OpenVPN server issue

[wrongEl]

Hi All,

I am a newbie in networking, so sorry in advance for any blunders.

I have been running merlin (currently 384.9) on my AC68U for couple of years now & thought I will setup a VPN server to access all my media content on the connected HDD. My network setup is as follows:

Internet -> Cable Modem (192.168.1.1) -> AC68U Router (192.168.0.1) -> Clients

I enabled the VPN server (please see attached image for details), and imported the ovpn file to OpenVPN Connect android app. But I am not able to establish a connection to my local network. The logs from app goes like this.

22:47:49.927 -- EVENT: DISCONNECTED
22:47:49.938 -- EVENT: CORE_THREAD_INACTIVE
22:47:49.938 -- Tunnel bytes per CPU second: 0
22:47:49.939 -- ----- OpenVPN Stop -----
22:48:28.816 -- ----- OpenVPN Start -----
22:48:28.817 -- EVENT: CORE_THREAD_ACTIVE
22:48:28.819 -- Frame=512/2048/512 mssfix-ctrl=1250
22:48:28.820 -- UNUSED OPTIONS
14 [resolv-retry] [infinite]
15 [nobind]
22:48:28.825 -- EVENT: RESOLVE
22:48:28.827 -- Contacting 192.168.1.11:1194 via UDP
22:48:28.827 -- EVENT: WAIT
22:48:28.843 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
22:48:38.819 -- Server poll timeout, trying next remote entry...
22:48:38.820 -- EVENT: RECONNECTING
22:48:38.834 -- EVENT: RESOLVE
22:48:38.839 -- Contacting 192.168.1.11:1194 via UDP
22:48:38.840 -- EVENT: WAIT
22:48:38.851 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
22:48:48.828 -- Server poll timeout, trying next remote entry...
22:48:48.830 -- EVENT: RECONNECTING
22:48:48.842 -- EVENT: RESOLVE
22:48:48.856 -- Contacting 192.168.1.11:1194 via UDP
22:48:48.857 -- EVENT: WAIT
22:48:48.861 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
22:48:58.827 -- Server poll timeout, trying next remote entry...
​

Does this mean I have to enable port forwarding in my cable modem & also enable DDNS in AC68U?

Thanks in advance

 

[eibgrad]

Yes, you need port forwarding on the cable modem+router. Or else place the WAN ip of the Asus in the DMZ of the modem+router.

 

[martinr]

Are you trying to connect whilst still on your LAN? That does not work with udp: you must connect remotely if it’s going to work. Is 192.168.1.11 the router’s address on the modem’s subnet?

Yes, you must set up a ddns address unless your public IP address is fixed.

As to the effect of the router being on the modem’s subnet, that’s something I’n not familiar with; someone better qualified would need to comment on anything necessary there, which I see eibgrad has done. Or can the cable modem-router be put into bridge mode, to turn it into a modem alone?

 

[wrongEl]

Yes, you need port forwarding on the cable modem+router. Or else place the WAN ip of the Asus in the DMZ of the modem+router.

Do you mean I need to enable port forwarding in both router & modem or only on the cable modem?

Are you trying to connect whilst still on your LAN? That does not work with udp: you must connect remotely if it’s going to work.

I tried connecting to the VPN through my cell network after disabling wifi on my phone.

Is 192.168.1.11 the router’s address on the modem’s subnet?

I think it is. How can I check this?

Yes, you must set up a ddns address unless your public IP address is fixed.

I believe my public IP is not static. In DDNS settings in asus router page, I am seeing the following warning.

The wireless router currently uses a private WAN IP address.
This router may be int he multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

Anyways I went ahead and registered successfully for DDNS with asus (xxxxx.asuscomm.com). How can I check if xxxxx.asuscomm.com can be accessed from outside?

 

[martinr]

Do you mean I need to enable port forwarding in both router & modem or only on the cable modem?


I tried connecting to the VPN through my cell network after disabling wifi on my phone.


