OpenVPN unable to access local shares (AC3000 - CT8)

RangerZ

Regular Contributor
I am testing OpenVPN Server on a set of ASUS CT8 (FW 3.0.0.4.386.47399)

I have the CT8 set up behind my home network and it gets a WAN IP of 192.168.111.236. I am using the General default values with port 4999.

I have a client set up with the Community build V2.5.7 running on the 192.168.111.x subnet. The default exported config appears to connect with no issue. I can access the Internet, but am unable to access the network shares, including another PC and a USB drive attached to the CT8. I can access both devices when on the CT8 LAN, but not via OpenVPN.

The OpenVPN client gets an IP of 10.8.0.6, not in the ASUS router's 192.168.50.x subnet. The VPN client does not show in General => Network Map, but reports as connected under VPN => OpenVPN => Connection Status. (That's a bit disappointing.)

I can ping the router at 192.168.50.1 from the OpenVPN client, but not the other LAN PC at 192.168.50.170.

I have tested setting the WAN both as DHCP and STATIC IP settings. I also have tried with both Local (only) and Local and Internet config options. Same results.

I expect I am missing something, but not clear what. Thoughts?
 
As you observed, your VPN client has an IP address in the 10.8.0.x subnet. If you're trying to access Windows PCs bear in mind that Windows Firewall will block incoming pings and SMB requests that don't originate on the local subnet (unless it's part of a Windows domain).
 
Thank you Colin, Not surprised the subnet is the issue.

This is a consumer product and I would expect that ASUS would cover this in their article on setting up the OpenVPN server, for dumb users like me, but they do not. In effect, the documentation (and other YouTubes etc.) configure OpenVPN with the GENERAL setting. It connects, but in effect, does not work from a practical perspective. There are 2 GENERAL options, LAN and ALL TRAFFIC (not the terms in the interface). The instructions leave you with LAN not doing anything that I can tell (on Windows??). With ALL TRAFFIC, internet is redirected.

Using ADVANCED SETTINGS yields other parameters of which I have tested 2 so far.

With ADVANCED defaults setting the subnet is available. I have tried to change the subnet, but am unable to move this to the IP of the "internal LAN" (192.168.50.x).

ADVANCED also offers the option to use TUN (default) or TAP. Changing to TAP, the option to change the subnet is removed; using TAP will now use the same subnet as the internal LAN. The downside is that this configuration does not support iOS and Android. This article OpenVPN on Routing and Bridging is relevant.

Indirectly related, with other than TAP, the devices in the OpenVPN subnet do not appear in the ASUS Network Map, so it's not readily clear that a VPN user is connected. This info can be found deep in the VPN menu, so not user friendly. The OpenVPN device does show in the Network Map when set as TAP.

I also am of the opinion that the ADVANCED parameter "Direct clients to redirect Internet Traffic" does not work as suggested. I see no difference with this on or off like I do for the analogous GENERAL parameter.

I have submitted feedback to ASUS via the interface option. Colin, if you can detail here how to fix this on the Windows client, that would be helpful.

So again, my test config is independent of my ISP speed limits. This was structured to test the hardware max performance. I use Tutosoft Lan Speedtest 1.32 for speed testing internally. I have found this offers similar results to iPerf, but easier to use. Basically I get 26 Mbps Write and 17 Mbps Read on the CT8 (AC3000) with substantially default OpenVPN parameters. Not sure why read is consistently lower. Tested 20MB to 2000MB files with very similar results.
 
To confirm a couple of points you mentioned...

You cannot have the TUN VPN subnet the same as the LAN subnet (on either side). This is simply not valid from a routing perspective. Using TAP creates a bridged connection so the client becomes part of the remote subnet, but that has its own set of problems (as well as the lack of client support you mentioned).

Regarding the Windows Firewall problem, if this is just for testing on an internal network the simplest solution is to temporarily turn off the firewall on the target machine. If this were a permanent setup you could edit the Windows Firewall rules for Echo Request (ping) and SMB-In and change the Scope to include the 10.8.0.0/24 subnet.

I don't have the same router or firmware as you so there may be differences. But I was able to access the router's Samba shares via my VPN so I don't know why you couldn't. Maybe there's something different about Merlin's firmware.
 
@colin, thank you. Hopefully not TLDR

Regarding TAP, what are the other problems you are referring to?

I had a trio of RT-AC1900P\AC68us running Merlin. IIRC, there are differences in both the OpenVPN (multiple server option) and in the USB connectivity (SMB version options).

As for Test vs Production, eventually yes, a production environment and likely to replace the above trio running at my sister's house. Having some coverage issues and drops, hard to diagnose remotely. Had thought it was the WiFi, but last week she had an issue with the TiVo (over Ethernet, not MoCA) losing connection. Now unclear.

Thanks to your help I now have this working, but it was not straightforward. LSS, I configured rules, disabled the Firewall and enabled SMB1, but still had no access. At some point I decided to try the IP address instead of using the share name and was then able to connect.

For future Windows readers:
Control Panel => Windows Defender Firewall => Windows Defender Advanced Firewall => Inbound Rules
For the active Private Network:
  - File and Printer Sharing (Echo Request - ICMPv4-In)
    Scope => Remote IP Address => add 10.0.8.0/24
  - File and Printer Sharing (SMB-In)
    Scope => Remote IP Address => add 10.0.8.0/24


IP 10.0.8.0 is the default IP, however it is possible to change this by selecting the Advanced Settings option which offers the option to set an IP address.

Regarding performance, it seems that TUN is faster on the READ than TAP. Again with defaults, I am able to get about 25Mbps Write and 40Mbps Read. Write is slightly slower than TAP, but Read is almost twice as fast. I performed about a dozen tests with different file sizes, with very similar results. Not blazing speed, but usable for our needs and not too different than the current Netgear R7800.

In general, while TUN is faster, TAP is more convenient.

I have noticed a couple of other items I am not clear about.
  1. VPN Log and Network Connections Devices - I noticed a reference to TAP in the connection logs (see below). I have verified that TUN is set in the VPN => Advanced Settings Interface Type parameter. I also see in the client's Network Connections 2 items, OpenVPN TAP-Windows6 and OpenVPN Wintun. The former (TAP) adapter is in use, the other Disabled.
  2. ASUS Network Map - Before adding the firewall rule I was unable to see the VPN client, but now I can. It shows in the Network Map with an IP address in the 192.168.50.x subnet, not the VPN client IP. I confirmed the device with the MAC.
  3. SMB - I am of the opinion that ASUS stock FW is only SMB1, but not sure. I can connect to the USB device with SMB1 disabled.

The first of these is the most curious. Not sure if the values I originally used are properly cleared. Do not understand why I am using a TAP adapter.

The related GUI does not work as expected. After saving the ADVANCED settings changes, the GUI reverts to showing GENERAL and no longer displays the advanced settings. A new Custom radio button shows to the right of the Client will use VPN to access parameter. Directly related, I am not sure ADVANCED respects the option to push the internet to the VPN server (ADVANCED => Direct clients to redirect Internet traffic). I know some options are saved after returning to GENERAL, specifically the IP address.

For reference, I have a post subsequent to this one, which you commented in, that discusses using some rules on the router to accomplish this (not tested):
How to allow openvpn clients to access my LAN PC

With this understanding, do you know if a Synology or QNAP NAS will have similar access issues?

VPN LOG:
Code:
2022-10-18 21:23:04 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-10-18 21:23:04 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-10-18 21:23:04 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
2022-10-18 21:23:04 Windows version 10.0 (Windows 10 or greater) 64bit
2022-10-18 21:23:04 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
2022-10-18 21:23:10 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.111.236:4999
2022-10-18 21:23:10 UDP link local: (not bound)
2022-10-18 21:23:10 UDP link remote: [AF_INET]192.168.111.236:4999
2022-10-18 21:23:10 [ZenWiFi_CT8] Peer Connection Initiated with [AF_INET]192.168.111.236:4999
2022-10-18 21:23:11 open_tun
2022-10-18 21:23:11 tap-windows6 device [OpenVPN TAP-Windows6] opened
2022-10-18 21:23:11 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.8.10/255.255.255.252 on interface {[REDACTED]} [DHCP-serv: 10.0.8.9, lease-time: 31536000]
2022-10-18 21:23:11 Successful ARP Flush on interface [6] {[REDACTED]}
2022-10-18 21:23:11 IPv4 MTU set to 1500 on interface 6 using service
2022-10-18 21:23:11 Blocking outside dns using service succeeded.
2022-10-18 21:23:16 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-10-18 21:23:16 Initialization Sequence Completed
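The Windows Firewall scope change described above (Echo Request and SMB-In rules for the Private profile), as an added PowerShell example that is not from the thread. It keeps the existing scope (normally LocalSubnet) and appends the VPN client subnet instead of opening the rules to Any; $VpnSubnet is an assumption and must match what the router's OpenVPN server actually hands out (10.8.0.0/24 by default, 10.0.8.x in the log above after it was changed under Advanced Settings).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run in an elevated PowerShell on the PC
# that hosts the shares. $VpnSubnet is an assumption: set it to the subnet
# shown for the VPN client (10.8.0.0/24 by default on the ASUS server).
param(
    [string]$VpnSubnet = '10.8.0.0/24'
)

# The two built-in inbound rules the post edits by hand in the GUI.
$ruleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'File and Printer Sharing (SMB-In)'
)

foreach ($name in $ruleNames) {
    # The same display name exists once per profile; only touch the Private
    # profile rule, as the post does. Profile is a flags value, so match on
    # its string form.
    $rules = Get-NetFirewallRule -DisplayName $name |
        Where-Object { "$($_.Profile)" -match 'Private' }

    foreach ($rule in $rules) {
        $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if ($current -contains 'Any') {
            Write-Host "$name [$($rule.Profile)]: already open to Any, leaving as is"
            continue
        }
        if ($current -contains $VpnSubnet) {
            Write-Host "$name [$($rule.Profile)]: $VpnSubnet already in scope"
            continue
        }
        # Keep LocalSubnet (or whatever is there) and add the VPN subnet only.
        $newScope = $current + $VpnSubnet
        $rule | Set-NetFirewallRule -RemoteAddress $newScope -Enabled True
        Write-Host "$name [$($rule.Profile)]: scope now $($newScope -join ', ')"
    }
}

# Verify: print the resulting remote-address scope of both Private rules.
Get-NetFirewallRule -DisplayName $ruleNames |
    Where-Object { "$($_.Profile)" -match 'Private' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0,-55} {1,-8} {2}' -f $_.DisplayName, $_.Profile, $scope
    }
```

If the client connects while the PC's active network is classified as Public rather than Private, the Private rules never apply; check Get-NetConnectionProfile before concluding the scope change did not work.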
 
> For reference, I have a post subsequent to this one, which you commented in, that discusses using some rules on the router to accomplish this (not tested):
> How to allow openvpn clients to access my LAN PC
>
> With this understanding, do you know if a Synology or QNAP NAS will have similar access issues?
I avoided suggesting using that method, even though it solves most of the problems associated with TUN connections, because you can't run Merlin's firmware on your router. Therefore there's no reliable way that I'm aware of to apply it.

I've not seen the tap-windows6 message before but I suspect it's used for IPv6 VPN support.

P.S. The beginning of your post is confusing. You talk about your sister and Test vs Production. You never mentioned any of this before. You seem to be replying to a different thread?
 
@ColinTaylor
> I avoided suggesting using that method, even though it solves most of the problems associated with TUN connections, because you can't run Merlin's firmware on your router. Therefore there's no reliable way that I'm aware of to apply it.
I missed that this was a Merlin only scenario, thanks

First para - Acknowledging your comments re stock vs Merlin FW and noting what I believe are the relevant differences
Second para - Acknowledging your comment about testing vs permanent, balance really not relevant but context.
> I've not seen the tap-windows6 message before but I suspect it's used for IPv6 VPN support.
I was thinking similar, just not sure why Windows is using a Virtual TAP adapter. I think I may reset and retest.

From your first post, what do you see as the other issues with TAP (aside from lack of mobile device support)?
 
The concerns around TAP are that it creates a bridged connection. This can be seen as both an advantage and a disadvantage depending on the circumstances.

If the TAP connection is for a single client connecting to a VPN server it's not really a problem (other than client support).

The main issue is if you're connecting two LANs together. This presents security issues as both networks become one. You have to then avoid network conflicts from things like duplicated DHCP servers and work out how your local DNS will work. You can also create a dependency for one network on the other always being available (e.g. DHCP and DNS servers). There may also be issues around bandwidth. If the two networks are remote from each other the link between them might be low bandwidth. With a bridged connection all the normal network broadcast traffic is constantly being sent across the VPN tunnel. This was more of an issue in the past when network interconnects were measured in kilobits rather than megabits.
 
