OpenVPN Server Setup


#TY

Senior Member
I am currently installing a new Asus AX88U at a client's office and it's running the latest Merlin firmware, 384.19.

I am trying to configure the OpenVPN server to allow staff members with the same router at home to always have their routers connected to the office OpenVPN server so that they can access the file server, etc.

The LAN IP structure at the office is 192.168.1.x (I know it's not ideal, but they have way too many things static with that structure that they don't want to go through the hassle of changing it).

I set up the OpenVPN server as LAN only with pretty much the default setup. The only thing I enabled was "Manage Client-Specific options" and I allowed Client to Client.

When I had left the initial VPN subnet to 10.8.0.0, I was able to connect to the VPN server but couldn't ping anything inside (i.e. 192.168.1.1).

Then I changed the VPN subnet to 192.168.0.0 and all of a sudden I was able to ping everything inside the local network and all is well.

My VPN client received an IP of 192.168.0.2.

Then I set up someone else's Asus router to do the same thing, and the odd thing is, they also connected no problem, but their VPN client also got the same IP I did (192.168.0.2), which seems a little unusual to me. The odd thing is that we're both able to connect to everything without any issue.

Is this normal? I've attached the setup below. Thanks to all in advance.

eibgrad

Very Senior Member
Beware the Client-to-Client option is usually NOT what people think it is. This allows OpenVPN clients to access each other (and perhaps the networks behind them). IOW, the OpenVPN server acts as a *gateway* between those OpenVPN clients. By default, that's NOT allowed, and it is a relatively rare feature to have enabled, since it both raises security concerns and adds complexity if you also intend to allow the OpenVPN clients to access the network(s) behind each client.

In general, I don't recommend using 192.168.x.x for the tunnel, since you risk conflicts w/ the OpenVPN clients' own local networks (it's already bad enough the office is using 192.168.1.x for its own private network; that will likely, eventually, prove a headache). Use the default 10.8.0.0/24, or at least something in 10.x.x.x, to minimize that risk. And as I explained in that other thread, you can always NAT the inbound traffic from the tunnel so it appears to be coming from the router itself, if that helps disguise the fact that the tunnel is using a different IP network from the private network.

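The subnet conflicts eibgrad warns about (tunnel vs. office LAN, and either of those vs. a remote user's home LAN) can be checked before rolling the config out. This is an added example, not code from the thread or from the Merlin firmware; the office, tunnel and home subnets below are constructed to mirror the thread.

```python
# Added example (not from the thread): detect overlaps between a proposed
# OpenVPN tunnel subnet, the office LAN and the remote routers' home LANs.
import ipaddress

# Constructed inputs modelled on the thread: the office LAN and a few home
# LANs that consumer routers commonly hand out.
OFFICE_LAN = "192.168.1.0/24"
HOME_LANS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.50.0/24", "10.0.0.0/24"]


def check_vpn_plan(office_lan, tunnel, home_lans):
    """Return a list of (kind, network_a, network_b) conflicts.

    tunnel-vs-office: tunnel overlaps the office LAN; the server cannot
        route cleanly between the two.
    tunnel-vs-home:   a home LAN overlaps the tunnel; addresses pushed to
        that client collide with hosts on its own LAN.
    office-vs-home:   a home LAN overlaps the office LAN; hosts there look
        for office addresses locally instead of sending them down the tunnel.
    """
    office = ipaddress.ip_network(office_lan, strict=False)
    tun = ipaddress.ip_network(tunnel, strict=False)
    conflicts = []
    if tun.overlaps(office):
        conflicts.append(("tunnel-vs-office", str(tun), str(office)))
    for home_cidr in home_lans:
        home = ipaddress.ip_network(home_cidr, strict=False)
        if tun.overlaps(home):
            conflicts.append(("tunnel-vs-home", str(tun), str(home)))
        if office.overlaps(home):
            conflicts.append(("office-vs-home", str(office), str(home)))
    return conflicts


def in_ten_slash_eight(tunnel):
    """True if the tunnel lies inside 10.0.0.0/8, the range eibgrad suggests."""
    return ipaddress.ip_network(tunnel, strict=False).subnet_of(
        ipaddress.ip_network("10.0.0.0/8"))


if __name__ == "__main__":
    # Compare the thread's 192.168.0.0/24 choice with the default 10.8.0.0/24.
    for tunnel in ("192.168.0.0/24", "10.8.0.0/24"):
        print(f"tunnel {tunnel} (in 10/8: {in_ten_slash_eight(tunnel)})")
        for kind, a, b in check_vpn_plan(OFFICE_LAN, tunnel, HOME_LANS):
            print(f"  {kind}: {a} overlaps {b}")
```

Moving the tunnel to 10.8.0.0/24 clears the tunnel conflicts; the office-vs-home overlap on 192.168.1.0/24 remains until the office renumbers or the home user does.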

#TY

Senior Member
I will switch off Client to Client. Thanks for clarifying that. I will also revert to the default 10.8.0.0.

I honestly can't thank you enough. I would have never figured this out on my own. You are a life saver my friend :)

elorimer

Very Senior Member
I am trying to configure the OpenVPN server to allow staff members with the same router at home to always have their routers connected to the office OpenVPN server so that they can access the file server, etc.

The LAN IP structure at the office is 192.168.1.x (I know it's not ideal, but they have way too many things static with that structure that they don't want to go through the hassle of changing it).
Do you really mean for their routers to connect to the office OpenVPN server? That means any device on the home LAN will have access to the office LAN; sounds like a firing offence to me. :eek: I do this with my travel router to connect to my home network, to provide the spouse with the same user experience as at home, but I don't think I would do it with a work site. It would be better for just their PCs/other devices to be the clients.

The problem with 192.168.1.x in the office is that anyone with a home network that has that scheme and the router at 192.168.1.1 is not necessarily going to go to the default gateway to reach your static 192.168.1.whatever address; they are going to look for it on the home network. That will happen regardless of the VPN network scheme.

Also, if the "static" devices are actually DHCP reservations, it is really easy to change them to an odd scheme like 192.168.70.x. (We have 0.x, 1.x, 2.x, 50.x and 8.x in wide circulation now, so 192.168.x.x is itself a possible source of issues). If they aren't DHCP reservations, most of them could/should be, I think.

Last, are you really using client specific options?