I think it is. How can I check this?


I believe my public IP is not static. In DDNS settings in asus router page, I am seeing the following warning.

The wireless router currently uses a private WAN IP address.
This router may be int he multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

Anyways I went ahead and registered successfully for DDNS with asus (xxxxx.asuscomm.com). How can I check if xxxxx.asuscomm.com can be accessed from outside?

The Asus DDNS has spotted that your modem isn’t just a modem but is also a router and so your Asus router’s WAN address is a private address on the cable modem-router’s LAN subnet. You are double NAT’d, as they say, and your OpenVPN won’t work until you fix that, either by following eibgrad’s advice or perhaps by putting your modem-router into bridge mode so its routing functions are disabled. There might be other ways; I don’t know. Do you have other devices on you cable modem-router’s subnet that would be affected by bridge mode?

 

[martinr]

Do you mean I need to enable port forwarding in both router & modem or only on the cable modem?


I tried connecting to the VPN through my cell network after disabling wifi on my phone.


I think it is. How can I check this?


I believe my public IP is not static. In DDNS settings in asus router page, I am seeing the following warning.

The wireless router currently uses a private WAN IP address.
This router may be int he multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

Anyways I went ahead and registered successfully for DDNS with asus (xxxxx.asuscomm.com). How can I check if xxxxx.asuscomm.com can be accessed from outside?

As for checking the public IP address your DDNS name resolves to, you could use the nslookup tool in Network Tools on the Asus router or something like https://ipinfo.info/html/ip_checker.php

But until you fix your double NAT setup, I don’t think you will get anywhere, or perhaps it will resolve to your public IP address but your double NAT will stifle any attempt to make a connection.

 

[Zonkd]

What is the exact model of your cable modem-router? Are you using a voip phone connected to it? Are you using any other special features on it? If no then you’d want to bridge it if possible.

 

[L&LD]

Do you mean I need to enable port forwarding in both router & modem or only on the cable modem?


I tried connecting to the VPN through my cell network after disabling wifi on my phone.


I think it is. How can I check this?


I believe my public IP is not static. In DDNS settings in asus router page, I am seeing the following warning.

The wireless router currently uses a private WAN IP address.
This router may be int he multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

Anyways I went ahead and registered successfully for DDNS with asus (xxxxx.asuscomm.com). How can I check if xxxxx.asuscomm.com can be accessed from outside?

Did you switch the option to do an external check for the correct IP address? If you have and this is still not working, then you must bridge the modem as has already been suggested.

 

[guho]

I have this setup. Verizon Fios router is main router in the basement. AC86u connected to Fios router via one of its LAN ports (Gigabit Ethernet), no double natting for me. It is centrally located in the house so it can serve most wireless clients except the basement. I also have OpenVPN server on my ac86u. Besides the port forwarding it is also necessary to add routing rule of VPN subnet addresses to AC86u. On my LAN the OpenVPN clients receive addresses 192.168.3.x. Main router is 192.168.0.1. AC86u static LAN address is 192.168.0.2. I have route in my main router of 192.168.3.x to be sent via 192.168.0.2. I have it all working, not just OpenVPN but also IKEv2 and PPTP VPN servers running on the ac86u. If you have more questions, let me know.

 

[wrongEl]

Thanks for all the help till now.

So here is the update so far. I enabled bridge mode in my cable modem & now my asus router is correctly showing the ip assigned by my internet provider in Network Map. So that part is fixed.

I enabled ddns in router & ipinfo.info is correctly resolving the address to my WAN ip.

Still I am unable to establish a VPN connection to my network.

The logs in OpenVPN Connect is now different.

