OpenVPN server issue

Discussion in 'Asuswrt-Merlin' started by wrongEl, Mar 20, 2019.

  1. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    Hi All,

    I am a newbie in networking, so sorry in advance for any blunders.

    I have been running merlin (currently 384.9) on my AC68U for a couple of years now & thought I will set up a VPN server to access all my media content on the connected HDD. My network setup is as follows:

    Internet -> Cable Modem (192.168.1.1) -> AC68U Router (192.168.0.1) -> Clients

    I enabled the VPN server (please see attached image for details), and imported the ovpn file to the OpenVPN Connect android app. But I am not able to establish a connection to my local network. The logs from the app go like this.

    22:47:49.927 -- EVENT: DISCONNECTED
    22:47:49.938 -- EVENT: CORE_THREAD_INACTIVE
    22:47:49.938 -- Tunnel bytes per CPU second: 0
    22:47:49.939 -- ----- OpenVPN Stop -----
    22:48:28.816 -- ----- OpenVPN Start -----
    22:48:28.817 -- EVENT: CORE_THREAD_ACTIVE
    22:48:28.819 -- Frame=512/2048/512 mssfix-ctrl=1250
    22:48:28.820 -- UNUSED OPTIONS
    14 [resolv-retry] [infinite]
    15 [nobind]
    22:48:28.825 -- EVENT: RESOLVE
    22:48:28.827 -- Contacting 192.168.1.11:1194 via UDP
    22:48:28.827 -- EVENT: WAIT
    22:48:28.843 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
    22:48:38.819 -- Server poll timeout, trying next remote entry...
    22:48:38.820 -- EVENT: RECONNECTING
    22:48:38.834 -- EVENT: RESOLVE
    22:48:38.839 -- Contacting 192.168.1.11:1194 via UDP
    22:48:38.840 -- EVENT: WAIT
    22:48:38.851 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
    22:48:48.828 -- Server poll timeout, trying next remote entry...
    22:48:48.830 -- EVENT: RECONNECTING
    22:48:48.842 -- EVENT: RESOLVE
    22:48:48.856 -- Contacting 192.168.1.11:1194 via UDP
    22:48:48.857 -- EVENT: WAIT
    22:48:48.861 -- Connecting to [192.168.1.11]:1194 (192.168.1.11) via UDPv4
    22:48:58.827 -- Server poll timeout, trying next remote entry...
    Does this mean I have to enable port forwarding in my cable modem & also enable DDNS in AC68U?

    Thanks in advance

    Screenshot1.jpg
     
  2. eibgrad

    eibgrad Regular Contributor

    Joined:
    Feb 20, 2017
    Messages:
    64
    Yes, you need port forwarding on the cable modem+router. Or else place the WAN ip of the Asus in the DMZ of the modem+router.
     
  3. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,692
    Location:
    United Kingdom
    Are you trying to connect whilst still on your LAN? That does not work with udp: you must connect remotely if it’s going to work. Is 192.168.1.11 the router’s address on the modem’s subnet?

    Yes, you must set up a ddns address unless your public IP address is fixed.

    As to the effect of the router being on the modem’s subnet, that’s something I’m not familiar with; someone better qualified would need to comment on anything necessary there, which I see eibgrad has done. Or can the cable modem-router be put into bridge mode, to turn it into a modem alone?
     
  4. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    Do you mean I need to enable port forwarding in both router & modem or only on the cable modem?

    I tried connecting to the VPN through my cell network after disabling wifi on my phone.

    I think it is. How can I check this?

    I believe my public IP is not static. In DDNS settings in asus router page, I am seeing the following warning.

    The wireless router currently uses a private WAN IP address.
    This router may be in the multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

    Anyways I went ahead and registered successfully for DDNS with asus (xxxxx.asuscomm.com). How can I check if xxxxx.asuscomm.com can be accessed from outside?
     
  5. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,692
    Location:
    United Kingdom

    The Asus DDNS has spotted that your modem isn’t just a modem but is also a router and so your Asus router’s WAN address is a private address on the cable modem-router’s LAN subnet. You are double NAT’d, as they say, and your OpenVPN won’t work until you fix that, either by following eibgrad’s advice or perhaps by putting your modem-router into bridge mode so its routing functions are disabled. There might be other ways; I don’t know. Do you have other devices on your cable modem-router’s subnet that would be affected by bridge mode?
     
    Zonkd likes this.
  6. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,692
    Location:
    United Kingdom
    As for checking the public IP address your DDNS name resolves to, you could use the nslookup tool in Network Tools on the Asus router or something like https://ipinfo.info/html/ip_checker.php

    But until you fix your double NAT setup, I don’t think you will get anywhere, or perhaps it will resolve to your public IP address but your double NAT will stifle any attempt to make a connection.
     
    Last edited: Mar 20, 2019
  7. Zonkd

    Zonkd Senior Member

    Joined:
    Oct 19, 2014
    Messages:
    460
    What is the exact model of your cable modem-router? Are you using a voip phone connected to it? Are you using any other special features on it? If no then you’d want to bridge it if possible.
     
    martinr likes this.
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    8,479
    Did you switch the option to do an external check for the correct IP address? If you have and this is still not working, then you must bridge the modem as has already been suggested.
     
  9. guho

    guho Occasional Visitor

    Joined:
    Apr 26, 2012
    Messages:
    41
    I have this setup. Verizon Fios router is main router in the basement. AC86u connected to Fios router via one of its LAN ports (Gigabit Ethernet), no double natting for me. It is centrally located in the house so it can serve most wireless clients except the basement. I also have OpenVPN server on my ac86u. Besides the port forwarding it is also necessary to add routing rule of VPN subnet addresses to AC86u. On my LAN the OpenVPN clients receive addresses 192.168.3.x. Main router is 192.168.0.1. AC86u static LAN address is 192.168.0.2. I have route in my main router of 192.168.3.x to be sent via 192.168.0.2. I have it all working, not just OpenVPN but also IKEv2 and PPTP VPN servers running on the ac86u. If you have more questions, let me know.
     
    Last edited: Mar 20, 2019
    L&LD likes this.
  10. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    Thanks for all the help till now.

    So here is the update so far. I enabled bridge mode in my cable modem & now my asus router is correctly showing the ip assigned by my internet provider in Network Map. So that part is fixed.

    I enabled ddns in router & ipinfo.info is correctly resolving the address to my WAN ip.

    Still I am unable to establish a VPN connection to my network. :(

    The logs in OpenVPN Connect are now different.

    23:17:40.928 -- ----- OpenVPN Start -----
    23:17:40.929 -- EVENT: CORE_THREAD_ACTIVE
    23:17:40.930 -- Frame=512/2048/512 mssfix-ctrl=1250
    23:17:40.930 -- UNUSED OPTIONS
    14 [resolv-retry] [infinite]
    15 [nobind]

    23:17:40.931 -- EVENT: RESOLVE
    23:17:41.562 -- Contacting 100.XX.XX.XX:1194 via UDP
    23:17:41.562 -- EVENT: WAIT
    23:17:41.568 -- Connecting to [xxxxxx.asuscomm.com]:1194 (100.XX.XX.XX) via UDPv4
    23:17:50.928 -- Server poll timeout, trying next remote entry...
    23:17:50.934 -- EVENT: RECONNECTING
    23:17:50.949 -- EVENT: RESOLVE
    23:17:50.961 -- Contacting 100.XX.XX.XX:1194 via UDP
    23:17:50.962 -- EVENT: WAIT
    23:17:50.967 -- Connecting to [xxxxxx.asuscomm.com]:1194 (100.XX.XX.XX) via UDPv4
    23:18:00.927 -- Server poll timeout, trying next remote entry...
    23:18:00.928 -- EVENT: RECONNECTING
    23:18:00.932 -- EVENT: RESOLVE
    23:18:00.942 -- Contacting 100.XX.XX.XX:1194 via UDP
    23:18:00.943 -- EVENT: WAIT

    Please note that I still haven't set port forwarding in asus router or in my cable modem.
    Please let me know if that is the cause of the issue.

    And if port forwarding needs to be enabled in router, what are the values I need to fill in following fields?

    External Port
    Internal Port
    Internal IP address

    Source IP
     
  11. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    668
    1. On the VPN Status page, is Server 1 shown as running?
    2. You might show us the settings on the Advanced Settings page for Server 1.

    It doesn't look like your server is responding to OpenVPN Connect. I assume also on the Network Map page the IP address for your WAN is the 100.xx.xx.xx address you have sanitized.
     
  12. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    Yes Server 1 is shown as running

    VPN_Server_Advanced.JPG

    Yes the Network Map shows my WAN ip (100.xx.xx.xx)
     
  13. eibgrad

    eibgrad Regular Contributor

    Joined:
    Feb 20, 2017
    Messages:
    64
    Port forwarding is no longer an issue if the primary router is now hosting the OpenVPN server. The router will now open the 1194 port for the OpenVPN server once it's started. Looks to me just a case of the OpenVPN client either having the wrong public IP for the OpenVPN server, or perhaps the OpenVPN server is configured w/ TCP but you're specifying UDP on the client, or the port isn't 1194, etc. Just a mismatch of some kind. But without seeing the details of the client and server, we're left to guess.
     
  14. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    I just shared a screen shot of my VPN server configuration. Hope that helps.
     
  15. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    1,105
    If you have a 100 WAN IP number you are on CGN NAT. You need a public IP number to get it to work.
     
    Last edited: Mar 20, 2019
  16. wrongEl

    wrongEl New Around Here

    Joined:
    Oct 29, 2018
    Messages:
    7
    Oh I see. Like you mentioned, whatsmyip is showing my ip as 116.xx.xx.xx whereas WAN ip in router is 100.xx.xx.xx. Maybe my internet provider is using CGN :( .

    Does this mean I can't set up a personal VPN server in my setup?
     
  17. eibgrad

    eibgrad Regular Contributor

    Joined:
    Feb 20, 2017
    Messages:
    64
    If you don't have an addressable public IP, you're screwed. It means some other network lies between your router and the internet. And unless they are willing and able to port forward from their network's router to your router, you don't have remote access capabilities!
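
The check the thread converges on (router WAN address versus the address an external service reports), as an added Python example that is not part of any post above. The function names are hypothetical and every sample address except 192.168.1.11 is constructed; the third sample shows that a WAN address starting with 100 is only carrier-grade NAT space when it falls inside 100.64.0.0/10, so the comparison with the external address is the deciding test.

```python
import ipaddress

# Address blocks that can never receive inbound connections from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space


def classify(ip):
    """Return 'private', 'cgnat' or 'routable' for an IPv4 address string."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    return "routable"


def diagnose(router_wan_ip, external_ip):
    """Compare the WAN address shown by the router with the address an
    external what-is-my-IP service reports, and name the NAT situation."""
    kind = classify(router_wan_ip)
    if kind == "private":
        return "double-nat"      # modem-router upstream: bridge it or forward the port
    if kind == "cgnat":
        return "cgnat"           # ISP's NAT upstream: no inbound without ISP help
    if ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(external_ip):
        return "upstream-nat"    # address looks routable but is still translated
    return "reachable"           # router holds the public address itself


# Constructed sample pairs (router WAN address, externally observed address).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in
# for real public addresses.
SAMPLES = [
    ("192.168.1.11", "203.0.113.7"),    # router behind the modem-router's LAN
    ("100.72.14.9", "203.0.113.7"),     # inside 100.64.0.0/10
    ("100.12.14.9", "203.0.113.7"),     # starts with 100, outside 100.64.0.0/10
    ("198.51.100.23", "198.51.100.23"), # router holds the public address
]

if __name__ == "__main__":
    for wan, ext in SAMPLES:
        print(f"{wan:15} seen as {ext:15} -> {diagnose(wan, ext)}")
```

Only the "reachable" result means an OpenVPN server on the router can accept connections from outside on its own; the other three need a change upstream of the router.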
     
  18. elorimer

    elorimer Very Senior Member

    Joined:
    Dec 16, 2013
    Messages:
    668