Tutorial How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18

Hi Yorgi,

The servers I have are just a couple of NAS'. If the PC was the only device on Local IP, wouldn't the DDNS still need to reach out to the router first in order to wake my PC? I would be sending a request to port 9 using portforward, but if the router was still on VPN, it seems like it wouldn't be able to reach the PC. Is there a way to connect to my PC without going through the router?

Same with the NAS', as I use portforward to access them with DDNS. It seems the only way is to put the router on WAN. Of course, I'm no professional by any means so any information from anyone is of high value to me. Thank you Yorgi!
 
If the PC you want to wake up is connected to a VPN server, the only way to wake it up is to set up a VPN server on your router and then log on to your server. Now you have access to the LAN and you can send a magic packet to wake up the PC.
The only way to wake up or control a PC that is connected to a VPN server like PIA is from your LAN; otherwise you cannot reach that PC from outside your local network.
Another way is to have a PC that is connected to the local ISP on your router. You can remote desktop to that PC and wake up or access any device in the network, and you can remote desktop to a PC that is connected to a VPN server from within your network and access your files or backups or your NAS.
 
Hi Yorgi,

I actually previously set up the VPN in the Asus router and was able to access my LAN, however, when I turned the client VPN on, it was no longer able to connect. Have you ever used TeamViewer? It has the WOL option available. I haven't had the time to try it yet, but I did set it up on my PC last night. I made sure WOL was enabled in the BIOS and the properties of my LAN card. Then I enabled WOL on the latest version of TeamViewer with my DDNS, using port 9, and signed in with my account. Now when I have time, I am going to install TeamViewer on my laptop to see if I can use the WOL feature. I will be connecting my laptop to my hotspot so that it's off the network. I know it's far-fetched, but I'm wondering if it will connect if the PC is going through the VPN. I will have to report back! :)

I have also made a small donation to Eric for all his hard work on the Asus firmware. I will be sure to donate more in the near future.

I just want to say thanks again for all your help Yorgi!! You have been a lifesaver!! You have no idea how much I appreciate all your help.

Richard
 
I need help!!!

I tried for days now to get Giganews VPN to work on my router (RT-AC66U with latest Firmware:380.62_1).

Supposedly Giganews VPN is the branded version of Goldenfrog VPN, I have followed instructions on both sites and still cannot get OpenVPN Client to work.

problems
  1. Changed the DNS on the WAN to Google DNS / OpenDNS and the client got no internet connection - VPN Status shows Client1 as connecting and seems to hang at "Connecting".
  2. When I turned on the VPN Service, the green light is on but I got the message "Error Routing Conflict!". Rebooting the router and turning the VPN Client on again got rid of the error; the green light is on, but an ipleak check still detects my ISP address.
  3. Changed "Accept DNS Configuration" from Strict to Exclusive, the green light is still on but I lost internet access.
I have Redirect Internet Access set to Policy Rules and the client list contains only one client. I tried ipconfig /flushdns every time I changed the config and no dice...
 
Did you load the .ovpn file to the VPN client?
You need to have it set to Exclusive.
Before you start using policy rules, try putting it to "all traffic" and see if you get the VPN working.
You don't need to change the DNS on the WAN to Google; that won't make any difference to the VPN client and what DNS it will use.
Make sure that you load the certificates in the proper places.
If you loaded certificates in the wrong place and then pasted them in a different area, you will need to do a default and enter those certificates in the right place.
 
Did you load the .ovpn file to the VPN client?
Yes

you need to have it set to Exclusive
Tried that and lost internet connection.

before you start using policy rules, try putting it to "all traffic" and see if you get the VPN working.
Will try that tonight.
Make sure that you load the certificates in the proper places.
Certificate is in place, otherwise connection would fail, isn't it?
 
If you lost connection it means you were never connected. Leave that option on ALL TRAFFIC for now until you get it working.
You have to keep it on Exclusive. You can have a green light and still have a conflict.
Usually it's the certificates, if they are not in the right place, or you are missing some additional switches in the custom configuration area.

Can you open up that .ovpn file in the Notepad++ editor and paste the information in the thread?
I have to take a look at it; I am sure that there are configurations that you have to load up.
Once I look at that, then if you still can't connect I would need you to upload a log file. But not yet. Let's do one thing at a time.
 
Firstly, thanks for taking the time to help.

Here is the content of the .ovpn file -

client
dev tun
proto udp
remote us1.vpn.giganews.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
;ca ca.vyprvpn.com.crt
tls-remote us1.vpn.giganews.com
auth-user-pass
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
</ca>

Edit...

Good news. I went through the log and suddenly it hit me...I have a custom openvpn-event script in the /jffs/scripts/ a long while back....So I set format /jffs on next reboot...and rebooted the router.

and now VPN is working....
 
Hello, I have PureVPN and have a problem setting up the VPN client. I used this tutorial, but if I go to whatismyipaddress it is still showing my real address? https://support.purevpn.com/an-easy-guide-for-setting-up-openvpn-on-asus-rt-n66u-2
That guide cannot be any clearer. I would suggest you look at your custom configurations. Even missing a space will give you a problem.
But if you are still having problems connecting, take that OpenVPN file from PureVPN, open it up with Notepad, and copy and paste the info in the forum, and I can take a look at it and help you further.
 
this is from router:
http://imagizer.imageshack.com/img922/5703/oydHBg.png
http://imagizer.imageshack.com/img923/8170/1W4r0l.png
http://imagizer.imageshack.com/img923/1665/wdnXLt.png

and this is .ovpn file which i upload to openvpn clients settings...
Code:
client

dev tun
remote il1-ovpn.purevpn.net  53
proto udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
</ca>

#
# 2048 bit OpenVPN static key
#
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
e30af995f56d07426d9ba1f824730521
d4283db4b4d0cdda9c6e8759a3799dcb
7939b6a5989160c9660de0f6125cbb1f
585b41c074b2fe88ecfcf17eab9a33be
1352379cdf74952b588fb161a93e13df
9135b2b29038231e02d657a6225705e6
868ccb0c384ed11614690a1894bfbeb2
74cebf1fe9c2329bdd5c8a40fe882062
4d2ea7540cd79ab76892db51fc371a3a
c5fc9573afecb3fffe3281e61d72e915
79d9b03d8cbf7909b3aebf4d90850321
ee6b7d0a7846d15c27d8290e031e951e
19438a4654663cad975e138f5bc5af89
c737ad822f27e19057731f41e1e254cc
9c95b7175c622422cde9f1f2cfd3510a
dd94498b4d7133d3729dd214a16b27fb
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1

verb 1
mute 20
route-method exe
route-delay 2
auth-user-pass
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
 
Hi, follow these images and you should connect without any issues.
Just make sure that the certificates are in Authorization Mode/Content modification of Keys & Certificates.
main.jpg
cert.jpg
 
Also make sure that you set Redirect Internet traffic to all traffic or policy rules. Do policy rules after you have connected with all traffic and you have a VPN IP.
If you need to go to policy rules, enable "if tunnel goes down drop connection" and set up a rule that does this:
source 192.168.1.0/24 destination 0.0.0.0 Iface VPN
I would assume your router is 192.168.1.1 for the above rule. If you have a different subnet, adjust accordingly.
 
Thank you very much....now it is connected over VPN....:) I have another question now....I have to go to sites like real-debrid, furk.net and easynews.org through WAN and not VPN.....how to do that?
EDIT: after setting up policy rules I got my real IP address again? What is wrong in my policy rules?
hCb6N5.png
 
Cold boot the router. Turn the power off at the wall and leave the on button on the router enabled.
Then put the power back on the router and let it boot again.
If this happens again I would default the VPN client and set it up again.
It was not set like that from the beginning and you may be getting a router conflict.
Are you using more than one VPN client enabled at the same time?
Your rule looks fine so long as your router is in the 192.168.10.1 range and you went to IP pool and set up the range to be 99 for static and 100+ for DHCP;
then you should be fine after the reboot.
 
Hi!

thanks a lot for this guide !

I tried to set up a VPN between 2 routers, but I'm somehow stuck :(

Here is what I want to do:
I need to reach a VNC server on an Asus router that can't be connected to (3G network with no real outside IP).
So the solution was to build a VPN between 2 routers:
What I managed so far:
Stable VPN connection from Router2 (client) to Router1 (server).
Accessing i.e. the web GUI of router1 works, so the direction client=>server is ok.

Yet this is the opposite direction I need :(

What do I have to change/add so I can reach i.e. 192.168.2.222@5900 (VNC server @router2) when being connected to router1's LAN (i.e. working on the computer, or with a wifi@tablet connection)?


Details :
Router 1 (server):
AC56u (latest merlinFW) @staticIP&DDNS = VPN Server
router IP : 192.168.1.1
20161107_vpn_server.png


Router 2 (client):
RTN66U (latest merlinFW) @3G-usbSTICK (no real IP)
router IP : 192.168.2.1

20161107_vpn_client.png


big thanks ahead for help !!!

ps: sorry,no clue why the images are so blurry,I tried jpg/gif/png.. always the same ...
 
You cannot connect a VPN client to a VPN server locally.
I am really confused why you would want to do such a setup.
When connecting 2 routers together, router 1 can see router 2's network but not vice versa.
Introducing a VPN server/client to the equation only makes things a bigger mess.
The only way you can connect to your VPN server is by using another internet connection, not with the same modem.
So if you were to use your iPad with your iPhone hotspotted to your tablet using your phone's internet service provider, then you can connect to your VPN server and have everything work the way you like.
So in theory what you are trying to do will never work, and using 2 routers in the way you have it is really useless.

A 2 router scenario would be used like this.
Router 1 local ISP and router 2 VPN client connecting to PIA, for example.
Each router has a different IP, for example router 1 192.168.1.1, router 2 192.168.2.1.
One would then connect to router 1 for local ISP and router 2 for PIA.
2 separate networks using 1 modem.
 
Sorry if I explained it the wrong way:

The ovpn server router is located at a different location, using a different ISP (static IP).

The ovpn client router only has internet access through a 3G USB stick. Due to the nature of the 3G connection (double NAT/..) no service/server running on this router's LAN can be reached from the outside.

So the solution I thought would be a VPN between the 3GinetRouter and the staticIProuter.
Right now client=>server works, but I need to have access to the client's LAN.

I believe this is a routing problem, but I can't figure out how to do that :(


here is all the info I could gather,maybe this helps to figure this out :


vpn info :

client1.ovpn :

client
dev tun
proto udp
remote someDDNSip.asuscom 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
....
------------------------------------------------------------
Server : AC56U
LanIP : 192.168.1.1
OPENVPN IP : 10.8.0.1


Client : N66U
LanIP : 192.168.0.1
OPENVPN IP : 10.8.0.2
-------------------------------------------------------------


server(AC56U) info :


pings :

@RT-AC56U:/tmp/mnt# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

@RT-AC56U:/tmp/mnt# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: seq=0 ttl=64 time=2245.690 ms
64 bytes from 10.8.0.2: seq=1 ttl=64 time=1264.778 ms
64 bytes from 10.8.0.2: seq=2 ttl=64 time=284.499 ms
^C
--- 10.8.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 284.499/1264.989/2245.690 ms

-----------------------------

IPv4 Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
myWANip * 255.255.255.255 UH 0 0 0 WAN
10.8.0.0 * 255.255.255.0 U 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
80.109.235.0 * 255.255.255.0 U 0 0 0 WAN
default myWANip 0.0.0.0 UG 0 0 0 WAN

------------------------------

@RT-AC56U:/tmp/mnt# traceroute 10.8.0.2
traceroute to 10.8.0.2 (10.8.0.2), 30 hops max, 38 byte packets
1 10.8.0.2 (10.8.0.2) 214.754 ms 186.755 ms 159.891 ms

-----------------------------------------------------------------------------------

Client(RTN66U) info :

IPv4 Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.64.64.64 * 255.255.255.255 UH 0 0 0 WAN
192.168.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun11
10.8.0.0 * 255.255.255.0 U 0 0 0 tun11
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN
169.254.0.0 * 255.255.0.0 U 0 0 0 MAN
default 10.64.64.64 0.0.0.0 UG 0 0 0 WAN

------------------

pings :

@RT-N66U-A730:/tmp/home/root# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=138.926 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=210.341 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=240.392 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=230.444 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=220.389 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 138.926/208.098/240.392 ms



@RT-N66U-A730:/tmp/home/root# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=146.545 ms
64 bytes from 10.8.0.1: seq=1 ttl=64 time=120.454 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max = 120.454/133.499/146.545 ms
 
Try setting the interface type to TAP instead of TUN. Not sure if it supports iPad, but it will work if you are using Windows PCs.
If that doesn't work and you go back to TUN, make sure that you do not put the IP address of the second router as you did.
Leave it at 10.8.0.0 and the subnet at 255.255.255.0.
Also, I would suggest you add username and password authentication, because you are putting yourself at risk.
If TAP doesn't work with your Windows PCs in both directions, then something is up with that USB 3G.
Let me know what happens :)
 
hi !
sorry for the late reply,work...

Tried TAP, but that's a dead ringer... no connection out/in possible.

so back to tun

I can ping the server@192.168.1.1 from the client side AND I can ping the OpenVPN gateway 10.8.0.2 on the client's side, so the tunnel works, yet no data is routed from the server to the client.
So I guess it's just a question of where/how to add a routing rule.

I googled so much that my head & eyes hurt.. so I'm not sure which of the following would do the trick:

* client config file
info you put into ccd files (client configuration..)
didn't try that, not sure what to put into the config file

* a static route on the server side
done via i.e.
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.2 dev tun21
or ip route add 192.168.0.0/24 via 10.8.0.2

this also didn't help


* or via server custom configuration
ie. push route "192.168.0.0 255.255.255.0 10.8.0.2 1"

yet push route results in a routing error, as seen in the client's syslog:

Nov 8 17:09:07 openvpn[12642]: Ignore conflicted routing rule: 192.168.0.0 255.255.255.0
Nov 8 17:09:07 openvpn-routing: Skipping, client 1 not in routing policy mode

slowly but steady starting to hate networkstuff :(
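
The ping results in the post above follow from the two routing tables it quotes. As an added example (not part of the original thread), this Python sketch replays a longest-prefix-match lookup over those tables; the function names are illustrative, and the table rows are copied from the post with its own "myWANip" redaction left in place.

```python
import ipaddress

# Routing tables copied from the post above (header row dropped).
# "myWANip" is the poster's redaction and is kept as-is.
SERVER_TABLE = """\
myWANip * 255.255.255.255 UH 0 0 0 WAN
10.8.0.0 * 255.255.255.0 U 0 0 0 tun21
192.168.1.0 * 255.255.255.0 U 0 0 0 LAN
80.109.235.0 * 255.255.255.0 U 0 0 0 WAN
default myWANip 0.0.0.0 UG 0 0 0 WAN
"""

CLIENT_TABLE = """\
10.64.64.64 * 255.255.255.255 UH 0 0 0 WAN
192.168.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun11
10.8.0.0 * 255.255.255.0 U 0 0 0 tun11
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN
169.254.0.0 * 255.255.0.0 U 0 0 0 MAN
default 10.64.64.64 0.0.0.0 UG 0 0 0 WAN
"""


def parse_table(text):
    """Return a list of (network, gateway, iface) tuples.

    Rows whose destination is neither an IPv4 address nor "default"
    (such as the redacted "myWANip" host route) are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest, gateway, mask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, None if gateway == "*" else gateway, iface))
    return routes


def egress(routes, address):
    """Return (iface, gateway) of the most specific route covering address."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    _, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway


def with_route(routes, cidr, gateway, iface):
    """Return a copy of routes with one extra static route added."""
    return routes + [(ipaddress.ip_network(cidr), gateway, iface)]


if __name__ == "__main__":
    server = parse_table(SERVER_TABLE)
    client = parse_table(CLIENT_TABLE)
    # Client side: the server LAN has an explicit route into the tunnel.
    print("client -> 192.168.1.1:", egress(client, "192.168.1.1"))
    # Server side: the tunnel peer is reachable, the client LAN is not;
    # 192.168.0.0/24 only matches the default route and leaves via WAN.
    print("server -> 10.8.0.2:   ", egress(server, "10.8.0.2"))
    print("server -> 192.168.0.1:", egress(server, "192.168.0.1"))
    # Kernel view after the static route the poster tried on the server.
    fixed = with_route(server, "192.168.0.0/24", "10.8.0.2", "tun21")
    print("with static route:    ", egress(fixed, "192.168.0.1"))
```

In OpenVPN's routed (tun) server mode the kernel route is only half of the picture: the server process also needs an `iroute 192.168.0.0 255.255.255.0` line in that client's client-config-dir file to know which connected client owns the subnet, and without it packets sent into the tunnel for that subnet are dropped.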
 
