OpenVPN Setup Question

abhi.ko

Occasional Visitor
Hi, I am trying to set up OpenVPN with Asus AX86U running Merlin 388.2_2, AT&T fiber HUMAX BGW320-500 modem (router functionality turned off and in passthrough mode to Asus router), Pi-Hole (main and backup as the DNS devices configured). I'm trying to get OpenVPN configured, but the client (my android device) doesn't connect with the configuration file generated after turning the server on. I haven't configured any clients in the router, I also got the public IP warning and I did forward the 1194 port on the router.

Screenshot 2023-06-25 130220.png

I do get the private WAN IP address warning as well even after the port being forwarded.
Screenshot 2023-06-25 130445.png


I do have DDNS enabled with Asus DDNS but there also I get the private WAN warning.
Screenshot 2023-06-25 130720.png

I used to have openvpn as a docker on my UnRaid prior to this and it was working well but that stopped working about 4-5 months back, hence trying the router OpenVPN server.

I am unsure of what I am doing here - very green on networking stuff, so any help would be appreciated.
 
I also got the public IP warning and I did forward the 1194 port on the router.
On which router did you forward that port? It is not required on the Asus. If your HUMAX is passing through the public IP address no port forwarding should be required there either.

Open your exported .ovpn file with a text editor and check the remote line. It should contain either your DDNS name or your public IP address.

Verify that your DDNS name resolves correctly to the public IP address and that this is not a CGNAT address.
 
Thanks for the response.

Yes, the remote line in the .ovpn file does have the DDNS hostname.asuscomm.com.

But I tried to access that address from outside the home network and it doesn't resolve correctly, when tried from my phone when disconnected from WiFi. What do I need to troubleshoot that?

While using the UnRaid docker for openvpn I had a duckdns subdomain registered for overcoming this dynamic IP problem - can I use that instead of the asuscomm domain?
 
While using the UnRaid docker for openvpn I had a duckdns subdomain registered for overcoming this dynamic IP problem - can I use that instead of the asuscomm domain?
Yes you can use any valid DDNS name in the remote line. It would also be worth verifying that it works with just your public IP address as seen at https://canyouseeme.org/

Do an nslookup hostname.asuscomm.com 1.1.1.1 and check that it matches your public IP address.
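
The checks suggested in the replies above (read the remote line of the exported .ovpn file, compare what the DDNS name resolves to with the router's WAN IP, and rule out a private or CGNAT address), as an added Python example that is not part of the original thread. The sample profile, the 99.1.2.3 and 192.168.1.64 addresses and the function names are constructed for illustration; the `resolved` mapping stands in for the nslookup answer so the check runs offline.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range

def classify(addr):
    """Label an address 'cgnat', 'private' (not publicly routable) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    return "public" if ip.is_global else "private"

def remote_entries(ovpn_text):
    """Return (host, port, proto) for each 'remote' directive in a profile."""
    port, proto, remotes = "1194", "udp", []
    for raw in ovpn_text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#;":   # blank line or comment
            continue
        if words[0] == "port" and len(words) > 1:
            port = words[1]
        elif words[0] == "proto" and len(words) > 1:
            proto = words[1]
        elif words[0] == "remote" and len(words) > 1:
            remotes.append(words[1:4])
    return [(r[0], r[1] if len(r) > 1 else port, r[2] if len(r) > 2 else proto)
            for r in remotes]          # missing port/proto inherit profile values

def diagnose(ovpn_text, wan_ip, resolved):
    """resolved: hostname -> address from a public resolver (keeps this offline)."""
    findings = []
    if classify(wan_ip) != "public":            # router sits behind another NAT
        findings.append("wan-" + classify(wan_ip))
    for host, _port, _proto in remote_entries(ovpn_text):
        try:
            target = str(ipaddress.ip_address(host))  # remote is an IP literal
        except ValueError:
            target = resolved.get(host)               # remote is a DNS name
        if target is None:
            findings.append("unresolved:" + host)
        elif target != wan_ip:
            findings.append(f"mismatch:{host}->{target}")
    return findings

# Constructed sample profile and addresses (not taken from the thread).
SAMPLE_OVPN = "# exported profile\nclient\nproto udp\nremote hostname.asuscomm.com 1194\n"
SAMPLE_DNS = {"hostname.asuscomm.com": "99.1.2.3"}

if __name__ == "__main__":
    for wan in ("192.168.1.64", "99.1.2.3"):   # WAN still private, then passthrough working
        print(wan, diagnose(SAMPLE_OVPN, wan, SAMPLE_DNS))
```

An empty list means the profile's remote, the DDNS answer and the router's WAN address all agree on a publicly routable IP.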
 
Thanks - just tried that and none of the ports are visible/open from my public IP.

Should I be forwarding the port on the Humax router and is that safe?
 
Should I be forwarding the port on the Humax router and is that safe?
I don't know anything about the Humax or how it works. But you said "router functionality turned off and in passthrough mode". So it sounds like it isn't in passthrough mode otherwise your Asus would be getting a public WAN IP rather than a private one.

So either make passthrough mode work, or leave it in router mode and forward the port.

EDIT: This may help even though it's for a slightly different model: https://www.devonstephens.com/how-to-enable-ip-passthrough-on-att-bgw320-505/
 
Thank you - that link was very helpful. And yes that is how my AT&T device (modem/router) is setup.

The nslookup does find my correct public IP, but the WAN IP on the ASUS router is different than the public IP, but DDNS is active and turned on.

None of the ports are still accessible from the port check tool, I removed the 1194 port from being forwarded on the ASUS router.
 
What are the first two octets of your public IP and what are the first two octets of the WAN IP shown on the Asus?
 
Actually just rebooted ASUS and now they do match, the one on the ASUS earlier was 192.168.x.x but now it has changed to reflect the public IP starting with 99.

But ports are still not open or accessible.
 
When something tries to access the port from outside home, wouldn't that be hitting the AT&T Humax first, or would that pass through? I am wondering if any kind of port forwarding needs to be done on the Humax?
 
You had mentioned these steps in another post, wondering whether I need to do something similar to Step 1. I am using the default port for OpenVPN - so should I forward 1194 on the AT&T equipment?
 
Have you tried to connect using your client?

Don't use CanYouSeeMe.org to check for the open port because that doesn't work for UDP connections.

When something tries to access the port from outside home, wouldn't that be hitting the AT&T Humax first, or would that pass through? I am wondering if any kind of port forwarding needs to be done on the Humax?
Passthrough mode passes through all traffic to the specified target. You don't need to do any port forwarding.
 
Yes, finally it connects. However I am not able to access anything on the home network including the ASUS Router App or my server/plex etc.

This is how the server is setup.

Screenshot 2023-06-27 170611.png
 
Change your "VPN Details" setting to Advanced.

Can you ping any IP addresses on your LAN? If you can then it's likely an issue with the firewall on the Plex server.
 
Here are the advanced settings.



I am trying to reach the LAN IP address (10.0.0.133) of my server (WebGUI) from my cellphone with WiFi turned off and it is not able to access it.

I also tried to use the ASUS Router app and the connection just times out.

OpenVPN is connected to the ASUS server and running.
Screenshot_20230627-182714.png
 

Can you ping any IP addresses on your LAN?

Temporarily turn off the firewall on the server at 10.0.0.133 and see if you can now connect to it.

I don't know anything about the ASUS app or what it does so I can't help you there.
 