OpenVPN server can't see client's LAN on Site to site connection

@Valentino - what happens when you try to ping PC by hostname from other subnet?

I think you need to enable SAMBA on ASUS router, and force it to be Master browser, also you need to enable WINS, and add WINS Server IP address (router IP) to DHCP Server settings page!

check with "ipconfig /all" if you got your WINS Server IP assigned by DHCP
 
Name resolution over VPN is tricky. The VPN client will have to use the router's DNS server for it to work.
I got routers as VPN clients. Do I have to use DNS of my server router on all client pcs or WINS?
Besides I can access all the routers by name in network neighborhood, but can't access pcs.
 
peraburek, I enabled and configured samba on all routers. I can ping all the machines in all subnets.
remote browse sync, remote announce, domain master, local master, preferred master - all was set up in smb.conf
WINS is enabled and is given to all the pcs through DHCP.
 
are you giving respective WINS IP Server address for each subnet?
computers in 192.168.0.0/24 will probably have 192.168.0.1 as their WINS Server
computers in 192.168.2.0/24 will probably have to use 192.168.2.1. as their WINS Server

as long as you have WINS servers (ASUS Merlin routers) communicating with each other, you should have proper name resolution

try ping "remote pc computer in other subnet" and get back
 
Yes, each subnet uses its own WINS server, which is connected to the domain master browser with WINS; that's why I can see PCs in network neighborhood.
Maybe there is a problem with Windows? maybe node type?
 
can you explain what is your problem?
remote browsing by IP works \\192.168.x.x\
remote browsing by hostname doesn't work \\remote_pc_hostname\
or something else is the problem?
 
I think I got it!
https://community.openvpn.net/openvpn/wiki/RoutedLans
trick is here:
OpenVPN Server side (192.168.0.0/24)
VPN Details: Advanced settings

Manage Client-Specific Options Yes
Allow Client <-> Client Yes
Allow only specified clients No

Custom Configuration
Code:
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

create on OpenVPN SERVER side (192.168.0.0/24):
/jffs/configs/openvpn/ccd1/

file named "client" - this should be common name, if you have changed it, you should name it accordingly
and put this code inside
Code:
iroute 192.168.1.0 255.255.255.0

reboot OpenVPN server, reboot OpenVPN client
*change 192.168.1.0 address to your CLIENT LAN subnet, it could be different
*change 192.168.0.0 address to your SERVER LAN subnet, it could be different

now in OpenVPN status (server side) you should see this
Routes
Virtual Address Common Name Real Address Last Ref
10.8.0.6 client Sun May 31 02:08:38 2015
192.168.1.0/24 client Sun May 31 02:05:23 2015

from Server side (Asus router), I can ping Client LAN computers :)

@Merlin - what do you think about including OpenVPN site-to-site feature in next firmware release, at least as experimental feature? It should be dead simple to create one script

@peraburek Hi I know this is an old post but I am having the same issues. Set up is Tun between 2 Asus routers. 1 Client 1 Server to separate subnets. I can access everything on the server side LAN from the client. I can't access anything on the client side from the server lan.

Following your instructions I understand how to make the changes and add the code to the Custom configuration. The issue is after you do that you click Apply and then Export the client.ovpn file. Where in that client.ovpn file do you insert your code?
Code:
iroute 192.168.x.0 255.255.255.0
x= IP of the server subnet.

I tried at the beginning and the end and uploaded to client router and it now fails to connect back to the server router. Any ideas?
 
telnet to your router and find "client" file in: /jffs/configs/openvpn/ccd1/

add this command there "iroute 192.168.x.0 255.255.255.0"
adjust IP address of your network
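
Added example, not part of the original posts: a small shell check for the two mistakes discussed above, an `iroute` line placed in a main config file such as client.ovpn instead of a ccd file, and a ccd `iroute` with no matching server-side `route`. The function names, the `client2` entry and the 192.168.2.0 subnet are constructed for illustration; pass your own config file and ccd directory as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit a server config and its ccd directory.

# Print "network netmask" for each line of file $2 whose first word is $1.
# push "route ..." lines start with the word push, so they do not count as route.
directive_nets() {
    awk -v d="$1" '$1 == d { print $2, $3 }' "$2"
}

# s2s_findings SERVER_CONF CCD_DIR: one finding per line, nothing if consistent.
s2s_findings() {
    conf=$1; ccd=$2; seen=0
    # iroute is only accepted in a ccd file (or client-connect script output);
    # in a main config file OpenVPN refuses to start
    if [ -n "$(directive_nets iroute "$conf")" ]; then
        echo "MISPLACED_IROUTE $conf"
    fi
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        seen=1
        cn=${f##*/}    # the file name must equal the client's common name
        directive_nets iroute "$f" | while read -r net mask; do
            # without a matching server-side route the kernel never sends
            # traffic for that LAN into the tunnel
            directive_nets route "$conf" | grep -qxF "$net $mask" ||
                echo "NO_ROUTE $cn $net $mask"
        done
    done
    # an empty ccd directory means no client LAN is routed back at all
    if [ "$seen" -eq 0 ]; then echo "EMPTY_CCD $ccd"; fi
}

# Constructed sample: the thread's working layout plus one broken ccd entry.
make_sample() {
    mkdir -p "$1/ccd"
    printf '%s\n' 'client-to-client' 'route 192.168.1.0 255.255.255.0' \
        'push "route 192.168.1.0 255.255.255.0"' > "$1/config.ovpn"
    echo 'iroute 192.168.1.0 255.255.255.0' > "$1/ccd/client"
    echo 'iroute 192.168.2.0 255.255.255.0' > "$1/ccd/client2"   # hypothetical second site
}

tmp=$(mktemp -d)
make_sample "$tmp"
s2s_findings "$tmp/config.ovpn" "$tmp/ccd"
rm -rf "$tmp"
```

The `iroute` entry also limits which source subnets the server accepts from that client, so list only the LANs that really sit behind it.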
 
@peraburek I would like to point out I am using stock Asus firmware (not Merlin's AsusWRT). I used SSH instead of Telnet and I don't have a /configs folder in jffs.

I cd'ed to jffs and this is what I have. Also how do I add a line via command line if I did find a file? It's on a router so it's not like I have a text document I can open and edit. See below for commands used and the file structure. I don't see any ccd folder.

ASUSWRT RT-AC68U_9.0.0.4 Mon Mar 21 08:16:51 UTC 2016
@RT-AC68R:/# cd /jffs
@RT-AC68R:/jffs# cd /configs
-sh: cd: can't cd to /configs
@RT-AC68R:/jffs# ls
nmp_client_list syslog.log traffic.db
openvpn syslog.log-1 usericon

@RT-AC68R:/jffs# cd openvpn
@RT-AC68R:/jffs/openvpn# ls
vpn_crt_client5_ca vpn_crt_server1_client_crt
vpn_crt_client5_crt vpn_crt_server1_client_key
vpn_crt_client5_key vpn_crt_server1_crt
vpn_crt_server1_ca vpn_crt_server1_dh
vpn_crt_server1_ca_key vpn_crt_server1_key

The only CCD folder I found was below and its empty. No client config.

@RT-AC68R:/# find / -name '*ccd*'
/tmp/etc/openvpn/server1/ccd
@RT-AC68R:/tmp/etc/openvpn/server1# ls
ca.crt ccd client_status dh.pem server.key
ca.key client.ovpn config.ovpn server.crt status

tstone10@RT-AC68R:/tmp/etc/openvpn/server1# cd ccd
tstone10@RT-AC68R:/tmp/etc/openvpn/server1/ccd# ls
tstone10@RT-AC68R:/tmp/etc/openvpn/server1/ccd#


 
None of this will work on stock firmware...the scripts/configs capability is a feature of Merlin only..
 
Since both Merlin's and Asus are more than likely running the same version of OpenVPN why can't it work on Stock? I understand not everything in the GUI. But I can plug in external drive to store a config. Just need to know how to command line the router to tell it to look there etc..
 
Each time my OpenVPN service restarts I am losing my custom routing scripts in /tmp/etc/openvpn/server1/ccd and thus get no routing back up through the VPN tunnel.

I have saved those script files in /jffs/openvpn/ccd1/ (and .../ccd/) , but after a server restart I must ssh to the ASUS and manually execute a 'cp /jffs/openvpn/ccd1/* /etc/openvpn/server1/ccd/' . Then I log on to the client ASUS and toggle the OpenVPN client session off/on to establish a bi-directional tunnel.

I have checked the owner and permissions on the /jffs/ files and can't figure out what else is blocking the restore.
Of course I have 'Enable JFFS custom scripts and configs' enabled in the Administration page.
 
Make sure you also enable "Manage Client-Specific Options" under OpenVPN, I think that's what triggers the ccd support (I can't double check the source code right now).
 
