Open VPN Server


Preskitt.man

Regular Contributor
Am running Merlin 386.1_2 So, I decided to implement OpenVPN server on my AC86U. Technically, it went well, and my test client Samsung S20 connected to the VPN. Having said that, my phone behaves as if it were still just connected to my ISP - T-Mobile. WiFi is turned off on the phone, just cellular via T-Mobile. If I do a WhatsMyIP, it shows the address from T-Mobile, not the address from the Router, so internet queries are not going through the VPN. And pinging the address of any device on the LAN (192.168.1.x) fails. WiFMan shows my IP address to be 10.8.0.2, which fits in with the VPN settings, and its graphic shows Internet ->Gateway -> to phone (@10.8.0.2)

The entire setup at this time is pure vanilla. Enabled the VPN Server, checked that I would like to access both the internet and the lan, set a userid and password, and applied the settings. Downloaded the config file and imported into VPN Connect 3 client for Android. Connected using the userid and password previously supplied, and the connection was made. But as noted, internet connections seem to be directly through T-Mobile's cellular connection with no routing to my network. And certainly can't see my local devices. Frankly, I'm not sure how that would ever work with an assigned IP address of 10.8.0.2 from OpenVPN, but in reading the conflicting posts (lot of opinions on what to do), recommendation was not to set a connection on the 192.168.1.x network.

What I would like the end result to be is two fold:
1) When my phone connects, internet traffic gets routed through my router and then to the internet
2) When using my MAC and/or Windows laptop, I can access devices on my LAN

Any Ideas?
 


eibgrad

Very Senior Member
You need to add the following directive to the OpenVPN server custom config field.

Code:
push "redirect-gateway def1"

P.S. Many times personal firewalls on the OpenVPN server side will prevent access, something very common w/ Windows. You either need to reconfigure them to accept the tunnel's IP network (10.8.0.0/24), or NAT the inbound traffic from the tunnel as it's dropped on the local network.

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
 

Preskitt.man

Regular Contributor
I tried the push "redirect-gateway def1" all by itself. No change in behavior. And with this test, Windows is not even involved - Android phone to Asus router.
In any case, I inserted the iptables .... code in. This time, after clicking Apply on router, it came back with the message:
OpenVPN server daemon failed to start.
Please check your device environment or contents on the Advanced Setting page.
 

eibgrad

Very Senior Member
The iptables command goes into a nat-start script, NOT the OpenVPN server config.

 

eibgrad

Very Senior Member
"recommendation was not to set a connection on the 192.168.1.x network."

It's recommended you do NOT use the all too common 192.168.1.0/24 or 192.168.0.0/24 for your home network because it's far more likely the remote client will be using one of these as well (that's why it's so common). If and when that happens, all references to either of those networks remain *local* to the remote client. IOW, it's never routed over the OpenVPN client's tunnel. Instead, your remote client will look locally (in vain) to find the target device.

Is that the problem in this case? Can't say for sure without checking the local IP that was assigned to your smart phone over the cellular network. Seems unlikely. Most cellular networks won't use either of these networks for that very reason. But always worth checking, just in case.
 

eibgrad

Very Senior Member
Something else to consider when using a Windows PC or laptop for your OpenVPN client.

When the OpenVPN client connects, it has to alter the local routing table. But that requires administrative privileges! So if you're using something like OpenVPN Connect, you need to give that app those elevated privileges before attempting the connection. If you don't, you'll likely see error messages stating it couldn't add the routes in the client log.
 

Preskitt.man

Regular Contributor
My bad on modifying the NAT rules. Since that involves a reboot of the router, will have to schedule that for a time when TV is not in use. :)
As for the phone though, when it is just on cellular, its address is 192.0.0.2 connecting to a router at 192.0.0.1 and then on to the internet. So, while I (sort of) understand what you are suggesting doing with the NAT tables, that would apply for internal routing of traffic from the phone (or other clients) to devices behind the router - in particular my PCs. My end goal is to access my primary home PC with RDP without doing port redirection.
However, your explanation and solution doesn't seem to address my other goal - to have Internet bound traffic flow from the client (phone) through the router and out to the internet. I would imagine for that to work, it would not be dependent on the NATing, and simply have internet bound traffic (google, etc.) go from the client (phone) through the Tunnel and on out to the internet. Which would mean, when I do a WhatsMyIp, I would see the internet address of the router. But, I'm not, I am seeing the internet address of the T-Mobile server.
 

eibgrad

Very Senior Member
My bad on modifying the NAT rules. Since that involves a reboot of the router, will have to schedule that for a time when TV is not in use. :)

Well actually, it doesn't. It's only necessary to create the nat-start script to make it permanent. For temporary purposes, you could use the shell (ssh) and simply copy/paste the rule (NOT the whole script) into the window. But if you feel more comfortable w/ the script and a reboot, that's fine.

As for the phone though, when it is just on cellular, its address is 192.0.0.2 connecting to a router at 192.0.0.1 and then on to the internet. So, while I (sort of) understand what you are suggesting doing with the NAT tables, that would apply for internal routing of traffic from the phone (or other clients) to devices behind the router - in particular my PCs. My end goal is to access my primary home PC with RDP without doing port redirection.
However, your explanation and solution doesn't seem to address my other goal - to have Internet bound traffic flow from the client (phone) through the router and out to the internet. I would imagine for that to work, it would not be dependent on the NATing, and simply have internet bound traffic (google, etc.) go from the client (phone) through the Tunnel and on out to the internet. Which would mean, when I do a WhatsMyIp, I would see the internet address of the router. But, I'm not, I am seeing the internet address of the T-Mobile server.

Based on everything you've described, it *should* be routing your internet access through the OpenVPN server and through your ISP at home. Why it apparently isn't is a mystery at this point.

Is WhatsMyIp the website or an app? Sometimes apps report the cellular public IP despite being connected to a VPN. It's always better to use the browser and check a website, like ipchicken.com, and perhaps more than one. Don't pin everything on that one website/app.
 

Preskitt.man

Regular Contributor
WhatsMyIP.com is a website displaying your current IP address. Access it from my phone by bringing up Chrome. So it should, if going through the router, display the IP the router is connected to.
 

eibgrad

Very Senior Member
As long as the OpenVPN server is pushing the redirect-gateway directive to the client, the client is supposed to change its default gateway to the VPN, which then forces all traffic over the VPN. Beyond that, there really isn't all that much more to it. As I said, I have seen issues w/ Windows clients not having the necessary privileges to alter the local routing table. But I haven't seen anything comparable w/ smartphones.

Might be worth checking your OpenVPN server config file just to be sure it's configured as expected. From a shell (ssh), post the output from the following command (I'm assuming it's server #1).

Code:
cat /tmp/etc/openvpn/server1/config.ovpn

Also check your OpenVPN client log for any errors/warnings/issues.

Anything else you can test besides the smartphone?
 

Preskitt.man

Regular Contributor
Only other test machines are PCs, and since they require internet, which would come from the same router, not very meaningful. Will try setting up a hotspot from my phone tomorrow, and see where that gets me.

I did examine the client.ovpn file, and the push "redirect-gateway def1" statement was not in there, even though I had placed it in the advanced config area. So, edited the file and inserted the statement. It didn't make any difference. Only difference I see at all, is when I am not connected to the VPN and do a whatsmyip, it shows both an IPv4 and an IPv6 address. When I am connected to the VPN, only the IPv4 address is shown - same one as before.

This is the text of the ovpn file up to the <ca>

client
dev tun
proto udp
remote xxxxxxxx.asuscomm.com 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server
push "redirect-gateway def1"
 

Preskitt.man

Regular Contributor
So, the interesting part of the log file has these two lines:
You have specified redirect-gaeway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
NOTE: unable to redirect IPv4 default gateway - Couldn't obtain current remote host address
 

eibgrad

Very Senior Member
I was primarily interested in the contents of the OpenVPN server config file. If you have Both specified for the "Client will use VPN to access" setting, it will add the following directives in response.

Code:
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"

If you're saying these are NOT in there (again, in the *server* config file), that makes no sense. They should be.

On the OpenVPN client, it is possible to have the client force the traffic to be routed over the tunnel using the same redirect-gateway directive (although if the server is pushing it already, it's redundant), but you do NOT push it, you just state it.

Code:
redirect-gateway def1
 

eibgrad

Very Senior Member
So, the interesting part of the log file has these two lines:
You have specified redirect-gaeway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
NOTE: unable to redirect IPv4 default gateway - Couldn't obtain current remote host address

I've never seen the redirect-gateway directive specified multiple times cause a problem. But if it's still in the custom config field of the OpenVPN server, remove it. And there's no indication you have redirect-private specified anywhere.

At least we now know the client is warning about the failure to redirect. Just need to be sure exactly why.
 

eibgrad

Very Senior Member
Are you possibly using IPv6 on the server side?

Or perhaps even IPv6 on the client (Android)?
 

Preskitt.man

Regular Contributor
Not using IPv6 anywhere on the server side. Only time I see that is where the phone is off the VPN.

Here's the server config:

ASUSWRT-Merlin RT-AC86U 386.1_2 Fri Feb 12 22:48:22 UTC 2021
[email protected]:/tmp/home/root# cat /tmp/etc/openvpn/server1/config.ovpn
daemon ovpn-server1
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
multihome
port 1194
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
compress lz4
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
push "redirect-gateway def1"
 

Preskitt.man

Regular Contributor
So no, not using IPv6 on server side
On client side, when using WiFi, it connects to the router using IPv4
But apparently, when phone connects to T-Mobile servers for IP over cellular, it is using IPv6 as well as IPv4
 

eibgrad

Very Senior Member
You can remove the push directive from Custom Configuration (it's redundant).

Try disabling IPv6 on smartphone. Router only supports IPv4 w/ OpenVPN.
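As an added check (this is not code from the thread or from the router firmware), a small Python lint that tokenises a config the way OpenVPN does and reports the two mistakes seen above: a push directive inside a *client* file, and the same option pushed twice by the server. The sample configs are constructed, modelled on the ones posted; the SERVER_ONLY set is a hand-picked subset.

```python
# Added example (not from the thread): lint an OpenVPN config for a 'push' in a client file and an option pushed twice.
import shlex
from collections import Counter

SERVER_ONLY = {"push", "server", "duplicate-cn", "topology"}  # hand-picked subset of server-mode directives

def parse_directives(text):
    """Yield (name, args) per directive, skipping comments and inline <ca>...</ca> style blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):            # <ca>, </ca>, <cert>, ... wrap PEM data, not directives
            in_block = not line.startswith("</")
            continue
        if not in_block:
            parts = shlex.split(line)       # honours the quotes around a pushed option
            yield parts[0], parts[1:]

def lint(text):
    """Return human-readable findings; an empty list means the config looks sane."""
    directives = list(parse_directives(text))
    is_client = any(name == "client" for name, _ in directives)
    findings = []
    if is_client:
        findings += [f"client config uses server-only directive '{n}'" for n, _ in directives if n in SERVER_ONLY]
    # A pushed option is the quoted string; key on its first word (route, redirect-gateway, ...).
    pushed = Counter(shlex.split(args[0])[0] for name, args in directives if name == "push" and args)
    findings += [f"'{opt}' is pushed {n} times; drop the duplicate" for opt, n in pushed.items() if n > 1]
    if not is_client:
        for opt, effect in (("redirect-gateway", "client internet traffic stays on the ISP"),
                            ("route", "clients cannot reach the LAN behind the router")):
            if opt not in pushed:
                findings.append(f"server never pushes {opt}; {effect}")
    return findings

# Constructed samples modelled on the configs posted in this thread (not the real files).
SERVER_CFG = """server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
# Custom Configuration
push "redirect-gateway def1"
"""
CLIENT_CFG = """client
push "redirect-gateway def1"
<ca>
(placeholder PEM data)
</ca>
"""
```

Run `lint()` over `/tmp/etc/openvpn/server1/config.ovpn` and the exported client.ovpn; the second finding is the one the client log was warning about.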
 

Preskitt.man

Regular Contributor
Progress - removed the push directive from Custom Config.
Set up my phone as a hotspot (no VPN)
Connected my laptop via wifi to phone's hotspot.
Enabled OpenVPN on laptop
What's my IP showed my IPv4 address to be the same as the router's
Could ping 192.168.1.x addresses
Most importantly, could RDP into my desktop running Windows

Phone still doesn't work correctly as VPN client.
Not very easy to disable IPv6 on T-Mobile. It's baked into the one and only APN on the phone, and that APN is not editable.

Still must be some way to do it. Do have a commercial VPN app (PIA), and it works fine on the phone.
 

eibgrad

Very Senior Member
Still must be some way to do it. Do have a commercial VPN app (PIA), and it works fine on the phone.

PIA probably supports IPv6 w/ OpenVPN, router doesn't. IPv6 has to be the issue w/ the smartphone and router.
 
