OpenVPN access multiple networks

midniterebel

Occasional Visitor
Hello,

My main router is an RT-AX88U (192.168.1.x). Behind that I have an R7000 that I have set up as another network/subnet (192.168.2.x).

When I connect remotely to the AX88U via OpenVPN, I cannot access the clients on the R7000 subnet.

I can reach both networks when I'm on the LAN, can anyone advise me how to access the R7000's subnet via VPN?

thank you!!
 

GSpock

Senior Member
 

midniterebel

Occasional Visitor
Thanks for the link. I have tried the push route, but no luck. Here is a diagram of what I'm trying to accomplish. My IP Cameras are on the 2nd R7000 Router but when I'm connected to the VPN, I cannot access them. I have tried adding the push route for 192.168.3.1

 

eibgrad

Part of the Furniture
Adding a route to the Manage Client-Specific Options section is only for the purposes of allowing site-to-site connections, where clients of the 192.168.3.x network are then able to *initiate* their own connections to the OpenVPN client and the devices behind it.

For the purposes of only needing to initiate connections from the OpenVPN client to the LAN, you need to specify either LAN only or Both for "Client will use VPN to access". In the case of the former, this will automatically generate a push directive for 192.168.1.x in the underlying config file. But if you want access to *additional* networks, you need to push them yourself, manually. But you do it in the custom config field, NOT using the Manage Client-Specific Options section.

Code:
push "route 192.168.3.0 255.255.255.0"

Assuming the R7000-2 is connected over its WAN to the LAN of the AX88U, you must allow access to the 192.168.3.x network from the WAN side of the AX88U (that would NOT be allowed by default). I assume you've already done this if devices on 192.168.1.x can initiate connections to 192.168.3.x.

Same thing for the R7000-1.

P.S. You may have to add the following firewall rule to the AX88U as well.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.3.0/24 -j ACCEPT
 
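As an added example (not code from the thread or from Asuswrt-Merlin), a small Python helper that reports which extra LANs a generated server config still has no push route for, emits the push lines for the custom config field together with the matching narrowly scoped FORWARD rules, and refuses a subnet that collides with the tunnel network. The tunnel subnet 10.8.0.0/24 and the sample config are assumptions; the interface name tun2+ and the 192.168.x.0/24 subnets are taken from the thread.

```python
import ipaddress
import re

# Constructed values modelled on the thread: the two R7000 subnets behind
# the AX88U, and an assumed tunnel network for OpenVPN server 2.
EXTRA_LANS = ["192.168.2.0/24", "192.168.3.0/24"]
TUN_NET = "10.8.0.0/24"      # assumption: not stated in the thread
TUN_IF = "tun2+"             # interface from the thread's iptables rule

# Constructed sample of the generated server config: only the automatic
# push for the main LAN ("LAN only" / "Both") is present.
SAMPLE_CONFIG = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""

PUSH_RE = re.compile(r'^\s*push\s+"route\s+(\S+)\s+(\S+)"')

def pushed_routes(config_text):
    """Networks already handed to clients via push "route NET MASK" lines."""
    nets = set()
    for line in config_text.splitlines():
        m = PUSH_RE.match(line)
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def missing_pushes(config_text, extra_lans):
    """Extra LANs (CIDR strings) that VPN clients still have no route to."""
    have = pushed_routes(config_text)
    return [n for n in extra_lans if ipaddress.ip_network(n) not in have]

def custom_config_lines(extra_lans, tun_net=TUN_NET):
    """push directives for the custom config field; rejects a LAN that
    overlaps the tunnel network, which would break the tunnel itself."""
    tun = ipaddress.ip_network(tun_net)
    out = []
    for cidr in extra_lans:
        net = ipaddress.ip_network(cidr)
        if net.overlaps(tun):
            raise ValueError(f"{net} overlaps tunnel network {tun}")
        out.append(f'push "route {net.network_address} {net.netmask}"')
    return out

def forward_rules(extra_lans, tun_if=TUN_IF):
    """FORWARD accepts scoped to tunnel -> one listed LAN each, nothing wider."""
    return [f"iptables -I FORWARD -i {tun_if} -d {ipaddress.ip_network(c).with_prefixlen} -j ACCEPT"
            for c in extra_lans]
```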

midniterebel

Occasional Visitor
Assuming the R7000-2 is connected over its WAN to the LAN of the AX88U, you must allow access to the 192.168.3.x network from the WAN side of the AX88U (that would NOT be allowed by default). I assume you've already done this if devices on 192.168.1.x can initiate connections to 192.168.3.x.

Same thing for the R7000-1.

P.S. You may have to add the following firewall rule to the AX88U as well.

Code:
iptables -I FORWARD -i tun2+ -d 192.168.3.0/24 -j ACCEPT

Hope I am getting this right. Currently I have a static route for each R7000 in the AX88U using the LAN interface. This enables me to access the AX88U's network (192.168.1.x) from the R7000s. Now I am trying to go from the AX88U network to the R7000s, however I cannot reach any of the cameras.

Once I resolve this local LAN issue, I should be on track to fix the vpn.
 

eibgrad

Part of the Furniture
Hope I am getting this right. Currently I have a static route for each R7000 in the AX88U using the LAN interface. This enables me to access the AX88U's network (192.168.1.x) from the R7000s. Now I am trying to go from the AX88U network to the R7000s, however I cannot reach any of the cameras.

Once I resolve this local LAN issue, I should be on track to fix the vpn.

Let's be very precise here. If those R7000s are connected from their WAN to the LAN of the AX88U, then this is NOT just a routing issue. Normally the WAN of any router is going to *deny* incoming access to its own LAN (192.168.2.x or 192.168.3.x) unless the firewall has been modified to specifically allow it. Once allowed in, replies back to the 192.168.1.x network will be allowed as well.

There's another possible firewall issue here as well. Sometimes the target device has its own personal firewall that will *only* allow access by a device on its own LAN! We see this all the time w/ Windows PCs. The PC is running on say 192.168.1.100, but a remote access from some other private IP network such as a VPN (10.8.0.0/24) is denied access until the Defender firewall is updated to allow it. Many other devices may do the same.

This is a common theme when it comes to remote access. You have two (2) obstacles. The routing *and* numerous firewalls. More times than NOT, it's the latter that causes most of the headaches.
 

midniterebel

Occasional Visitor
I did turn the firewalls off in the R7000s' settings.

I was hoping it was a simple routing or setting I would have to work on to get this working, seems like it may be more complicated. My other option is to create another vpn on the R7000 hosting the IP Cameras, then port forward from the AX88U, I was hoping not to have to enable port forwarding though.
 

eibgrad

Part of the Furniture
I did turn the firewalls off in the R7000s' settings.

I was hoping it was a simple routing or setting I would have to work on to get this working, seems like it may be more complicated. My other option is to create another vpn on the R7000 hosting the IP Cameras, then port forward from the AX88U, I was hoping not to have to enable port forwarding though.

Have you already eliminated the possibility of firewalls on the cameras being the problem? Because if it turns out that is the problem, moving the VPN to the R7000 isn't going to fix it. The cameras will *still* see the VPN's IP network and deny access.
 

midniterebel

Occasional Visitor
Pretty sure there is no firewall on the cameras.

Would there be any other way of segregating the traffic of the IP Cameras on R7000-2? I am hoping to offload the work on the main router - AX88U.

thanks again.
 

RMerlin

Asuswrt-Merlin dev
Do a traceroute, you will see at which hop it gets stuck (or where it's missing a route).
 
