OpenVPN server setup - can't connect

henning dalgaard

Hello Folks!

I need your help as I am stuck here :)

I have bought two identical routers, Netgear Nighthawk R7000, that I want to set up as a main router with OpenVPN server and a portable client.

I want to use the second (portable) router for traveling, as an OpenVPN client, so that I can stream movies and such from my NAS. I have not gotten to the client yet as I am just testing the connection to the server from a laptop with OpenVPN software (on a different network).

I followed the guide here http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
it was recommended to use here: https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN

Unfortunately I am unable to connect. At first I thought that it was because I forgot to open port 1194, but I still get the same error. I am thinking it might still be a port problem because the program that I used to test the open port (from portforwarding.com) keeps saying that the port is not open. I also tried to disable the firewall but I still get the same error. Am I correct that I need to set "local ip" to the same IP as my router's main login page?

I am attaching some screenshots from the router admin page. I hope you can help.
There is a forum for Netgear routers, maybe you will have some luck there? Also in general, if you have the firewall setting to auto on the openvpn page you do not need to configure anything as far as port forwarding goes. Another note- if you use an online port checker it will generally see the port as closed unless you have a service up and listening on that port. In other words it will not say the port is open unless openvpn is up and running.
Hi guys,

The goal is to merge two separate LANs through the internet. All machines have to be able to see each other, file shares have to work, and I have to be able to connect to webcams.

I'm trying to connect two Asus RT-AC68U routers (newest Merlin build, I know it will be slow) through OpenVPN. At the moment one of them has the server running (IP specs: 192.168.2.1, 255.255.255.0, DHCP 100 to 254) and the other is the client (IP specs: 192.168.4.254, 255.255.255.0, DHCP 192.168.4.1 to 253). The machines seem to have a connection, but I can't ping the server from a laptop on the other network. Furthermore, none of the machines show up or can be accessed.

When I change the subnet on the client side to 255.255.248.0 I can see some machines (all Windows machines) on the other network and I can even use remote desktop to access them, but I still can't ping the router on the server side (192.168.2.1, host unreachable) or even the machines I can see and use a remote desktop on.

I've already tried it with a laptop (Windows 10) as the OpenVPN client. That seems to work and I can see all machines on the other network.

Can anyone help me with this?
I don't think my problem is an R7000 issue but more of a question about Merlin firmware and VPN. So I still hope for some help here. Another thread suggested this:

Since your OpenVPN server is sitting on the same machine as the router (and not sitting behind the router). You have to add the accept incoming port request at the router layer. You have to add this into your jffs/scripts to ensure you include into your iptables:

iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT

But I am unsure if this is correct - and I don't know how to actually include a line in my iptables. Anyone care to guide me step-by-step?
 
I hate to repeat myself but...

If you have the firewall setting to auto on the vpn>>vpndetails page you do not need to configure anything as far as port forwarding goes. The proper firewall rules will be inserted into iptables for you. Of course, make sure you have the proper server selected, as there are two you can use on rmerlin's firmware. Do you have the firewall setting on auto? I see that you apparently do.

Another note- if you use an online port checker it will generally see the port as closed unless you have a service up and listening on that port. In other words, it will not say it is open unless openvpn is up, running, and working properly. So get the openvpn server WORKING PROPERLY before you use a port checker.

Did you insert your certificates? Check your server logs and see what errors you are getting, this will help us help you.
Thanks for all the help so far.

I have finally set up my VPN server on my router (Netgear R7000 running Asus Merlin WRT). I am able to connect from my OpenVPN client (laptop for now - later I will set up another R7000 as a client). However, I am unsure whether I am really running all my traffic through the tunnel - maybe I don't need to - but here are my goals:

1. My VPN server is here in Denmark and I want to let my brother in USA connect to the VPN, so he obtains a Danish IP that can be used to access news and TV shows that are restricted for Danish people. After connection the VPN client seems to have the same public IP, so I am unsure that my brother will avoid the country restrictions.

2. I can access the router admin page where the VPN server is located but I am unable to access any other machines on the home LAN from the client. I would like to "trick" the client into seeing one of the machines behind the router/VPN as being part of the client LAN. Is this possible without TAP? The reason is that this would make it possible for my brother to install hdhomerun drivers on his client in USA and use my TV tuner in Denmark to watch Danish TV from my LAN. I have tried installing the drivers on the client but the hdhomerun software is unable to find the TV tuner on my LAN.

3. Unrelated bonus question: Should I be running on UDP instead of TCP? Or does this article not concern me? http://sites.inka.de/~bigred/devel/tcp-tcp.html

I have a fixed public IP 62.107.xx.xx and my VPN and router are running on 192.168.2.1

server config:
# Automatically generated configuration
daemon
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
rcvbuf 0
sndbuf 0
port 1194
dev tun21
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.2.0 255.255.255.0"
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration


Client config

client
;dev tap
dev tun0
;dev-node MyTap
;proto tcp
proto tcp
remote 62.107.xx.xx 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
;tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
;mute 20

IPtables

iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
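
Added example (not part of the original posts): a small audit of the server config and firewall rules posted above, flagging the settings that bear on the three questions. The embedded text is a constructed excerpt of the post, and the function names and finding codes are hypothetical.

```python
import re

# Constructed excerpts of the server config and firewall rules posted in the thread.
SERVER_CONF = """\
topology subnet
server 10.8.0.0 255.255.255.0
proto tcp-server
port 1194
dev tun21
push "route 192.168.2.0 255.255.255.0"
duplicate-cn
ca ca.crt
"""
IPTABLES_RULES = """\
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
"""

def parse_conf(text):
    """Return {directive: [argument strings]}, skipping '#' and ';' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key, []).append(rest.strip())
    return conf

def audit(conf_text, rules_text):
    """Return a sorted list of (hypothetical) finding codes for config + rules."""
    conf = parse_conf(conf_text)
    findings = set()
    if "redirect-gateway" not in " ".join(conf.get("push", [])):
        findings.add("no-redirect-gateway")  # only pushed routes use the tunnel
    if "duplicate-cn" in conf:
        findings.add("duplicate-cn")         # one certificate may serve many clients
    if not conf.keys() & {"tls-auth", "tls-crypt"}:
        findings.add("no-tls-auth")          # no HMAC check before the TLS handshake
    dev = conf.get("dev", [""])[0]
    # Tunnel interfaces named by -i/-o that are not the device the server creates.
    used = set(re.findall(r"-[io]\s+(tun\S+|tap\S+)", rules_text))
    if used - {dev}:
        findings.add("iface-mismatch")       # rules name tun0, config creates tun21
    return sorted(findings)
```

In OpenVPN, `push "redirect-gateway def1"` is the server directive that sends all client traffic through the tunnel; without it only the pushed 192.168.2.0/24 route does, which matches the unchanged public IP described in goal 1.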