OpenVPN site-to-site with Asus Merlin

[Plenkske]

Me and my brother both have a Synology NAS, since a recent move.
Now we want to establish a VPN connection so we can access both NAS as if they are both in our own LAN. We both have an Asus RT-AC66U router with firmware version 3.0.0.4.354.28 Beta1 (Merlin build). We also both have a stable glass fiber internet connection.
These are our current settings:

At home(openvpn server)
Router: 192.168.1.1
IP's: 192.168.1.1 - 192.168.1.149

At my brothers(openvpn client)
Router: 192.168.1.150
IP's: 192.168.1.150 - 192.168.1.254

OpenVPN server and client settings are in the attachments. Chosen for TAP interface because we want to see all clients in both LANs.
I created keys using this manual: http://openvpn.net/index.php/open-source/documentation/howto.html#pki

The problem is that the OpenVPN Client keeps turning off after some time and wont turn on again automatically. Before it turns off everything works fine. It turns off after some minutes or some hours. It can be seen in the VPN Status but also the ON/OFF switch is at OFF. Also I have to click twice to get it back ON again(so I guess it thinks its still ON the first click). There is no clear error message, but some things I got in the system log:

(server side)
openvpn[721]: event_wait : Interrupted system call (code=4)
openvpn[721]: TITLE,OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 19 2013
openvpn[721]: TIME,Fri May 3 10:34:37 2013,1367570077
openvpn[721]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
openvpn[721]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
openvpn[721]: GLOBAL_STATS,Max bcast/mcast queue length,0
openvpn[721]: END

and

nmbd[533]: [2013/05/03 10:28:07, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
nmbd[533]: Samba name server RT-AC66U-V is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.1

and client side
(right before it turns off)
openvpn[807]: Extracted DHCP router address: 192.168.1.1

and also

nmbd[537]: [2013/05/02 20:48:45, 0] nmbd/nmbd_incomingdgrams.crocess_local_master_announce(309)
nmbd[537]: process_local_master_announce: Server RT-AC66U-V at IP 192.168.1.1 is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.
nmbd[537]: [2013/05/02 20:48:45, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(149)
nmbd[537]: Samba name server RT-AC66U has stopped being a local master browser for workgroup WORKGROUP on subnet 192.168.1.150


What I have tried so far:
- Switch server-client side(ofcourse also switched the keys...).
- Switch from UDP to TCP.
- I found the keepalive option on a forum and it looked like it worked longer but after half a day the client is turned off again.
- I have port 1194 forwarded to the routers IP but I'm not sure if this is necassary?
- Also I'm not sure if our IP's are correct this way? We thought this was the best option because we want to see all clients in "one" LAN.

Right now I'm pretty much clueless on what to do so I hope someone here can help.
Thanks in advance!

 

[somms]

OpenVPN Site to Site Connection Using DD-WRT Capable Routers

Wrote a guide a couple years back on how to accomplish site to site via DD-WRT firmware...maybe you could gather some direction from?

 

[Plenkske]

The idea is the same yes, but I don't really see what I can do with it since the setup in DD-WRT is a lot different.
Yeah, I've checked the values but don't really see the difference or I am not seeing where I can change them.

Really hope someone can help me using the same firmware(the asus merlin build).

 

[somms]

and client side
(right before it turns off)
openvpn[807]: Extracted DHCP router address: 192.168.1.1

Can confirm that this bug was introduced back in OpenVPN 2.3.0 and has now been fixed with the release of OpenVPN 2.3.2.

As a workaround to maintain a stable UDP TAP OpenVPN connection, I have had to remove the line
push "route-gateway dhcp"
line from the Custom Configuration of my Asus RT-N66U configured as OpenVPN server to prevent OpenVPN clients with build older than 2.3.2 from crashing and exiting at the Extracted DHCP router address: point....

 

[Plenkske]

I don't think there is way to update the router's openvpn by myself, right?

That custom configuration line... I don't even use that, or is it the same as the "allocate from dhcp" option ?

 

[somms]

I don't think there is way to update the router's openvpn by myself, right?

That custom configuration line... I don't even use that, or is it the same as the "allocate from dhcp" option ?

This bug has been fixed since Shibby has included OpenVPN 2.3.2 code into his latest [RELEASE] 110 firmware build.