23:17:40.928 -- ----- OpenVPN Start -----
23:17:40.929 -- EVENT: CORE_THREAD_ACTIVE
23:17:40.930 -- Frame=512/2048/512 mssfix-ctrl=1250
23:17:40.930 -- UNUSED OPTIONS
14 [resolv-retry] [infinite]
15 [nobind]

23:17:40.931 -- EVENT: RESOLVE
23:17:41.562 -- Contacting 100.XX.XX.XX:1194 via UDP
23:17:41.562 -- EVENT: WAIT
23:17:41.568 -- Connecting to [xxxxxx.asuscomm.com]:1194 (100.XX.XX.XX) via UDPv4
23:17:50.928 -- Server poll timeout, trying next remote entry...
23:17:50.934 -- EVENT: RECONNECTING
23:17:50.949 -- EVENT: RESOLVE
23:17:50.961 -- Contacting 100.XX.XX.XX:1194 via UDP
23:17:50.962 -- EVENT: WAIT
23:17:50.967 -- Connecting to [xxxxxx.asuscomm.com]:1194 (100.XX.XX.XX) via UDPv4
23:18:00.927 -- Server poll timeout, trying next remote entry...
23:18:00.928 -- EVENT: RECONNECTING
23:18:00.932 -- EVENT: RESOLVE
23:18:00.942 -- Contacting 100.XX.XX.XX:1194 via UDP
23:18:00.943 -- EVENT: WAIT
​

Please note that I still haven't set port forwarding in asus router or in my cable modem.
Please let me know if that is the cause of the issue.

And if port forwarding needs to be enabled in router, what are the values I need to fill in following fields?

External Port
Internal Port
Internal IP address
Source IP​

 

[elorimer]

1. On the VPN Status page, is Server 1 shown as running?
2. You might show us the settings on the Advanced Settings page for Server 1.

It doesn't look like your server is responding to OpenVPN Connect. I assume also on the Network Map page the IP address for your WAN is the 100.xx.xx.xx address you have sanitized.

 

[wrongEl]

1. On the VPN Status page, is Server 1 shown as running?

Yes Server 1 is shown as running

2. You might show us the settings on the Advanced Settings page for Server 1.

It doesn't look like your server is responding to OpenVPN Connect. I assume also on the Network Map page the IP address for your WAN is the 100.xx.xx.xx address you have sanitized.

Yes the Network Map shows my WAN ip (100.xx.xx.xx)

 

[eibgrad]

Port forwarding is no longer an issue if the primary router is now hosting the OpenVPN server. The router will now open the 1194 port for the OpenVPN server once it's started. Looks to me just a case of the OpenVPN client either having the wrong public IP for the OpenVPN server, or perhaps the OpenVPN server is configured w/ TCP but your're specifying UDP on the client, or the port isn't 1194, etc. Just a mismatch of some kind. But without seeing the details of the client and server, we're left to guess.

 

[wrongEl]

I just shared a screen shot of my VPN server configuration. Hope that helps.

 

[octopus]

Yes Server 1 is shown as running
View attachment 16628
Yes the Network Map shows my WAN ip (100.xx.xx.xx)

IF you have 100 wanipnumber you are on CGNnat. You need a public ip-number to get it work.

 

[wrongEl]

Oh I see. Like you mentioned, whatsmyip is showing my ip as 116.xx.xx.xx where as WAN ip in router is 100.xx.xx.xx. Maybe my internet provider is using CGN .

Does this mean I can't setup a personal VPN server in my setup?

 

[eibgrad]

Oh I see. Like you mentioned, whatsmyip is showing my ip as 116.xx.xx.xx where as WAN ip in router is 100.xx.xx.xx. Maybe my internet provider is using CGN .

Does this mean I can't setup a personal VPN server in my setup?

If you don't have an addressable public IP, you're screwed. It means some other network lies between your router and the internet. And unless they are willing and able to port forward from their network's router to your router, you don't have remote access capabilities!

 

[elorimer]

What happens if you use the external method for ddns? That might supply the 116.xx.xx.xx address. Curious if that might help starting with the wiki: https://github.com/RMerl/asuswrt-merlin/wiki/DDNS-services