OpenVPN server can't see client's LAN on Site to site connection


I think I got it!
https://community.openvpn.net/openvpn/wiki/RoutedLans
trick is here:
OpenVPN Server side (192.168.0.0/24)
VPN Details: Advanced settings

Manage Client-Specific Options Yes
Allow Client <-> Client Yes
Allow only specified clients No

Custom Configuration
Code:
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

create on OpenVPN SERVER side (192.168.0.0/24):
/jffs/configs/openvpn/ccd1/

file named "client" - this should be the common name; if you have changed it, you should name the file accordingly
and put this code inside
Code:
iroute 192.168.1.0 255.255.255.0

reboot OpenVPN server, reboot OpenVPN client
*change the 192.168.1.0 address to your CLIENT LAN subnet, it could be different
*change the 192.168.0.0 address to your SERVER LAN subnet, it could be different

now in OpenVPN status (server side) you should see this
Routes
Virtual Address   Common Name   Real Address   Last Ref
10.8.0.6          client                       Sun May 31 02:08:38 2015
192.168.1.0/24    client                       Sun May 31 02:05:23 2015

from Server side (Asus router), I can ping Client LAN computers :)

@Merlin - what do you think about including an OpenVPN site-to-site feature in the next firmware release, at least as an experimental feature? It should be dead simple to create one script
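The recipe above has three pieces that must agree with each other: a `route` plus a pushed `route` on the server for every client LAN, an `iroute` in the ccd file named after that client's common name, and no two of the subnets (server LAN, tunnel pool, client LANs) overlapping. As an added example (not code from the post or from the firmware), the following POSIX shell script checks the overlap condition and then generates both the server-side lines and the ccd files from one inventory; the client names and subnets are constructed sample values, and the ccd path /jffs/configs/openvpn/ccd1 is assumed from the post.

```sh
#!/bin/sh
# Added example, not code from the post above: given the server LAN, the tunnel
# pool and one "common_name network netmask" line per site-to-site client, check
# that no two networks overlap (a shared range cannot be routed in both
# directions), then emit the server 'Custom Configuration' lines and one ccd
# file per common name holding that client's 'iroute'. Names and subnets are
# constructed sample values.

SERVER_LAN="192.168.0.0 255.255.255.0"
TUNNEL_NET="10.8.0.0 255.255.255.0"
CLIENTS="client1 192.168.1.0 255.255.255.0
client2 192.168.2.0 255.255.255.0"

# Dotted quad -> integer on stdout; exit status 1 for a malformed address.
# Runs in a subshell so the IFS change does not leak to the caller.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# A netmask must be a run of 1s followed by 0s: the inverted mask plus one is
# then a power of two.
valid_mask() {
    m=$(ip2int "$1") || return 1
    inv=$(( (~m & 0xFFFFFFFF) + 1 ))
    [ $(( inv & (inv - 1) )) -eq 0 ]
}

# Exit 0 if the two networks overlap (one contains the other, i.e. they agree on
# every bit covered by the shorter mask), 1 if disjoint, 2 on bad input.
net_overlap() {
    valid_mask "$2" && valid_mask "$4" || return 2
    a=$(ip2int "$1") || return 2
    am=$(ip2int "$2")
    b=$(ip2int "$3") || return 2
    bm=$(ip2int "$4")
    common=$am
    if [ "$bm" -lt "$am" ]; then common=$bm; fi
    [ $(( a & common )) -eq $(( b & common )) ]
}

# Compare every pair in the inventory; report the first problem and return 1.
check_inventory() {
    all=$(printf '%s\n%s\n%s\n' "server $SERVER_LAN" "tunnel $TUNNEL_NET" "$CLIENTS")
    n=$(printf '%s\n' "$all" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        set -- $(printf '%s\n' "$all" | sed -n "${i}p")
        n1=$1; ip1=$2; m1=$3
        j=$((i + 1))
        while [ "$j" -le "$n" ]; do
            set -- $(printf '%s\n' "$all" | sed -n "${j}p")
            r=0; net_overlap "$ip1" "$m1" "$2" "$3" || r=$?
            case $r in
                0) echo "OVERLAP: $n1 $ip1/$m1 and $1 $2/$3" >&2; return 1 ;;
                2) echo "BAD ADDRESS OR MASK: $n1 or $1" >&2; return 1 ;;
            esac
            j=$((j + 1))
        done
        i=$((i + 1))
    done
    return 0
}

# Server 'Custom Configuration' lines: the kernel route plus the push to clients.
emit_server_custom_config() {
    printf '%s\n' "$CLIENTS" | while read -r cn ip mask; do
        [ -n "$cn" ] || continue
        printf 'route %s %s\n' "$ip" "$mask"
        printf 'push "route %s %s"\n' "$ip" "$mask"
    done
}

# One ccd file per common name, holding that client's 'iroute'. The name is
# restricted to a safe character set because it becomes a file name.
emit_ccd() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$CLIENTS" | while read -r cn ip mask; do
        [ -n "$cn" ] || continue
        case $cn in *[!A-Za-z0-9_.-]*) echo "bad common name: $cn" >&2; exit 1 ;; esac
        printf 'iroute %s %s\n' "$ip" "$mask" > "$dir/$cn"
    done
}

# Usage on the router (assumed path): CCD_DIR=/jffs/configs/openvpn/ccd1 sh this.sh
if [ -n "${CCD_DIR:-}" ]; then
    check_inventory || exit 1
    echo "# paste into the server's Custom Configuration box:"
    emit_server_custom_config
    emit_ccd "$CCD_DIR" && echo "# wrote ccd files to $CCD_DIR"
fi
```

The overlap test is the standard one: two networks collide exactly when they share the prefix of the shorter mask, so a /25 inside a /24 is caught as well as an identical /24. Run it before touching the router; a failing inventory means the "same IP range" problem noted at the end of the thread, and no amount of `route`/`iroute` will fix that.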

I know I am reviving an old post but I could use some advice on getting a 2nd client to work with the site to site VPN. I was able to follow the instructions above and get this to work with Site A (Server) and Site B (Client1), but Site C is getting a connection issue where it won't connect. Using SSH I was able to create the directories /configs/openvpn/ccd1 and then use the command vi client to create the client file with the iroute. All 3 sites are on different subnets so there is no conflict. I am using TUN and just pushing the LAN, not DNS or Internet Traffic. TLS auth is checked. Added the Route and Push to the custom config box. Client1 works great connecting to the server; I can see both LANs from Client > Server and from Server > Client.

I exported the same .ovpn file to Client2. It has client in text at the very top. Since the OP said you need to have separate files for each client, the only change I made was to rename the .ovpn file to client2 and edit the client part in the file and change it to client2. I created a second client2 file inside /jffs/configs/openvpn/ccd1 and set the iroute for that client2 subnet. Added the additional route and push in the custom config box on the server, saved and restarted both the server and client 1 and client 2.

I tried connecting from client 2 and no dice; it fails the connection and I can't figure out why. Any help or ideas on what I need to change to allow it to connect? *Note I did try renaming the line back to client from client2 inside client2.ovpn and it connects, but then gets the routing conflict.

Setup:
3 Sites: Server, Client1 and Client2
Server = RT-AC68R on stock ASUSWRT Firmware Version:3.0.0.4.380_7266
Client1 = RT-AC68R on stock ASUSWRT Firmware Version:3.0.0.4.380_7266
Client2 = RT-AC5300 on Merlin's Firmware: 380.65_2
 
After further deliberation I believe the ASUSWRT outputs every .ovpn file as client and only allows 1 client? Is there a way to generate a second .ovpn with a different client so the second file /jffs/configs/openvpn/ccd1/client2 works? It seems it's not working nor connecting as client2 isn't an authorized client. It's all tied to 1 client.

I tried adding the 2nd iroute to the client file and renamed client2 back to client in the ovpn file. Now my Site C can connect to the server however from the Server and from Site B it can't see Site C.

Any thoughts?
 

To keep things simple, force the two clients to each use a separate Username/password combination to logon to the server.
This means both clients will use the same client.ovpn file, but the /jffs/openvpn/ccd1/client file cannot be used for specific client customisation.

Instead you will need to use a script such as:

https://www.snbforums.com/threads/o...e-to-site-connection.24268/page-4#post-306591
which creates the virtual 'ccd1/client' file dynamically for each 'Username' as it connects to add the appropriate custom configuration such as the desired 'iroute' command.

NOTE: If you don't want to force the clients to authenticate then maybe if the clients have static I/P address (unlikely!) then the script should use the '$trusted_ip' rather than '$Username'

However, if you wish to create custom client files such as "SiteA.ovpn" and "SiteB.ovpn" (in order to use '/ccd1/SiteA' and '/ccd1/SiteB' file) then you need to follow

https://github.com/OpenVPN/easy-rsa/blob/v3.0.0-rc1/doc/EasyRSA-Readme.md

EasyRSA can be installed on the router or Windows PC etc.
NOTE: If installing EasyRSA 3 on the router then I believe it also requires Entware utility 'mktemp'?
 
Thank you @Martineau, appreciate the help. Google never showed me your other post ;-) I did a ton of Googling for finding a solution last night. I was already using separate user names that align with client and client2 to keep it simple. I was able to get it to connect; just the client-client wasn't working, and routing to Client2 from Client and the Server wasn't either. I also figured out the duplicate-cn line in the server config.ovpn prevents it from doing the ../ccd1/client1 ../ccd1/client2. Since I am running stock ASUSWRT firmware I will need to change it and install Merlin's to run the script you and Merlin provided.

I wish Asus would have just included the ability to generate multiple clients from the router making it simpler to do site to site VPN :)
 
OpenVPN scripts are allowed as a standard feature of the OpenVPN installation!

https://openvpn.net/index.php/open-source/documentation/manuals.html

I suggest you first try and run the client-connect script under stock ASUSWRT.

@Martineau Thanks again for your assistance. I wanted to run Merlin's anyhow as I would like 1 server for routing the Site/Site and the other for secure Mobile internet browsing offsite.

However I have come across the issue a previous poster had: adding your line 'client-connect /jffs/scripts/VPNClientConnect.sh' causes my client router to say Authentication failed.

Steps taken:
1) Made sure to follow Merlin's advice to enable the custom scripts in System and then to remember to set the permission properties chmod a+rx /jffs/scripts/*
2) Updated the Custom Configuration box to match what yours showed with the path to the script, the routes, and push routes. I am using the same .3.0 and .4.0 schema for my 2 client subnets
3) Re-exported the client1.ovpn file since the server is on vpnserver1
4) Uploaded the cert to my client router and tried to connect. No dice auth failed.
5) Removing that script line it connects just fine but then I would go back to using a single client file in the ccd1/client and only allow 1 site instead of multiple which is not what I need.

I am including the system log from the Server that says something interesting that you may know how to resolve. Notice the item in red. Why did the external program fork fail? And what does it mean, -script security 2 or higher must be enabled? Is that Server side or client side or both? And how to enable it?

Server Log:
Mar 15 00:29:14 openvpn[1544]: XX.XX.XX.XX PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 15 00:29:14 openvpn[1544]: XX.XX.XX.XX TLS: Username/Password authentication succeeded for username 'client2'
Mar 15 00:29:14 openvpn[1544]: XX.XX.XX.XX Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mar 15 00:29:14 openvpn[1544]: XX.XX.XX.XX [client] Peer Connection Initiated with [AF_INET6]::XXXX.XXXX.XXXX
Mar 15 00:29:14 openvpn[1544]: client/XX.XX.XX.XX MULTI_sva: pool returned IPv4=10.2.0.2, IPv6=(Not enabled)
Mar 15 00:29:14 openvpn[1544]: client/XX.XX.XX.XX WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info.
Mar 15 00:29:14 openvpn[1544]: client/XX.XX.XX.XX WARNING: Failed running command (--client-connect): external program fork failed
Mar 15 00:29:16 openvpn[1544]: client/XX.XX.XX.XX PUSH: Received control message: 'PUSH_REQUEST'
Mar 15 00:29:16 openvpn[1544]: client/XX.XX.XX.XX Delayed exit in 5 seconds
Mar 15 00:29:16 openvpn[1544]: client/XX.XX.XX.XX SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mar 15 00:29:21 openvpn[1544]: client/XX.XX.XX.XX SIGTERM[soft,delayed-exit] received, client-instance exiting

Client Log:
Mar 15 00:29:13 openvpn[24016]: OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 10 2017
Mar 15 00:29:13 openvpn[24016]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.08
Mar 15 00:29:13 openvpn[24017]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 15 00:29:14 openvpn[24017]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mar 15 00:29:14 openvpn[24017]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mar 15 00:29:14 openvpn[24017]: TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX:XX
Mar 15 00:29:14 openvpn[24017]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Mar 15 00:29:14 openvpn[24017]: UDP link local: (not bound)
Mar 15 00:29:14 openvpn[24017]: UDP link remote: [AF_INET]XX.XX.XX.XX:XX
Mar 15 00:29:14 openvpn[24017]: TLS: Initial packet from [AF_INET]XX.XX.XX.XX:XX, sid=XXXXXXX
Mar 15 00:29:14 openvpn[24017]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 15 00:29:14 openvpn[24017]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Mar 15 00:29:14 openvpn[24017]: VERIFY OK: nsCertType=SERVER
Mar 15 00:29:14 openvpn[24017]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Mar 15 00:29:14 openvpn[24017]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mar 15 00:29:14 openvpn[24017]: [RT-AC68U] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:XX
Mar 15 00:29:16 openvpn[24017]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Mar 15 00:29:16 openvpn[24017]: AUTH: Received control message: AUTH_FAILED
Mar 15 00:29:16 openvpn[24017]: SIGTERM[soft,auth-failure] received, process exiting
 
And what does it mean -script security 2 or higher must be enabled? Is that Server side or client side or both? And how to enable it?

Server side - (P.S. you can always read the OpenVPN 2.4 manual from the URL I posted! :rolleyes:)

If I have only the following directives in the Custom Config for Server1
Code:
# Customise clients - assign I/P address; share remote subnet etc:
#client-connect /jffs/scripts/VPNClientConnect.sh

then (when the OpenVPN Server1 instance successfully initialises) the following Server1 configuration file is generated and not only contains my two custom directives but also (seemingly by default?) the required 'script-security 2' directive.

Code:
# Automatically generated configuration
daemon
topology subnet
server 10.188.0.0 255.255.255.0
proto udp
multihome
port 1194
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
compress lz4
keepalive 15 60
verb 3
push "route 10.88.8.0 255.255.255.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 10.88.8.1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 10

# Custom Configuration
# Customise clients - assign I/P address; share remote subnet etc:
#client-connect /jffs/scripts/VPNClientConnect.sh

This is using the RMerlin firmware (as we are in the Asuswrt-Merlin firmware forum!!!)

EDIT: If '/jffs/scripts/openvpn-event' doesn't exist then you must explicitly specify the 'script-security 2' directive.

e.g. Try cut'n'paste the following into the Custom config and see if the Server initialises correctly and the script is invoked for a client connection:
Code:
script-security 2
# Customise clients - assign I/P address; share remote subnet etc:
client-connect /jffs/scripts/VPNClientConnect.sh

Hopefully you should get something similar in Syslog - obviously for your usernames 'client1/2' rather than my SGS5 phone!
Code:
openvpn[8881]: xxx.xxx.xxx.xxx TLS: Username/Password authentication succeeded for username 'SGS5'
openvpn[8881]: xxx.xxx.xxx.xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
openvpn[8881]: xxx.xxx.xxx.xxx [client] Peer Connection Initiated with [AF_INET6]::ffff:xxx.xxx.xxx.xxx:36012
openvpn[8881]: client/xxx.xxx.xxx.xxx MULTI_sva: pool returned IPv4=10.188.0.3, IPv6=(Not enabled)
(VPNClientConnect.sh): 10114 VPN Client user 'SGS5' CCD configuration starting.... [/tmp/openvpn_cc_e070a460f17c33c64e0549f9d9313a2a.tmp]
(VPNClientConnect.sh): 10114 VPN Client user 'SGS5' CCD config: iroute 192.168.3.0 255.255.255.0
(VPNClientConnect.sh): 10114 VPN Client CCD configuration ended.
openvpn[8881]: client/xxx.xxx.xxx.xxx OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_e070a460f17c33c64e0549f9d9313a2a.tmp
openvpn[8881]: client/xxx.xxx.xxx.xxx MULTI: Learn: 10.188.0.3 -> client/xxx.xxx.xxx.xxx
openvpn[8881]: client/xxx.xxx.xxx.xxx MULTI: primary virtual IP for client/xxx.xxx.xxx.xxx: 10.188.0.3
openvpn[8881]: client/xxx.xxx.xxx.xxx MULTI: internal route 192.168.3.0/24 -> client/xxx.xxx.xxx.xxx
openvpn[8881]: client/xxx.xxx.xxx.xxx MULTI: Learn: 192.168.3.0/24 -> client/xxx.xxx.xxx.xxx
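Two interactions in the generated config.ovpn above decide whether the dynamic CCD approach works at all: any directive that runs an external program (client-connect, up, down, ...) needs 'script-security 2' or higher, otherwise OpenVPN logs "external program fork failed" and, for client-connect, answers the client with AUTH_FAILED; and 'duplicate-cn' means every client presents the same common name, so a per-CN ccd file cannot carry per-site settings unless a client-connect script keyed on the username writes them. As an added example (not code from the thread or the firmware), here is a small POSIX shell lint pass over such a file; OpenVPN's default script-security level of 1 is assumed when the directive is absent, and the sample config is constructed from the directives shown in the thread, not copied from a router.

```sh
#!/bin/sh
# Added example, not code from the thread or the firmware: lint an Asuswrt
# server config (e.g. /etc/openvpn/server1/config.ovpn) for two interactions:
#   1. directives that execute external programs need 'script-security 2'+
#   2. 'duplicate-cn' + 'client-config-dir' without a client-connect script
#      cannot distinguish clients that share one common name.
# The sample config is constructed from directives shown in the thread.

SAMPLE_BROKEN='# Automatically generated configuration
daemon
topology subnet
server 10.2.0.0 255.255.255.0
proto udp
port 1192
dev tun21
client-config-dir ccd
client-to-client
duplicate-cn
tls-auth static.key 0
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Custom Configuration
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.3.0 255.255.255.0 vpn_gateway
push "route 192.168.3.0 255.255.255.0"'

# The same config with the missing directive added (position does not matter).
SAMPLE_FIXED="$SAMPLE_BROKEN
script-security 2"

# Strip comments, then print the first argument of a directive (empty if absent).
directive() {
    sed 's/#.*//' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# Exit status 0 if the directive appears, uncommented, anywhere in the file.
has_directive() {
    sed 's/#.*//' "$2" | awk -v d="$1" '$1 == d { f = 1 } END { exit f ? 0 : 1 }'
}

# Print one finding per line; exit status 1 if anything was found.
lint_server_config() {
    f=$1; rc=0
    sec=$(directive script-security "$f")
    : "${sec:=1}"        # OpenVPN's default level when the directive is absent
    for d in client-connect client-disconnect learn-address auth-user-pass-verify up down; do
        if has_directive "$d" "$f" && [ "$sec" -lt 2 ]; then
            echo "$d: needs 'script-security 2' or higher (current level $sec)"
            rc=1
        fi
    done
    if has_directive duplicate-cn "$f" && has_directive client-config-dir "$f" \
       && ! has_directive client-connect "$f"; then
        echo "duplicate-cn with client-config-dir: all clients read the same ccd file; a per-site iroute needs a client-connect script keyed on the username"
        rc=1
    fi
    return $rc
}

# Usage: sh this.sh /etc/openvpn/server1/config.ovpn
if [ -n "${1:-}" ]; then
    lint_server_config "$1" && echo "no findings in $1"
fi
```

Run it against the generated file rather than against the Custom Configuration box alone: the firmware may or may not prepend 'script-security 2' itself, as the EDIT above notes, and only the generated file shows what OpenVPN actually parsed.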
 
EDIT: If the firmware does not have the 'Selective Routing Policy rules' option in the VPN Client GUI then you must explicitly specify the 'script-security 2' directive.

Again very much appreciate your helpfulness @Martineau . My apologies for not being clear enough in my previous post. I am using Merlin's Firmware already when I discovered the problem. After you told me about doing the scripts I installed on my AC68R (server router) Merlin's latest stable build 380.65.2. So I am not running stock ASUSWRT as with my very first post.

In regards to the 2.4 manual, I did search it and there was nothing with "-script security 2"; I couldn't find that anywhere. Also I did a Google Search and came up empty as well. https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=-script+security+2+++OpenVPN&* I always do my best at researching on my own before I ask for assistance. Thank you for the help again as always. Logic dictated it was Server but wanted to be sure.

Steps taken:
Added the "script-security 2" into the custom configuration box
Applied, then stopped server, restarted server
Exported new .ovpn for client
Added to the client
No option for 'Selective Routing Policy rules' in AC5300 (client router) Merlin's 380.65.2 (Where do you enable it?)
Attempted to start and still get the authentication failed on the client.

Any more ideas? I noticed in yours you also have 2 scripts underneath script-security 2 (up updown.sh, down updown.sh). I am assuming those are somewhere in the GUI since they aren't in the custom box? Also if you're willing we could always schedule a WebEx session and I could walk you through? I see you are based in the UK according to your profile. We could work out a time that's best for you if you're interested. Or just continue going back and forth here. Whatever works. Just trying to figure it out.

Here is the server log: Shows the user/password is fine but WARNING: Failed running command (--client-connect): could not execute external program

Code:
Mar 15 13:18:24 openvpn[3018]: XX.XX.XX.XX:XX TLS: Username/Password authentication succeeded for username 'client2'
Mar 15 13:18:24 openvpn[3018]: XX.XX.XX.XX:XX Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mar 15 13:18:24 openvpn[3018]: XX.XX.XX.XX:XX [client] Peer Connection Initiated with [AF_INET6]::ffff:XX.XX.XX.XX:XX:38349
Mar 15 13:18:24 openvpn[3018]: client/XX.XX.XX.XX:XX MULTI_sva: pool returned IPv4=10.2.0.2, IPv6=(Not enabled)
Mar 15 13:18:24 openvpn[3018]: client/XX.XX.XX.XX:XX WARNING: Failed running command (--client-connect): could not execute external program
Mar 15 13:18:25 openvpn[3018]: client/XX.XX.XX.XX:XX PUSH: Received control message: 'PUSH_REQUEST'
Mar 15 13:18:25 openvpn[3018]: client/XX.XX.XX.XX:XX Delayed exit in 5 seconds
Mar 15 13:18:25 openvpn[3018]: client/XX.XX.XX.XX:XX SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mar 15 13:18:30 openvpn[3018]: client/XX.XX.XX.XX:XX SIGTERM[soft,delayed-exit] received, client-instance exiting
 
Last edited:
In regards to the manual for 3.4 I did search it and there was nothing with "-script security 2" I couldn't find that anywhere.

Strange, when I browse the OpenVPN 3.4 [sic] manual (using the URL I posted) I find this...

(screenshot attached: 2017-03-15_17-39-51.png)


Did you cut'n'paste the three lines exactly as I posted?

Post the '/etc/openvpn/server1/config.ovpn' file.

Also did you make the script file executable as per the wiki? https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
 

Just saw my mistake.. bad typo. Was searching for "-script security 2" and it's "-script-security"; using Ctrl+F came up with 0 results on this. Thanks for pointing it out :) Yes I did. I didn't include the commented out portion. Just the actual code.

And yes made it executable as noted in previous comment. It shows its executable by everyone. (Groups, Owner, Others)
Steps taken:
1) Made sure to follow Merlins advice to enable the custom scripts in System and then to remember to set the permission properties chmod a+rx /jffs/scripts/*

Here is the /etc/openvpn/server1/config.ovpn file

# Automatically generated configuration
daemon
topology subnet
server 10.2.0.0 255.255.255.0
proto udp
port 1192
dev tun21
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-256-CBC
auth RSA-SHA256
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
tls-auth static.key 0
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10

# Custom Configuration
script-security 2
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.3.0 255.255.255.0 vpn_gateway
route 192.168.4.0 255.255.255.0 vpn_gateway
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
 

EDIT: If '/jffs/scripts/openvpn-event' doesn't exist then you must explicitly specify the 'script-security 2' directive.

Anyway perhaps the actual script needs to be debugged...

SSH/Telnet to the router and then cut'n'paste the following commands and post the complete output. (Excuse me if I don't believe you have done as expected, but sadly 'the devil is in the detail' and typos do happen.)

NOTE the 'l' command should have the 's' appended to form a 2-char command....but the forum normally blocks this from being posted

Code:
cd /jffs/scripts/

ls -lah ./VPNClientConnect.sh

./VPNClientConnect.sh

chmod a+rx /jffs/scripts/*

ls -lah ./VPNClientConnect.sh

./VPNClientConnect.sh

dos2unix ./VPNClientConnect.sh

./VPNClientConnect.sh

cat ./VPNClientConnect.sh | head
 
EDIT: If '/jffs/scripts/openvpn-event' doesn't exist then you must explicitly specify the 'script-security 2' directive.

So I don't have anything else in my scripts folder other than your VPN Connect Script. What is the /openvpn-event?

Below is the debug. **Note in the script the only changes were the client1 and client2 names like you stated, and I did change the "l" to "ls" to run it.


Code:
Using username "userx".
Authenticating with public key "rsa-key-20150809"
Passphrase for key "rsa-key-20150809":


ASUSWRT-Merlin RT-AC68U 380.65-2 Fri Mar 10 05:29:50 UTC 2017
userx@RT-AC68R-2DA8:/tmp/home/root# cd /jffs/scripts/
userx@RT-AC68R-2DA8:/jffs/scripts# ls -lah ./VPNClientConnect.sh
-rwxr-xr-x    1 userx root        1.9K Mar 15 16:23 ./VPNClientConnect.sh
userx@RT-AC68R-2DA8:/jffs/scripts# ./VPNClientConnect.sh
(VPNClientConnect.sh): 3366 VPN Client user '' CCD configuration starting.... []

(VPNClientConnect.sh): 3366 **WARNING VPN Client user '' not defined - dynamic CCD config skipped.
(VPNClientConnect.sh): 3366 VPN Client CCD configuration ended.
userx@RT-AC68R-2DA8:/jffs/scripts# chmod a+rx /jffs/scripts/*
userx@RT-AC68R-2DA8:/jffs/scripts# ls -lah ./VPNClientConnect.sh
-rwxr-xr-x    1 userx root        1.9K Mar 15 16:23 ./VPNClientConnect.sh
userx@RT-AC68R-2DA8:/jffs/scripts# ./VPNClientConnect.sh
(VPNClientConnect.sh): 3382 VPN Client user '' CCD configuration starting.... []

(VPNClientConnect.sh): 3382 **WARNING VPN Client user '' not defined - dynamic CCD config skipped.
(VPNClientConnect.sh): 3382 VPN Client CCD configuration ended.
userx@RT-AC68R-2DA8:/jffs/scripts# dos2unix ./VPNClientConnect.sh
userx@RT-AC68R-2DA8:/jffs/scripts# ./VPNClientConnect.sh
(VPNClientConnect.sh): 3398 VPN Client user '' CCD configuration starting.... []

(VPNClientConnect.sh): 3398 **WARNING VPN Client user '' not defined - dynamic CCD config skipped.
(VPNClientConnect.sh): 3398 VPN Client CCD configuration ended.
userx@RT-AC68R-2DA8:/jffs/scripts#


Code:
#!/bin/sh
#=============================================================================
#
# This VPN Server custom script will create a CCD/tmp_file based on 'User names' when they share the same 'Common name' e.g. 'client'
#
#   i.e. CCD file '/jffs/configs/openvpn/ccd1/client' is inappropriate for multiple concurrent clients
#
# The remote subnets for each individual User (identified by login credentials) will be defined etc.
#
# e.g.  VPN Server 192.168.5.0 will host two clients (each with its own LAN subnet) and all three will communicate with each other over the VPN tunnels
#
# Requires VPN Server directives:
#
#       client-to-client
#       duplicate-cn
#       # Custom Configuration
#       script-security 2
#       client-connect /jffs/scripts/VPNClientConnect.sh
#
# OpenVPN invokes this script with the path of a temporary CCD file as $1 and
# the authenticated user name in the environment variable $username.
logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD configuration starting...." "[$*]"

# Configure the VPN Client CCD/file dynamically
STATUS="OK"    # Let's be positive! ;-)

# Identify client by user name and append its LAN subnet as an 'iroute'
case "$username" in
   "client1")
      echo "iroute 192.168.3.0 255.255.255.0" >>"$1"
      ;;
   "client2")
      echo "iroute 192.168.4.0 255.255.255.0" >>"$1"
      ;;
   *)
      STATUS="FAIL"
      ;;
esac

if [ "$STATUS" = "OK" ]; then
   logger -st "($(basename "$0"))" $$ "VPN Client user '$username' CCD config:" "$(cat "$1")"
else
   echo -e "\a"
   logger -st "($(basename "$0"))" $$ "**WARNING VPN Client user '$username' not defined - dynamic CCD config skipped."
fi

#Send_email [file | "A_single_line_text_message_in_quotes_to_be_emailed" ] [email_method]
TEMPFILE="/tmp/VPNClientConnect${username}.txt"
{
   echo "Common Name: $common_name"
   echo "Username: $username"
   echo "I/P: $trusted_ip"
   echo "PORT: $trusted_port"
   echo "MTU: $tun_mtu"
} >>"$TEMPFILE"
#Send_email $TEMPFILE

logger -st "($(basename "$0"))" $$ "VPN Client CCD configuration ended."

exit 0
 
What is the /openvpn-event?

Users choose the RMerlin firmware because of its extensive customisation via scripting - you can read about openvpn-event (see Usage->User scripts) and all the others (Usage->Customising config files etc.) here:

https://github.com/RMerl/asuswrt-merlin/wiki

So since openvpn-event is an optional RMerlin recognised custom script, if it exists then clearly for it to execute, the 'script-security 2' directive is obviously mandatory. - Doh!

Below is the debug. **Note in the script the only changes were the client1 and client 2 names like you stated. and I did change the "l" to "ls" to run it.

The script appears to run correctly (several times) on the console - and I assume it has created the associated logfile in '/tmp' ?

So I can see no reason why the clients when they connect don't show the script executing.

If you temporarily remove the need for Username/password authentication, can client1/2 connect with the script seen as running in Syslog?
 

@Martineau I figured it out. I happened to be browsing another thread, "Having trouble running custom scripts", that had some issue that you also helped with.

My issue seemed to be the encoding. Even though I had created it prior with Notepad++ and copied it over via SCP it didn't recognize. What I did is delete the file and recreate it using the internal editor in WinSCP and save again.. chmod it to allow execute and boom retried and it worked fine.

I have all 3 sites working now thanks to you! You were a big help in guiding me and providing the scripts.
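The client-connect mechanism described earlier in the thread, and the failure mode just resolved (a script that runs fine from the console yet is reported by OpenVPN as "could not execute external program"), can both be exercised without a VPN client in the loop. As an added example (not code from the thread), the following POSIX shell script calls a client-connect script exactly the way OpenVPN does (per-client values such as username and trusted_ip in the environment, the temporary CCD file path as $1) and runs the two file checks behind that error: the execute bit and CRLF line endings from a Windows editor. The script under test is a constructed stand-in for VPNClientConnect.sh, and 203.0.113.10 is a documentation address used as the sample client IP.

```sh
#!/bin/sh
# Added example, not code from the thread: exercise a client-connect script the
# way OpenVPN invokes it, and check the two things that make OpenVPN report
# "could not execute external program": the execute bit and CRLF line endings.
# The stand-in script below is constructed; 203.0.113.10 is a documentation IP.

# Constructed stand-in for a client-connect script. OpenVPN passes the path of
# a temporary CCD file as $1 and exports the authenticated user as $username.
# Unlike the thread's script it exits non-zero for an unknown user, which makes
# OpenVPN drop that connection instead of admitting it without an iroute.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
case "$username" in
    client1) echo "iroute 192.168.3.0 255.255.255.0" >> "$1" ;;
    client2) echo "iroute 192.168.4.0 255.255.255.0" >> "$1" ;;
    *) echo "unknown VPN user '$username'" >&2; exit 1 ;;
esac
exit 0
EOF
    chmod a+rx "$1"
}

# Print the first reason the kernel or OpenVPN would refuse to run the script;
# exit status 0 if none applies.
check_script_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f (chmod a+rx)"; return 1; }
    if grep -q "$(printf '\r')" "$f"; then
        echo "CRLF line endings: $f (run dos2unix, or save as Unix/LF)"; return 1
    fi
    case $(head -n 1 "$f") in '#!'*) ;; *) echo "no #! interpreter line: $f"; return 1 ;; esac
    return 0
}

# Invoke the script as OpenVPN does: per-client values in the environment, the
# CCD temp file path as $1. Prints the CCD content generated; the exit status is
# the script's own (non-zero is what becomes AUTH_FAILED on the server).
simulate_client_connect() {
    script=$1; user=$2; cn=${3:-client}; ip=${4:-203.0.113.10}
    tmp=$(mktemp)
    if username="$user" common_name="$cn" trusted_ip="$ip" trusted_port=1194 \
        "$script" "$tmp" 2>/dev/null; then rc=0; else rc=$?; fi
    cat "$tmp"
    rm -f "$tmp"
    return $rc
}

# Usage: sh this.sh demo   (creates and removes its own temporary files)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_script "$d/client-connect.sh"
    check_script_file "$d/client-connect.sh" && simulate_client_connect "$d/client-connect.sh" client1
    # A copy saved with Windows line endings: same content, refused by the loader.
    awk '{ printf "%s\r\n", $0 }' "$d/client-connect.sh" > "$d/client-connect-crlf.sh"
    chmod a+rx "$d/client-connect-crlf.sh"
    check_script_file "$d/client-connect-crlf.sh" || true
    rm -rf "$d"
fi
```

Running the real script from the console with `./VPNClientConnect.sh` only proves the shell can read it; the CRLF copy in the demo is the case that passes that test (the console invocation goes through the shell) but fails under OpenVPN, because the loader looks for an interpreter literally named `/bin/sh<CR>`. Checking the file for a carriage return, as above, catches it before the first client connects.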
 

Thanks for the feedback! - I can now finally relax :D ....I was 200% sure that my script worked but I must admit I was starting to doubt my abilities :)
 

@Martineau you are so very welcome! I can't thank you enough! I don't doubt your abilities at all. You know your stuff. Since I have your attention haha. Any thoughts on resolving hostnames over OpenVPN?

None of the networks are on a domain just Workgroup only.
The option in the OpenVPN server is Push to LAN clients only.

I don't want any internet traffic or WAN DNS requests to resolve on the VPN server. Only LAN from all 3 clients.

The options Respond to DNS and Advertise DNS to clients, I am assuming, are related to the WAN DNS and not local DNS, right?

How would I go about forcing each client and server to resolve each other's local LAN DNS without a domain and without editing a local PC hosts file?
 
Would anyone be willing to write a step-by-step guide to the whole process?
I guess it will benefit people who are not that much Linux/OpenVPN savvy (like for example - me).
 
Agree with you AbOrigine, have tried to follow this but don't get it. Working just one way.
 
@AbOrigine - here is an example of how to get it working

on my ASUS router VPN Server side (192.168.0.1) I have added client1 entry 192.168.1.0/255.255.255.0
and connection works both ways, no need for additional scripts or anything else

(screenshot attached)


VPN client side and VPN server side can't use the same IP range
 
