OpenVpn help


elorimer

Very Senior Member
I did a test with my wife's hotspot on her phone.. I connected to it via wifi and I was able to use OpenVpn app... so there's got to be something in my wifi/router settings that's blocking the connection?
I'm so lost. The point of all of this is to make a secure connection to your router from a galaxy far, far away. When you connect to your wife's hotspot on your phone, you are connecting to the phone's LAN. When you use your openvpn app on your phone, your phone is going out to through her phone to some cell tower and thence to the internet. From there it looks like it is coming back through your modem and then to the Asus router, just as it would if you were connecting from that galaxy far, far away.

The same is true if you are using your cell phone internet connection. You are going out to a tower in the outer world and coming back in from your modem. So that is working fine.

When you say
"if I connect to my wifi, the OpenVpn app won't connect..."
are you connecting to your router's LAN over Wi-Fi and then trying to connect to the router's OpenVPN server? Why would you want to do that? That's a loopback issue.

Loopback should be working, but it could be a problem with the server starting on the right interface. You might enter into the custom configuration box local [yourddnsname].asuscomm.com. That will bind the server just to the wan side.

If that doesn't work, I would write down all your settings and reset the router to factory defaults and reenter all your settings.

eibgrad

Very Senior Member
As @elorimer has stated, connecting to your own OpenVPN server while on your local network (i.e., wifi) is POINTLESS! Remember what the OpenVPN server is intended to do. It *routes* you from some remote location and back into your home network. As such, it's messing w/ the client's routing tables. In all likelihood, it will create routing ambiguity for the client because the client has a routing path to the local network both locally *and* over the OpenVPN connection! That's why even testing an OpenVPN server locally is pointless. The *only* thing that matters and counts is accessing it while you actually are remotely located, such as the cellular connection of your smartphone.

A VPN is different from all other remote services for this reason. Unlike FTP, a webserver, RDP, whatever, where testing locally makes some sense, a VPN doesn't. It will only lead to confusion.
 

macster2075

Senior Member
I'm so lost. The point of all of this is to make a secure connection to your router from a galaxy far, far away. When you connect to your wife's hotspot on your phone, you are connecting to the phone's LAN. When you use your openvpn app on your phone, your phone is going out to through her phone to some cell tower and thence to the internet. From there it looks like it is coming back through your modem and then to the Asus router, just as it would if you were connecting from that galaxy far, far away.

The same is true if you are using your cell phone internet connection. You are going out to a tower in the outer world and coming back in from your modem. So that is working fine.

When you say

are you connecting to your router's LAN over Wi-fi and then trying to connect to the router's OpenVPN server? Why would you want to do that? That's a loopback issue.
Right.. I understand.. that was just for a test to see if while I was on a wifi connection the OpenVpn app would connect... that was the only reason I did that... so I realized that if I am connected to my wifi at home, the openvpn app won't connect..
 

macster2075

Senior Member
Forgive me guys...did not mean to confuse anyone.... I was just doing some testing to see if the OpenVpn app would connect or not while I was on a wifi connection. I did that because last night when it was working.. I was able to connect to the OpenVpn app while I was on my home wifi.( I understand that connecting to the openvpn app while on my own wifi is pointless.. I get it.)

macster2075

Senior Member
So does this mean that the reason I cannot connect to OpenVpn app on the iphone is because I was connected to my own wifi and that is causing the issue?
 

elorimer

Very Senior Member
so I realized that if I am connected to my wifi at home, the openvpn app won't connect..
Actually, for most people who have a public ip address it will connect. [But it isn't a test of whether it is actually working]. I think your problem is that your app is looking to reach your asuscomm address, which is on the other side of the modem and the loopback is failing in the modem. Nothing to do with the router.

You might reset all your VPN stuff using the "Default" button on the VPN Server page. If you want to play more you can go here: https://www.snbforums.com/threads/vpn-instructions-for-a-newbie.59478/#post-523302

So does this mean that the reason I cannot connect to OpenVpn app on the iphone is because I was connected to my own wifi and that is causing the issue?
Yes. That's what I think.
 

macster2075

Senior Member
Actually, for most people who have a public ip address it will connect. [But it isn't a test of whether it is actually working]. I think your problem is that your app is looking to reach your asuscomm address, which is on the other side of the modem and the loopback is failing in the modem.
oh ok.. well, it seems to be working and connecting fine as long as I am not connected to my wifi...which is fine...as long as it works when I'm not home!
Man this was painful... I can't imagine how you guys feel having to guide a blind man through the forest lol - but I am very, very appreciative of all you guys' help!

So, now with regards to DMZ.. do I not use that then?
 

eibgrad

Very Senior Member
So, now with regards to DMZ.. do I not use that then?

That's up to you. As someone pointed out previously, if you only need the one port forwarded to your ASUS router for the OpenVPN server, NOT using the DMZ places two firewalls between the public internet and the local network behind that ASUS router. I suppose two will always be better than one. Then again, the vast majority of us are living quite happily and successfully w/ the one and only firewall provided by our ASUS router. And had you been able to bridge the ISP's router, it wouldn't even be a topic of discussion. The DMZ was more useful in the days when users routinely exposed many services to the internet. It was just a hassle to have to manage individual port forwards across multiple routers. But now that you have OpenVPN server, the need to port forward individual services can (and should) be avoided.
 

Tech9

Very Senior Member
I hope you know now how the things work. Asuswrt-Merlin makes it as easy as possible, actually. All you need to fix now is your OpenDNS updater, but you can run it on your PC. If your external IP doesn't change very often (happens when modem re-connects or ISP DHCP renewal with different IP), once a day verification/update (when you turn the PC on) should be enough.
 

macster2075

Senior Member
and you know what.. now that I know why it wasn't connecting and thanks to you all got it figured out.. I went back to DDNS and used all.dnsomatic.com which was the one I was using to update OpenDns...and it works!! ( I did go into the OpenVpn app and updated the config file to show the new host).. I still connect to the OpenVpn app and now I will be able to update OpenDns with my IP address...two birds in one shot... that was the only thing lingering in my head on how I was going to do that... Thanks again Tech9 - you all have been very patient.

I'm good for now... but I'm sure I'll be back for something else haha!

Tech9

Very Senior Member
In general it means all ports are open for this specific IP only (your router), on the modem/router firewall. You still have your router's firewall, where port 1194 only (or whatever you have there for your OpenVPN server) is open. DMZ saves you port forwarding work on your modem/router. It's a partial workaround when the modem doesn't have bridge mode. You still have to deal with double NAT. This is what we did on the first few pages - make sure the port is open and the .ovpn file contains your DDNS hostname pointing to the modem/router's external IP. Port forwarding a single port on a device I know nothing about and trying to connect with a .ovpn file with unknown contents would be a much slower and harder process for both of us. This way the other helping folks could see what was done already and go from there.
 

macster2075

Senior Member
Right.. makes sense. Just for giggles, I disabled DMZ setting on the ISP modem and the OpenVpn app still connects... if that's the case, meaning if DMZ is not required for my particular situation...do you recommend leaving it off or turn it back On?
 

Tech9

Very Senior Member
In order to allow WAN connections this modem/router has to have port forwarded, DMZ host or entire firewall off. Again, I don't know this device. It may have to be rebooted to close the ports. Without having the device in front of me I can't tell what's happening there. There are online open ports check tools, like this one - https://www.yougetsignal.com/tools/open-ports/. Copy/paste your external IP and the port number.
 
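A local equivalent of the online open-port check Tech9 points to, as an added example (not code from any poster or from Asuswrt-Merlin). It resolves the DDNS hostname the .ovpn file uses, attempts a TCP connect to the port, and separates "closed" (the modem answered with a reset, so nothing is forwarded there) from "filtered" (no answer at all). The hostname below is a placeholder; note that OpenVPN's default transport is UDP, which a TCP probe cannot see, so only a real client connection from outside proves the server reachable.

```python
"""Probe whether a TCP port on a DDNS hostname is reachable (added example)."""
import socket
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    resolved_ip: Optional[str]
    state: str  # "open", "closed", "filtered" or "unresolved"


def resolve(host: str) -> Optional[str]:
    """Resolve a hostname (or pass an IP literal through); None if DNS fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Classify a TCP port: open (SYN/ACK), closed (RST), filtered (no reply)."""
    ip = resolve(host)
    if ip is None:
        return ProbeResult(host, port, None, "unresolved")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return ProbeResult(host, port, ip, "open")
    except ConnectionRefusedError:  # RST: host reachable, no listener / forward
        return ProbeResult(host, port, ip, "closed")
    except OSError:  # timeout or unreachable: a firewall dropped the SYN
        return ProbeResult(host, port, ip, "filtered")
    finally:
        sock.close()


def listening_socket(port: int = 0) -> Tuple[socket.socket, int]:
    """Throwaway loopback TCP listener, used only to self-check the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "yourddnsname.asuscomm.com"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1194
    res = probe_tcp(host, port)
    print(f"{res.host} ({res.resolved_ip}) tcp/{res.port}: {res.state}")
```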

macster2075

Senior Member
hmm.. it says port 1194 is closed... wouldn't it be better to port forward port 1194 in the ISP modem?
 

elorimer

Very Senior Member
A few years ago I reset a router to factory defaults, and in the 20 seconds or so it took me to change the admin password the router was hacked. So I am somewhat paranoid.

In general, something like DMZ and other ways of opening the barn door are overinclusive and simple. I try to follow something more restrictive, and only grant the minimum rights necessary for the things I want accomplished to be accomplished. No more. I don't pretend to always understand what is going on, but it certainly provides me teaching moments. Same with samba.

So if it works fine without DMZ, something is doing the port forwarding for you and you don't know what.

Also: not having the servers on 1194 etc in the first place. I get TCP/443 as a necessary evil.
 
