OpenVpn

enrico

New Around Here
Hi All,
I have an RT-AC65P router as an OpenVPN server in my home. At another place, there is an RT-N18U with Merlin firmware and a USB-attached external HDD. The N18U can connect as a client via OpenVPN to my AC65P. I need to access the HDD on the client from my server's subnet via FTPS. (The FTPS share works in the N18U's LAN, but I can't access it from the server's subnet.) What should I set up?

Many thanks in advance!
 
Merlin has never made a firmware for the RT-N18U so you're probably using an unofficial port based on some old code. I suggest you contact the creator of the firmware directly as it's unlikely anyone here knows how your firmware works.
 
Merlin has never made a firmware for the RT-N18U so you're probably using an unofficial port based on some old code. I suggest you contact the creator of the firmware directly as it's unlikely anyone here knows how your firmware works.
Thank you for your feedback. I understand the point, but I assume OpenVPN should work in the same way on all devices. My question focused on the OpenVPN settings available in Merlin firmware.
 
but assume OpenVPN should work in the same way on all devices.

This is not the case. Merlin has made many changes that can affect the VPN over the years. Some of these affect routing and the firewall. What advanced options do you have for your VPN client and VPN server?
 
I got it.
OpenVPN_server.png
OpenVPN_client.png
 

In the VPN client settings change "Inbound Firewall" to Allow and see if that works.
 
Unfortunately, it doesn't. As I understand it, I should add something to Custom Configuration about routing, but I don't know what.
 
What IP address are you trying to connect to with your FTPS client?

Can you connect using a different protocol, e.g. SSH?

What is the output of this command:
Code:
iptables-save -t filter

What is the IP subnet address of the VPN server's LAN, VPN client's LAN, and the VPN client itself (your screenshot is too fuzzy to read).
 
What IP address are you trying to connect to with your FTPS client?

Can you connect using a different protocol, e.g. SSH?

What is the output of this command:
Code:
iptables-save -t filter

What is the IP subnet address of the VPN server's LAN, VPN client's LAN, and the VPN client itself (your screenshot is too fuzzy to read).
Server subnet: 192.168.1.0/24
VPN clients' LAN: 192.168.3.0/24 (assigned by the server)
Client's LAN: 192.168.2.0/24 (by the client)
The client gets 192.168.3.6 from the server, and its own IP is 192.168.2.1.

I have tried to connect to 192.168.2.1 and 192.168.3.5 too.
Code:
ASUSWRT-Merlin RT-N18U 386.3_2 Mon Oct 31 15:43:08 UTC 2022
admin@RT-N18U-0764:/tmp/home/root# iptables-save -t filter
# Generated by iptables-save v1.4.15 on Fri Mar 29 15:27:29 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1836:512174]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:NSFW - [0:0]
:OVPN - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:other2wan - [0:0]
-A INPUT -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -p udp -m udp --dport 4665 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -d 192.168.1.135/32 -p tcp -m tcp --dport 8481 -j DROP
-A INPUT -d 192.168.1.135/32 -p tcp -m tcp --dport 8081 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j DROP
-A OUTPUT -p udp -m udp --dport 4672 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4665 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT_PING -i eth0 -p icmp -j DROP
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
COMMIT
# Completed on Fri Mar 29 15:27:29 2024
 
And this is from the server (the previous one is from the client):

Code:
# Generated by iptables-save v1.4.12.2 on Fri Mar 29 15:32:21 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [414:25722]
:OUTPUT ACCEPT [7983:7766690]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:OUTPUT_DNS - [0:0]
:OUTPUT_IP - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logdrop_dns - [0:0]
:logdrop_ip - [0:0]
-A INPUT -i tun15 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 64565 -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -d 192.168.1.1/32 -i br0 -p udp -m udp --dport 53 -m string --string "Instagram" --algo bm --to 65535 --icase -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i pptp+ -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i tun15 -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -i br0 -p udp -m udp --dport 53 -m string --string "Instagram" --algo bm --to 65535 --icase -j DROP
-A FORWARD -p tcp -m webstr--webstr Instagram  -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i pptp+ -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o eth3 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
-A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
-A OUTPUT -j OUTPUT_IP
-A FUPNP -d 192.168.1.67/32 -p udp -m udp --dport 57241 -j ACCEPT
-A FUPNP -d 192.168.1.218/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A OUTPUT_DNS -m string --hex-string "|10706f697579747975696f706b6a666e6603636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d72666a656a6e666a6e65666a6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1131306166646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f376d667364666173646d6b676d726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0d386d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f3966646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|086861636b7563647403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|076c696e77756469056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0f6c6b6a68676664736174727975696f03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0b6d6e627663787a7a7a313203636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077131313133333303746f7000|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|057371353230056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|077563746b6f6e6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0e7a786376626d6e6e666a6a66777103636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_DNS -m string --hex-string "|0a65756d6d6167766e627003636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
-A OUTPUT_IP -d 193.201.224.0/24 -j logdrop_ip
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_dns -j DROP
-A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop_ip -j DROP
COMMIT
# Completed on Fri Mar 29 15:32:21 2024
 
The iptables output from your VPN client looks like the client isn't turned on? Is that the case?
Indeed. It connects now.
Code:
ASUSWRT-Merlin RT-N18U 386.3_2 Mon Oct 31 15:43:08 UTC 2022
admin@RT-N18U-0764:/tmp/home/root# iptables-save -t filter
# Generated by iptables-save v1.4.15 on Fri Mar 29 15:51:28 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [885:810324]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:NSFW - [0:0]
:OVPN - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:other2wan - [0:0]
-A INPUT -p udp -m udp --dport 4672 -j ACCEPT
-A INPUT -p udp -m udp --dport 4665 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -d 192.168.1.135/32 -p tcp -m tcp --dport 8481 -j DROP
-A INPUT -d 192.168.1.135/32 -p tcp -m tcp --dport 8081 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j DROP
-A OUTPUT -p udp -m udp --dport 4672 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4665 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4662 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT_PING -i eth0 -p icmp -j DROP
-A OVPN -i tun11 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
COMMIT
# Completed on Fri Mar 29 15:51:28 2024
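The difference between the two client dumps is the single rule `-A OVPN -i tun11 -j ACCEPT` that appears once the VPN client is up with "Inbound Firewall" set to Allow. The evaluator below is an added illustration (not code from the thread or from Asuswrt-Merlin) that walks the client's FORWARD chain, as quoted above, and reports the verdict a packet would get; it only understands `-i`/`-o` (with the `+` wildcard), `--state`/`--ctstate` and `-j`, which is all that path uses, and refuses anything else rather than guessing. The rule set is a constructed subset of the client dump; the packet is a dict with `in`, `out` and conntrack `state` keys.

```python
# Constructed subset of the RT-N18U dump after the client came up (NSFW/INVALID rules omitted).
CLIENT_RULES = """\
:FORWARD DROP [0:0]
:OVPN - [0:0]
:other2wan - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -j DROP
-A OVPN -i tun11 -j ACCEPT
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP
"""


def parse(dump):
    """Map chain name -> (policy, rules); user-defined chains carry the pseudo-policy '-'."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, pol = line.split()[:2]
            chains[name[1:]] = (pol, [])
        elif line.startswith("-A "):
            toks, matches, target, neg = line.split(), [], None, False
            for i, t in enumerate(toks[2:], 2):
                if t in ("-i", "-o"):  # interface match; a trailing "+" is a prefix wildcard
                    matches.append(lambda p, k="in" if t == "-i" else "out", v=toks[i + 1], n=neg:
                                   (p[k].startswith(v[:-1]) if v.endswith("+") else p[k] == v) != n)
                elif t in ("--state", "--ctstate"):
                    matches.append(lambda p, s=set(toks[i + 1].split(",")), n=neg: (p["state"] in s) != n)
                elif t == "-j":
                    target = toks[i + 1]
                elif t.startswith("-") and t != "-m":  # "-m name" only selects a match module
                    raise ValueError("unsupported option: " + t)
                neg = t == "!"  # "!" negates the option that follows it
            chains[toks[1]][1].append((matches, target))
    return chains


def verdict(chains, pkt, chain="FORWARD"):
    """Walk a chain for pkt {"in","out","state"}; None means a user chain returned."""
    policy, rules = chains[chain]
    for matches, target in rules:
        if not all(m(pkt) for m in matches):
            continue
        if target in chains:  # user-defined chain: adopt its verdict, if it gives one
            target = verdict(chains, pkt, target)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
    return None if policy == "-" else policy
```

Running it with the OVPN rule removed (as in the first, disconnected dump) shows a new connection from tun11 to br0 falling through to the final DROP, while replies to connections the client LAN opened are accepted either way by the RELATED,ESTABLISHED rule.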
 
