How to set up one Asuswrt-Merlin OpenVPN server and two Asuswrt-Merlin OpenVPN clients?

gariv

New Around Here
How do I set up all 3 routers so that all PCs can see each other?
(attached image: openVpn.jpg)

What you lack is site-to-site capability. You have to enable the Manage Client-Specific Options section on the OpenVPN server and config it so that you identify to the server the IP network(s) that lie behind each OpenVPN client. Also, enable the Client to Client option.

Because the auto-generated certs by the server only create *one* shared client cert by the CN (Common Name) of 'client' (no quotes), you either have to use easy-rsa to generate unique certs for each client in order to disambiguate them (preferred), OR, add the following to the custom config field of the OpenVPN server and disambiguate based on username (less secure, but less hassle too).

Code:
username-as-common-name
P.S. Make sure to enable the Push option w/ the IP networks defined in Manage Client-Specific Options. Also, there's no need for the OpenVPN clients to NAT the tunnel if all this is configured properly.

Thanks, I tried, but push=yes doesn't work and push=no doesn't work. It is the same as before the changes.
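As an added illustration of the advice above (not code from the thread or from Asuswrt-Merlin), the script below generates the server-side pieces that make the two clients' LANs reachable: the route/push lines for the server's custom config and the iroute line for each client's CCD entry, plus a check that every iroute has a matching route. It assumes the server LAN is 192.168.11.0/24 and client1's LAN is 192.168.5.0/24 as in the thread; 192.168.6.0/24 for client2, the CCD directory path and the client names are constructed values. The username-as-common-name case is the one shown, so each CCD file is named after the client's username.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin.
# Constructed client table: "<common-name>:<lan-behind-client>:<netmask>".
# 192.168.5.0/24 is client1's LAN from the thread; 192.168.6.0/24 is assumed.
CLIENTS="client1:192.168.5.0:255.255.255.0 client2:192.168.6.0:255.255.255.0"

# Split one table entry into the globals cn, net and mask.
split() {
    cn=${1%%:*}; rest=${1#*:}; net=${rest%%:*}; mask=${rest#*:}
}

# Directives for the server's custom config field.
#   client-to-client         lets tunnel clients talk to each other
#   username-as-common-name  disambiguates clients sharing the generic cert
#   route                    kernel route so the server can reach each remote LAN
#   push "route ..."         what the "Push" option in Manage Client-Specific
#                            Options sends to every connecting client
server_custom_config() {
    echo "client-to-client"
    echo "username-as-common-name"
    for e in $CLIENTS; do
        split "$e"
        echo "route $net $mask"
        echo "push \"route $net $mask\""
    done
}

# Per-client CCD entry: iroute tells OpenVPN which client owns that LAN.
# This is what the Manage Client-Specific Options table produces; the GUI
# supplies the client-config-dir directive itself.
ccd_entry() {
    for e in $CLIENTS; do
        split "$e"
        if [ "$cn" = "$1" ]; then
            echo "iroute $net $mask"
        fi
    done
}

# Write one CCD file per client into the given directory (assumed path).
write_ccd_dir() {
    mkdir -p "$1"
    for e in $CLIENTS; do
        split "$e"
        ccd_entry "$cn" > "$1/$cn"
    done
}

# Consistency check: an iroute without a matching route in the server config
# leaves the server kernel unable to forward to that LAN.
check_routes() {
    cfg=$(server_custom_config)
    for e in $CLIENTS; do
        split "$e"
        iroute=$(ccd_entry "$cn" | sed 's/^iroute //')
        echo "$cfg" | grep -q "^route $iroute\$" || return 1
    done
    return 0
}

# Stand-alone run: print what goes where.
echo "# server custom config"; server_custom_config
for e in $CLIENTS; do split "$e"; echo "# ccd/$cn"; ccd_entry "$cn"; done
check_routes && echo "# route/iroute pairs are consistent"
```

With the OpenVPN clients' Inbound Firewall set to Allow and NAT on the tunnel left off, the route lines are all the server needs; the clients learn the other sites from the pushed routes.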

(attached images: openVpn-server2.jpg, openVpn-server-status-push-no.jpg, openVpn-server-status-push-yes.jpg)


What else would I try?

The username-as-common-name directive doesn't appear correct. The separator does NOT look like a normal dash (-) character. Or perhaps that's just an artifact of the screen capture.

Also, why are there *two* instances of the OpenVPN server? Seems to me based on your initial post there should be only *one*.

It doesn't help either that you obscured the Common Name field. Each client has to be uniquely identified by different usernames, which correspond to how you configured Manage Client-Specific Options. You can always change the username(s) later. But for diagnostic purposes, you're making things more difficult.
 
I'm sorry for obscuring them.
Usernames differ only by the number at the end of the name and I did not obscure them.
Server 1 is on a different port (redirects all traffic and the client will use VPN to access LAN and Internet), works well and should be independent of Server 2. Other clients (devices) are connected to Server 1.
The dash is normal.

Tracert from pc3 to server 192.168.11.1 is ok
Tracert from pc3 to client1 192.168.5.1 is not ok.

(attached image: 1654951046380.png)


I need to create some route on client2, then on client1, of course also on server2, but I don't know where :)

Also make sure the OpenVPN clients have their Inbound Firewall option set to Allow (the default is Block).

Now I have changed the push to yes and tracert from client2 to client2 works.
I still have to try everything. Thank you very much for your help.

(attached image: 1654955251561.png)


thanks, everything works.
One OpenVPN server and two clients with certificates.

Installed OpenVPN server on the router. I see "Data ciphers: CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC".
The client on another router connects only with a certificate. Everything is working.

I installed the third router as an OpenVPN client. The client does not connect because there is no "Client Certificate" and "Client Key". How do I generate them correctly?
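The earlier advice in this thread was to give each client its own certificate with a unique Common Name instead of reusing the auto-generated shared 'client' cert. The script below, added here and not part of the thread or of Asuswrt-Merlin, shows that flow with openssl as a substitute for easy-rsa: a CA, one client cert per router, a CN readout and a duplicate-CN check. The CA it creates is a constructed throwaway for the demonstration; on a real setup the client certs must be signed by the CA the server trusts, and the client names and the working directory are assumptions.

```shell
#!/bin/sh
# Added example using openssl instead of easy-rsa; not from the thread.
# WORK is an assumed scratch directory holding the constructed CA and certs.
WORK=${WORK:-$(mktemp -d)}

# Constructed throwaway CA; a real deployment signs with the server's CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=example-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue one key pair and certificate for the client named in $1.
# The CN is what the server uses to pick the matching CCD entry, so every
# client must get a different one. The extension marks the cert as a
# client cert, which matters when the server checks remote-cert-tls.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 3650 -extfile "$WORK/client.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Print the CN embedded in a client certificate.
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Confirm the client cert chains to the CA the server trusts.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Fail if two issued client certs share a CN (the shared 'client' problem).
check_unique_cns() {
    dups=$(for f in "$WORK"/*.crt; do
               [ "$f" = "$WORK/ca.crt" ] && continue
               openssl x509 -in "$f" -noout -subject | sed 's/.*CN *= *//'
           done | sort | uniq -d)
    [ -z "$dups" ]
}

# Stand-alone run: one cert per client router, then show the CNs.
make_ca
issue_client client1
issue_client client2
for c in client1 client2; do
    echo "$c -> CN=$(cert_cn "$c")"
done
check_unique_cns && echo "all client CNs are unique"
```

The resulting client1.crt and client1.key (and the client2 pair) are what go into the Client Certificate and Client Key fields of each router's OpenVPN client page, with the CA certificate in the Certificate Authority field; the CN of each cert is the name the server's Manage Client-Specific Options entry must match.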
 