Routing question when connected via OpenVPN to router in cascade

[GSpock]

Hi all,
Here is my set-up:

• Main router is AX-86U with 192.168.1.1 ip
• Second router in cascade (behind AX-86U) is AX-56U getting 192.168.1.98 as WAN ip from AX-86U, and has 192.168.98.1 lan ip with one PC connected to its LAN port, getting 192.168.98.32 ip
• AX-56U has an OpenVPN Server running TUN, and is accessible from AX-86U thanks to port forward.
• AX-56U has firewall disabled
• so far so good ... everything works as expected
• Then, when I connect with my W11 laptop to OpenVPN Server from outside the LAN, I can access 192.168.98.32 PC without any issue but I cannot reach any 192.168.1.0/24 devices, which is I guess the normal behavior ; so my question is: what is it missing to be able to access any 192.168.1.0/24 devices when connected via that AX-56U OpenVPN Server ? (I guess something related to routing somewhere ...)

Thanks,
GS

N.B. for those who would be wondering why this set-up rather than simply have an OpenVPN Server running on AX-86U, the answer is simple: the RT-AX56U is powered-on/off on demand with a home plug.

 

[ColinTaylor]

You need to set the VPN servers' Client will use VPN to access = Both. If you set it to LAN only instead you would need to get the server to push the route for 192.168.1.0 to the client.

 

[GSpock]

Thanks @ColinTaylor ,
this is what I have, VPN access = LAN only, and push route but it does not work.
To be precise: access from my laptop (and android phone) connected to AX-56U via OpenVPN on mobile data can access 192.168.98.32 but not any 192.168.1.0/24 devices (NAS, Nvidia shield ..)
Thx

 

[ColinTaylor]

Check the client's VPN log to see if it's accepting the pushed route. I'd also suggest temporarily changing VPN to access to Both just to see if it makes a difference.

 

[GSpock]

Thanks @ColinTaylor ,
I did not see anything special in the log file of the client:

2023-03-25 16:51:34 Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
2023-03-25 16:51:34 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-03-25 16:51:34 OpenVPN 2.6.1 [git:v2.6.1/2c2a98a0e559928c] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar  8 2023
2023-03-25 16:51:34 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-03-25 16:51:34 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-25 16:51:36 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xxx.xxx:yyyyy
2023-03-25 16:51:36 UDPv4 link local: (not bound)
2023-03-25 16:51:36 UDPv4 link remote: [AF_INET]xx.xxx.xxx.xxx:yyyyy
2023-03-25 16:51:37 [RT-AX56U] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:yyyyy
2023-03-25 16:51:37 open_tun
2023-03-25 16:51:37 tap-windows6 device [Connexion au réseau local] opened
2023-03-25 16:51:37 Set TAP-Windows TUN subnet mode network/local/netmask = 10.88.0.0/10.88.0.2/255.255.255.0 [SUCCEEDED]
2023-03-25 16:51:37 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.88.0.2/255.255.255.0 on interface {C6870729-E05D-4D73-AF3E-31C8820B0279} [DHCP-serv: 10.88.0.0, lease-time: 31536000]
2023-03-25 16:51:37 Successful ARP Flush on interface [22] {C6870729-E05D-4D73-AF3E-31C8820B0279}
2023-03-25 16:51:37 IPv4 MTU set to 1500 on interface 22 using service
2023-03-25 16:51:42 Initialization Sequence Completed
2023-03-25 16:52:24 SIGTERM[hard,] received, process exiting

I confirm that when switching to VPN client access = both, then access to 192.168.1.0/24 devices is OK via their ip address.
Nevertheless I would like to stick to access = LAN only, due to performances issues when "both" is selected.

Any further suggestions ?
Thanks,
GS