
OpenVPN and DNS address connection not working in subnet


chutiloco

Occasional Visitor
Hi,

I have an ASUS RT-AC86U router running Asuswrt-Merlin FW 384.19. I have an OpenVPN client connection on my ASUS router so all traffic goes through the VPN tunnel to my VPN server (Raspberry Pi with PiVPN).

My setup is quite simple: I always connect my laptop to the ASUS router, at home or travelling, so all my traffic always goes to the same internet connection point, my VPN server.

At home I have a standard ISP router, and the VPN server (Raspberry Pi with PiVPN) is connected to this ISP router with an ethernet cable. When I'm travelling, the router gets internet through a 4G USB modem, and at home it's connected to the same ISP router with an ethernet cable.

This setup has worked for 2 years without a single issue. Suddenly, at home, 3 days ago the OpenVPN client on the ASUS wasn't able to connect to the VPN server. It stopped working during the night without any update on the ASUS router or the Raspberry server.

After several checks, I realized the client connects to the server as UNDEF user and the logs show a handshake problem on both sides, so only a partial connection is established.

If the ASUS router is connected to the internet with the 4G modem it works perfectly, but at home I need to insert the private LAN IP address of the server, 192.168.1.144, instead of mydomain_piVPN.com to be able to connect. Note the ISP router has subnet 192.168.1.xxx and the Asus router has subnet 192.168.2.xxx.

In the past I remember seeing in the router's system log dnsmasq changing the mydomain_piVPN.com public IP 213.xxx.xxx.xxx to IP 192.168.1.144, like the router realized the public IP has an equivalent LAN IP, so it used the private LAN IP address.

Now when I'm at home I need to enter the server address as 192.168.1.144 and when travelling I need to change the address to mydomain_piVPN.com. It's not so annoying, but what f***s me up is that I don't know what happened and how to fix it.
 
Welcome to the forums @chutiloco.

There are many questions (and possible issues) with your network as described above. The main one being you are running such old firmware on your main router.

Any reason you are sticking to such old firmware?

It makes sense (to me) that before anyone can help properly, you are using current firmware (and after a fresh reset too).
 
I want to make sure I understand this config.

So it sounds like you're using the ASUS (192.168.2.x) as both your home router, and a travel router, correct? And I assume the PI VPN is established on the ISP router's network (192.168.1.x), correct?

What is the purpose of accessing the pi VPN while at home? I can understand the need to access it remotely, in order to gain access to your home network. But once you're at home, I don't see the purpose. Unless the PI VPN is being used for other purposes (DNS?).

I'm just trying to understand what you're trying to accomplish w/ this setup before trying to determine where things may have gone wrong. Because it's not making complete sense based on what you've described so far.

IOW, please be more specific as what this configuration is doing!
 
Any reason you are sticking to such old firmware?

It makes sense (to me) that before anyone can help properly, you are using current firmware (and after a fresh reset too).

Thanks for answer.

Firmware 384.19 was the last release two years ago! And it has been working 24/7 perfectly all this time. If it works, don't touch it!!! Security isn't so relevant in my opinion because my router is never exposed directly to the internet.

All devices involved were reset. I have installed the new firmware, but the way the kill switch and the new VPN Director interface are done was confusing (really I have 3 VPN clients with IP rules, the only problem is with the one mentioned). And the failure I described is still present, so I returned to FW 384.19.

I thought maybe issue was obvious to someone else.

Regards.
 
I want to make sure I understand this config.

So it sounds like you're using the ASUS (192.168.2.x) as both your home router, and a travel router, correct? And I assume the PI VPN is established on the ISP router's network (192.168.1.x), correct? Yes, it's correct.

What is the purpose of accessing the pi VPN while at home? I can understand the need to access it remotely, in order to gain access to your home network. But once you're at home, I don't see the purpose. Unless the PI VPN is being used for other purposes (DNS?). For someone monitoring the laptop connection (work company laptop) and geolocation by IP, I always look like I'm at the same location, same router MAC, same router, same internal IP, same public IP --> home.

I'm just trying to understand what you're trying to accomplish w/ this setup before trying to determine where things may have gone wrong. Because it's not making complete sense based on what you've described so far.

IOW, please be more specific as to what this configuration is doing! I know it's an atypical setup but it has worked super great for me to move wherever I wanted while looking like I'm at home to IT company supervision...
Answer to your post above.
 
I believe you're mistaken that your router isn't 'exposed directly' to the internet if you have it using an OpenVPN connection.

You may need to learn a few things that have changed from 2 years ago compared to today but running old firmware shouldn't be an option in any case.

To be fair here, I'm finding your posts hard to understand. So the misunderstanding may be mine.
 
Given so little to go on here, I'd say it's premature to blame the ASUS router. We have a number of components here (ASUS router, ISP router, PI, even the laptop) that at this point are all suspect. And until we get a boatload more detail from the OP, seems to me we're dead in the water.
 
ISP's router has subnet 192.168.1.xxx and Asus router has subnet 192.168.2.xxx
when I'm at home I need to enter the server address as 192.168.1.144 and when travelling I need to change the address to mydomain_piVPN.com. It's not so annoying, but what f***s me up is that I don't know what happened and how to fix it.
This sounds like you're connecting directly to your ISP router when at home and using the Asus router to connect to the VPN run by the pi when away. If so, then your devices would show subnet 192.168.1.xxx when at home and 192.168.2.xxx when away?

What I'm puzzled about is the function of the Asus router in your setup at home: it sounds like it's not connecting anything with anything when at home, just sitting there looking pretty. In which case your issue might be to do with the ISP router rather than with the Asus router.

Anyway, difficult to say without fully understanding your setup - maybe you could draw us a diagram? I find pictures easier to interpret than text when it comes to networks.
 
Given so little to go on here, I'd say it's premature to blame the ASUS router. We have a number of components here (ASUS router, ISP router, PI, even the laptop) that at this point are all suspect. And until we get a boatload more detail from the OP, seems to me we're dead in the water.
This sounds like you're connecting directly to your ISP router when at home and using the Asus router to connect to the VPN run by the pi when away. If so, then your devices would show subnet 192.168.1.xxx when at home and 192.168.2.xxx when away?

What I'm puzzled about is the function of the Asus router in your setup at home: it sounds like it's not connecting anything with anything when at home, just sitting there looking pretty. In which case your issue might be to do with the ISP router rather than with the Asus router.

Anyway, difficult to say without fully understanding your setup - maybe you could draw us a diagram? I find pictures easier to interpret than text when it comes to networks.
I believe you're mistaken that your router isn't 'exposed directly' to the internet if you have it using an OpenVPN connection.

You may need to learn a few things that have changed from 2 years ago compared to today but running old firmware shouldn't be an option in any case.

To be fair here, I'm finding your posts hard to understand. So the misunderstanding may be mine.


I have attached a net diagram. Not really my area of expertise, I hope it's clearer now. All laptop connections to the internet always go out through my Pi VPN server and my ISP router, travelling or at home. For anyone monitoring laptop connections, the laptop is always connected at the same net/location.
 

Attachments: VPN travelling.png, VPN at home.png
 
Thanks for the diagrams. I still don't think things are as you believe. At the very least, for the traveling setup.
 
Thanks for the diagrams. I still don't think things are as you believe. At the very least, for the traveling setup.
Hi L&LD,

My original question was: why, 3 days ago, with the address mydomain_piVPN.com in the Asus router, did the VPN client work with both configurations, and now I need to put 192.168.1.144 for the home setup without any update on the Raspberry or the Asus router? That's my original question and the reason for my post.

About the setup, I know exactly how it works and what both setups are doing.
 
Thanks for the diagrams. Every bit helps.

Let me make something clear here about this configuration. And I *know* you say it was working fine until recently. But let's put that aside for the moment since I don't know how that was ever possible given what I'm about to say. So hear me out before you respond w/ "but it was working fine until now".

When dealing w/ a VPN, you have to appreciate that unlike other remote access services, this one changes the local and remote routing tables. And that can lead to various problems when the remote network over the tunnel (i.e., data channel) is the same one being used to manage the control channel over the WAN. What you've created is ambiguous routing. One of two things is likely to happen, depending on how the routers decide to deal w/ the ambiguity (not all routers do the same thing).

If the router routes 192.168.1.0/24 over the WAN to maintain the control channel, then the tunnel is starved of traffic and it proves nothing. OTOH, if it routes 192.168.1.0/24 over the tunnel, then it will likely route the control channel over the tunnel as well (aka, recursive routing), which will eventually kill the connection and tunnel.

But there is a caveat. If neither the OpenVPN client nor server is referencing the other's local network, then it shouldn't be a problem. Much like when you configure the OpenVPN client to a commercial OpenVPN provider, both sides' respective local networks *might* be using the same IP network (e.g., 192.168.1.0/24), but it doesn't matter. The tunnel is only being used for internet access. So there's no ambiguity wrt routing. What each side is using for its own local IP network is irrelevant, at least in that one special case.

THIS is why I wanted to know more about what you're doing w/ the VPN! How you are using it, for what purposes, as just a gateway or site-to-site, all of which make a big difference in whether and how things can go wrong. But in a total vacuum of information (which is how we started out at least), it's pretty difficult to give good advice.
 
Thanks for the diagrams. Every bit helps.

Let me make something clear here about this configuration. And I *know* you say it was working fine until recently. But let's put that aside for the moment since I don't know how that was ever possible given what I'm about to say. So hear me out before you respond w/ "but it was working fine until now".

When dealing w/ a VPN, you have to appreciate that unlike other remote access services, this one changes the local and remote routing tables. And that can lead to various problems when the remote network over the tunnel (i.e., data channel) is the same one being used to manage the control channel over the WAN. What you've created is ambiguous routing. One of two things is likely to happen, depending on how the routers decide to deal w/ the ambiguity (not all routers do the same thing).

If the router routes 192.168.1.0/24 over the WAN to maintain the control channel, then the tunnel is starved of traffic and it proves nothing. OTOH, if it routes 192.168.1.0/24 over the tunnel, then it will likely route the control channel over the tunnel as well (aka, recursive routing), which will eventually kill the connection and tunnel.

But there is a caveat. If neither the OpenVPN client nor server is referencing the other's local network, then it shouldn't be a problem. Much like when you configure the OpenVPN client to a commercial OpenVPN provider, both sides' respective local networks *might* be using the same IP network (e.g., 192.168.1.0/24), but it doesn't matter. The tunnel is only being used for internet access. So there's no ambiguity wrt routing. What each side is using for its own local IP network is irrelevant, at least in that one special case.

THIS is why I wanted to know more about what you're doing w/ the VPN! How you are using it, for what purposes, as just a gateway or site-to-site, all of which make a big difference in whether and how things can go wrong. But in a total vacuum of information (which is how we started out at least), it's pretty difficult to give good advice.

I really appreciate the time you have spent on the explanation.

It helped me to understand the root cause of the problem better, and I found the problem!

Finally, the problem is that the ISP has recently launched a batch of automatic remote firmware updates in the background to "improve" 5GHz WiFi stability, and this firmware has also deactivated the default NAT loopback feature in the ISP router. In a couple of forums I have found a lot of clients complaining because their surveillance cameras or servers weren't accessible anymore at home (client configured with the DNS address of the server), so now they also need two links to access the IP camera or any server services (private local IP at home 192.168.x.x and DNS address outside). There are even claims from companies...

The point is that the ISP router is cheap and this NAT loopback feature isn't even accessible in the user setup panel...

That confirms my point that if something works, don't touch it!!! They have fixed a feature that I don't use (I use the Asus router WiFi because stability and coverage are very good) and they have broken the NAT loopback feature...

Thanks all for the support received.

Edit for any user in the future: if in the VPN client Setup/configuration personalized area in the Asus router I insert this line:

remote 192.168.1.144 1194

it fixes the issue. So: normal setup with mydomain_piVPN.com, adding this line in the bottom area.
Functioning: when the TLS handshake to mydomain_piVPN.com fails after the default 60 seconds, the VPN client jumps to 192.168.1.144, connecting perfectly.

I have also added this line:
hand-window 30

# decreases the TLS handshake failure wait to 30 seconds, so it jumps to the alternative address within 30 seconds; no need to wait 60 seconds
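Added example, not the poster's or the Asuswrt-Merlin project's own code: a small Python checker that reads an OpenVPN client config of the kind described in the fix above (hostname first, LAN address as a second `remote`, a shorter `hand-window`) and reports two things a practitioner would want to verify before relying on it. First, the order in which OpenVPN will try the `remote` entries and the worst-case wait before the fallback is reached (OpenVPN tries remotes in config order unless `remote-random` is set, and `hand-window` defaults to 60 seconds). Second, the ambiguous-routing case eibgrad describes earlier in the thread: any `remote` whose literal IP falls inside a network that a `route` line also sends into the tunnel. The embedded config is constructed for the example; `mydomain_piVPN.com` and `192.168.1.144` are the placeholders used in this thread, and the `route 192.168.1.0 255.255.255.0` line is an assumption added to trigger the check.

```python
"""Inspect an OpenVPN client config: remote order, handshake window, and
remotes whose address is covered by a tunnel route (recursive-routing risk)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample config modelled on the fix in the thread. Not a real file
# from the poster's router; the 'route' line is an assumption for the example.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote mydomain_piVPN.com 1194
remote 192.168.1.144 1194
hand-window 30
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1
route 192.168.1.0 255.255.255.0
"""

DEFAULT_HAND_WINDOW = 60  # OpenVPN's documented default for --hand-window


@dataclass
class ClientPlan:
    remotes: list        # (host, port) tuples in the order OpenVPN tries them
    hand_window: int     # seconds before an unfinished TLS handshake is abandoned
    remote_random: bool  # True if 'remote-random' shuffles the remote list
    routes: list         # networks sent into the tunnel by explicit 'route' lines


def parse_config(text):
    """Extract the directives this check cares about; other lines are ignored."""
    remotes, routes = [], []
    hand_window = DEFAULT_HAND_WINDOW
    remote_random = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if key == "remote" and len(parts) >= 2:
            port = int(parts[2]) if len(parts) > 2 else 1194  # OpenVPN default port
            remotes.append((parts[1], port))
        elif key == "hand-window" and len(parts) >= 2:
            hand_window = int(parts[1])
        elif key == "remote-random":
            remote_random = True
        elif key == "route" and len(parts) >= 3:
            # 'route network netmask' -> ipaddress accepts dotted netmasks directly
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return ClientPlan(remotes, hand_window, remote_random, routes)


def recursive_route_risks(plan):
    """Return (remote, network) pairs where a literal-IP remote sits inside a
    network that a 'route' line also pushes into the tunnel. Hostnames are
    skipped: what they resolve to is only known at connect time. The
    redirect-gateway case is not flagged because OpenVPN pins a host route to
    the remote via the original gateway for it."""
    risks = []
    for host, _port in plan.remotes:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue
        for net in plan.routes:
            if addr in net:
                risks.append((host, str(net)))
    return risks


def worst_case_failover_seconds(plan):
    """Upper bound on handshake time spent before the last remote is tried, if
    every earlier remote times out (ignores connect-retry pauses between tries)."""
    return plan.hand_window * max(len(plan.remotes) - 1, 0)


if __name__ == "__main__":
    plan = parse_config(SAMPLE_CONFIG)
    print("remote order:", plan.remotes, "(random)" if plan.remote_random else "(in order)")
    print("hand-window:", plan.hand_window, "s; worst-case wait before last remote:",
          worst_case_failover_seconds(plan), "s")
    for host, net in recursive_route_risks(plan):
        print(f"warning: remote {host} lies inside tunnel route {net}")
```

Running it against the sample reports the two remotes in order, a 30 second worst-case wait before the LAN address is tried, and a warning that `192.168.1.144` is inside the `192.168.1.0/24` tunnel route, which is exactly the situation where the control channel and the data channel compete for the same network. Removing that `route` line (or not referencing the server's LAN from the client at all, as eibgrad's caveat describes) makes the warning disappear.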
 