How to set up one Asuswrt-Merlin OpenVPN server and two Asuswrt-Merlin OpenVPN clients?

gariv

New Around Here
How do I set up all 3 routers so that all PCs can see each other?
[attached image: openVpn.jpg (network diagram of the three routers)]
 

eibgrad

Part of the Furniture
What you lack is site-to-site capability. You have to enable the Manage Client-Specific Options section on the OpenVPN server and configure it so that you identify to the server the IP network(s) that lie behind each OpenVPN client. Also, enable the Client to Client option.

Because the auto-generated certs by the server only create *one* shared client cert by the CN (Common Name) of 'client' (no quotes), you either have to use easy-rsa to generate unique certs for each client in order to disambiguate them (preferred), OR, add the following to the custom config field of the OpenVPN server and disambiguate based on username (less secure, but less hassle too).

Code:
username-as-common-name
 

eibgrad

Part of the Furniture
P.S. Make sure to enable the Push option w/ the IP networks defined in Manage Client-Specific Options. Also, there's no need for the OpenVPN clients to NAT the tunnel if all this is configured properly.
 
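What the two posts above map to in OpenVPN terms, as an added example that is not part of the original thread and not Asuswrt-Merlin's own code: "Manage Client-Specific Options" is a client-config-dir entry with an iroute for the LAN behind that client, "Push" is a push "route ..." so the other sites learn that LAN, and "Client to Client" is the client-to-client directive. The script below writes that configuration into a directory and then checks it for the mistake that most often breaks site-to-site: an iroute with no matching server-side route or push. The server LAN (192.168.11.0/24) and client1's LAN (192.168.5.0/24) come from the thread; the names client1/client2, client2's LAN (192.168.6.0/24) and the tunnel subnet (10.8.0.0/24) are assumptions.

```shell
#!/bin/sh
# Added example (not the router GUI's code): build and check an OpenVPN
# site-to-site server config for one server and two clients.
# Assumed: names client1/client2, client2 LAN 192.168.6.0/24, tunnel 10.8.0.0/24.
set -eu

# Site table: "<common name or username> <remote LAN> <netmask>".
# Names must be unique per client: either per-client certs from easy-rsa
# (preferred) or username-as-common-name with distinct usernames.
SITES='client1 192.168.5.0 255.255.255.0
client2 192.168.6.0 255.255.255.0'

# gen_site_to_site <outdir>: writes <outdir>/server.conf and <outdir>/ccd/<name>
gen_site_to_site() {
    out=$1
    mkdir -p "$out/ccd"
    {
        echo 'server 10.8.0.0 255.255.255.0'            # assumed tunnel subnet
        echo 'client-config-dir ccd'                    # per-client options live here
        echo 'client-to-client'                         # let client1 and client2 reach each other
        echo 'username-as-common-name'                  # ccd lookup by username (less secure than unique certs)
        echo 'push "route 192.168.11.0 255.255.255.0"'  # server LAN, pushed to every client
    } > "$out/server.conf"
    # Pass 1: kernel route into the tunnel (route) plus the owner mapping (iroute)
    printf '%s\n' "$SITES" | while read -r name net mask; do
        echo "route $net $mask" >> "$out/server.conf"
        echo "iroute $net $mask" > "$out/ccd/$name"
    done
    # Pass 2: push each site's LAN to every *other* site (the GUI's Push option);
    # no NAT is needed on the clients once routes exist in both directions
    printf '%s\n' "$SITES" | while read -r name net mask; do
        printf '%s\n' "$SITES" | while read -r other onet omask; do
            if [ "$other" != "$name" ]; then
                echo "push \"route $net $mask\"" >> "$out/ccd/$other"
            fi
        done
    done
}

# check_site_to_site <outdir>: every iroute needs a server-side route and a push
# to each other client; prints what is missing and returns 1 if anything is
check_site_to_site() {
    out=$1
    rc=0
    for f in "$out"/ccd/*; do
        name=${f##*/}
        while read -r kw net mask; do
            if [ "$kw" != iroute ]; then continue; fi
            if ! grep -qxF "route $net $mask" "$out/server.conf"; then
                echo "$name: iroute $net has no 'route' in server.conf"; rc=1
            fi
            for g in "$out"/ccd/*; do
                if [ "$g" = "$f" ]; then continue; fi
                if ! grep -qxF "push \"route $net $mask\"" "$g"; then
                    echo "${g##*/}: $net is not pushed to this client"; rc=1
                fi
            done
        done < "$f"
    done
    return $rc
}

# Demo when run directly: generate into a temp dir and verify it
demo_dir=$(mktemp -d)
gen_site_to_site "$demo_dir"
check_site_to_site "$demo_dir" && echo "site-to-site config in $demo_dir is consistent"
```

On the router the GUI writes the equivalent files for you; the value of the check is the rule it encodes: an iroute on its own only tells OpenVPN which client owns a LAN, the server still needs a matching route so the kernel sends that LAN into the tunnel at all, and the other client only learns the LAN if it is pushed to it. If a traceroute from one site stops at the server's tunnel address, one of those three pieces is usually missing.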

gariv

New Around Here
Thanks, I tried, but push=yes doesn't work and push=no doesn't work. It's the same as before the changes.

[attached images: openVpn-server2.jpg, openVpn-server-status-push-no.jpg, openVpn-server-status-push-yes.jpg]


What else could I try?
 

eibgrad

Part of the Furniture
The username-as-common-name directive doesn't appear correct. The separator does NOT look like a normal dash (-) character. Or perhaps that's just an artifact of the screen capture.

Also, why are there *two* instances of the OpenVPN server? Seems to me based on your initial post there should be only *one*.

It doesn't help either that you obscured the Common Name field. Each client has to be uniquely identified by different usernames, which correspond to how you configured Manage Client-Specific Options. You can always change the username(s) later. But for diagnostic purposes, you're making things more difficult.
 

gariv

New Around Here
I'm sorry for obscuring them.
The usernames differ only by the number at the end of the name, and I did not obscure them.
Server 1 is on a different port (redirects all traffic and the client will use VPN to access LAN and Internet), works well and should be independent of Server 2. Other clients (devices) are connected to Server 1.
The dash is normal.

Tracert from pc3 to server 192.168.11.1 is ok
Tracert from pc3 to client1 192.168.5.1 is not ok.

[attached image: 1654951046380.png (tracert output)]


I need to create some route on client2, then on client1, of course also on server2, but I don't know where :)
 

eibgrad

Part of the Furniture
Also make sure the OpenVPN clients have their Inbound Firewall option set to Allow (the default is Block).
 

gariv

New Around Here
Now I have changed the push to yes, and tracert from client2 to client2 works.
I still have to try everything. Thank you very much for your help.

[attached image: 1654955251561.png (tracert output)]


Thanks, everything works.
 