TX queue length set to 1000
Nov 28 18:58:17 ovpn-server1[27435]: /usr/sbin/ip link set dev tun21 up mtu 1500
Nov 28 18:58:17 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Nov 28 18:58:17 ovpn-server1[27435]: /usr/sbin/ip addr add dev tun21 192.168.8.1/24 broadcast 192.168.8.255
Nov 28 18:58:17 ovpn-server1[27435]: updown.sh tun21 1500 1622 192.168.8.1 255.255.255.0 init
Nov 28 18:58:17 ovpn-server1[27435]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Nov 28 18:58:17 ovpn-server1[27435]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Nov 28 18:58:17 ovpn-server1[27435]: setsockopt(IPV6_V6ONLY=0)
Nov 28 18:58:17 ovpn-server1[27435]: UDPv6 link local (bound): [AF_INET6][undef]:41194
Nov 28 18:58:17 ovpn-server1[27435]: UDPv6 link remote: [AF_UNSPEC]
Nov 28 18:58:17 ovpn-server1[27435]: MULTI: multi_init called, r=256 v=256
Nov 28 18:58:17 ovpn-server1[27435]: IFCONFIG POOL: base=192.168.8.2 size=252, ipv6=0
Nov 28 18:58:17 ovpn-server1[27435]: Initialization Sequence Completed
Nov 28 18:58:29 ovpn-server1[27435]: x.x.x.x:52338 TLS: Initial packet from [AF_INET6]::ffff:x.x.x.x:52338, sid=8b1bd693 af218b40
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_VER=2.4.0
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_PLAT=linux
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_PROTO=2
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_NCP=2
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_LZ4=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_LZ4v2=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_LZO=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_COMP_STUB=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_COMP_STUBv2=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 peer info: IV_TCPNL=1
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 TLS: Username/Password authentication succeeded for username '<myvpnusername>' [CN SET]
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Nov 28 18:58:30 ovpn-server1[27435]: x.x.x.x:52338 [<myvpnusername>] Peer Connection Initiated with [AF_INET6]::ffff:x.x.x.x:52338
Nov 28 18:58:30 ovpn-server1[27435]: <myvpnusername>/x.x.x.x:52338 MULTI_sva: pool returned IPv4=192.168.8.2, IPv6=(Not enabled)
Nov 28 18:58:30 ovpn-server1[27435]: <myvpnusername>/x.x.x.x:52338 MULTI: Learn: 192.168.8.2 -> <myvpnusername>/x.x.x.x:52338
Nov 28 18:58:30 ovpn-server1[27435]: <myvpnusername>/x.x.x.x:52338 MULTI: primary virtual IP for <myvpnusername>/x.x.x.x:52338: 192.168.8.2
Nov 28 18:58:31 ovpn-server1[27435]: <myvpnusername>/x.x.x.x:52338 PUSH: Received control message: 'PUSH_REQUEST'
Nov 28 18:58:31 ovpn-server1[27435]: <myvpnusername>/x.x.x.x:52338 SENT CONTROL [<myvpnusername>]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0 vpn_gateway 500,route-gateway 192.168.8.1,topology subnet,ping 15,ping-restart 60,ifconfig 192.168.8.2 255.255.255.0,peer-id 0' (status=1)

 

[ColinTaylor]

OK this is a bit of a random guess, but try adding this static route to the Linksys:

Destination IP: 192.168.0.0
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.7
Interface: LAN

 

[andres99]

Unfortunately that did not change anything. I guess that Asus (192.168.10.7), for some reason (probably because of being connected only through a LAN port), does not want to route at all. But on the other hand, given the intensity of VPN, perhaps it is reasonable to expect that I should be able run a secondary router dedicated to WiFi and VPN behind the secondary router in the same LAN.

Maybe the question is in Asus’ routing table, namely in:

192.168.10.0*255.255.255.0U000LAN​

Perhaps it should be 192.168.10.1 (Linksys) instead of the asterisk? But can I override the routing table?

 

[andres99]

The situation changed a little when I checked "Advertise router's IP in addition to user-specified DNS" under LAN. Now I can ping (from a remote device) some more devices in 192.168.10.x (the Asus OpenVPN router 192.168.10.7, the Linksys router 192.168.10.1, a NAS, 2 printers). However, most devices in 192.168.10.0 are still unpingable.

 

[ColinTaylor]

I was assuming that all your "pinging" was done with IP addresses and not host names. Name resolution across subnets is a whole other problem that can be addressed later.

Bear in mind that if the target device has a firewall (e.g. a Windows PC) then it will need to be modified to allow the incoming traffic. It will see the traffic as being "not local" and therefore treat it as though it were unsolicited traffic from the internet. Windows Firewall for example will block non-local ping requests.

 

[andres99]

At least one unpingable Windows PC has its firewall turned off and the log of Linksys’s (192.168.10.1) firewall shows no blocked connections.

And when I restarted the OpenVPN server, I lost all pingability again (no devices in 192.168.10.0 are remotely pingable after connecting to the OpenVPN server even though the configuration is 100% the same). Trying hard to see any logic in all this.

EDIT: One more thing. I notice that for some reason the log contains "Could not determine IPv4/IPv6 protocol. Using AF_INET6" - but on the Asus (192.168.10.7), IPV6 is disabled.

EDIT2: After another restart of the OpenVPN server I can ping (from a remote device) some devices on the 192.168.10.0 network again but not so many as previously. Now I can see only 102.168.10.7 and one of the printers, which is 192.168.10.8. The other devices on 192.168.10.0 (including the Linksys 192.168.10.1, a NAS and one more printer) are unpingable. Seems somewhat random.