What's new

RT-AC66U B1 OpenVPN server - Intra-Client Connection Issues

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jeremyp52

New Around Here
I am really stumped on this one. I have been having a heck of a time trying to figure out why I can't ping other computers on a client's network, while I am actively using a VPN connection into my server. This is a Client <-> Client scenario:

Client/Network A 192.168.40.0 <---> Internet <---> OVPN Server ASUS router 192.168.50.0 <---> Internet <--->Client/Network B 192.168.1.0

In the example shown, Client/Network A is using a Synology DS218j be a client to the ASUS OpenVPN server. I have enabled allowing other networked computers to use the Synology's VPN connection, but I left the use default remote gateway unchecked because I don't want that entire network's traffic, including Internet, going to my main router. That network is able to access anything on the 50.0 subnet, but nothing on the 1.0 subnet.

Client/Network B is presently a single computer connecting. It is able to see anything on my 50.0 subnet, but can only see the Synology on the 40.0 subnet (the actual client to the OpenVPN server).

I want Client A, and it's network on the 40.0 subnet to be able to communicate with anyone on the Client B 1.0 subnet. I also want to be able to use my iPhone/laptop/whatever, not have an iroute/push/route established for it (since I'm usually connecting from work or on the go), and be able to access either of these client networks directly. I realize it would be a one-way freedom to connect at that point.

I have an OpenVPN server, hosted at my home on an ASUS RT-AC66U B1 Merlin. I have customized the OpenVPN setup quite a bit, beefing up the DF key bit to 2048, and using easy-RSA to generate my own CA, server, and client certificates and keys. I then exported the OVPN file from the ASUS after entering/storing these keys, and filled in the blanks in the file (the <cert> and <key> areas) with the certs/keys specific to the clients. I also have CCD directory set up in /jffs/configs/openvpn/ccd1/ with files set to the name of the CN (common name) that contain a single line of iroute (client subnet) 192.168.xxx.0 255.255.255.0

I also disabled the duplicate-cn in the Merlin build with an ovpnserver1.postconf file, which works great, enforcing only one instance of a common name at a time.

So, here's what works:
  • All clients are able to talk to the server, and, if the client is one that I've set up a push/iroute/route for, then I can communicate with that client and the client-side network while I am at home on my main network.
  • Each client has its own unique common name.
  • I am able to able to do access, ping, and do trace routes succesfully from the server side network (50.0 subnet) to all clients and their computers.

Here's where I run into some issues:
  • If I try to traceroute from any computer on either of the clients (for example, client B the 1.0 subnet or a random iPhone connection in) to any other clients (for example, client A, the 40.0 subnet), I am able to see the packet end up at the DiskStation, but it fails beyond that.
  • The ASUS router creates 'client' routes (I believe) when I try to ask it to find these particular addresses (i.e., if I'm VPN'd in to the server, and I try to go to the 40.0 router (192.168.40.254), it creates an entry on the ASUS VPN route table for 192.168.40.254C and it has a LEARN note in the system log on the ASUS.
Because I'm able to hit the Synology from literally any client connected to the server, I am feeling like this has something to do with the Synology not knowing how to route requests/packets that originate from an address other than the server (i.e., originates from 10.9.0.6 instead of 10.9.0.1), but I am just not sure and I have no idea how to fix this.

I am attaching a myriad of pics for your viewing pleasure. Let me know if you have any ideas!

1572930272_5QzQT.png

Generated OpenVPN Server config (based on both custom keys and GUI inputs in ASUS Merlin) located in /etc/openvpn/server1/config.ovpn



1572930380_ipHeH.png

General client OVPN file (the cert/keys are client specific)



1572930484_7MQv7.png

ASUS Routing Table


1572931014_dcH8y.png

Example of me connecting to VPN on my laptop (while still technically at home and on the home network) and the OpenVPN server showing the log status when I try to visit 192.168.40.254 (client connecting to OVPN server connecting to router on a connected client's network)



1572931171_SEFt8.png

ASUS VPN Server routes dynamically updated to show the recent clients I tried to access on the 40.0 subnet thru another VPN client
 
1572930085_ufMBc.png

Ping gateway/router on Synology Network from another VPN client


1572930201_g3D5G.png

Ping gateway/router on Synology Network from within server network


1572930526_DTpri.png

Synology VPN Connection



1572930566_t8MHN.png

Synology Service Order



1572930620_DHMzi.png

Synology Routing Table
 
1572930648_5j8NI.png

Synology VPN connection settings



1572930706_ABigy.png

Traceroute from computer on 40.0 subnet doing traceroute to client on server network



1572930761_2eOkG.png

Routing setup on router/gateway on 40.0 subnet (where Synology lives)



1572930918_HtsKp.png

Port forwarding on router/gateway on 40.0 subnet (where Synology lives)


1572930830_8dGVX.png

ASUS OpenVPN server port forwarding rules
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top