

OpenVPN client on router between different Merlin versions

Discussion in 'Asuswrt-Merlin' started by nbdwt73, Dec 14, 2018.

  1. nbdwt73

    nbdwt73 Occasional Visitor

    Joined:
    Dec 12, 2014
    Messages:
    34
    I have a router RT-AC68U running 380.70 on a small network containing a backup server in an offsite location. Access is only required on occasion. I also have an RT-AC86U running 384.8_2 on a network with several computers that may need access to the backup server. I had the OpenVPN client on the 86U connected to the 68U and working fine last year - 2017 (worked well for years - can't tell you which older version it was running the last time it was connected) but no longer. Currently my laptop (on the 86U network) connects fine (can connect to IP addresses on the remote LAN and to the internet) when using a local OpenVPN client on the laptop (not using the router site-to-site client). It has the same credentials as the router client. However, the router client will connect (both 86U and 68U show connected status and everything looks correct - routes look correct) but there is no access to the remote server machine or the internet through the VPN; pings to anything on the remote subnet time out.

    I have been working on this for over a week - have followed Martineau's instructions as well as the OpenVPN instructions for Merlin. The question is: will newer versions of the router client operate with older versions of the server? If so, I need some further help and will post specifics of the 86U setup... Thanks
     
  2. wesbez

    wesbez Regular Contributor

    Joined:
    Jun 18, 2016
    Messages:
    89
    Upload the OpenVPN file (again) to the device that isn't working with OpenVPN. Delete the old one. You could have made some changes which broke it.
     
  3. nbdwt73

    nbdwt73 Occasional Visitor

    Joined:
    Dec 12, 2014
    Messages:
    34
    I actually went as far as starting over with new client credentials (both client and server .ovpn files - easy-rsa is my friend...). I am sure that I am overlooking something very small, but I have exhausted every permutation that I can find, including adding routes on the server side. The reason for my question regarding versions is that 1) the laptop OpenVPN works fine and is the same version since before 2017, and 2) the only thing that has changed since this worked before is the Merlin version on the local LAN.

    I read (and followed) the instructions from OpenVPN, Github, Martineau (I did try but since deleted the CCD client directory on the remote router). As mentioned, the routers connect fine... just no traffic. I suspect it is something on the client side setup that I am missing...
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    7,252
    Location:
    UK
    I seem to remember that there were some changes to later versions of OpenVPN regarding deprecated or insecure options. Can't remember the details; have a look through Merlin's change log.
     
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,012
    Location:
    United States
    The way to set the client/server options changed starting with 384.5 (the end result is the same, but the way to get there may be different). Maybe post a screenshot of your setup.
    Code:
       - CHANGED: Revised OpenVPN server options:
                  o Removed "TLS Reneg time" (rarely used, can manually
                    be set as a custom option)
                  o Removed "Server Poll" (which didn't work
                    properly), and reimplemented watchdog service,
                    hardcoded to 2 mins frequency.
                  o Removed "Push LAN" and "Redirect Gateway",
                    replaced with new Client Access setting
                  o Removed Firewall setting (firewall rules are now
                    always created, and the broken External mode
                    was fixed and integrated into the new Client
                    Access setting).  You can now use the postconf
                    script to override it.
                  o Removed option to respond to DNS queries - enabling
                    the option to Push DNS will also handle it
                  o Added new Client Access setting to select between
                    three types of access: LAN only, WAN only (will
                    block access to the LAN, including the router
                    itself) and LAN + WAN.
                  o Keys and certificates can now be up to 7999
                    characters long.
    
       - CHANGED: Revised OpenVPN client options:
                  o Reorganized settings into groups
                  o Removed "Poll Interval" (which didn't work
                    properly), and reimplemented watchdog service,
                    with a hardcoded frequency of 2 mins.
                  o Removed Firewall setting (firewall rules are now
                    always created).  You can now use the postconf
                    script to override it.
                  o Modified behaviour of Connection Retry.  Instead
                    of taking a value in seconds that only affected
                    resolution failure, it now takes a number of
                    attempts, and affects connection failures.
                    Resolution failures will now retry for an infinite
                    period of time (the default OpenVPN value).
                  o Added "refresh" link which can be clicked to
                    re-query the public IP endpoint of the tunnel
                  o Keys and certificates can now be up to 7999
                    characters long.
     
  6. nbdwt73

    nbdwt73 Occasional Visitor

    Joined:
    Dec 12, 2014
    Messages:
    34
  7. nbdwt73

    nbdwt73 Occasional Visitor

    Joined:
    Dec 12, 2014
    Messages:
    34
    Server OVPN...

    # Automatically generated configuration
    daemon
    topology subnet
    server 10.8.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun21
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
    client-config-dir ccd
    client-to-client
    duplicate-cn
    route 192.168.100.0 255.255.255.0
    push "route 192.168.100.0 255.255.255.0"
    push "redirect-gateway def1"
    plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status 5
    # Custom Configuration
    push "route 0.0.0.0 0.0.0.0"
    push "redirect-gateway def1"
     
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,958
    Location:
    UK
    For your intended Selective Routing try changing
    Code:
    LAN 0.0.0.0 0.0.0.0 vpn
    to (where xxx.xxx.xxx is your LAN subnet prefix)
    Code:
    LAN xxx.xxx.xxx.0/24 0.0.0.0 vpn
     
  9. nbdwt73

    nbdwt73 Occasional Visitor

    Joined:
    Dec 12, 2014
    Messages:
    34
    Thanks... tried that - same result.
     
  10. wesbez

    wesbez Regular Contributor

    Joined:
    Jun 18, 2016
    Messages:
    89
    Is the OpenVPN app/software updated on the client? I know some settings require a newer version. Worth a try at this point.
     
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,958
    Location:
    UK
    Hmmm, I'm assuming that the PC client is also OpenVPN 2.4.x rather than 2.3.x etc.?

    So presumably you have simply compared the two configuration text files:
    ...the working PC config 'C:\Program Files\OpenVPN\config\clientX' with one used on the RT-AC86U '/etc/openvpn/clientX'.

    Invariably (in my experience) it is the compression mismatch that is usually the culprit, i.e. when the tunnel appears to be valid but it is only when you attempt a data transfer that it becomes apparent that there is an issue.
    So you could tediously work your way through the options: 'disabled', 'none', 'comp-lzo', etc.
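The comparison Martineau suggests in the post above (client config versus the server config posted in post 7) can be scripted rather than eyeballed. The following is an added example for this thread, not code from the thread, from Asuswrt-Merlin or from OpenVPN. It parses two OpenVPN config files, normalises the compression directives so that a tunnel-up-but-no-traffic mismatch is reported, flags options OpenVPN 2.4 removed or deprecated (the change ColinTaylor alludes to), and reports duplicated or overlapping push lines of the kind visible in the posted server config. The server text is constructed to model the posted config; the client text, the hostname vpn.example.net and the tls-remote line in it are hypothetical. The compression normalisation is a simplification (comp-lzo in any mode sets up the same LZO framing, so yes/no/adaptive are treated as one setting); the authoritative compatibility rules are in the OpenVPN manual.

```python
"""Diff an OpenVPN client config against the server config it talks to.

Added example for this thread; not code from the thread, Asuswrt-Merlin
or OpenVPN. Both configs below are constructed: SERVER_CONF is modelled
on the server config posted in the thread, CLIENT_CONF is hypothetical.
"""
import shlex
from collections import Counter

SERVER_CONF = """\
# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
push "route 192.168.100.0 255.255.255.0"
push "redirect-gateway def1"
# Custom Configuration
push "route 0.0.0.0 0.0.0.0"
push "redirect-gateway def1"
"""

# Hypothetical router-side client config: no compression directive at all,
# plus one option that OpenVPN 2.4 no longer accepts.
CLIENT_CONF = """\
client
dev tun11
proto udp
remote vpn.example.net 1194
ncp-ciphers AES-128-GCM:AES-256-GCM
cipher AES-128-CBC
tls-remote server
resolv-retry infinite
"""

# Options OpenVPN 2.4 removed or deprecated (per the 2.4 release notes).
DEPRECATED = {
    "tls-remote": "removed in 2.4; use verify-x509-name",
    "ns-cert-type": "deprecated in 2.4; use remote-cert-tls",
    "no-iv": "deprecated in 2.4",
}


def parse(text):
    """Return [(directive, [args...])], dropping blank and comment lines.
    shlex keeps a quoted push payload together as a single argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def compression(entries):
    """Normalise comp-lzo / compress to a label both peers must share.
    comp-lzo in any mode (yes/no/adaptive) enables LZO framing, so all
    three map to 'lzo'; no directive at all means no framing ('none');
    a bare 'compress' is the framing-only stub."""
    label = "none"
    for directive, args in entries:
        if directive == "comp-lzo":
            label = "lzo"
        elif directive == "compress":
            label = args[0] if args else "stub"
    return label


def findings(server_text, client_text):
    """Return human-readable problems found in the server/client pair."""
    server, client = parse(server_text), parse(client_text)
    out = []
    s_comp, c_comp = compression(server), compression(client)
    if s_comp != c_comp:
        out.append(f"compression mismatch: server={s_comp} client={c_comp}")
    for side, entries in (("server", server), ("client", client)):
        for directive, _ in entries:
            if directive in DEPRECATED:
                out.append(f"{side} option '{directive}' {DEPRECATED[directive]}")
    # Duplicate or overlapping push lines: the custom section of a Merlin
    # config is appended after the generated one, so repeats are easy to miss.
    pushes = Counter(" ".join(args) for d, args in server if d == "push")
    for payload, n in pushes.items():
        if n > 1:
            out.append(f"server pushes '{payload}' {n} times")
    if "redirect-gateway def1" in pushes and "route 0.0.0.0 0.0.0.0" in pushes:
        out.append("server pushes a 0.0.0.0/0 route as well as redirect-gateway def1; "
                   "def1 already covers all of IPv4 with two /1 routes")
    return out


if __name__ == "__main__":
    for problem in findings(SERVER_CONF, CLIENT_CONF):
        print("-", problem)
```

On a Merlin router the client file to feed in is the one under /etc/openvpn/clientX referred to above; on the PC it is the .ovpn from the OpenVPN config directory. Run with the two real files in place of the constructed strings and compare the output before touching any routing settings, since a compression mismatch produces exactly the symptom in this thread: the tunnel negotiates, routes appear, and no packets get through.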