I can now use push "route-gateway dhcp"
on the server without causing the clients to eventually crash...

Once Merlin incorporates OpenVPN 2.3.2 this should clear the bug causing intermittent crashes on your client router running Merlin's firmware.

 

[epicurean]

Will OPENVPN work between an PC connected to a asus N56U, and a NAS connected to an asus AC66U in another location?

 

[Plenkske]

Thanks for the replys somms, I have changed some settings and now it works stable since last monday! (knock on woods)

Changes client side (compared to the picture in head post): encryption cipher set to BF-CBC and compression set to enabled.

Server side options, see attached picture...

 

[Plenkske]

Since we had some troubles with the ip's of laptops/phones I changed the VPN ip's to 192.168.1.225 - 192.168.1.240 and the LAN of my brothers set to ...150 - ...224

We thought that was the solution but for some reason, sometimes a laptop or phone gets a too high or too low IP and the gateway of the wrong router. This is annoying since it then suddenly uses the internet of the wrong side, and so the internet is very slow.
For example: I'm at home, laptop gets .170 IP and the gateway of my brother. So the internet connection on my laptop is then via the router of my brother(first goes through vpn ofcourse).

Is there a way to fix this without having to set up static ip's on all devices?

 

[somms]

Since we had some troubles with the ip's of laptops/phones I changed the VPN ip's to 192.168.1.225 - 192.168.1.240 and the LAN of my brothers set to ...150 - ...224

We thought that was the solution but for some reason, sometimes a laptop or phone gets a too high or too low IP and the gateway of the wrong router. This is annoying since it then suddenly uses the internet of the wrong side, and so the internet is very slow.
For example: I'm at home, laptop gets .170 IP and the gateway of my brother. So the internet connection on my laptop is then via the router of my brother(first goes through vpn ofcourse).

Is there a way to fix this without having to set up static ip's on all devices?

ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

You can either put the above into the Firewall Script of the OpenVPN server router or you could enter Dnsmasq custom config as follows:

dhcp-host=00:26:5E:89:A4:C9,ignore
dhcp-host=F0:7B:CB:28:4D:4B,ignore
dhcp-host=00:1F:16:FDE:15,ignore

entering those specific MAC addresses would block them from using the gateway thru the tunnel but you would have to enter these on both the Server and Client routers. You would need to enter your brother's MAC addresses into your router to prevent them from using your router as the gateway and he would have to enter your MAC addresses to prevent them from using his router as the gateway. It is one of the drawbacks of using a TAP connection instead of a TUN OpenVPN connection.

 

[Plenkske]

Thanks! I have put those lines in the server router. Seems to work
Are there any drawbacks using that?

 

[somms]

Thanks! I have put those lines in the server router. Seems to work
Are there any drawbacks using that?

No drawbacks. I use that firewall script in the OpenVPN server router in my site-to-site TAP setup. It just prevents any remote clients from receiving the DHCP response from the local router and vice versa...

 

[PiNG]

Hi Guys,
I've got site to site vpn up and running, but I'm running into that DHCP problem where with my laptop I jump from site A to site B, i end up with Site A's gateway and end up hitting the web through the siteA's network.

It seems that answer is the previous reply from somms, but I don't get where to enter the ebtables. I've tried custom config, just copying and pasting into the custom section at the bottom of asus's openvpn section gives out errors in the system log.

ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap+ --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP


where do i input the above ebtables ? I tried SSH into router and found /jffs/scripts/ folder empty, so I created firewall-start and input the 4 lines into there, but i'm not sure if that's correct way to do it? pointers would be great! Thanks!

 

[ychauhan4u]

i am able to connect vpn between 2 asus router, but where i can add ebtables?

 

[PiNG]

Not sure if you found the solution, but this seemed to have done the job for me.

On the main site (server side) & Client Side
SSH into router and found /jffs/scripts/ and create a new file called "firewall-start" , put the 4 lines into it then restart the router.

I haven't had any issues jumping to and from different vpn locations.

 

[cezare]

Hi there,

You used this script on both server and client?

Thanks,

 

[cezare]

Hey guys,
Yet again, I know this is an old thread but I have a question about Plenkske's config.
He set his VPN tunnel's Client Address Pool to be on the same subnet as his own LAN : 192.168.1
Wouldn't that be interfering with his DHCP?

Thanks,