OpenVPN server on GT-AX11000 Pro - connection from clients fail

josephwit

Occasional Visitor
Brand new GT-AX11000Pro, set up AiMesh with my older GT-AX11000 and two ZenWiFi AX nodes - working amazing, except that I cannot get the primary router VPN servers to connect to my Mac or iOS devices. I am using default router settings as much as possible - I don't want to mess with things I don't understand. Tunnelblick log is below - cycles forever. Appears to say "network unreachable" when attempting to contact my public IP:port. I tried the WireGuard server as well (no experience with it), and couldn't connect with it either.

(my user name and public IP replaced with xx.xx.xx.xx:xxxx in the log. I am trying to connect while on my home network (and tried cellular), but this always worked before when the older 11000 was my primary router, no AiMesh. I do have DDNS set up.)

Help appreciated!!
Tunnelblick log and router settings screen shots below:



6.0beta08 (build 6120)

2025-05-27 11:42:32.512233 *Tunnelblick: openvpnstart starting OpenVPN

2025-05-27 11:42:33.120488 OpenVPN 2.6.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]

2025-05-27 11:42:33.120544 library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10

2025-05-27 11:42:33.121266 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:62507

2025-05-27 11:42:33.121291 Need hold release from management interface, waiting...

2025-05-27 11:42:33.772378 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52932

2025-05-27 11:42:33.809252 MANAGEMENT: CMD 'pid'

2025-05-27 11:42:33.809315 MANAGEMENT: CMD 'auth-retry interact'

2025-05-27 11:42:33.809353 MANAGEMENT: CMD 'state on'

2025-05-27 11:42:33.809385 MANAGEMENT: CMD 'state'

2025-05-27 11:42:33.809416 MANAGEMENT: CMD 'bytecount 1'

2025-05-27 11:42:33.811989 MANAGEMENT: CMD 'hold release'

2025-05-27 11:42:56.734344 MANAGEMENT: CMD 'username "Auth" “xxxxxxxxx”

2025-05-27 11:42:56.734459 MANAGEMENT: CMD 'password [...]'

2025-05-27 11:42:56.734616 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2025-05-27 11:42:56.737673 MANAGEMENT: >STATE:1748371376,RESOLVE,,,,,,



2025-05-27 11:42:56.775968 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xxx:xxxx

2025-05-27 11:42:56.776025 Socket Buffers: R=[131072->131072] S=[131072->131072]

2025-05-27 11:42:56.776038 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xxx:xxxx

2025-05-27 11:42:56.776054 MANAGEMENT: >STATE:1748371376,TCP_CONNECT,,,,,,

2025-05-27 11:43:03.886381 TCP: connect to [AF_INET]xx.xx.xx.xxx:xxxx failed: Network is unreachable

2025-05-27 11:43:03.886628 SIGUSR1[connection failed(soft),connection-failed] received, process restarting

2025-05-27 11:43:03.886658 MANAGEMENT: >STATE:1748371383,RECONNECTING,connection-failed,,,,,

2025-05-27 11:43:04.889330 MANAGEMENT: CMD 'hold release'

2025-05-27 11:43:04.889397 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2025-05-27 11:43:04.890982 MANAGEMENT: >STATE:1748371384,RESOLVE,,,,,,



2025-05-27 11:43:04.891984 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xxx:xxxx

2025-05-27 11:43:04.892023 Socket Buffers: R=[131072->131072] S=[131072->131072]

2025-05-27 11:43:04.892036 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xxx:xxxx

2025-05-27 11:43:04.892048 MANAGEMENT: >STATE:1748371384,TCP_CONNECT,,,,,,

2025-05-27 11:43:11.949800 TCP: connect to [AF_INET]xx.xx.xx.xxx:xxxx failed: Network is unreachable

2025-05-27 11:43:11.950021 SIGUSR1[connection failed(soft),connection-failed] received, process restarting

2025-05-27 11:43:11.950058 MANAGEMENT: >STATE:1748371391,RECONNECTING,connection-failed,,,,,

2025-05-27 11:43:12.953484 MANAGEMENT: CMD 'hold release'

2025-05-27 11:43:12.953564 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2025-05-27 11:43:12.956670 MANAGEMENT: >STATE:1748371392,RESOLVE,,,,,,
 

Attachments

  • Screenshot 2025-05-27 at 2.08.33 PM.png
  • Screenshot 2025-05-27 at 2.10.17 PM.png
Is your "public" IP address static or obtained via DHCP from your ISP?
If you use Asus DDNS and you are using the same Host Name as the prior router, did you deregister the DDNS account on the old router before you switched routers?
By any chance did you set up the new "Pro" router with a settings file from the old router? If you did it is time to factory reset the "Pro" and manually configure it.
 
No, the setup of the new router was from factory settings - I did not import old settings. My public IP is not static, but my DDNS through dyndns.org was successfully registered on the new router. DDNS page shows certificates issued to the new router, and whatsmyip.com confirms public IP same as OpenVPN was attempting to contact.
 
Sounds good.
Settings to change: Client will use Internet and local network, Respond to DNS - On
Save the settings and export a new config file.

Also try InstantGuard on a phone or tablet. It should work as it is simple. If it doesn't there is something wrong with your DHCP. And do not bother with the Let's Encrypt certs. You do not need them for VPN.
 
Nope, still no connect, "network is unreachable". What was the warning from the router that for iOS, a DNS server must be added to the app or something? Don't see it now. And I don't know what InstantGuard is...
Thanks for your help! - Joe
 
Wow, got it! Just realized that the IP OpenVPN was trying to contact in the log file was NOT the same as the current public address showing in my router - first 2 were the same and it looked similar at a glance. I had to go to dyndns.org account and tell it where to look - from there on dyndns should update the router's address correctly. Thanks for your help! duh...
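The comparison that resolved this thread, as an added example that is not part of the original posts: it pulls the remote address out of OpenVPN client log lines and compares it, along with whatever the DDNS hostname resolves to, against the router's WAN IP. The function names and all addresses are constructed for illustration (documentation ranges); the WAN IP and the DDNS lookup result are assumed to be supplied by the reader.

```python
import ipaddress
import re

# Matches the remote endpoint in OpenVPN client lines such as
# "TCP: connect to [AF_INET]198.51.100.57:1194 failed: Network is unreachable"
REMOTE_RE = re.compile(r"\[AF_INET\](\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Constructed sample log (documentation addresses, not values from the thread).
SAMPLE_LOG = """\
2025-05-27 11:42:33.121266 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:62507
2025-05-27 11:42:56.775968 TCP/UDP: Preserving recently used remote address: [AF_INET]198.51.100.57:1194
2025-05-27 11:42:56.776038 Attempting to establish TCP connection with [AF_INET]198.51.100.57:1194
2025-05-27 11:43:03.886381 TCP: connect to [AF_INET]198.51.100.57:1194 failed: Network is unreachable
"""

def attempted_remotes(log_text):
    """Return the set of non-loopback IPv4 addresses the client tried to reach."""
    remotes = set()
    for line in log_text.splitlines():
        if "MANAGEMENT" in line:
            continue  # local management socket, not the VPN server
        for ip, _port in REMOTE_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # redacted or malformed address, nothing to compare
            if not addr.is_loopback:
                remotes.add(addr)
    return remotes

def check_ddns(log_text, router_wan_ip, ddns_ips=()):
    """List mismatches between the router WAN IP, the dialed IP and the DDNS answer."""
    wan = ipaddress.ip_address(router_wan_ip)
    findings = []
    for addr in sorted(attempted_remotes(log_text)):
        if addr != wan:
            findings.append(f"client dialed {addr}, router WAN is {wan}: stale or wrong DDNS record")
    for ip in ddns_ips:
        if ipaddress.ip_address(ip) != wan:
            findings.append(f"DDNS hostname resolves to {ip}, router WAN is {wan}")
    return findings

if __name__ == "__main__":
    # WAN IP as read from the router status page; differs only in the last octet.
    for finding in check_ddns(SAMPLE_LOG, "198.51.100.75", ddns_ips=["198.51.100.57"]):
        print(finding)
```

An exact comparison like this catches addresses that only look alike at a glance; an empty result means the client, the DDNS record and the router agree.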
 
